WinXP L2TP, Linksys to Pix 6.2 - FIXED

Answered Question
Dec 23rd, 2009

Pix 515e 6.2 at central office, L2L VPN from Linksys at remote office, trying to setup WinXP SP3 & Vista remote VPN clients using L2TP.  First question: Is this even possible, without using the Cisco VPN client or upgrading the Pix OS?  Second question: if it is possible, what's wrong with my current config?  The L2L VPN works fine, but when the WinXP client tries to connect, this is what I get:

ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= (PIX outside address), src= (WinXP outside address),
    dest_proxy= (PIX outside address)/255.255.255.255/17/1701 (type=1),
    src_proxy= (WinXP internal address)/255.255.255.255/17/1701 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
IPSEC(validate_transform_proposal): proxy identities not supported
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= (PIX outside address), src= (WinXP outside address),
    dest_proxy= (PIX outside address)/255.255.255.255/17/1701 (type=1),
    src_proxy= (WinXP internal address)/255.255.255.255/17/1701 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
IPSEC(validate_transform_proposal): proxy identities not supported

ISAKMP: IPSec policy invalidated proposal
ISAKMP : Checking IPSec proposal 2

PIX Version 6.2(2)
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
sysopt ipsec pl-compatible
no sysopt route dnat

access-list nonat permit ip CO_WAN 255.255.224.0 Remote_LAN 255.255.255.0
access-list nonat permit ip DMZ_LAN 255.255.255.0 Remote_LAN 255.255.255.0
access-list nonat permit ip CO_LAN 255.255.255.0 10.100.100.0 255.255.255.0

ip local pool VPNPool 10.100.100.100-10.100.100.110

nat (inside) 0 access-list nonat

sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
sysopt ipsec pl-compatible
no sysopt route dnat


crypto ipsec transform-set LINKSYS_TS esp-3des esp-sha-hmac
crypto ipsec transform-set WINCLIENT_TS esp-3des esp-sha-hmac
crypto ipsec transform-set WINCLIENT_TS mode transport
crypto dynamic-map L2TP 30 set transform-set WINCLIENT_TS


crypto map ONLYMAP 10 ipsec-isakmp
crypto map ONLYMAP 10 match address nonat
crypto map ONLYMAP 10 set pfs group2
crypto map ONLYMAP 10 set peer LINKSYS_IP
crypto map ONLYMAP 10 set transform-set LINKSYS_TS
crypto map ONLYMAP 600 ipsec-isakmp dynamic L2TP
crypto map ONLYMAP interface outside


isakmp enable outside
isakmp key ******** address LINKSYS_IP netmask 255.255.255.255
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address


isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400


isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800


vpdn group WINCLIENTS accept dialin l2tp
vpdn group WINCLIENTS ppp authentication pap
vpdn group WINCLIENTS client configuration address local VPNPool
vpdn group WINCLIENTS client configuration dns DNS_IP
vpdn group WINCLIENTS client authentication local
vpdn group WINCLIENTS l2tp tunnel hello 60
vpdn username USERNAME password *********
vpdn enable outside

I have this problem too.
0 votes
Correct Answer by Yudong Wu about 6 years 11 months ago

By the way, I did not play with this old 6.2 code. If it does not support NAT-T and the client is behind NAT device, it could cause the issue. Some NAT device has VPN-passthrough feature, you can enable it and give it try.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (7 ratings)
Loading.
tripoli-e Wed, 12/23/2009 - 13:10

Thanks Kevin, I hadn't come across that suggestion befo

re.  I've applied the commands, and received 'WARNING: access-list has port selectors may have performance impact
' after the crypto dynamic-map command.  Now, the error message has changed:

ISAKMP (0): atts not acceptable. Next payload is 3
ISAKMP: transform 2, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xe 0x10
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x3 0xd0 0x90
ISAKMP:      encaps is 2
ISAKMP:      authenticator is HMAC-SHA
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= (PIX outside address), src= (WinXP outside address),
    dest_proxy= (PIX outside address)/255.255.255.255/17/1701 (type=1),
    src_proxy= (WinXP private address)/255.255.255.255/17/1701 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x0
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= (PIX outside address), src= (WinXP outside address),
    dest_proxy= (PIX outside address)/255.255.255.255/17/1701 (type=1),
    src_proxy= (WinXP private address)/255.255.255.255/17/1701 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x0

ISAKMP: IPSec policy invalidated proposal
ISAKMP : Checking IPSec proposal 2

WinXP machine is behind a Netgear firewall.  And, Pix 6.2 doesn't support 'nat-traversal'

Yudong Wu Wed, 12/23/2009 - 13:23

Ok, now the transform-set is not match,

Can you configure a different transform-set

crypto ipsec transform-set l2tp esp-des esp-md5-hmac
crypto ipsec transform-set l2tp mode transport

tripoli-e Wed, 12/23/2009 - 13:35

I now have:

crypto ipsec transform-set LINKSYS_TS esp-3des esp-sha-hmac
crypto ipsec transform-set WINCLIENT_TS esp-3des esp-sha-hmac
crypto ipsec transform-set WINCLIENT_TS mode transport

crypto ipsec transform-set l2tp esp-des esp-md5-hmac
crypto ipsec transform-set l2tp mode transport

crypto dynamic-map L2TP 30 match address l2tp
crypto dynamic-map L2TP 30 set transform-set WINCLIENT_TS

Could it be using the wrong transform set?  The one for the LINKSYS_TS instead of the WINCLIENT_TS?

Yudong Wu Wed, 12/23/2009 - 14:31

You are still using previous transform-set?

crypto dynamic-map L2TP 30 set transform-set WINCLIENT_TS <<<<<

You need change it to

crypto dynamic-map L2TP 30 set transform-set l2tp <<<<<

tripoli-e Wed, 12/23/2009 - 14:53

Your right, I changed that after my previous post.  I also changed from 'esp-des' to 'esp-3des', as the WinXP client didn't offer in its proposals.  From show run:

crypto ipsec transform-set LINKSYS_TS esp-3des esp-sha-hmac
crypto ipsec transform-set WINCLIENT_TS esp-3des esp-sha-hmac
crypto ipsec transform-set WINCLIENT_TS mode transport
crypto ipsec transform-set l2tp esp-3des esp-md5-hmac
crypto ipsec transform-set l2tp mode transport
crypto dynamic-map L2TP 30 match address l2tp
crypto dynamic-map L2TP 30 set transform-set l2tp
crypto map ONLYMAP 10 ipsec-isakmp
crypto map ONLYMAP 10 match address nonat
crypto map ONLYMAP 10 set pfs group2
crypto map ONLYMAP 10 set peer LINKSYS_IP
crypto map ONLYMAP 10 set transform-set LINKSYS_TS
crypto map ONLYMAP 600 ipsec-isakmp dynamic WINCLIENT
crypto map ONLYMAP interface outside

And output from:

sh cry ip tran                           

Transform set LINKSYS_TS: { esp-3des esp-sha-hmac  }
   will negotiate = { Tunnel,  },
  
Transform set WINCLIENT_TS: { esp-3des esp-sha-hmac  }
   will negotiate = { Transport,  },
  
Transform set l2tp: { esp-3des esp-md5-hmac  }
   will negotiate = { Transport,  },

Still receiving same error.  I appreciate the help!

Yudong Wu Wed, 12/23/2009 - 15:10

If you still see the same error, phase 2 proposal still does not match on both sides. can you post "debug crypto ipsec 3".

tripoli-e Wed, 12/23/2009 - 15:39

Debug output doesn't look any different.  I'm posting the session in its entirety:

Output of show debug

debug crypto ipsec 3
debug crypto isakmp 3
debug crypto ca 1
debug ppp negotiation
debug ppp error
debug vpdn event
debug vpdn error
debug vpdn packet

crypto_isakmp_process_block: src (WinXP Public), dest (PIX Outside)
VPN Peer: ISAKMP: Added new peer: ip:(WinXP Public) Total VPN Peers:2
VPN Peer: ISAKMP: Peer ip:(WinXP Public) Ref cnt incremented to:1 Total VPN Peers:2
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      unknown DH group 14
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a MSWIN2K client

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src (WinXP Public), dest (PIX Outside)
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src (WinXP Public), dest (PIX Outside)
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload
    next-payload : 8
    type         : 1
    protocol     : 17
    port         : 500
    length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
crypto_isakmp_process_block: src (WinXP Public), dest (PIX Outside)
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 1521528853

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xe 0x10
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x3 0xd0 0x90
ISAKMP:      encaps is 2
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= (PIX Outside), src= (WinXP Public),
    dest_proxy= (PIX Outside)/255.255.255.255/17/1701 (type=1),
    src_proxy= 192.168.0.4/255.255.255.255/17/1701 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x0
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= (PIX Outside), src= (WinXP Public),
    dest_proxy= 192.168.0.4/255.255.255.255/17/1701 (type=1),
    src_proxy= (PIX Outside)/255.255.255.255/17/1701 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x0

ISAKMP: IPSec policy invalidated proposal
ISAKMP : Checking IPSec proposal 2

ISAKMP: transform 1, AH_SHA
ISAKMP:   attributes in transform:
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xe 0x10
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x3 0xd0 0x90
ISAKMP:      encaps is 2
ISAKMP:      authenticator is HMAC-SHAIPSEC(validate_proposal): transform proposal (prot 2, trans 3, hmac_alg 2) not supported

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (2)
ISAKMP : Checking IPSec proposal 3

ISAKMP: transform 1, AH_MD5
ISAKMP:   attributes in transform:
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xe 0x10
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x3 0xd0 0x90
ISAKMP:      encaps is 2
ISAKMP:      authenticator is HMAC-MD5IPSEC(validate_proposal): transform proposal (prot 2, trans 2, hmac_alg 1) not supported

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (3)
ISAKMP : Checking IPSec proposal 4

ISAKMP: transform 1, AH_SHA
ISAKMP:   attributes in transform:
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xe 0x10
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x3 0xd0 0x90
ISAKMP:      encaps is 2
ISAKMP:      authenticator is HMAC-SHAIPSEC(validate_proposal): transform proposal (prot 2, trans 3, hmac_alg 2) not supported

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (4)
ISAKMP : Checking IPSec proposal 5

ISAKMP: transform 1, AH_MD5
ISAKMP:   attributes in transform:
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xe 0x10
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x3 0xd0 0x90
ISAKMP:      encaps is 2
ISAKMP:      authenticator is HMAC-MD5IPSEC(validate_proposal): transform proposal (prot 2, trans 2, hmac_alg 1) not supported

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (5)
ISAKMP : Checking IPSec proposal 6

ISAKMP: transform 1, ESP_DES
ISAKMP:   attributes in transform:
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of 
crypto_isakmp_process_block: src (WinXP Public), dest (PIX Outside)
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src (WinXP Public), dest (PIX Outside)
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src (WinXP Public), dest (PIX Outside)
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src (WinXP Public), dest (PIX Outside)
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src (WinXP Public), dest (PIX Outside)
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.

Yudong Wu Wed, 12/23/2009 - 16:01

I am not sure why if it still complains about invalidated ipsec proposal.

Can you try it by using a pc which is not behind NAT device?

Correct Answer
Yudong Wu Wed, 12/23/2009 - 16:15

By the way, I did not play with this old 6.2 code. If it does not support NAT-T and the client is behind NAT device, it could cause the issue. Some NAT device has VPN-passthrough feature, you can enable it and give it try.

tripoli-e Wed, 12/23/2009 - 16:41

Just tested on a WinXP laptop directly connected to outside network with PIX, and it connects without problems.  And I don't think the Netgear firewall has any options for VPN passthrough, but I'll double-check.

Update: while the laptop connects fine, no traffic seems to pass.  The PIX can ping the pool address assigned, but no other hosts can.

Yudong Wu Wed, 12/23/2009 - 19:48

For traffic issue, you need check

1. if decrypt and encrypt count in "show crypto ipsec sa" is incrementing

2. Routing in both direction

3. if the traffic is by-passed by NAT

tripoli-e Thu, 12/24/2009 - 08:23

1. yes, both encaps and decaps, from the vpn client and to the vpn client

2. yes, the PIX is the default gateway, ICMP works correctly, both ways

3. yes, but only ICMP

I removed the 'crypto dynamic-map WINCLIENT 30 match address L2TP_ACL' line we added earlier, but no change.  Hitcount on the 'nonat' ACL matches the number of packet decaps.  No other traffic, besides pings, seem to work.

Also, this issue was the final nail in the coffin for version 6.2(2) on the PIX.  I upgraded to 6.3(5) last night, added the 'isakmp nat-traversal 60' and now all remote clients connect fine.  Further, traffic through the L2L VPN still works correctly.

UPDATE:  Fixed, removed the 'sysopt ipsec pl-compatible' command.  Not sure why it was in there in the first place.

Actions

This Discussion