IPsec tunnel problems between Cisco router and WatchGuard Firebox

Hello,


I have a problem establishing a VPN connection between these two boxes. As the Cisco box I use a 1721 router with the c1700-k8sy7-mz.122-15.T5.bin IOS.

A tunnel can be established only from the Cisco box to the WatchGuard Firebox. When the WatchGuard tries to establish a VPN connection, I get an error message on the Cisco:


Aug 7 10:20:22.175: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 195.91.44.100, remote= 62.217.33.200,
local_proxy= 192.168.199.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.26.90.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-sha-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
Aug 7 10:20:22.175: IPSEC(kei_proxy): head = sycon, map->ivrf = , kei->ivrf =
Aug 7 10:20:22.175: IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x2


I have checked the transform-set settings on both devices and they were the same. Then I have changed the transform-set from

crypto ipsec transform-set sycon-set esp-des esp-sha-hmac

to

crypto ipsec transform-set sycon-set esp-des esp-md5-hmac


but got the same error message.


The configuration on the router is simple:


crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key xxxxxxx address xx.xxx.33.200
!
!
crypto ipsec transform-set sycon-set esp-des esp-md5-hmac
!
!
!
crypto map sycon local-address Loopback0
crypto map sycon 1 ipsec-isakmp
 set peer 62.217.33.200
 set security-association lifetime kilobytes 8192
 set security-association lifetime seconds 86400
 set transform-set sycon-set
 set pfs group1
 match address 110
!
interface Serial1.1 point-to-point
 ip address xx.xx.44.106 255.255.255.252
 frame-relay interface-dlci 16
 crypto map sycon
!
access-list 110 permit ip xxx.xxxx.199.0 0.0.0.255 xxxx.26.90.0 0.0.0.255


If there is a problem with the transform-set, can someone explain to me what the flags in the "invalid transform proposal flags -- 0x2" error message are and what they mean?

I was under the impression that when there is a problem with a transform-set, I would get an error message like this:

IPSec (validate_proposal): transform proposal
(port 3, trans 2, hmac_alg 2) not supported


Thank you.


Peter
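Added troubleshooting example, not from the post or from Cisco: a small Python checker that parses the IPSEC(validate_proposal_request) dump quoted above and compares the peer's proposal with the router's transform set and crypto ACL. The debug text is the one from the post; the config sample is constructed from the post, with the masked access-list networks assumed to be the ones the debug shows; the flags value is reported but not interpreted, since the post does not document its bits.

```python
import re
from ipaddress import ip_network

# Constructed sample: the validate_proposal_request dump quoted in the post.
DEBUG = """Aug 7 10:20:22.175: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 195.91.44.100, remote= 62.217.33.200,
local_proxy= 192.168.199.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.26.90.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-sha-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2"""

# Constructed sample: the crypto map after the change to esp-md5-hmac. The masked
# ACL networks are ASSUMED to be the proxy networks seen in the debug.
CONFIG = """crypto ipsec transform-set sycon-set esp-des esp-md5-hmac
crypto map sycon 1 ipsec-isakmp
 set transform-set sycon-set
 set pfs group1
 match address 110
access-list 110 permit ip 192.168.199.0 0.0.0.255 172.26.90.0 0.0.0.255"""

def parse_proposal(debug):
    """Pull proxy identities, transform and the raw flags word out of the dump."""
    proxies = {side: ip_network(f"{net}/{mask}") for side, net, mask in
               re.findall(r"(local|remote)_proxy= ([\d.]+)/([\d.]+)/", debug)}
    return {"local_proxy": proxies["local"], "remote_proxy": proxies["remote"],
            "transform": re.search(r"transform= (.+?) ,", debug).group(1).split(),
            # kept for reporting only; the bit meanings are not interpreted here
            "flags": int(re.search(r"flags= (0x[0-9a-fA-F]+)", debug).group(1), 16)}

def parse_config(config):
    """Resolve the transform set and the ACL that the crypto map entry references."""
    tsets = {m.group(1): m.group(2).split() for m in
             re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M)}
    name = re.search(r"^\s*set transform-set (\S+)", config, re.M).group(1)
    acl = re.search(r"match address (\d+)", config).group(1)
    src, swc, dst, dwc = re.search(
        rf"access-list {acl} permit ip ([\d.]+) ([\d.]+) ([\d.]+) ([\d.]+)", config).groups()
    # ip_network accepts a Cisco wildcard (hostmask) in the mask position.
    return {"transform": tsets[name],
            "src": ip_network(f"{src}/{swc}"), "dst": ip_network(f"{dst}/{dwc}")}

def compare(proposal, local):
    """List mismatches between the peer's INBOUND proposal and the local policy."""
    findings = []
    if proposal["transform"] != local["transform"]:
        findings.append(f"transform: peer {' '.join(proposal['transform'])} "
                        f"vs local {' '.join(local['transform'])}")
    if (proposal["local_proxy"], proposal["remote_proxy"]) != (local["src"], local["dst"]):
        findings.append("proxy identities do not mirror the crypto ACL")
    return findings
```

Running `compare(parse_proposal(DEBUG), parse_config(CONFIG))` on the post's data flags the esp-sha-hmac versus esp-md5-hmac transform difference while the proxy identities line up with access-list 110.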

