Invalid transform proposal flags

koaps (Level 1)

Hello,

I'm trying to set up L2TP and IPsec so that my VPN clients are totally dynamic. I do not know any IP endpoints, as they are all PPPoE or dial-up.

I'm pretty close to what I think should work, but I'm seeing an error whose cause I'm not sure of.

Here are the debugs:

ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 2
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 6.21.12.12, src= 6.19.18.15,
dest_proxy= 6.21.12.12/255.255.255.255/17/0 (type=1),
src_proxy= 192.168.0.124/255.255.255.255/17/1701 (type=1),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x200
IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x200
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 6.21.12.12, src= 6.19.18.15,
dest_proxy= 192.168.0.124/255.255.255.255/17/1701 (type=1),
src_proxy= 6.21.12.12/255.255.255.255/17/0 (type=1),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x200
IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x200
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 3
return status is IKMP_ERR_NO_RETRANS
ISADB: reaper checking SA 0x2dde684, conn_id = 0 DELETE IT!

Here's the config info:

access-list nonat permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list l2tp permit udp host 6.21.12.12 any eq 1701
access-list inbound permit icmp any any
ip local pool vpn-pool 10.1.1.100-10.1.1.200
global (outside) 1 6.21.12.18
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 6.21.12.1 1
sysopt connection permit-ipsec
sysopt connection permit-l2tp
crypto ipsec transform-set set-des esp-des esp-md5-hmac
crypto ipsec transform-set set-des mode transport
crypto dynamic-map dyn-map 1 match address l2tp
crypto dynamic-map dyn-map 1 set transform-set set-des
crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map
crypto map vpn-map client configuration address initiate
crypto map vpn-map client configuration address respond
crypto map vpn-map interface outside
isakmp enable outside
isakmp key * address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp nat-traversal 10
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
vpdn group 1 accept dialin l2tp
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 client configuration address local vpn-pool
vpdn group 1 client configuration dns 18.16.11.12
vpdn group 1 client authentication local
vpdn group 1 l2tp tunnel hello 60
vpdn username altair password *
vpdn enable outside

4 Replies

koaps (Level 1)

So what I don't get is this:

invalid transform proposal flags -- 0x200

How is this getting passed?

Note: I'm on XP.

I have configured my laptop following the XP examples on Cisco's site for a concentrator (no PIX examples).

I did have it failing before at "invalid proposal" because the SRC IP address wasn't in any ACLs. Obviously I was trying to get around this because I need a pure dynamic setup; the only known endpoint will be the PIX itself.

Well,

I'm closer.

I can now authenticate L2TP and get my IP assignments on 10.1.1.0. I still can't access internal clients or outside hosts, but it did get further.

I see an error while building the IPsec part.

It seems to be OK with the ISAKMP part, but IPsec fails on the proposals. Note that the 0x200 flags still seem to get passed.

ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to a MSWIN2K client
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:6.21.12.19, dest:6.21.12.12 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:6.21.12.19, dest:6.21.12.12 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP: Created a peer struct for 6.21.12.19, peer port 62465
ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 0
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:6.21.12.19/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:6.21.12.19/500 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:6.21.12.19, dest:6.21.12.12 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 1823340243
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
ISAKMP: encaps is 2
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 6.21.12.12, src= 6.21.12.19,
dest_proxy= 6.21.12.12/255.255.255.255/17/0 (type=1),
src_proxy= 6.21.12.19/255.255.255.255/17/1701 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x200
IPSEC(validate_transform_proposal): transform proposal not supported for identity:
{esp-3des esp-md5-hmac }
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 6.21.12.12, src= 6.21.12.19,
dest_proxy= 6.21.12.19/255.255.255.255/17/1701 (type=1),
src_proxy= 6.21.12.12/255.255.255.255/17/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x200
IPSEC(validate_transform_proposal): transform proposal not supported for identity:
{esp-3des esp-md5-hmac }
ISAKMP: IPSec policy invalidated proposal
ISAKMP : Checking IPSec proposal 2
ISAKMP: transform 1, AH_SHA
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
ISAKMP: encaps is 2
ISAKMP: authenticator is HMAC-SHA
ISAKMP (0): atts are acceptable.
ISAKMP : Checking IPSec proposal 2
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
ISAKMP: encaps is 2
IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 0) not supported
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 3
ISAKMP: transform 1, AH_MD5
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
ISAKMP: encaps is 2
ISAKMP (0): sending NOTIFY message 11 protocol 2
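The Quick Mode debugs in the original post and in the follow-up above both end with the PIX rejecting the client's proposals, but for different reasons: the first post's ESP_DES/HMAC-MD5 proposal does match the configured set-des transform set and is still thrown out on the 0x200 flags, while the second post's ESP_3DES proposals are simply not in any configured transform set ("transform proposal not supported for identity"). The following Python script is an added example, not code from the thread or from Cisco. It does the triage a responder would otherwise do by eye: it groups the peer's proposals by number, decodes the IKE Encapsulation Mode attribute (RFC 2407: 1 = tunnel, 2 = transport), maps the ISAKMP debug names to PIX transform-set keywords, and compares each bundle against the `crypto ipsec transform-set` lines from the posted config. The sample lines are copied from the two debugs above; the mapping tables and the function names are the example's own. It deliberately does not interpret the 0x200 flags value, which the thread never explains.

```python
"""Added example: triage the IPsec Quick Mode part of PIX 'debug crypto isakmp'
/ 'debug crypto ipsec' output against the transform-sets in the PIX config."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Encapsulation Mode attribute values from the IPsec DOI (RFC 2407).
ENCAPS_MODES = {1: "tunnel", 2: "transport"}
# ISAKMP debug transform names -> PIX transform-set keywords.
ESP_CIPHER = {"ESP_DES": "esp-des", "ESP_3DES": "esp-3des"}
AH_ALG = {"AH_MD5": "ah-md5-hmac", "AH_SHA": "ah-sha-hmac"}
ESP_AUTH = {"HMAC-MD5": "esp-md5-hmac", "HMAC-SHA": "esp-sha-hmac"}
# Verdict fragments the PIX prints while evaluating a proposal.
VERDICTS = [
    r"atts (?:are|not) acceptable",
    r"invalid transform proposal flags -- 0x[0-9a-fA-F]+",
    r"transform proposal not supported for identity",
    r"transform proposal \(prot \d+, trans \d+, hmac_alg \d+\) not supported",
    r"IPSec policy invalidated proposal",
]

# Constructed samples: lines copied from the two debugs posted in this thread.
DEBUG_FIRST_POST = [
    "ISAKMP : Checking IPSec proposal 1",
    "ISAKMP: transform 1, ESP_DES",
    "ISAKMP: encaps is 2",
    "ISAKMP: authenticator is HMAC-MD5",
    "ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,",
    "spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x200",
    "IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x200",
    "ISAKMP: IPSec policy invalidated proposal",
]
DEBUG_SECOND_POST = [
    "ISAKMP : Checking IPSec proposal 1",
    "ISAKMP: transform 1, ESP_3DES",
    "ISAKMP: encaps is 2",
    "ISAKMP: authenticator is HMAC-MD5",
    "ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,",
    "IPSEC(validate_transform_proposal): transform proposal not supported for identity:",
    "ISAKMP: IPSec policy invalidated proposal",
    "ISAKMP : Checking IPSec proposal 2",
    "ISAKMP: transform 1, AH_SHA",
    "ISAKMP: encaps is 2",
    "ISAKMP: authenticator is HMAC-SHA",
    "ISAKMP (0): atts are acceptable.",
    "ISAKMP : Checking IPSec proposal 2",
    "ISAKMP: transform 1, ESP_3DES",
    "ISAKMP: encaps is 2IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 0) not supported",
    "ISAKMP (0): atts not acceptable. Next payload is 0",
]
PIX_CONFIG = [  # the two transform-set lines from the posted config
    "crypto ipsec transform-set set-des esp-des esp-md5-hmac",
    "crypto ipsec transform-set set-des mode transport",
]


@dataclass
class Proposal:
    """One 'transform N, X' entry; several may share a proposal number (AH+ESP bundle)."""
    number: int
    transform: str
    encaps: Optional[int] = None
    authenticator: Optional[str] = None
    verdicts: list = field(default_factory=list)

    def keywords(self):
        if self.transform in AH_ALG:
            return frozenset({AH_ALG[self.transform]})
        words = {ESP_CIPHER.get(self.transform, self.transform.lower())}
        if self.authenticator in ESP_AUTH:
            words.add(ESP_AUTH[self.authenticator])
        return frozenset(words)

    def mode(self):
        return ENCAPS_MODES.get(self.encaps, "unknown(%s)" % self.encaps)


def parse_proposals(debug_lines):
    """Attach encaps, authenticator and PIX verdicts to each proposed transform."""
    proposals, current, number = [], None, None
    for line in debug_lines:
        if m := re.search(r"Checking IPSec proposal (\d+)", line):
            number = int(m.group(1))
        elif (m := re.search(r"ISAKMP: transform \d+, (\S+)", line)) and number is not None:
            current = Proposal(number, m.group(1))
            proposals.append(current)
        elif current is not None:
            if m := re.search(r"encaps is (\d+)", line):   # fused lines still parse
                current.encaps = int(m.group(1))
            if m := re.search(r"authenticator is (\S+)", line):
                current.authenticator = m.group(1)
            for pat in VERDICTS:
                if m := re.search(pat, line):
                    current.verdicts.append(m.group(0))
    return proposals


def parse_transform_sets(config_lines):
    """name -> (frozenset of keywords, mode); PIX defaults to tunnel mode."""
    sets = {}
    for line in config_lines:
        if m := re.match(r"\s*crypto ipsec transform-set (\S+) (.+)", line):
            name, rest = m.group(1), m.group(2).split()
            words, mode = sets.get(name, (frozenset(), "tunnel"))
            if rest[0] == "mode":
                mode = rest[1]
            else:
                words = frozenset(rest)
            sets[name] = (words, mode)
    return sets


def triage(debug_lines, config_lines):
    """One report per proposal number: the PIX matches the whole bundle to a set."""
    sets = parse_transform_sets(config_lines)
    bundles = {}
    for p in parse_proposals(debug_lines):
        b = bundles.setdefault(p.number, {"kw": set(), "modes": set(), "verdicts": []})
        b["kw"] |= p.keywords()
        b["modes"].add(p.mode())
        b["verdicts"].extend(p.verdicts)
    report = []
    for number, b in sorted(bundles.items()):
        mode = next(iter(b["modes"])) if len(b["modes"]) == 1 else "mixed"
        report.append({
            "proposal": number, "transform": sorted(b["kw"]), "mode": mode,
            "matching_sets": sorted(n for n, (kw, m) in sets.items()
                                    if kw == frozenset(b["kw"]) and m == mode),
            "pix_verdicts": b["verdicts"],
        })
    return report


if __name__ == "__main__":
    for label, lines in (("first post", DEBUG_FIRST_POST), ("second post", DEBUG_SECOND_POST)):
        for r in triage(lines, PIX_CONFIG):
            print(label, r)
```

Run as-is it prints one dictionary per proposal. For the first post's debug the report shows the proposal matching set-des in transport mode and still carrying the "invalid transform proposal flags -- 0x200" verdict, which separates that failure from a plain transform mismatch; for the second post it shows the ESP_3DES bundles matching nothing in the config, which is exactly what "not supported for identity" and "hmac_alg 0 not supported" say.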

How did you get from your original "invalid transform proposal flags" to this point?

I seem to be exactly where you were: using an XP client to access a PIX 501 and getting the invalid flags (0x200) regardless of which acceptable transform set is configured. The common error seems to have to do with tunnel vs. transport mode; I already have my transform sets configured for transport mode.

Any ideas are welcome.

Thanks in advance.

From what I can tell, the ip vpdn pool is in the same range as the destination network in the ACL that defines interesting traffic. The PIX sees the pool as internal, and I believe that it will process the packet differently than if the address were not an internally assigned one.

I would try to assign a different pool for L2TP traffic that is still routable to the PIX (make sure that that is the case) and is different from the crypto map ACL. Even if that is done, from what I understand about Windows IPsec and L2TP, transport mode is used, but in some cases the PIX/IOS IPsec handling is better with tunnel mode, because one end is specifying an address and wants to tell the other; tunnel mode is used to create new IP headers and trailers so that the PIX/IOS router can tell host 1.2.3.4 on the internet that you have a virtual adapter interface address of 10.3.4.5.

Even if you get L2TP to work, it is useless without IPsec or some other encryption. In the case of Windows 2000/XP and Linux/Solaris, the only way I know to have true dynamic clients, other than PPTP, is to use the Cisco VPN client.

By the way, the PIX 6.3 code can use 128-bit MPPE encryption for local accounts, and the new concentrators from Cisco can use SSL-based VPNs that do not require a VPN client.
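The overlap this reply points at (the L2TP pool sitting inside a network that one of the PIX access-lists names) is easy to miss in a long config. The script below is an added example, not from the thread or from Cisco: it parses `ip local pool` and `access-list` lines in PIX 6.x syntax (`host A`, `A MASK` with a real netmask rather than a wildcard, `any`, and port operators such as `eq 1701`) and reports every pool that overlaps a network an ACL refers to. It only finds overlaps; whether a given overlap is a problem is the reader's call. The sample lines are copied from the config in the original post; the function names are the example's own.

```python
"""Added example: report L2TP/IPsec address pools that overlap a network
named in a PIX access-list (for instance the nat 0 'nonat' list)."""
import ipaddress
import re

# Constructed sample: three lines copied from the config posted in this thread.
PIX_CONFIG = [
    "access-list nonat permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0",
    "access-list l2tp permit udp host 6.21.12.12 any eq 1701",
    "ip local pool vpn-pool 10.1.1.100-10.1.1.200",
]

DOTTED = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
POOL = re.compile(r"^\s*ip local pool (\S+) (\S+)-(\S+)")


def parse_pools(lines):
    """Map pool name -> (first address, last address)."""
    pools = {}
    for line in lines:
        if m := POOL.match(line):
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
    return pools


def acl_networks(lines):
    """List (acl name, network) for every address term of an access-list line."""
    found = []
    for line in lines:
        toks = line.split()
        if len(toks) < 5 or toks[0] != "access-list":
            continue
        name, rest = toks[1], toks[4:]          # skip 'permit|deny' and protocol
        i = 0
        while i < len(rest):
            tok = rest[i]
            if tok == "host":
                found.append((name, ipaddress.ip_network(rest[i + 1] + "/32")))
                i += 2
            elif DOTTED.match(tok) and i + 1 < len(rest) and DOTTED.match(rest[i + 1]):
                # PIX ACLs carry a real netmask, e.g. 10.1.1.0 255.255.255.0
                found.append((name, ipaddress.ip_network(tok + "/" + rest[i + 1], strict=False)))
                i += 2
            elif tok in ("eq", "neq", "gt", "lt"):
                i += 2                          # port operator and its value
            else:
                i += 1                          # 'any' and anything unrecognised
    return found


def pool_overlaps(lines):
    """Return [(pool, acl, network)] for every pool range that touches an ACL network."""
    hits = []
    for pool, (first, last) in parse_pools(lines).items():
        for acl, net in acl_networks(lines):
            if first <= net.broadcast_address and last >= net.network_address:
                hits.append((pool, acl, str(net)))
    return hits


if __name__ == "__main__":
    for pool, acl, net in pool_overlaps(PIX_CONFIG):
        print(f"pool {pool} overlaps {net}, which access-list {acl} refers to")
```

On the posted config this reports vpn-pool against the 10.1.1.0/24 destination of the nonat list and nothing against the l2tp list, which is the observation the reply makes.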
