12-03-2003 06:19 PM - edited 03-09-2019 05:44 AM
Hello,
I'm trying to set up L2TP and IPsec so that my VPN clients are totally dynamic. I do not know any IP endpoints, as they are all PPPoE or dialup.
I'm pretty close to what I think should work, but I'm seeing an error whose cause I'm not sure of.
Here are the debugs:
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 2
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 6.21.12.12, src= 6.19.18.15,
dest_proxy= 6.21.12.12/255.255.255.255/17/0 (type=1),
src_proxy= 192.168.0.124/255.255.255.255/17/1701 (type=1),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x200
IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x200
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 6.21.12.12, src= 6.19.18.15,
dest_proxy= 192.168.0.124/255.255.255.255/17/1701 (type=1),
src_proxy= 6.21.12.12/255.255.255.255/17/0 (type=1),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x200
IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x200
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 3
return status is IKMP_ERR_NO_RETRANS
ISADB: reaper checking SA 0x2dde684, conn_id = 0 DELETE IT!
Here's the config info:
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list l2tp permit udp host 6.21.12.12 any eq 1701
access-list inbound permit icmp any any
ip local pool vpn-pool 10.1.1.100-10.1.1.200
global (outside) 1 6.21.12.18
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 6.21.12.1 1
sysopt connection permit-ipsec
sysopt connection permit-l2tp
crypto ipsec transform-set set-des esp-des esp-md5-hmac
crypto ipsec transform-set set-des mode transport
crypto dynamic-map dyn-map 1 match address l2tp
crypto dynamic-map dyn-map 1 set transform-set set-des
crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map
crypto map vpn-map client configuration address initiate
crypto map vpn-map client configuration address respond
crypto map vpn-map interface outside
isakmp enable outside
isakmp key * address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp nat-traversal 10
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
vpdn group 1 accept dialin l2tp
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 client configuration address local vpn-pool
vpdn group 1 client configuration dns 18.16.11.12
vpdn group 1 client authentication local
vpdn group 1 l2tp tunnel hello 60
vpdn username altair password *
vpdn enable outside
12-03-2003 06:29 PM
So what I don't get is this:
invalid transform proposal flags -- 0x200
How is this getting passed?
Note: I'm on XP.
I have configured my laptop by the XP examples on Cisco's site for a concentrator (no PIX examples).
I did have it failing before at invalid proposal because the IP address of SRC wasn't in any ACLs. Obviously I was trying to get around this because I need a pure dynamic setup; the only known endpoint will be the PIX itself.
12-04-2003 01:40 PM
Well,
I'm closer.
I can now authenticate L2TP and get my IP assignments on 10.1.1.0. I still can't access internal clients or outside hosts, but it did get further.
I see an error while building the IPsec part.
It seems to be ok with the ISAKMP part. But IPsec fails on the proposals. Note the 0x200 flags still seem to get passed.
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to a MSWIN2K client
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:6.21.12.19, dest:6.21.12.12 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:6.21.12.19, dest:6.21.12.12 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP: Created a peer struct for 6.21.12.19, peer port 62465
ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 0
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:6.21.12.19/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:6.21.12.19/500 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:6.21.12.19, dest:6.21.12.12 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 1823340243
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
ISAKMP: encaps is 2
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 6.21.12.12, src= 6.21.12.19,
dest_proxy= 6.21.12.12/255.255.255.255/17/0 (type=1),
src_proxy= 6.21.12.19/255.255.255.255/17/1701 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x200
IPSEC(validate_transform_proposal): transform proposal not supported for identity:
{esp-3des esp-md5-hmac }
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 6.21.12.12, src= 6.21.12.19,
dest_proxy= 6.21.12.19/255.255.255.255/17/1701 (type=1),
src_proxy= 6.21.12.12/255.255.255.255/17/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x200
IPSEC(validate_transform_proposal): transform proposal not supported for identity:
{esp-3des esp-md5-hmac }
ISAKMP: IPSec policy invalidated proposal
ISAKMP : Checking IPSec proposal 2
ISAKMP: transform 1, AH_SHA
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
ISAKMP: encaps is 2
ISAKMP: authenticator is HMAC-SHA
ISAKMP (0): atts are acceptable.
ISAKMP : Checking IPSec proposal 2
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
ISAKMP: encaps is 2IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 0) not supported
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 3
ISAKMP: transform 1, AH_MD5
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
ISAKMP: encaps is 2
ISAKMP (0): sending NOTIFY message 11 protocol 2
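Reading these quick-mode debugs by hand is tedious, so here is an added Python example (not from this thread and not Cisco's code) that parses the "Checking IPSec proposal" blocks quoted above and reports, per proposal, the transform, the encapsulation mode, the proxy identities, the flags value and the reason the PIX gave for rejecting it. The sample input is an excerpt of the debug output in this thread; the mapping of the encaps attribute (1 = tunnel, 2 = transport) follows the IPsec DOI (RFC 2407). Line-matching uses search() rather than match() because the console ran some lines together (e.g. "atts are acceptable.IPSEC(validate_proposal_request)").

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# IPsec DOI "Encapsulation Mode" attribute values (RFC 2407).
ENCAPS_MODE = {1: "tunnel", 2: "transport"}

# Constructed sample: an excerpt of the phase-2 debug output quoted in this thread.
SAMPLE_DEBUG = """\
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 2
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 6.21.12.12, src= 6.21.12.19,
dest_proxy= 6.21.12.12/255.255.255.255/17/0 (type=1),
src_proxy= 6.21.12.19/255.255.255.255/17/1701 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x200
IPSEC(validate_transform_proposal): transform proposal not supported for identity:
{esp-3des esp-md5-hmac }
ISAKMP: IPSec policy invalidated proposal
ISAKMP : Checking IPSec proposal 2
ISAKMP: transform 1, AH_SHA
ISAKMP: encaps is 2
ISAKMP: authenticator is HMAC-SHA
ISAKMP (0): atts are acceptable.
ISAKMP : Checking IPSec proposal 2
ISAKMP: transform 1, ESP_3DES
ISAKMP: encaps is 2IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 0) not supported
ISAKMP (0): atts not acceptable. Next payload is 0
"""


@dataclass
class Proposal:
    number: int
    transform: str = ""
    encaps: Optional[int] = None
    authenticator: str = ""
    flags: str = ""
    dest_proxy: str = ""
    src_proxy: str = ""
    errors: list = field(default_factory=list)
    accepted: Optional[bool] = None

    @property
    def mode(self) -> str:
        return ENCAPS_MODE.get(self.encaps, "unknown")


RE_CHECK = re.compile(r"Checking IPSec proposal (\d+)")
RE_TRANSFORM = re.compile(r"ISAKMP: transform \d+, (\S+)")
RE_ENCAPS = re.compile(r"encaps is (\d+)")
RE_AUTH = re.compile(r"authenticator is (\S+)")
RE_FLAGS = re.compile(r"flags= (0x[0-9a-fA-F]+)")
RE_PROXY = re.compile(r"(dest|src)_proxy= (\S+)")
RE_ERROR = re.compile(r"IPSEC\((validate_transform_proposal|validate_proposal)\): (.*)")
RE_ACCEPT = re.compile(r"atts (are|not) acceptable")
RE_INVALID = re.compile(r"IPSec policy invalidated proposal")


def parse_debug(text: str) -> list:
    """Split PIX 'debug crypto' output into one Proposal per 'Checking IPSec proposal' block."""
    proposals = []
    cur = None
    for line in text.splitlines():
        if m := RE_CHECK.search(line):
            cur = Proposal(number=int(m.group(1)))
            proposals.append(cur)
            continue
        if cur is None:
            continue  # lines before the first proposal (phase 1, KE, ID ...) are ignored
        if m := RE_TRANSFORM.search(line):
            cur.transform = m.group(1)
        if m := RE_ENCAPS.search(line):
            cur.encaps = int(m.group(1))
        if m := RE_AUTH.search(line):
            cur.authenticator = m.group(1)
        if m := RE_FLAGS.search(line):
            cur.flags = m.group(1)
        for which, val in RE_PROXY.findall(line):
            setattr(cur, f"{which}_proxy", val)
        if m := RE_ERROR.search(line):
            cur.errors.append(m.group(2).strip())
        if m := RE_ACCEPT.search(line):
            cur.accepted = m.group(1) == "are"
        if RE_INVALID.search(line):
            cur.accepted = False  # ISAKMP accepted the attributes, IPsec policy then rejected them
    return proposals


def summarize(proposals: list) -> list:
    """One human-readable line per proposal, with the PIX's rejection reasons indented below it."""
    out = []
    for p in proposals:
        verdict = {True: "accepted", False: "rejected", None: "undecided"}[p.accepted]
        line = (f"proposal {p.number}: {p.transform or '?'} {p.authenticator} "
                f"mode={p.mode} flags={p.flags or '-'} -> {verdict}")
        if p.src_proxy or p.dest_proxy:
            line += f" (proxy {p.src_proxy} -> {p.dest_proxy})"
        for e in p.errors:
            line += f"\n    reason: {e}"
        out.append(line)
    return out


if __name__ == "__main__":
    print("\n".join(summarize(parse_debug(SAMPLE_DEBUG))))
```

Running it against the excerpt shows that every proposal the XP client offers is transport mode (encaps 2), that proposal 1 passed the ISAKMP attribute check and was then thrown out by IPsec policy with "transform proposal not supported for identity", and that the second part of proposal 2 fails with "hmac_alg 0", which is the information the replies below are reasoning about.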
04-19-2004 07:31 AM
How did you get from your original "invalid transform proposal flags" to this point?
I seem to be exactly where you were. Using XP client to access PIX 501 and getting the invalid flags (0x200) regardless of which acceptable transform-set is configured. The common error seems to have to do with tunnel vs. transport mode; I already have my transform sets configured for transport mode.
Any ideas are welcome.
Thanks in advance.
04-20-2004 11:31 AM
From what I can tell, the ip vpdn pool is in the same range as the dest. network in the acl that defines interesting traffic. The pix sees the pool as internal and I believe that it will process the packet differently than if the address were not an internal assigned one.
I would try to assign a different pool for l2tp traffic that is still routable to the pix (make sure that that is the case) and is different from the crypto map acl. Even if that is done, from what I understand about windows ipsec and l2tp, transport mode is used, but in some cases the pix/ios ipsec handling is better with tunnel mode, due to the fact that one end is specifying an address and wants to tell the other; so tunnel mode is used to create new ip headers and trailers so that the pix/ios router can tell host 1.2.3.4 on the internet that you have a virtual adapter interface address of 10.3.4.5.
Even if you get L2TP to work, it is useless without ipsec or some other encryption, in the case of windows 2000/xp and linux/solaris, the only way I know to have true dynamic clients, other than pptp, is to use the cisco vpn client.
By the way, the pix 6.3 code can use 128-bit mppe encryption for local accounts, and the new concentrators from cisco can use ssl-based vpns that do not require a vpn client.