Cisco Support Community
New Member

proxy identities not supported

I'm configuring a VPN for the first time with a 1720 and an 806. Both routers are doing NAT (with an address pool). There is a router in between them, so both gateways are set to the 2 interfaces on the "middle" router. The VPN does not work. The SAs appear to be formed, though. When viewing the debug messages, the following lines appear:

01:40:12: IPSEC(validate_transform_proposal): proxy identities not supported

01:40:12: ISAKMP (0:1): IPSec policy invalidated proposal

01:40:12: ISAKMP (0:1): phase 2 SA not acceptable!

Also, further down in the debug, I get this message:

01:40:12: ISAKMP (0:1): purging node 2143726286

01:40:12: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at

Can anyone explain what they mean? I can barely find any info on the proxy message... Thanks!!!

Cisco Employee

Re: proxy identities not supported

Proxy identities not supported means the access-lists that you are using for the interesting traffic don't actually match, or if they do, I suspect your NAT is getting in the way of the IPSec traffic. IPSec traffic should bypass your NAT, sample config is on:

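The two conditions the reply names can be checked offline before touching the routers. The following is an added example, not part of the original thread: it verifies that the crypto ACLs on the two peers are mirror images and that the NAT ACL denies the protected flow before any permit matches it. The ACL numbers, addresses and function names are constructed for illustration, and the parser only handles `access-list N permit|deny ip` lines with `any` or address/wildcard pairs.

```python
import ipaddress

def _take(tok):
    # Consume one address spec: 'any' or 'ADDR WILDCARD' (contiguous wildcard only).
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    w = int(ipaddress.IPv4Address(tok[1]))
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard {tok[1]}")
    return ipaddress.ip_network(f"{tok[0]}/{32 - w.bit_length()}"), tok[2:]

def parse_acl(text):
    # Ordered (action, src, dst) tuples from 'access-list N permit|deny ip ...' lines.
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
            raise ValueError(f"unsupported line: {line!r}")
        src, rest = _take(tok[4:])
        dst, _ = _take(rest)
        entries.append((tok[2], src, dst))
    return entries

def nat_translates(nat_acl, src, dst):
    # First match wins; only entries covering the whole flow count; no match = deny.
    for action, s, d in nat_acl:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action == "permit"
    return False

def check(local_crypto, remote_crypto, local_nat):
    # Return a list of problems; empty means proxy identities and NAT bypass line up.
    local, remote, nat = map(parse_acl, (local_crypto, remote_crypto, local_nat))
    problems = []
    ours = {(s, d) for a, s, d in local if a == "permit"}
    theirs = {(d, s) for a, s, d in remote if a == "permit"}
    if ours != theirs:
        problems.append("crypto ACLs are not mirror images")
    for s, d in sorted(ours):
        if nat_translates(nat, s, d):
            problems.append(f"NAT translates protected flow {s} -> {d}")
    return problems

# Constructed sample ACLs (not from the thread).
A_CRYPTO = "access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255"
B_CRYPTO = "access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255"
NAT_BAD = "access-list 110 permit ip 10.1.1.0 0.0.0.255 any"
NAT_OK = ("access-list 110 deny ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255\n"
          "access-list 110 permit ip 10.1.1.0 0.0.0.255 any")
print(check(A_CRYPTO, B_CRYPTO, NAT_BAD), check(A_CRYPTO, B_CRYPTO, NAT_OK))
```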