Cisco Support Community
Community Member

VPN Client 3.5.4 to PIX 6.1(2)

Can anyone help?

I am currently setting up our PIX to be able to accept VPN tunneling from VPN Client s/w ver 3.5.4.

From the debug on the PIX I can see the connection gets through the first level of authentication, but then when it finds the atts acceptable during the second level it returns the following error and then continues trying to find acceptable attributes until it hangs and returns an error at the VPN client side:

ISAKMP (0): atts are acceptable.

IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) dest=, src=,

dest_proxy= (type=4),

src_proxy= (type=1),

protocol= ESP, transform= esp-3des esp-md5-hmac ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

IPSEC(validate_transform_proposal): proxy identities not supported

The VPN client gives the following error:

Sev=Warning/3 IKE0xA3000058

Received malformed message or negotiation no longer active

Can anyone give any pointers? I have seen similar problems in the forum but nothing exactly matching this.

The additional config to the PIX is below:

access-list nat0vpn permit ip

access-list VPDN permit ip

ip local pool vpdnpool

nat (inside) 0 access-list nat0vpn

route outside 1

sysopt connection permit-ipsec

crypto ipsec transform-set tripledesmd5 esp-3des esp-md5-hmac

crypto dynamic-map dynmap 1 match address VPDN

crypto dynamic-map dynmap 1 set transform-set tripledesmd5

crypto map mapname 1 ipsec-isakmp dynamic dynmap

crypto map mapname interface outside

isakmp enable outside

isakmp identity address

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption 3des

isakmp policy 1 hash md5

isakmp policy 1 group 2

isakmp policy 1 lifetime 86400

vpngroup vpngroup address-pool vpdnpool

vpngroup vpngroup dns-server

vpngroup vpngroup wins-server

vpngroup vpngroup default-domain

vpngroup vpngroup idle-time 1800

vpngroup vpngroup max-time 86400

vpngroup vpngroup password ********

Community Member

Re: VPN Client 3.5.4 to PIX 6.1(2)

Before anyone replies to this, please don't bother, as the answer has turned out to be an access-list issue.


Community Member

Re: VPN Client 3.5.4 to PIX 6.1(2)

What exactly was the issue with the acl?
