New Member

VPN client 3.6.3(A)

Hi, I have a problem with this client. I can't connect to an 837 router with this IOS: c837-k9o3sy6-mz.122-13.ZH.bin.

The configuration of the router is:

Router_Adsl#sh run
version 12.2
no service pad
hostname Router_Adsl
!
username xxxx password 0 xxxx
aaa new-model
!
!
aaa authorization network administradores local
aaa session-id common
ip subnet-zero
ip domain name racing.es
!
crypto isakmp policy 18
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration address-pool local mipool
!
crypto isakmp client configuration group administradores
 key 0 xxxx
 dns 192.168.200.2
 domain racing.es
 pool mipool
!
!
crypto ipsec transform-set mitrans esp-3des esp-sha-hmac
crypto ipsec transform-set lasegtrans esp-des esp-md5-hmac
!
crypto dynamic-map mapadinamico 20
 set transform-set mitrans
 reverse-route
!
crypto dynamic-map elsegmapa 30
 set transform-set lasegtrans
!
!
crypto map mapaestatico isakmp authorization list administradores
crypto map mapaestatico client configuration address respond
crypto map mapaestatico 10 ipsec-isakmp dynamic mapadinamico
crypto map mapaestatico 20 ipsec-isakmp dynamic elsegmapa
!
!
interface Loopback0
 ip address x.x.x.2 255.255.255.255
!
interface Ethernet0
 ip address 192.168.200.251 255.255.255.0
 ip nat inside
 no ip route-cache
 no ip mroute-cache
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip route-cache
 no ip mroute-cache
 no atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto
 hold-queue 224 in
!
interface ATM0.1 point-to-point
 ip address xx.x.9 255.255.255.252
 ip access-group 100 in
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 pvc 1/32
  protocol ip 10.0.80.10 broadcast
  vbr-nrt 384 384 32
  encapsulation aal5mux ip
 !
 crypto map mapaestatico
!
ip local pool mipool 192.168.200.218 192.168.200.220
ip nat inside source list 1 interface Loopback0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.80.10
ip access-list extended default-domain
ip access-list extended key-exchange
ip access-list extended protocol
ip access-list extended save-password
access-list 1 permit 192.168.200.0 0.0.0.255
radius-server authorization permit missing Service-Type
!
scheduler max-task-time 5000
!
end

When I enable debug crypto ipsec I get:

*Mar 1 01:51:55.215: IPSEC(key_engine): got a queue event...
*Mar 1 01:51:55.727: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 22.81.27.2, remote= 62.83.244.84,
  local_proxy= 22.81.27.2/255.255.255.255/0/0 (type=1),
  remote_proxy= 192.168.200.219/255.255.255.255/0/0 (type=1),
  protocol= ESP, transform= esp-aes 256 esp-md5-hmac ,
  lifedur= 0s and 0kb,
  spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x2
*Mar 1 01:51:55.727: IPSEC(validate_proposal_request): proposal part #2,
  (key eng. msg.) INBOUND local= 22.81.27.2, remote= 62.83.244.84,
  local_proxy= 22.81.27.2/255.255.255.255/0/0 (type=1),
  remote_proxy= 192.168.200.219/255.255.255.255/0/0 (type=1),
  protocol= PCP, transform= comp-lzs ,
  lifedur= 0s and 0kb,
  spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
*Mar 1 01:51:55.731: IPSEC(validate_transform_proposal): invalid local address 22.81.27.2
*Mar 1 01:51:55.731: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 22.81.27.2, remote= 62.83.244.84,
  local_proxy= 22.81.27.2/255.255.255.255/0/0 (type=1),
  remote_proxy= 192.168.200.219/255.255.255.255/0/0 (type=1),
  protocol= ESP, transform= esp-aes 256 esp-sha-hmac ,
  lifedur= 0s and 0kb,
  spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x2
*Mar 1 01:51:55.735: IPSEC(validate_proposal_request): proposal part #2,
  (key eng. msg.) INBOUND local= 22.81.27.2, remote= 62.83.244.84,
  local_proxy= 22.81.27.2/255.255.255.255/0/0 (type=1),
  remote_proxy= 192.168.200.219/255.255.255.255/0/0 (type=1),
  protocol= PCP, transform= comp-lzs ,
  lifedur= 0s and 0kb,
  spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
*Mar 1 01:51:55.735: IPSEC(validate_transform_proposal): invalid local address 22.81.27.2
*Mar 1 01:51:55.739: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 212.81.207.2, remote= 62.83.244.84,
  local_proxy= 22.81.27.2/255.255.255.255/0/0 (type=1),
  remote_proxy= 192.168.200.219/255.255.255.255/0/0 (type=1),
  protocol= ESP, transform= esp-aes esp-md5-hmac ,
  lifedur= 0s and 0kb,
  spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x2
*Mar 1 01:51:55.739: IPSEC(validate_proposal_request): proposal part #2,
  (key eng. msg.) INBOUND local= 22.81.27.2, remote= 62.83.244.84,
  local_proxy= 22.81.27.2/255.255.255.255/0/0 (type=1),
  remote_proxy= 192.168.200.219/255.255.255.255/0/0 (type=1),
  protocol= PCP, transform= comp-lzs ,
  lifedur= 0s and 0kb,
  spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
*Mar 1 01:51:55.743: IPSEC(validate_transform_proposal): invalid local address 22.81.27.2
*Mar 1 01:51:55.743: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 22.81.27.2, remote= 62.83.244.84,
  local_proxy= 22.81.27.2/255.255.255.255/0/0 (type=1),
  remote_proxy= 192.168.200.219/255.255.255.255/0/0 (type=1),
  protocol= ESP, transform= esp-aes esp-sha-hmac ,
  lifedur= 0s and 0kb,
  spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x2
*Mar 1 01:51:55.743: IPSEC(validate_proposal_request): proposal part #2,
  (key eng. msg.) INBOUND local= 22.81.27.2, remote= 62.83.244.84,
  local_proxy= 22.81.27.2/255.255.255.255/0/0 (type=1),
  remote_proxy= 192.168.200.219/255.255.255.255/0/0 (type=1),
  protocol= PCP, transform= comp-lzs ,
  lifedur= 0s and 0kb,
  spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
*Mar 1 01:51:55.743: IPSEC(validate_transform_proposal): invalid local address 22.81.27.2
*Mar 1 01:51:55.747: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 212.81.207.2, remote= 62.83.244.84,
  local_proxy= 22.81.27.2/255.255.255.255/0/0 (type=1),
  remote_proxy= 192.168.200.219/255.255.255.255/0/0 (type=1),
  protocol= ESP, transform= esp-aes 256 esp-md5-hmac ,
  lifedur= 0s and 0kb,
  spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x2
*Mar 1 01:51:55.747: IPSEC(validate_transform_proposal): invalid local address 22.81.27.2
*Mar 1 01:51:55.751: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 22.81.27.2, remote= 62.83.244.84,
  local_proxy= 22.81.27.2/255.255.255.255/0/0 (type=1),
  remote_proxy= 192.168.200.219/255.255.255.255/0/0 (type=1),
  protocol= ESP, transform= esp-aes 256 esp-sha-hmac ,
  lifedur= 0s and 0kb,
  spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x2
*Mar 1 01:51:55.751: IPSEC(validate_transform_proposal): invalid local address 22.81.27.2
*Mar 1 01:51:55.751: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 212.81.207.2, remote= 62.83.244.84,
  local_proxy= 22.81.27.2/255.255.255.255/0/0 (type=1),
  remote_proxy= 192.168.200.219/255.255.255.255/0/0 (type=1),
  protocol= ESP, transform= esp-aes esp-md5-hmac ,
  lifedur= 0s and 0kb,
  spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x2
*Mar 1 01:51:55.755: IPSEC(validate_transform_proposal): invalid local address 22.81.27.2

The log viewer of the client tells me:

The length of the mode Config option is invalid

Received malformed message or negotiation no longer active

What can I do?

I need your help please.

Many thanks

3 REPLIES
Silver

Re: VPN client 3.6.3(A)

This could happen if IP/protocol filters set up on the router. Also check if you have the latest version of the VPN client running.

New Member

Re: VPN client 3.6.3(A)

This seems to be your problem:

*Mar 1 01:51:55.755: IPSEC(validate_transform_proposal): invalid local address 22.81.27.2

This is probably the address you use on the loopback interface?

ip nat inside source list 1 interface Loopback0 overload

You need to define which traffic you want to encrypt:

ip access-list extended VPNRANGE
 permit ip any 192.168.200.218 0.0.0.1
 permit ip any 192.168.200.220 0.0.0.0
 deny ip any any

crypto dynamic-map mapadinamico 10
 set transform-set mitrans
 match address VPNRANGE

New Member

Re: VPN client 3.6.3(A)

I haven't worked with the 827 or 837 for a long while, but try:

int loopback0
 ip address x.x.x.2

crypto map mapaestatico local-address x.x.x.2 (whatever loopback is, if it is truly a static address)
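
An added example, not part of any post in this thread: a small Python parser for `debug crypto ipsec` output that pairs each "invalid local address" rejection with the ESP transforms offered just before it and checks the rejected address against the addresses that terminate the crypto map. It assumes IOS logs this rejection when the client's destination address is not on the crypto-map interface (or its configured local-address); `crypto_map_addrs` is a hypothetical parameter and `203.0.113.9` is a placeholder for the redacted ATM0.1 address.

```python
import re

# Constructed sample in the format of the debug output posted above.
SAMPLE = """\
*Mar 1 01:51:55.727: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 22.81.27.2, remote= 62.83.244.84,
local_proxy= 22.81.27.2/255.255.255.255/0/0 (type=1),
remote_proxy= 192.168.200.219/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-aes 256 esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x2
*Mar 1 01:51:55.731: IPSEC(validate_transform_proposal): invalid local address
22.81.27.2
"""

EVENT = re.compile(r"^\*\w{3}\s+\d+ [\d:.]+: IPSEC\((\w+)\):\s*(.*)$")

def parse_events(text):
    """Split debug output into [function, body] events, folding continuation lines."""
    events = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = EVENT.match(line)
        if m:
            events.append([m.group(1), m.group(2)])
        elif events:
            events[-1][1] += " " + line
    return events

def summarize(text, crypto_map_addrs):
    """Return one finding per rejection: address, offered ESP transforms, address check."""
    findings, offered = [], []
    for func, body in parse_events(text):
        if func == "validate_proposal_request":
            m = re.search(r"protocol= (\w+), transform= ([^,]*?)\s*,", body)
            if m and m.group(1) == "ESP":
                offered.append(m.group(2))
        elif func == "validate_transform_proposal":
            m = re.search(r"invalid local address ([\d.]+)", body)
            if m:
                findings.append({"local": m.group(1), "offered": offered,
                                 "on_crypto_map_interface": m.group(1) in crypto_map_addrs})
            offered = []
    return findings

if __name__ == "__main__":
    for f in summarize(SAMPLE, {"203.0.113.9"}):  # placeholder address (assumption)
        print(f)
```
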
