VPN Client: proxy identities not supported

marcosorfila
Level 1

Phase 1 is complete since I see this message in the debug output:

*Jan 17 19:41:04.618: ISAKMP:(2029):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

The checking of the IPSec proposal fails because of "proxy identities not supported":

=[ BEGIN debug output ]====================================================================

*Jan 17 19:41:04.634: ISAKMP:(2029):Checking IPSec proposal 4

*Jan 17 19:41:04.634: ISAKMP: transform 1, ESP_AES

*Jan 17 19:41:04.634: ISAKMP: attributes in transform:

*Jan 17 19:41:04.634: ISAKMP: authenticator is HMAC-SHA

*Jan 17 19:41:04.634: ISAKMP: key length is 128

*Jan 17 19:41:04.634: ISAKMP: encaps is 1 (Tunnel)

*Jan 17 19:41:04.634: ISAKMP: SA life type in seconds

*Jan 17 19:41:04.634: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B

*Jan 17 19:41:04.634: ISAKMP:(2029):atts are acceptable.

*Jan 17 19:41:04.634: ISAKMP:(2029):Checking IPSec proposal 4

*Jan 17 19:41:04.634: ISAKMP:(2029):transform 1, IPPCP LZS

*Jan 17 19:41:04.634: ISAKMP: attributes in transform:

*Jan 17 19:41:04.634: ISAKMP: encaps is 1 (Tunnel)

*Jan 17 19:41:04.634: ISAKMP: SA life type in seconds

*Jan 17 19:41:04.634: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B

*Jan 17 19:41:04.634: ISAKMP:(2029):atts are acceptable.

*Jan 17 19:41:04.634: IPSEC(validate_proposal_request): proposal part #1

*Jan 17 19:41:04.634: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) INBOUND local= 200.40.164.178, remote= 200.40.164.177,

local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

remote_proxy= 192.168.101.22/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0

*Jan 17 19:41:04.634: IPSEC(validate_proposal_request): proposal part #2

*Jan 17 19:41:04.638: IPSEC(validate_proposal_request): proposal part #2,

(key eng. msg.) INBOUND local= 200.40.164.178, remote= 200.40.164.177,

local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

remote_proxy= 192.168.101.22/255.255.255.255/0/0 (type=1),

protocol= PCP, transform= comp-lzs (Tunnel),

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

*Jan 17 19:41:04.638: IPSEC(crypto_ipsec_process_proposal): proxy identities not supported

*Jan 17 19:41:04.638: ISAKMP:(2029): IPSec policy invalidated proposal with error 32

=[ END debug output ]======================================================================

I see that "local_proxy= 0.0.0.0/0.0.0.0/0/0", but it should have the IP address of the router internal interface.

1 Reply

marcosorfila
Level 1

Well, finally a colleague found the cause of the problem: I had added a "match address" command to the "crypto dynamic-map" for the RemoteAccess VPN.

The "match address" command must be used only with VPN L2L.
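When triaging this error, the proxy identities the peer proposed are what has to be compared against any ACL referenced by "match address". The script below is an added example, not part of the original thread or any Cisco tooling: it pulls those selectors out of the debug lines quoted in the question. The names `to_network` and `rejected_proxy_ids` are hypothetical, and the `address/mask/protocol/port` reading of the proxy fields is assumed from the log lines shown.

```python
import ipaddress
import re

# Lines taken from the debug output in the question (abridged, blank lines removed).
SAMPLE = """\
*Jan 17 19:41:04.634: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 200.40.164.178, remote= 200.40.164.177,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 192.168.101.22/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
*Jan 17 19:41:04.638: IPSEC(validate_proposal_request): proposal part #2,
(key eng. msg.) INBOUND local= 200.40.164.178, remote= 200.40.164.177,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 192.168.101.22/255.255.255.255/0/0 (type=1),
protocol= PCP, transform= comp-lzs (Tunnel),
*Jan 17 19:41:04.638: IPSEC(crypto_ipsec_process_proposal): proxy identities not supported
"""

# "key= value" pairs as they appear in the (key eng. msg.) continuation lines.
FIELD = re.compile(r"\b(local_proxy|remote_proxy|local|remote|protocol)= ([^,\s]+)")

def to_network(proxy):
    # Assumed layout: address/mask/protocol/port, e.g. 0.0.0.0/0.0.0.0/0/0
    addr, mask, _proto, _port = proxy.split("/")
    return ipaddress.ip_network(f"{addr}/{mask}")

def rejected_proxy_ids(log):
    """Return the proposal parts that precede a 'proxy identities not supported' line."""
    pending, rejected = [], []
    for line in log.splitlines():
        if "validate_proposal_request" in line:
            pending.append({})          # a new proposal part starts here
        if pending:
            pending[-1].update(FIELD.findall(line))
        if "proxy identities not supported" in line:
            rejected += [p for p in pending if "local_proxy" in p]
            pending = []
    for p in rejected:
        for key in ("local_proxy", "remote_proxy"):
            p[key] = to_network(p[key])  # normalise mask notation to a prefix
    return rejected

if __name__ == "__main__":
    for p in rejected_proxy_ids(SAMPLE):
        print(p["protocol"], p["local_proxy"], "<->", p["remote_proxy"])
```
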