New Member

VPN Client: proxy identities not supported

Phase 1 is complete since I see this message in the debug output:

*Jan 17 19:41:04.618: ISAKMP:(2029):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

The checking of the IPSec proposal fails because of "proxy identities not supported":

=[ BEGIN debug output ]====================================================================

*Jan 17 19:41:04.634: ISAKMP:(2029):Checking IPSec proposal 4

*Jan 17 19:41:04.634: ISAKMP: transform 1, ESP_AES

*Jan 17 19:41:04.634: ISAKMP: attributes in transform:

*Jan 17 19:41:04.634: ISAKMP: authenticator is HMAC-SHA

*Jan 17 19:41:04.634: ISAKMP: key length is 128

*Jan 17 19:41:04.634: ISAKMP: encaps is 1 (Tunnel)

*Jan 17 19:41:04.634: ISAKMP: SA life type in seconds

*Jan 17 19:41:04.634: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B

*Jan 17 19:41:04.634: ISAKMP:(2029):atts are acceptable.

*Jan 17 19:41:04.634: ISAKMP:(2029):Checking IPSec proposal 4

*Jan 17 19:41:04.634: ISAKMP:(2029):transform 1, IPPCP LZS

*Jan 17 19:41:04.634: ISAKMP: attributes in transform:

*Jan 17 19:41:04.634: ISAKMP: encaps is 1 (Tunnel)

*Jan 17 19:41:04.634: ISAKMP: SA life type in seconds

*Jan 17 19:41:04.634: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B

*Jan 17 19:41:04.634: ISAKMP:(2029):atts are acceptable.

*Jan 17 19:41:04.634: IPSEC(validate_proposal_request): proposal part #1

*Jan 17 19:41:04.634: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) INBOUND local= 200.40.164.178, remote= 200.40.164.177,

local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

remote_proxy= 192.168.101.22/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0

*Jan 17 19:41:04.634: IPSEC(validate_proposal_request): proposal part #2

*Jan 17 19:41:04.638: IPSEC(validate_proposal_request): proposal part #2,

(key eng. msg.) INBOUND local= 200.40.164.178, remote= 200.40.164.177,

local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

remote_proxy= 192.168.101.22/255.255.255.255/0/0 (type=1),

protocol= PCP, transform= comp-lzs (Tunnel),

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

*Jan 17 19:41:04.638: IPSEC(crypto_ipsec_process_proposal): proxy identities not supported

*Jan 17 19:41:04.638: ISAKMP:(2029): IPSec policy invalidated proposal with error 32

=[ END debug output ]======================================================================

I see that "local_proxy= 0.0.0.0/0.0.0.0/0/0", but it should have the IP address of the router internal interface.

1 REPLY
New Member

Re: VPN Client: proxy identities not supported

Well, finally a colleague found the cause of the problem: I had added a "match address" command to the "crypto dynamic-map" for the RemoteAccess VPN.

The "match address" command must be used only with VPN L2L.

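A small triage script for this kind of debug capture, added here as an example and not part of the original thread: it pulls the proposed selectors (`local_proxy` / `remote_proxy`) out of the `validate_proposal_request` block that precedes a `crypto_ipsec_process_proposal` rejection, so they can be compared with the ACL that a `match address` line references. The function name `triage` and the output field names are assumptions; the sample lines are copied from the post above.

```python
import ipaddress
import re

# Sample input: lines copied from the debug output in the post above.
SAMPLE = """\
*Jan 17 19:41:04.638: IPSEC(validate_proposal_request): proposal part #2,
(key eng. msg.) INBOUND local= 200.40.164.178, remote= 200.40.164.177,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 192.168.101.22/255.255.255.255/0/0 (type=1),
protocol= PCP, transform= comp-lzs (Tunnel),
*Jan 17 19:41:04.638: IPSEC(crypto_ipsec_process_proposal): proxy identities not supported
"""

# IPsec DOI identification types (RFC 2407) seen in the "(type=N)" suffix.
ID_TYPES = {1: "ID_IPV4_ADDR", 4: "ID_IPV4_ADDR_SUBNET"}

PEERS_RE = re.compile(r"local= ([\d.]+), remote= ([\d.]+)")
# Selector layout in the debug line, read here as address/mask/protocol/port (type=N).
PROXY_RE = re.compile(r"(local|remote)_proxy= ([\d.]+)/([\d.]+)/(\d+)/(\d+) \(type=(\d+)\)")
REJECT_RE = re.compile(r"IPSEC\(crypto_ipsec_process_proposal\): (.+)$")


def triage(text):
    """Return one dict per rejected proposal, with the selectors the peer proposed."""
    findings, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if m := PEERS_RE.search(line):
            # A new "key eng. msg." block starts: reset the collected selectors.
            current = {"local_peer": m[1], "remote_peer": m[2]}
        for side, addr, mask, proto, port, id_type in PROXY_RE.findall(line):
            # Dotted mask is converted to a prefix length; strict=False tolerates host bits.
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            current[f"{side}_proxy"] = str(net)
            current[f"{side}_type"] = ID_TYPES.get(int(id_type), f"type {id_type}")
            current[f"{side}_proto_port"] = (int(proto), int(port))
        if m := REJECT_RE.search(line):
            findings.append({**current, "reason": m[1]})
            current = {}
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"rejected: {f['reason']}")
        print(f"  peers   {f['local_peer']} <- {f['remote_peer']}")
        print(f"  local   {f['local_proxy']} ({f['local_type']})")
        print(f"  remote  {f['remote_proxy']} ({f['remote_type']})")
```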