10-03-2005 07:53 AM - edited 02-21-2020 02:01 PM
I am trying to set up a VPN connection to a router with no success. The connection never fully establishes in Phase II. This is what I am using for the configuration. I am also attaching configs and log files.
Cisco VPN client v4.0.3(C)
Cisco 1750 IOS v123-16 w/3des
Cisco Secure ACS for Windows v3.2.1 using the following document URL for configuration.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949ba.shtml
10-03-2005 08:30 PM
Interesting problem. The main issue is here:
Oct 3 11:05:56.070 EST: ISAKMP (0:1): Checking IPSec proposal 12
Oct 3 11:05:56.070 EST: ISAKMP: transform 1, ESP_3DES
Oct 3 11:05:56.070 EST: ISAKMP: attributes in transform:
Oct 3 11:05:56.070 EST: ISAKMP: authenticator is HMAC-SHA
Oct 3 11:05:56.074 EST: ISAKMP: encaps is 1 (Tunnel)
Oct 3 11:05:56.074 EST: ISAKMP: SA life type in seconds
Oct 3 11:05:56.074 EST: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
Oct 3 11:05:56.074 EST: ISAKMP (0:1): atts are acceptable.
Oct 3 11:05:56.074 EST: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= "router outside IP", remote= ""client Public IP"",
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 172.16.1.6/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
Oct 3 11:05:56.078 EST: IPSEC(kei_proxy): head = VPN, map->ivrf = , kei->ivrf =
Oct 3 11:05:56.078 EST: IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x2
The router checks through all the proposals sent by the client, until it finally comes to the matching one (3DES/SHA), and then it fails with "invalid transform proposal flags".
I believe this is due to you having "set pfs group2" under your dynamic crypto map on the router. The client will not propose to use this as it doesn't support it, and the router will never step down and accept what it sees as a lower security offering. It assumes that if you have configured PFS Group2 then you must want to use it, and it will therefore not accept a request without that.
You will have to remove PFS Group2 off the router and both the VPN Client and the router will then agree to not use PFS.
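Added example (not from this thread): a small Python triage script that walks `debug crypto isakmp` / `debug crypto ipsec` output like the excerpt above and flags a Phase 2 proposal whose attributes were accepted but which validate_transform_proposal then rejected. The sample log is a constructed, abridged copy of the quoted excerpt; the hint it attaches is the reply's PFS diagnosis, not something decoded from the flags value.

```python
import re

# Constructed sample, abridged from the debug excerpt quoted in the reply above.
# Proposal 11 is rejected at attribute level; proposal 12 matches the transform
# set but is then thrown out by validate_transform_proposal.
SAMPLE_LOG = """\
Oct 3 11:05:56.066 EST: ISAKMP (0:1): Checking IPSec proposal 11
Oct 3 11:05:56.066 EST: ISAKMP: transform 1, ESP_3DES
Oct 3 11:05:56.066 EST: ISAKMP: authenticator is HMAC-MD5
Oct 3 11:05:56.066 EST: ISAKMP (0:1): atts are not acceptable. Next payload is 3
Oct 3 11:05:56.070 EST: ISAKMP (0:1): Checking IPSec proposal 12
Oct 3 11:05:56.070 EST: ISAKMP: transform 1, ESP_3DES
Oct 3 11:05:56.070 EST: ISAKMP: authenticator is HMAC-SHA
Oct 3 11:05:56.074 EST: ISAKMP: encaps is 1 (Tunnel)
Oct 3 11:05:56.074 EST: ISAKMP (0:1): atts are acceptable.
Oct 3 11:05:56.078 EST: IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x2
"""

PROPOSAL_RE = re.compile(r"Checking IPSec proposal (\d+)")
TRANSFORM_RE = re.compile(r"ISAKMP: transform \d+, (\S+)")
AUTH_RE = re.compile(r"authenticator is (\S+)")
ACCEPT_RE = re.compile(r"atts are acceptable")
REJECT_RE = re.compile(r"invalid transform proposal flags -- (0x[0-9a-fA-F]+)")

# Hint text mirrors the diagnosis given in the reply: the router's crypto map
# demands PFS that the client never proposes.
PFS_HINT = ("attributes matched but the transform proposal was rejected; "
            "check for 'set pfs' on the router's dynamic crypto map")


def find_phase2_rejections(log_text):
    """Return one dict per proposal that passed the attribute check and was
    then rejected by validate_transform_proposal."""
    findings, current = [], None
    for line in log_text.splitlines():
        if m := PROPOSAL_RE.search(line):
            current = {"proposal": int(m.group(1)), "transform": None,
                       "auth": None, "atts_ok": False}
        elif current is None:
            continue
        elif m := TRANSFORM_RE.search(line):
            current["transform"] = m.group(1)
        elif m := AUTH_RE.search(line):
            current["auth"] = m.group(1)
        elif ACCEPT_RE.search(line):
            current["atts_ok"] = True
        elif (m := REJECT_RE.search(line)) and current["atts_ok"]:
            current["flags"], current["hint"] = m.group(1), PFS_HINT
            findings.append(current)
            current = None
    return findings


if __name__ == "__main__":
    for f in find_phase2_rejections(SAMPLE_LOG):
        print(f"proposal {f['proposal']} ({f['transform']}/{f['auth']}) "
              f"rejected with flags {f['flags']}: {f['hint']}")
```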
10-05-2005 12:07 PM
Thanks for the tip. I have connectivity now since I removed the pfs group command.