VPN client to Router not working (NEED HELP)

ecarrasquillo
Level 1

I am trying to set up a VPN connection to a router with no success. The connection never fully establishes on Phase II. This is what I am using for configuration. I am also attaching configs and log files as well.

Cisco VPN client v4.0.3(C)

Cisco 1750 IOS v123-16 w/3des

Cisco Secure ACS for Windows v3.2.1 using the following document URL for configuration.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949ba.shtml

2 Replies

gfullage
Cisco Employee

Interesting problem. The main issue is here:

Oct 3 11:05:56.070 EST: ISAKMP (0:1): Checking IPSec proposal 12
Oct 3 11:05:56.070 EST: ISAKMP: transform 1, ESP_3DES
Oct 3 11:05:56.070 EST: ISAKMP: attributes in transform:
Oct 3 11:05:56.070 EST: ISAKMP: authenticator is HMAC-SHA
Oct 3 11:05:56.074 EST: ISAKMP: encaps is 1 (Tunnel)
Oct 3 11:05:56.074 EST: ISAKMP: SA life type in seconds
Oct 3 11:05:56.074 EST: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
Oct 3 11:05:56.074 EST: ISAKMP (0:1): atts are acceptable.
Oct 3 11:05:56.074 EST: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= "router outside IP", remote= ""client Public IP"",
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 172.16.1.6/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
Oct 3 11:05:56.078 EST: IPSEC(kei_proxy): head = VPN, map->ivrf = , kei->ivrf =
Oct 3 11:05:56.078 EST: IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x2

The router checks through all the proposals sent by the client, until it finally comes to the matching one (3DES/SHA), and then it fails with "invalid transform proposal flags".

I believe this is due to you having "set pfs group2" under your dynamic crypto map on the router. The client will not propose to use this as it doesn't support it, and the router will never step down and accept what it sees as a lower security offering. It assumes that if you have configured PFS Group2 then you must want to use it, and it will therefore not accept a request without that.

You will have to remove PFS Group2 off the router and both the VPN Client and the router will then agree to not use PFS.
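As an added example (not part of this thread or of Cisco's tooling), a small Python triage script that applies the reasoning in the reply above to a debug transcript: it walks the "Checking IPSec proposal" blocks and flags the case where ISAKMP finds the attributes acceptable but IPsec transform validation then rejects the proposal. The sample transcript is constructed from the lines quoted above; the extra ESP_AES proposal and the verdict strings are my own assumptions.

```python
import re
# Constructed sample modelled on the "debug crypto isakmp"/"debug crypto ipsec"
# excerpt quoted above; proposal 11 (ESP_AES) is invented so that one proposal
# fails earlier, at ISAKMP attribute checking, and one fails at IPsec validation.
SAMPLE_DEBUG = """\
Oct 3 11:05:56.060 EST: ISAKMP (0:1): Checking IPSec proposal 11
Oct 3 11:05:56.060 EST: ISAKMP: transform 1, ESP_AES
Oct 3 11:05:56.060 EST: ISAKMP (0:1): atts not acceptable. Next payload is 3
Oct 3 11:05:56.070 EST: ISAKMP (0:1): Checking IPSec proposal 12
Oct 3 11:05:56.070 EST: ISAKMP: transform 1, ESP_3DES
Oct 3 11:05:56.074 EST: ISAKMP (0:1): atts are acceptable.
Oct 3 11:05:56.074 EST: IPSEC(validate_proposal_request): proposal part #1,
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
Oct 3 11:05:56.078 EST: IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x2
"""
PROPOSAL_RE = re.compile(r"Checking IPSec proposal (\d+)")
TRANSFORM_RE = re.compile(r"ISAKMP: transform \d+, (\S+)")
FLAGS_RE = re.compile(r"flags= (0x[0-9A-Fa-f]+)")
REJECT_RE = re.compile(r"IPSEC\(validate_transform_proposal\): (.+)")

def parse_proposals(debug_text):
    """Group lines by 'Checking IPSec proposal N' and record each verdict."""
    proposals, cur = [], {}   # lines before the first proposal go to a throwaway dict
    for line in debug_text.splitlines():
        if m := PROPOSAL_RE.search(line):
            cur = {"number": int(m.group(1)), "transform": "",
                   "isakmp_ok": False, "flags": "", "rejection": ""}
            proposals.append(cur)
        elif m := TRANSFORM_RE.search(line):
            cur["transform"] = m.group(1)
        elif "atts are acceptable" in line:   # "atts not acceptable" does not match
            cur["isakmp_ok"] = True
        elif m := FLAGS_RE.search(line):      # key engine message, e.g. flags= 0x2
            cur["flags"] = m.group(1)
        elif m := REJECT_RE.search(line):
            cur["rejection"] = m.group(1)
    return proposals

def diagnose(debug_text):
    """Return (verdict, detail). The thread's failure is a proposal that passes the ISAKMP
    attribute match and is then rejected by IPsec validation: a router-side phase 2 policy."""
    for p in parse_proposals(debug_text):
        if p["isakmp_ok"] and p["rejection"]:
            return ("phase2-policy-mismatch", f"proposal {p['number']} ({p['transform']}) "
                    f"rejected: {p['rejection']}; compare 'set pfs' on the dynamic map with the client's offer")
        if p["isakmp_ok"]:
            return ("accepted", f"proposal {p['number']} ({p['transform']}) accepted")
    return ("no-acceptable-proposal", "no proposal passed the ISAKMP attribute match")
```

Dropping `set pfs` does make the two ends agree, but it also gives up forward secrecy for the phase 2 keys, so it is a policy decision to record rather than a silent default.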

Thanks for the tip. I have connectivity now since I removed the pfs group command.