
bma
New Member

vpn problem

Hi

I am starting to build a peer-to-peer VPN from a 1720 router to a PIX 515. We already have VPN clients to the PIX 515 set up and working. After setting up the peer-to-peer VPN site, I get debug info (please see info 2 below). Can anyone tell me what this means:

IPSEC(validate_transform_proposal): proxy identities not supported
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!

On the router, if I show crypto ipsec sa, I get the info below (please see info 1). Do you think (0.0.0.0/0.0.0.0/1/0) is the proxy identity that makes the problem, and how do I clean it up?

1. show crypto ipsec sa

interface: Ethernet0
Crypto map tag: nolan, local addr. 66.x.x.x

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/1/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/1/0)
current_peer: 12.x.x.x
PERMIT, flags={origin_is_acl,}
.........
local crypto endpt.: 66.x.x.x, remote crypto endpt.: 12.x.x.x
path mtu 1500, media mtu 1500
current outbound spi: 0
.......

local ident (addr/mask/prot/port): (10.20.x.x/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.30.x.x/255.255.255.0/0/0)
current_peer: 12.x.x.x
PERMIT, flags={origin_is_acl,}
.......
local crypto endpt.: 66.x.x.x, remote crypto endpt.: 12.x.x.x
path mtu 1500, media mtu 1500
current outbound spi: 0
...........

2. debug info from PIX

ISAKMP (0): processing SA payload. message ID = 2967232329
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 12.x.x.x, src= 66.x.x.x,
dest_proxy= 0.0.0.0/0.0.0.0/1/0 (type=4),
src_proxy= 0.0.0.0/0.0.0.0/1/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): proxy identities not supported
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 12.x.x.x, src= 66.x.x.x,
dest_proxy= 0.0.0.0/0.0.0.0/1/0 (type=4),
src_proxy= 0.0.0.0/0.0.0.0/1/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): proxy identities not supported
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
......

thanks

ben

3 REPLIES
New Member

Re: vpn problem

It sounds like your dynamic crypto map is picking up the peer-to-peer session. Make sure your dynamic map ID is higher than any other peer-to-peer crypto map ID. The ID is used as a priority, so the lowest crypto map ID will be checked against that transform first.
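An added PIX 6.x configuration example (not from any poster in this thread) laying out the ordering the reply above describes: the static peer-to-peer entry gets the lower sequence number so it is checked first, and the dynamic map for the VPN clients sits at a higher one. The names (mymap, dynmap, l2l, nonat, myset), the sequence numbers and the pre-shared key are assumptions; the 10.20.0.0/24 and 10.30.0.0/24 networks, the 66.x.x.x peer and the esp-des esp-md5-hmac transform come from the thread.

```cisco
! Constructed example; names, sequence numbers and the key are assumptions,
! not the poster's actual configuration.

! Interesting traffic for the peer-to-peer tunnel, seen from the PIX side:
! these are the proxy identities the remote router must propose.
access-list l2l permit ip 10.30.0.0 255.255.255.0 10.20.0.0 255.255.255.0

! Keep LAN-to-LAN traffic out of NAT so the proxy identities still match.
access-list nonat permit ip 10.30.0.0 255.255.255.0 10.20.0.0 255.255.255.0
nat (inside) 0 access-list nonat

crypto ipsec transform-set myset esp-des esp-md5-hmac

! Dynamic map for the VPN clients: no match address, so it accepts whatever
! proxy identity a client proposes.
crypto dynamic-map dynmap 10 set transform-set myset

! Static peer-to-peer entry at the LOWER sequence number (10): evaluated
! first, and only matches proposals whose proxies fit access-list l2l.
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address l2l
crypto map mymap 10 set peer 66.x.x.x
crypto map mymap 10 set transform-set myset

! Dynamic entry at a HIGHER sequence number (50): consulted only after the
! static entries fail to match, so it catches the clients, not the peer.
! The reply above attributes the error to having these numbers reversed.
crypto map mymap 50 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside

isakmp enable outside
isakmp key PLACEHOLDER_PSK address 66.x.x.x netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
```

After applying it, "show crypto map" should list the mymap 10 entry before the mymap 50 dynamic entry, and "show crypto ipsec sa" should show only the 10.30.0.0/24 to 10.20.0.0/24 identities for peer 66.x.x.x.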

bma
New Member

Re: vpn problem

Hi Joels

After changing the ID from 50 to 10 for the peer map, that error is fixed. I got debug info from the PIX, please see below. From the debug info, the tunnel looks OK, but I still cannot ping or make any connection from either side. What do you think? I have AAA RADIUS running; how does peer-to-peer pass the RADIUS check? Or do I have to disable RADIUS for the peer network? I still get "retransmitting phase 2..." or phase 1 in the debug info from both sides. What do you think?

I have an access-list permit for the 10.20.0.0 and 10.30.0.0 networks.

Thank you very much!

Ben

ISAKMP (0): Creating IPSec SAs
inbound SA from 66.x.x.x to 12.x.x.x (proxy 10.20.0.0 to 10.30.0.0)
has spi 867901758 and conn_id 4 and flags 4
lifetime of 3600 seconds
lifetime of 4608000 kilobytes
outbound SA from 12.x.x.x to 66.x.x.x (proxy 10.30.0.0 to 10.20.0.0)
has spi 329093523 and conn_id 3 and flags 4
lifetime of 3600 seconds
lifetime of 4608000 kilobytes
IPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
(key eng. msg.) dest= 12.x.x.x, src= 66.x.x.x,
dest_proxy= 10.30.0.0/255.255.255.0/0/0 (type=4),
src_proxy= 10.20.0.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x33bb213e(867901758), conn_id= 4, keysize= 0, flags= 0x4
IPSEC(initialize_sas): ,
(key eng. msg.) src= 12.x.x.x, dest= 66.x.x.x,
src_proxy= 10.30.0.0/255.255.255.0/0/0 (type=4),
dest_proxy= 10.20.0.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x139d9193(329093523), conn_id= 3, keysize= 0, flags= 0x4
return status is IKMP_NO_ERROR
ISAKMP (0): retransmitting phase 2...

New Member

Re: vpn problem

Yup, same problem here! I am doing a similar setup with a PIX 515 and a 7204. I also have a bunch of dynamic clients connecting just fine to my PIX.

Also, if anyone knows how to get the Unified Client to work behind a NATed firewall/router (Netscreen 100), let me know! Thanks!
