The VPN client fails to connect to the PIX firewall, and the VPN tunnel is unable to complete Phase 2 negotiations.
The debug crypto ipsec command shows this error message:
IPSEC(validate_transform_proposal): proxy identities not supported
This issue usually occurs if crypto maps are configured with the PIX Device Manager (PDM), because the PDM generates and adds this entry into the crypto map independently:
crypto dynamic-map 20 match address
In order to resolve this issue:
Use the command line to remove this entry from the crypto map by entering the no form of the command. For example:
PIX(config)#no crypto dynamic-map 20 match address
Note: It is necessary to remove the crypto map from the outside interface before any changes are made.
Attempts to connect to the VPN client now work.
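The following Python script is an added example, not part of the original note and not Cisco code. It scans a saved PIX configuration for the `match address` entry described above and prints the commands to remove it, unbinding the affected crypto map from its interface first. The map, ACL and transform-set names in the sample are constructed, and re-applying the crypto map to the interface afterwards is an assumption the note does not state.

```python
import re

# Constructed sample configuration; all names are made up for illustration.
SAMPLE_CONFIG = """\
access-list outside_cryptomap_dyn_20 permit ip any 10.1.1.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
"""

DYN_MATCH = re.compile(r"^crypto dynamic-map (\S+) (\d+) match address (\S+)$")
MAP_DYNAMIC = re.compile(r"^crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)$")
MAP_IFACE = re.compile(r"^crypto map (\S+) interface (\S+)$")


def remediation(config):
    """Return the ordered CLI commands that remove 'match address' entries
    from dynamic crypto maps, or an empty list if none are present."""
    lines = [line.strip() for line in config.splitlines()]

    # Entries of the kind the note attributes to PDM.
    offending = [line for line in lines if DYN_MATCH.match(line)]
    if not offending:
        return []
    dyn_names = {DYN_MATCH.match(line).group(1) for line in offending}

    # Crypto maps that pull in one of the affected dynamic maps.
    affected_maps = set()
    for line in lines:
        m = MAP_DYNAMIC.match(line)
        if m and m.group(2) in dyn_names:
            affected_maps.add(m.group(1))

    # Interface bindings of those crypto maps; per the note, they must be
    # removed before any change is made.
    bindings = [line for line in lines
                if MAP_IFACE.match(line)
                and MAP_IFACE.match(line).group(1) in affected_maps]

    commands = ["no " + b for b in bindings]    # unbind from the interface
    commands += ["no " + o for o in offending]  # remove the match address entry
    commands += bindings                        # re-apply (assumed final step)
    return commands


if __name__ == "__main__":
    for cmd in remediation(SAMPLE_CONFIG):
        print("PIX(config)#" + cmd)
```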