Velocity Reviews

Velocity Reviews (http://www.velocityreviews.com/forums/index.php)
-   Cisco (http://www.velocityreviews.com/forums/f27-cisco.html)
-   -   pix 6.3 and L2TP/preshared keys + Windows XP problem (http://www.velocityreviews.com/forums/t28875-pix-6-3-and-l2tp-preshared-keys-windows-xp-problem.html)

Rik Bain 07-06-2003 06:30 PM

Re: pix 6.3 and L2TP/preshared keys + Windows XP problem
 
"proxy identities not supported" means that the subnet/host proposed for
the SA do not match between the client and the pix. I have never setup
L2TP/IPSEC, but check the match address acl on the pix and make sure it
matches the setup on the client.


On Sun, 06 Jul 2003 17:24:21 -0400, Hugo Drax wrote:

> anyone get it to work. I used the wizard and configured the XP machine with
> the preshared key etc.. and I get this debug.
>
>
>
>
>
> (key eng. msg.) dest= 10.200.100.1, src= 10.200.100.11,
> dest_proxy= 10.200.100.1/255.255.255.255/17/0 (type=1),
> src_proxy= 10.200.100.11/255.255.255.255/17/1701 (type=1),
> protocol= ESP, transform= esp-3des esp-md5-hmac ,
> lifedur= 0s and 0kb,
> spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x200
> IPSEC(validate_transform_proposal): proxy identities not supported
> IPSEC(validate_proposal_request): proposal part #1,
> (key eng. msg.) dest= 10.200.100.1, src= 10.200.100.11,
> dest_proxy= 10.200.100.11/255.255.255.255/17/1701 (type=1),
> src_proxy= 10.200.100.1/255.255.255.255/17/0 (type=1),
> protocol= ESP, transform= esp-3des esp-md5-hmac ,
> lifedur= 0s and 0kb,
> spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x200
> IPSEC(validate_transform_proposal): proxy identities not supported
>
> ISAKMP: IPSec policy invalidated proposal
> ISAKMP : Checking IPSec proposal 2
>
> ISAKMP: transform 1, AH_SHA
> ISAKMP: attributes in transform:
> ISAKMP: SA life type in seconds
> ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
> ISAKMP: SA life type in kilobytes
> ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
> ISAKMP: encaps is 2
> ISAKMP: authenticator is HMAC-SHAIPSEC(validate_proposal): transform
> proposal (prot 2, trans 3, hmac_alg 2) not supported
>
> ISAKMP (0): atts not acceptable. Next payload is 0
> ISAKMP (0): skipping next ANDed proposal (2)
> ISAKMP : Checking IPSec proposal 3
>
> ISAKMP: transform 1, AH_MD5
> ISAKMP: attributes in transform:
> ISAKMP: SA life type in seconds
> ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
> ISAKMP: SA life type in kilobytes
> ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
> ISAKMP: encaps is 2
> ISAKMP: authenticator is HMAC-MD5
> ISAKMP (0): atts are acceptable.
> ISAKMP : Checking IPSec proposal 3
>
> ISAKMP: transform 1, ESP_3DES
> ISAKMP: attributes in transform:
> ISAKMP: SA life type in seconds
> ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
> ISAKMP: SA life type in kilobytes
> ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
> ISAKMP: encaps is 2IPSEC(validate_proposal): transform proposal (prot
> 3, trans 3, hmac_alg 0) not supported
>
> ISAKMP (0): atts not acceptable. Next payload is 0
> ISAKMP : Checking IPSec proposal 4
>
> ISAKMP: transform 1, AH_SHA
> ISAKMP: attributes in transform:
> ISAKMP: SA life type in seconds
> ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
> ISAKMP: SA life type in kilobytes
> ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
> ISAKMP: encaps is 2
> ISAKMP: authenticator is HMAC-SHAIPSEC(validate_proposal): transform
> proposal (prot 2, trans 3, hmac_alg 2) not supported
>
> ISAKMP (0): atts not acceptable. Next payload is 0
> ISAKMP (0): skipping next ANDed proposal (4)
> ISAKMP : Checking IPSec proposal 5
>
> ISAKMP: transform 1, AH_MD5
> ISAKMP: attributes in transform:
> ISAKMP: SA life type in seconds
> ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
> ISAKMP: SA life type in kilobytes
> crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
> dpt:500
> ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
> crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
> dpt:500
> ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
> crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
> dpt:500
> ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
> crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
> dpt:500
> ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
> crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
> dpt:500
> ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.transform
> proposal (prot 2, trans 3, hmac_alg 2) not supported
> crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
> dpt:500
> ISAKMP (0): processing DELETE payload. message ID = 2957376203, spi size =
> 16
> ISAKMP (0): deleting SA: src 10.200.100.11, dst 10.200.100.1
> return status is IKMP_NO_ERR_NO_TRANS
> ISADB: reaper checking SA 0xaca474, conn_id = 0 DELETE IT!
>
> VPN Peer: ISAKMP: Peer ip:10.200.100.11/500 Ref cnt decremented to:0 Total
> VPN Peers:1
> VPN Peer: ISAKMP: Deleted peer: ip:10.200.100.11/500 Total VPN peers:0
> crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
> dpt:500
> OAK_MM exchange
> ISAKMP (0): processing SA payload. message ID = 0



Hugo Drax 07-06-2003 09:24 PM

pix 6.3 and L2TP/preshared keys + Windows XP problem
 
anyone get it to work. I used the wizard and configured the XP machine with
the preshared key etc.. and I get this debug.





(key eng. msg.) dest= 10.200.100.1, src= 10.200.100.11,
dest_proxy= 10.200.100.1/255.255.255.255/17/0 (type=1),
src_proxy= 10.200.100.11/255.255.255.255/17/1701 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x200
IPSEC(validate_transform_proposal): proxy identities not supported
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 10.200.100.1, src= 10.200.100.11,
dest_proxy= 10.200.100.11/255.255.255.255/17/1701 (type=1),
src_proxy= 10.200.100.1/255.255.255.255/17/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x200
IPSEC(validate_transform_proposal): proxy identities not supported

ISAKMP: IPSec policy invalidated proposal
ISAKMP : Checking IPSec proposal 2

ISAKMP: transform 1, AH_SHA
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
ISAKMP: encaps is 2
ISAKMP: authenticator is HMAC-SHAIPSEC(validate_proposal): transform
proposal (prot 2, trans 3, hmac_alg 2) not supported

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (2)
ISAKMP : Checking IPSec proposal 3

ISAKMP: transform 1, AH_MD5
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
ISAKMP: encaps is 2
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
ISAKMP : Checking IPSec proposal 3

ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
ISAKMP: encaps is 2IPSEC(validate_proposal): transform proposal (prot
3, trans 3, hmac_alg 0) not supported

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 4

ISAKMP: transform 1, AH_SHA
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
ISAKMP: encaps is 2
ISAKMP: authenticator is HMAC-SHAIPSEC(validate_proposal): transform
proposal (prot 2, trans 3, hmac_alg 2) not supported

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (4)
ISAKMP : Checking IPSec proposal 5

ISAKMP: transform 1, AH_MD5
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
ISAKMP: SA life type in kilobytes
crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
dpt:500
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
dpt:500
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
dpt:500
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
dpt:500
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
dpt:500
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.transform
proposal (prot 2, trans 3, hmac_alg 2) not supported
crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
dpt:500
ISAKMP (0): processing DELETE payload. message ID = 2957376203, spi size =
16
ISAKMP (0): deleting SA: src 10.200.100.11, dst 10.200.100.1
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0xaca474, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:10.200.100.11/500 Ref cnt decremented to:0 Total
VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:10.200.100.11/500 Total VPN peers:0
crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0




All times are GMT. The time now is 09:03 AM.

Powered by vBulletin®. Copyright ©2000 - 2014, vBulletin Solutions, Inc.
SEO by vBSEO ©2010, Crawlability, Inc.