"proxy identities not supported" means that the subnet/host proposed for
the SA does not match between the client and the PIX. I have never set up
L2TP/IPSEC, but check the match address ACL on the PIX and make sure it
matches the setup on the client.
On Sun, 06 Jul 2003 17:24:21 -0400, Hugo Drax wrote:
> Anyone get it to work? I used the wizard and configured the XP machine with
> the preshared key etc., and I get this debug.
>
> (key eng. msg.) dest= 10.200.100.1, src= 10.200.100.11,
> dest_proxy= 10.200.100.1/255.255.255.255/17/0 (type=1),
> src_proxy= 10.200.100.11/255.255.255.255/17/1701 (type=1),
> protocol= ESP, transform= esp-3des esp-md5-hmac ,
> lifedur= 0s and 0kb,
> spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x200
> IPSEC(validate_transform_proposal): proxy identities not supported
> IPSEC(validate_proposal_request): proposal part #1,
> (key eng. msg.) dest= 10.200.100.1, src= 10.200.100.11,
> dest_proxy= 10.200.100.11/255.255.255.255/17/1701 (type=1),
> src_proxy= 10.200.100.1/255.255.255.255/17/0 (type=1),
> protocol= ESP, transform= esp-3des esp-md5-hmac ,
> lifedur= 0s and 0kb,
> spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x200
> IPSEC(validate_transform_proposal): proxy identities not supported
>
> ISAKMP: IPSec policy invalidated proposal
> ISAKMP : Checking IPSec proposal 2
>
> ISAKMP: transform 1, AH_SHA
> ISAKMP: attributes in transform:
> ISAKMP: SA life type in seconds
> ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
> ISAKMP: SA life type in kilobytes
> ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
> ISAKMP: encaps is 2
> ISAKMP: authenticator is HMAC-SHAIPSEC(validate_proposal): transform
> proposal (prot 2, trans 3, hmac_alg 2) not supported
>
> ISAKMP (0): atts not acceptable. Next payload is 0
> ISAKMP (0): skipping next ANDed proposal (2)
> ISAKMP : Checking IPSec proposal 3
>
> ISAKMP: transform 1, AH_MD5
> ISAKMP: attributes in transform:
> ISAKMP: SA life type in seconds
> ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
> ISAKMP: SA life type in kilobytes
> ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
> ISAKMP: encaps is 2
> ISAKMP: authenticator is HMAC-MD5
> ISAKMP (0): atts are acceptable.
> ISAKMP : Checking IPSec proposal 3
>
> ISAKMP: transform 1, ESP_3DES
> ISAKMP: attributes in transform:
> ISAKMP: SA life type in seconds
> ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
> ISAKMP: SA life type in kilobytes
> ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
> ISAKMP: encaps is 2IPSEC(validate_proposal): transform proposal (prot
> 3, trans 3, hmac_alg 0) not supported
>
> ISAKMP (0): atts not acceptable. Next payload is 0
> ISAKMP : Checking IPSec proposal 4
>
> ISAKMP: transform 1, AH_SHA
> ISAKMP: attributes in transform:
> ISAKMP: SA life type in seconds
> ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
> ISAKMP: SA life type in kilobytes
> ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
> ISAKMP: encaps is 2
> ISAKMP: authenticator is HMAC-SHAIPSEC(validate_proposal): transform
> proposal (prot 2, trans 3, hmac_alg 2) not supported
>
> ISAKMP (0): atts not acceptable. Next payload is 0
> ISAKMP (0): skipping next ANDed proposal (4)
> ISAKMP : Checking IPSec proposal 5
>
> ISAKMP: transform 1, AH_MD5
> ISAKMP: attributes in transform:
> ISAKMP: SA life type in seconds
> ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
> ISAKMP: SA life type in kilobytes
> crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
> dpt:500
> ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
> crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
> dpt:500
> ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
> crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
> dpt:500
> ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
> crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
> dpt:500
> ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
> crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
> dpt:500
> ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.transform
> proposal (prot 2, trans 3, hmac_alg 2) not supported
> crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
> dpt:500
> ISAKMP (0): processing DELETE payload. message ID = 2957376203, spi size =
> 16
> ISAKMP (0): deleting SA: src 10.200.100.11, dst 10.200.100.1
> return status is IKMP_NO_ERR_NO_TRANS
> ISADB: reaper checking SA 0xaca474, conn_id = 0 DELETE IT!
>
> VPN Peer: ISAKMP: Peer ip:10.200.100.11/500 Ref cnt decremented to:0 Total
> VPN Peers:1
> VPN Peer: ISAKMP: Deleted peer: ip:10.200.100.11/500 Total VPN peers:0
> crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
> dpt:500
> OAK_MM exchange
> ISAKMP (0): processing SA payload. message ID = 0
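
The comparison suggested in the reply can be done mechanically. The following is an added example, not part of the original posts and not PIX code: it parses the `dest_proxy`/`src_proxy` fields from debug lines in the format quoted above (address/mask/IP protocol/port, where 17 is UDP and 1701 is the L2TP port) and checks them against a simplified model of a local policy. The selector tuples, the two policies and the 192.168.1.0/24 subnet are hypothetical, and "0 means any" is an assumption of this model.

```python
import ipaddress
import re

# Constructed sample in the format of the quoted PIX debug (first proposal).
SAMPLE = (
    "dest_proxy= 10.200.100.1/255.255.255.255/17/0 (type=1),\n"
    "src_proxy= 10.200.100.11/255.255.255.255/17/1701 (type=1),\n"
)
PROXY_RE = re.compile(r"(dest|src)_proxy=\s*([\d.]+)/([\d.]+)/(\d+)/(\d+)")

def selector(cidr, proto=0, port=0):
    """Build a (network, ip_protocol, port) selector; 0 means 'any' here."""
    return (ipaddress.ip_network(cidr, strict=False), proto, port)

def parse_proxies(text):
    """Return {'dest': selector, 'src': selector} from the first proposal seen."""
    found = {}
    for side, addr, mask, proto, port in PROXY_RE.findall(text):
        found.setdefault(side, selector(f"{addr}/{mask}", int(proto), int(port)))
    return found

def admits(policy, proposed):
    """True if the policy selector is at least as wide as the proposed proxy."""
    p_net, p_proto, p_port = policy
    net, proto, port = proposed
    return net.subnet_of(p_net) and p_proto in (0, proto) and p_port in (0, port)

def mismatches(text, local_policy, remote_policy):
    """Names of the sides whose proposed proxy falls outside the policy."""
    prox = parse_proxies(text)
    pairs = (("dest_proxy", local_policy, prox["dest"]),
             ("src_proxy", remote_policy, prox["src"]))
    return [name for name, policy, proposed in pairs if not admits(policy, proposed)]

# Hypothetical policy A: an inside subnet (constructed value), any protocol.
SUBNET_POLICY = (selector("192.168.1.0/24"), selector("0.0.0.0/0"))
# Hypothetical policy B: host-to-host UDP (17) with the client on port 1701.
HOST_POLICY = (selector("10.200.100.1/32", 17), selector("10.200.100.11/32", 17, 1701))

if __name__ == "__main__":
    print(mismatches(SAMPLE, *SUBNET_POLICY))
    print(mismatches(SAMPLE, *HOST_POLICY))
```

A non-empty result names the side of the proposal that the modelled policy would reject, which is the side to compare against the real ACL.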