Velocity Reviews - Computer Hardware Reviews

w2k client --> cisco pix l2tp ipsec vpn

daniel
11-20-2003
Hi,

Could anyone help me and shed some light on a problem I am having?
I am trying to set up a remote access VPN as follows:

w2k client --> cisco pix 515e using l2tp/ipsec

The w2k client is connected to the net via an ADSL router with a LAN net of
192.168.0.0 255.255.255.0 and an external IP s.s.s.s (in the debug);
the PIX is (d.d.d.d).

I have installed the MS cert server and have installed a cert onto the Cisco
and the w2k client. I have read just about everything I can find and have
hit the following problem.

The VPN connection from the w2k client hangs and the PIX seems to be showing
a debug message:
"invalid transform proposal flags"

The only ref to this error seems to point to the PIX being incorrectly
configured to use tunnel mode, but I have set

"crypto ipsec transform-set trans01 mode transport"

(IKE seems to be working in the debug.)

I'm stumped and have spent 2 weeks getting this far :O(

Help

Dan

Debug follows:
########

ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload
next-payload : 6
type : 2
protocol : 17
port : 500
length : 32
ISAKMP (0): Total payload length: 36
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
crypto_isakmp_process_block: src s.s.s.s, dest d.d.d.d
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 2952273358

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
ISAKMP: encaps is 2
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal
part #1,
(key eng. msg.) dest= d.d.d.d, src= s.s.s.s,
dest_proxy= d.d.d.d/255.255.255.255/17/0 (type=1),
src_proxy= 192.168.0.3/255.255.255.255/17/1701 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x0
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= d.d.d.d, src= s.s.s.s,
dest_proxy= 192.168.0.3/255.255.255.255/17/1701 (type=1),
src_proxy= d.d.d.d/255.255.255.255/17/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x0

ISAKMP: IPSec policy invalidated proposal
ISAKMP : Checking IPSec proposal 2

########

Setup follows:

########

vpdn group vpn01 accept dialin l2tp
vpdn group vpn01 ppp authentication mschap

vpdn group vpn01 client authentication local
vpdn username xxxxxxxx password xxxxxxxx

ip local pool vpn01_pool 10.1.111.1-10.1.111.100

vpdn group vpn01 client configuration address local vpn01_pool
vpdn group vpn01 client configuration dns 10.1.50.125 10.1.50.127
vpdn group vpn01 client configuration wins 10.1.50.22 10.1.50.46
vpdn enable outside

access-list acl_vpn01_inside_outbound_nat0 permit ip any 10.1.111.0 255.255.255.0
nat (inside) 0 access-list acl_vpn01_inside_outbound_nat0

isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp enable outside

access-list acl_vpn01_outside_cryptomap_dyn_20 permit ip any 10.1.111.0 255.255.255.0
access-list acl_vpn01_outside_cryptomap_dyn_20 permit ip host <d.d.d.d> 192.168.0.0 255.255.255.0

crypto ipsec transform-set trans01 esp-3des esp-sha-hmac
crypto ipsec transform-set trans01 mode transport
crypto ipsec transform-set trans02 esp-3des esp-md5-hmac
crypto ipsec transform-set trans02 mode transport
crypto ipsec transform-set trans03 esp-des esp-sha-hmac
crypto ipsec transform-set trans03 mode transport
crypto ipsec transform-set trans04 esp-des esp-md5-hmac
crypto ipsec transform-set trans04 mode transport

crypto dynamic-map outside_dyn_map 20 match address acl_vpn01_outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set trans01 trans02 trans03 trans04
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 3600

crypto map outside_map 200 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

sysopt connection permit-l2tp
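
The debug and config in the post are concrete enough to cross-check mechanically. The script below is an added example (not the poster's code nor anything from Cisco): it parses the phase-2 proposal out of PIX "debug crypto isakmp" text and the transform-set lines out of the config, then reports whether any configured set covers the peer's proposal (cipher, integrity and encapsulation mode) and whether the proxy identities are the L2TP udp/1701 pair. The embedded DEBUG and CONFIG strings are constructed excerpts of the post; the addresses are the post's own placeholders.

```python
import re

# Constructed excerpt of the poster's PIX debug and config; addresses are the
# post's own placeholders (d.d.d.d), not real hosts.
DEBUG = """\
ISAKMP: encaps is 2
ISAKMP: authenticator is HMAC-MD5
dest_proxy= d.d.d.d/255.255.255.255/17/0 (type=1),
src_proxy= 192.168.0.3/255.255.255.255/17/1701 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x0
"""
CONFIG = """\
crypto ipsec transform-set trans01 esp-3des esp-sha-hmac
crypto ipsec transform-set trans01 mode transport
crypto ipsec transform-set trans02 esp-3des esp-md5-hmac
crypto ipsec transform-set trans02 mode transport
"""
ENCAPS = {1: "tunnel", 2: "transport"}  # IPsec DOI encapsulation-mode values

def parse_proposal(debug):
    """Extract the peer's phase-2 proposal from PIX 'debug crypto isakmp' text."""
    transform = re.search(r"transform= (\S+) (\S+)", debug).groups()
    encaps = int(re.search(r"encaps is (\d+)", debug).group(1))
    proxies = re.findall(r"(src|dest)_proxy= (\S+)/(\S+)/(\d+)/(\d+)", debug)
    return {"transform": transform,
            "mode": ENCAPS.get(encaps, "unknown"),
            "proxy": {s: (ip, mask, int(pr), int(port)) for s, ip, mask, pr, port in proxies},
            "rejected": "invalid transform proposal" in debug}

def parse_transform_sets(config):
    """Map transform-set name -> {transform, mode}; a set without a mode line is tunnel mode."""
    sets = {}
    for name, rest in re.findall(r"crypto ipsec transform-set (\S+) (.+)", config):
        if rest.startswith("mode "):
            sets[name]["mode"] = rest.split()[1]
        else:
            sets[name] = {"transform": tuple(rest.split()), "mode": "tunnel"}
    return sets

def triage(debug=DEBUG, config=CONFIG):
    """Which configured sets cover the proposal, and is it an L2TP (udp/1701) SA?"""
    p = parse_proposal(debug)
    sets = parse_transform_sets(config)
    p["matching_sets"] = sorted(n for n, s in sets.items()
                                if s["transform"] == p["transform"] and s["mode"] == p["mode"])
    p["l2tp"] = any(pr == 17 and port == 1701 for _, _, pr, port in p["proxy"].values())
    return p
```

On the post's data this reports that trans02 (esp-3des esp-md5-hmac, transport) does cover the proposal, so the rejection is not a cipher or mode mismatch; the next thing to compare is the udp/1701 proxy identities against the crypto ACL, which in this config only permits "ip".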
