Help: trying to set up mobile VPN to IOS with L2TP over IPSEC

Discussion in 'Cisco' started by ent, Sep 4, 2004.

  1. ent

    ent Guest

    I'm trying to set up some IOS boxes (827, 1721, 1751)
    to accept incoming L2TP over IPSEC VPN access
    from Windows XP clients, using a preshared key (no certificates).
    I can't find any configuration example with Google,
    so I have to build my own.
    I'm using the internal/standard Windows XP L2TP over IPSEC client: no
    additional software is installed for VPN access on the client PC.

    Now I have the following problem: the IPSEC Phase1 negotiation
    works fine, but the Phase2 refuses the right proposal with
    the following error:

    "invalid transform proposal flags -- 0x4"

    What could it be? I'm totally unable to find any docs
    on these "transform proposal flags".


    Many thanks in advance for all answers
    Giovanni

    ----------------------------------
    MY ADDED CONFIGURATION
    ----------------------------------
    vpdn enable
    !
    vpdn-group myL2TPvpn
     ! Default L2TP VPDN group
     accept-dialin
      protocol l2tp
      virtual-template 1
    !
    crypto isakmp policy 10
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
    !
    crypto ipsec transform-set dynTrSet esp-3des esp-md5-hmac
     mode transport
    !
    crypto dynamic-map dynVPN 10
     set transform-set dynTrSet
     match address 130
    !
    crypto map myextmap 10 ipsec-isakmp dynamic dynVPN
    !
    interface Serial0.1
     description "Frame Relay to the Internet"
     ! 2.2.2.2 stands in for my PUBLIC IP address
     ip address 2.2.2.2 255.255.255.252
     crypto map myextmap
    !
    access-list 130 permit udp host 2.2.2.2 any eq 1701
    !
    ! This template already works for PPTP
    interface Virtual-Template1
     ip unnumbered FastEthernet0
     peer default ip address pool vpnpool
     ppp encrypt mppe 128
     ppp authentication ms-chap chap
     ppp ipcp dns 172.16.1.1 172.16.1.2
    !


    ["2.2.2.2" is used above instead of my public IP address]


    ----------------------------------
    LOG OF PHASE2 where the most interesting proposal is refused
    ----------------------------------

    012054: Aug 29 10:59:57.300 PCTimeZ: ISAKMP: set new node -348222072 to QM_IDLE
    012055: Aug 29 10:59:57.312 PCTimeZ: ISAKMP (0:2): processing HASH payload. message ID = -348222072
    012056: Aug 29 10:59:57.312 PCTimeZ: ISAKMP (0:2): processing SA payload. message ID = -348222072
    012057: Aug 29 10:59:57.312 PCTimeZ: ISAKMP (0:2): Checking IPSec proposal 1
    012058: Aug 29 10:59:57.312 PCTimeZ: ISAKMP: transform 1, ESP_3DES
    012059: Aug 29 10:59:57.312 PCTimeZ: ISAKMP: attributes in transform:
    012060: Aug 29 10:59:57.312 PCTimeZ: ISAKMP: SA life type in seconds
    012061: Aug 29 10:59:57.312 PCTimeZ: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
    012062: Aug 29 10:59:57.312 PCTimeZ: ISAKMP: SA life type in kilobytes
    012063: Aug 29 10:59:57.316 PCTimeZ: ISAKMP: SA life duration (VPI) of 0x0 0x3 0xD0 0x90
    012064: Aug 29 10:59:57.316 PCTimeZ: ISAKMP: encaps is 2
    012065: Aug 29 10:59:57.316 PCTimeZ: ISAKMP: authenticator is HMAC-MD5
    012066: Aug 29 10:59:57.316 PCTimeZ: ISAKMP (0:2): atts are acceptable.
    012067: Aug 29 10:59:57.316 PCTimeZ: IPSEC(validate_proposal_request): proposal part #1,
      (key eng. msg.) INBOUND local= 2.2.2.2, remote= 3.3.3.3,
        local_proxy= 2.2.2.2/255.255.255.255/17/0 (type=1),
        remote_proxy= 192.168.56.10/255.255.255.255/17/1701 (type=1),
        protocol= ESP, transform= esp-3des esp-md5-hmac ,
        lifedur= 0s and 0kb,
        spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
    012068: Aug 29 10:59:57.316 PCTimeZ: IPSEC(kei_proxy): head = myextmap, map->ivrf = , kei->ivrf =
    012069: Aug 29 10:59:57.316 PCTimeZ: IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x4
    012070: Aug 29 10:59:57.316 PCTimeZ: ISAKMP (0:2): IPSec policy invalidated proposal
    012071: Aug 29 10:59:57.320 PCTimeZ: ISAKMP (0:2): Checking IPSec proposal 2
    012072: Aug 29 10:59:57.320 PCTimeZ: ISAKMP: transform 1, AH_SHA
    012073: Aug 29 10:59:57.320 PCTimeZ: ISAKMP: attributes in transform:
    ent, Sep 4, 2004
    #1
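As an added example (not part of the original post), a small Python parser for the Phase 2 debug output quoted above: it pulls the proposal's attributes into a structure and decodes the variable-length lifetime bytes IOS prints (0x0 0x0 0xE 0x10 is 3600 seconds, 0x0 0x3 0xD0 0x90 is 250000 kilobytes) and the encapsulation mode number, so the client's proposal can be compared line by line with the router's transform set. The log excerpt is constructed from the post with the sequence numbers and timestamps stripped.

```python
import re

# Constructed excerpt of the post's `debug crypto isakmp` / `debug crypto ipsec`
# output, with sequence numbers and timestamps removed.
SAMPLE_LOG = """\
ISAKMP (0:2): Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x3 0xD0 0x90
ISAKMP: encaps is 2
ISAKMP: authenticator is HMAC-MD5
IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x4
"""

# Encapsulation Mode values from the IPsec DOI (RFC 2407, section 4.5).
ENCAPS_MODES = {1: "tunnel", 2: "transport"}

def decode_vpi(hex_bytes):
    """Decode IOS's variable-length big-endian lifetime ('0x0 0x0 0xE 0x10')."""
    value = 0
    for tok in hex_bytes.split():
        value = (value << 8) | int(tok, 16)
    return value

def parse_proposal(log):
    """Return the attributes of the first IPsec proposal in a Phase 2 debug log."""
    result = {"lifetimes": {}}
    pending_life_type = None  # 'seconds' or 'kilobytes' awaiting its duration line
    for line in log.splitlines():
        if m := re.search(r"transform \d+, (\S+)", line):
            result["transform"] = m.group(1)
        elif m := re.search(r"SA life type in (\w+)", line):
            pending_life_type = m.group(1)
        elif m := re.search(r"SA life duration \(VPI\) of (.+)$", line):
            result["lifetimes"][pending_life_type] = decode_vpi(m.group(1))
        elif m := re.search(r"encaps is (\d+)", line):
            result["encaps"] = ENCAPS_MODES.get(int(m.group(1)), "unknown")
        elif m := re.search(r"authenticator is (\S+)", line):
            result["authenticator"] = m.group(1)
        elif m := re.search(r"invalid transform proposal flags -- (0x[0-9a-fA-F]+)", line):
            result["rejected_flags"] = int(m.group(1), 16)
    return result

if __name__ == "__main__":
    for key, val in parse_proposal(SAMPLE_LOG).items():
        print(f"{key}: {val}")
```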
