pix 6.3 and L2TP/preshared keys + Windows XP problem

Discussion in 'Cisco' started by Rik Bain, Jul 6, 2003.

  1. Rik Bain

    Rik Bain Guest

    "proxy identities not supported" means that the subnet/host proposed for
    the SA does not match between the client and the PIX. I have never set up
    L2TP/IPSEC, but check the match address ACL on the PIX and make sure it
    matches the setup on the client.


    On Sun, 06 Jul 2003 17:24:21 -0400, Hugo Drax wrote:

    > Anyone get it to work? I used the wizard and configured the XP machine with
    > the preshared key etc. and I get this debug.
    >
    > (key eng. msg.) dest= 10.200.100.1, src= 10.200.100.11,
    > dest_proxy= 10.200.100.1/255.255.255.255/17/0 (type=1),
    > src_proxy= 10.200.100.11/255.255.255.255/17/1701 (type=1),
    > protocol= ESP, transform= esp-3des esp-md5-hmac ,
    > lifedur= 0s and 0kb,
    > spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x200
    > IPSEC(validate_transform_proposal): proxy identities not supported
    > IPSEC(validate_proposal_request): proposal part #1,
    > (key eng. msg.) dest= 10.200.100.1, src= 10.200.100.11,
    > dest_proxy= 10.200.100.11/255.255.255.255/17/1701 (type=1),
    > src_proxy= 10.200.100.1/255.255.255.255/17/0 (type=1),
    > protocol= ESP, transform= esp-3des esp-md5-hmac ,
    > lifedur= 0s and 0kb,
    > spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x200
    > IPSEC(validate_transform_proposal): proxy identities not supported
    >
    > ISAKMP: IPSec policy invalidated proposal
    > ISAKMP : Checking IPSec proposal 2
    >
    > ISAKMP: transform 1, AH_SHA
    > ISAKMP: attributes in transform:
    > ISAKMP: SA life type in seconds
    > ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
    > ISAKMP: SA life type in kilobytes
    > ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
    > ISAKMP: encaps is 2
    > ISAKMP: authenticator is HMAC-SHAIPSEC(validate_proposal): transform
    > proposal (prot 2, trans 3, hmac_alg 2) not supported
    >
    > ISAKMP (0): atts not acceptable. Next payload is 0
    > ISAKMP (0): skipping next ANDed proposal (2)
    > ISAKMP : Checking IPSec proposal 3
    >
    > ISAKMP: transform 1, AH_MD5
    > ISAKMP: attributes in transform:
    > ISAKMP: SA life type in seconds
    > ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
    > ISAKMP: SA life type in kilobytes
    > ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
    > ISAKMP: encaps is 2
    > ISAKMP: authenticator is HMAC-MD5
    > ISAKMP (0): atts are acceptable.
    > ISAKMP : Checking IPSec proposal 3
    >
    > ISAKMP: transform 1, ESP_3DES
    > ISAKMP: attributes in transform:
    > ISAKMP: SA life type in seconds
    > ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
    > ISAKMP: SA life type in kilobytes
    > ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
    > ISAKMP: encaps is 2IPSEC(validate_proposal): transform proposal (prot
    > 3, trans 3, hmac_alg 0) not supported
    >
    > ISAKMP (0): atts not acceptable. Next payload is 0
    > ISAKMP : Checking IPSec proposal 4
    >
    > ISAKMP: transform 1, AH_SHA
    > ISAKMP: attributes in transform:
    > ISAKMP: SA life type in seconds
    > ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
    > ISAKMP: SA life type in kilobytes
    > ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
    > ISAKMP: encaps is 2
    > ISAKMP: authenticator is HMAC-SHAIPSEC(validate_proposal): transform
    > proposal (prot 2, trans 3, hmac_alg 2) not supported
    >
    > ISAKMP (0): atts not acceptable. Next payload is 0
    > ISAKMP (0): skipping next ANDed proposal (4)
    > ISAKMP : Checking IPSec proposal 5
    >
    > ISAKMP: transform 1, AH_MD5
    > ISAKMP: attributes in transform:
    > ISAKMP: SA life type in seconds
    > ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
    > ISAKMP: SA life type in kilobytes
    > crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
    > dpt:500
    > ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    > crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
    > dpt:500
    > ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    > crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
    > dpt:500
    > ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    > crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
    > dpt:500
    > ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    > crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
    > dpt:500
    > ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.transform
    > proposal (prot 2, trans 3, hmac_alg 2) not supported
    > crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
    > dpt:500
    > ISAKMP (0): processing DELETE payload. message ID = 2957376203, spi size =
    > 16
    > ISAKMP (0): deleting SA: src 10.200.100.11, dst 10.200.100.1
    > return status is IKMP_NO_ERR_NO_TRANS
    > ISADB: reaper checking SA 0xaca474, conn_id = 0 DELETE IT!
    >
    > VPN Peer: ISAKMP: Peer ip:10.200.100.11/500 Ref cnt decremented to:0 Total
    > VPN Peers:1
    > VPN Peer: ISAKMP: Deleted peer: ip:10.200.100.11/500 Total VPN peers:0
    > crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
    > dpt:500
    > OAK_MM exchange
    > ISAKMP (0): processing SA payload. message ID = 0
     
    Rik Bain, Jul 6, 2003
    #1
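Added example, not part of the original posts and not Cisco's code: a small Python check that pulls the `dest_proxy`/`src_proxy` identities out of debug text in the format quoted above and compares them with a local selector, which is the comparison the reply describes. `LOCAL_POLICY` is a hypothetical stand-in for a match-address ACL, and the matching rule (0 means "any", proposed network must lie inside the policy network) is an assumption made for illustration.

```python
import ipaddress
import re

# Constructed sample in the format of the debug lines quoted in the thread.
SAMPLE_DEBUG = """\
dest_proxy= 10.200.100.1/255.255.255.255/17/0 (type=1),
src_proxy= 10.200.100.11/255.255.255.255/17/1701 (type=1),
"""

# Hypothetical local policy (what a match-address ACL would express), NOT taken
# from the poster's PIX: local host on UDP 1701, any remote peer over UDP.
LOCAL_POLICY = {
    "dest_proxy": (ipaddress.ip_network("10.200.100.1/32"), 17, 1701),
    "src_proxy": (ipaddress.ip_network("0.0.0.0/0"), 17, 0),
}

PROXY_RE = re.compile(r"(dest_proxy|src_proxy)=\s*([\d.]+)/([\d.]+)/(\d+)/(\d+)")

def parse_proxies(debug_text):
    """Extract the first dest_proxy/src_proxy pair as (network, protocol, port)."""
    found = {}
    for side, addr, mask, proto, port in PROXY_RE.findall(debug_text):
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        found.setdefault(side, (net, int(proto), int(port)))
    return found

def mismatches(proposed, policy):
    """List the fields where the proposal falls outside the local policy.
    Assumption: a policy protocol or port of 0 means "any"; otherwise the value
    must be equal, and the proposed network must sit inside the policy network.
    """
    problems = []
    for side, (p_net, p_proto, p_port) in policy.items():
        if side not in proposed:
            problems.append(f"{side}: missing from debug output")
            continue
        net, proto, port = proposed[side]
        if not net.subnet_of(p_net):
            problems.append(f"{side}: network {net} not within {p_net}")
        if p_proto and proto != p_proto:
            problems.append(f"{side}: protocol {proto} != {p_proto}")
        if p_port and port != p_port:
            problems.append(f"{side}: port {port} != {p_port}")
    return problems

if __name__ == "__main__":
    for line in mismatches(parse_proxies(SAMPLE_DEBUG), LOCAL_POLICY):
        print(line)
```

Each field is `address/mask/IP protocol/port`; protocol 17 is UDP and port 1701 is L2TP.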

  2. Rik Bain

    Hugo Drax Guest

    Anyone get it to work? I used the wizard and configured the XP machine with
    the preshared key etc. and I get this debug.

    (key eng. msg.) dest= 10.200.100.1, src= 10.200.100.11,
    dest_proxy= 10.200.100.1/255.255.255.255/17/0 (type=1),
    src_proxy= 10.200.100.11/255.255.255.255/17/1701 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x200
    IPSEC(validate_transform_proposal): proxy identities not supported
    IPSEC(validate_proposal_request): proposal part #1,
    (key eng. msg.) dest= 10.200.100.1, src= 10.200.100.11,
    dest_proxy= 10.200.100.11/255.255.255.255/17/1701 (type=1),
    src_proxy= 10.200.100.1/255.255.255.255/17/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x200
    IPSEC(validate_transform_proposal): proxy identities not supported

    ISAKMP: IPSec policy invalidated proposal
    ISAKMP : Checking IPSec proposal 2

    ISAKMP: transform 1, AH_SHA
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
    ISAKMP: SA life type in kilobytes
    ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
    ISAKMP: encaps is 2
    ISAKMP: authenticator is HMAC-SHAIPSEC(validate_proposal): transform
    proposal (prot 2, trans 3, hmac_alg 2) not supported

    ISAKMP (0): atts not acceptable. Next payload is 0
    ISAKMP (0): skipping next ANDed proposal (2)
    ISAKMP : Checking IPSec proposal 3

    ISAKMP: transform 1, AH_MD5
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
    ISAKMP: SA life type in kilobytes
    ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
    ISAKMP: encaps is 2
    ISAKMP: authenticator is HMAC-MD5
    ISAKMP (0): atts are acceptable.
    ISAKMP : Checking IPSec proposal 3

    ISAKMP: transform 1, ESP_3DES
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
    ISAKMP: SA life type in kilobytes
    ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
    ISAKMP: encaps is 2IPSEC(validate_proposal): transform proposal (prot
    3, trans 3, hmac_alg 0) not supported

    ISAKMP (0): atts not acceptable. Next payload is 0
    ISAKMP : Checking IPSec proposal 4

    ISAKMP: transform 1, AH_SHA
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
    ISAKMP: SA life type in kilobytes
    ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
    ISAKMP: encaps is 2
    ISAKMP: authenticator is HMAC-SHAIPSEC(validate_proposal): transform
    proposal (prot 2, trans 3, hmac_alg 2) not supported

    ISAKMP (0): atts not acceptable. Next payload is 0
    ISAKMP (0): skipping next ANDed proposal (4)
    ISAKMP : Checking IPSec proposal 5

    ISAKMP: transform 1, AH_MD5
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
    ISAKMP: SA life type in kilobytes
    crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
    dpt:500
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
    dpt:500
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
    dpt:500
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
    dpt:500
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
    dpt:500
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.transform
    proposal (prot 2, trans 3, hmac_alg 2) not supported
    crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
    dpt:500
    ISAKMP (0): processing DELETE payload. message ID = 2957376203, spi size =
    16
    ISAKMP (0): deleting SA: src 10.200.100.11, dst 10.200.100.1
    return status is IKMP_NO_ERR_NO_TRANS
    ISADB: reaper checking SA 0xaca474, conn_id = 0 DELETE IT!

    VPN Peer: ISAKMP: Peer ip:10.200.100.11/500 Ref cnt decremented to:0 Total
    VPN Peers:1
    VPN Peer: ISAKMP: Deleted peer: ip:10.200.100.11/500 Total VPN peers:0
    crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
    dpt:500
    OAK_MM exchange
    ISAKMP (0): processing SA payload. message ID = 0
     
    Hugo Drax, Jul 6, 2003
    #2
