w2k client --> cisco pix l2tp ipsec vpn

Discussion in 'Cisco' started by daniel, Nov 20, 2003.

  1. daniel

    daniel Guest

    Hi,

    Could anyone help me and shed some light on a problem I am having?
    I am trying to set up a remote access VPN as follows:

    w2k client --> cisco pix 515e using l2tp/ipsec

    The w2k client is connected to the net via an ADSL router with a LAN net of
    192.168.0.0 255.255.255.0 and an external IP s.s.s.s (in the debug);
    the PIX is d.d.d.d.

    I have installed the MS cert server and have installed a cert onto the Cisco
    and the w2k client. I have read just about everything I can find and have
    hit the following problem.

    The VPN connection from the w2k client hangs and the PIX seems to be showing
    a debug message:
    "invalid transform proposal flags"

    The only ref to this error seems to point to the PIX being incorrectly
    configured to use tunnel mode, but I have set

    "crypto ipsec transform-set trans01 mode transport"

    (IKE seems to be working in the debug.)

    I'm stumped and have spent 2 weeks getting this far :O(

    help

    Dan

    Debug follows:
    ########

    ISAKMP (0): SA has been authenticated

    ISAKMP (0): ID payload
    next-payload : 6
    type : 2
    protocol : 17
    port : 500
    length : 32
    ISAKMP (0): Total payload length: 36
    return status is IKMP_NO_ERROR
    ISAKMP (0): sending INITIAL_CONTACT notify
    ISAKMP (0): sending NOTIFY message 24578 protocol 1
    ISAKMP (0): sending INITIAL_CONTACT notify
    ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
    ISAKMP (0): sending NOTIFY message 24576 protocol 1
    crypto_isakmp_process_block: src s.s.s.s, dest d.d.d.d
    OAK_QM exchange
    oakley_process_quick_mode:
    OAK_QM_IDLE
    ISAKMP (0): processing SA payload. message ID = 2952273358

    ISAKMP : Checking IPSec proposal 1

    ISAKMP: transform 1, ESP_3DES
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
    ISAKMP: SA life type in kilobytes
    ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
    ISAKMP: encaps is 2
    ISAKMP: authenticator is HMAC-MD5
    ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,
    (key eng. msg.) dest= d.d.d.d, src= s.s.s.s,
    dest_proxy= d.d.d.d/255.255.255.255/17/0 (type=1),
    src_proxy= 192.168.0.3/255.255.255.255/17/1701 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
    IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x0
    IPSEC(validate_proposal_request): proposal part #1,
    (key eng. msg.) dest= d.d.d.d, src= s.s.s.s,
    dest_proxy= 192.168.0.3/255.255.255.255/17/1701 (type=1),
    src_proxy= d.d.d.d/255.255.255.255/17/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
    IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x0

    ISAKMP: IPSec policy invalidated proposal
    ISAKMP : Checking IPSec proposal 2

    ########

    Setup follows:

    ########

    vpdn group vpn01 accept dialin l2tp
    vpdn group vpn01 ppp authentication mschap

    vpdn group vpn01 client authentication local
    vpdn username xxxxxxxx password xxxxxxxx

    ip local pool vpn01_pool 10.1.111.1-10.1.111.100

    vpdn group vpn01 client configuration address local vpn01_pool
    vpdn group vpn01 client configuration dns 10.1.50.125 10.1.50.127
    vpdn group vpn01 client configuration wins 10.1.50.22 10.1.50.46
    vpdn enable outside

    access-list acl_vpn01_inside_outbound_nat0 permit ip any 10.1.111.0 255.255.255.0
    nat (inside) 0 access-list acl_vpn01_inside_outbound_nat0

    isakmp policy 20 authentication rsa-sig
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp enable outside

    access-list acl_vpn01_outside_cryptomap_dyn_20 permit ip any 10.1.111.0 255.255.255.0
    access-list acl_vpn01_outside_cryptomap_dyn_20 permit ip host <d.d.d.d> 192.168.0.0 255.255.255.0

    crypto ipsec transform-set trans01 esp-3des esp-sha-hmac
    crypto ipsec transform-set trans01 mode transport
    crypto ipsec transform-set trans02 esp-3des esp-md5-hmac
    crypto ipsec transform-set trans02 mode transport
    crypto ipsec transform-set trans03 esp-des esp-sha-hmac
    crypto ipsec transform-set trans03 mode transport
    crypto ipsec transform-set trans04 esp-des esp-md5-hmac
    crypto ipsec transform-set trans04 mode transport

    crypto dynamic-map outside_dyn_map 20 match address acl_vpn01_outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set trans01 trans02 trans03 trans04
    crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 3600

    crypto map outside_map 200 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside

    sysopt connection permit-l2tp
    daniel, Nov 20, 2003
    #1
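When a PIX logs "invalid transform proposal", the first thing to check is whether the client's quick-mode offer (cipher, integrity algorithm, encapsulation mode, lifetimes, proxy identities) lines up with any configured transform-set. The script below is an added example, not code from the post or from Cisco: it parses abridged copies of the debug output and the transform-set lines from this thread and reports which sets match each proposal. It assumes the PIX print format shown in the post and the RFC 2407 encapsulation-mode values (1 = tunnel, 2 = transport); the lifetime values are the 4-byte attribute the PIX prints one byte at a time. Run against this thread's text it shows the first offer (esp-3des, HMAC-MD5, transport, 3600 s / 250000 kB, identity 192.168.0.3 UDP/1701) already has a matching set, trans02, which is consistent with the "atts are acceptable" line that precedes the rejection.

```python
"""Compare the IPsec proposal a Windows client offers (as printed by the PIX
'debug crypto isakmp') with the transform-sets in a PIX configuration.
Added example; DEBUG and CONFIG are abridged from the thread, and the mapping
tables assume RFC 2407 values (encapsulation mode 1 = tunnel, 2 = transport)."""
import re

# Constructed sample: abridged from the debug output posted in the thread.
DEBUG = """\
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
ISAKMP: encaps is 2
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,
src_proxy= 192.168.0.3/255.255.255.255/17/1701 (type=1),
IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x0
ISAKMP : Checking IPSec proposal 2
"""

# Constructed sample: the transform-set lines from the posted configuration.
CONFIG = """\
crypto ipsec transform-set trans01 esp-3des esp-sha-hmac
crypto ipsec transform-set trans01 mode transport
crypto ipsec transform-set trans02 esp-3des esp-md5-hmac
crypto ipsec transform-set trans02 mode transport
crypto ipsec transform-set trans03 esp-des esp-sha-hmac
crypto ipsec transform-set trans03 mode transport
crypto ipsec transform-set trans04 esp-des esp-md5-hmac
crypto ipsec transform-set trans04 mode transport
"""

# Identifiers as the PIX prints them -> transform-set keywords (ESP only).
CIPHERS = {"ESP_DES": "esp-des", "ESP_3DES": "esp-3des", "ESP_AES": "esp-aes"}
AUTHS = {"HMAC-MD5": "esp-md5-hmac", "HMAC-SHA": "esp-sha-hmac"}
ENCAPS = {1: "tunnel", 2: "transport"}   # RFC 2407 encapsulation mode attribute


def parse_proposals(debug):
    """Return one dict per 'Checking IPSec proposal N' block in the debug text."""
    proposals, cur, life_unit = [], None, None
    for line in debug.splitlines():
        if m := re.search(r"Checking IPSec proposal (\d+)", line):
            cur = {"number": int(m.group(1)), "rejected": False}
            proposals.append(cur)
        elif cur is None:
            continue
        elif m := re.search(r"transform \d+, (\S+)", line):
            cur["cipher"] = CIPHERS.get(m.group(1), m.group(1))
        elif m := re.search(r"SA life type in (\w+)", line):
            life_unit = m.group(1)
        elif m := re.search(r"SA life duration \(VPI\) of ((?:0x[0-9a-f]+ ?)+)", line):
            # The PIX prints the 4-byte attribute value one byte at a time, big-endian.
            raw = bytes(int(b, 16) for b in m.group(1).split())
            cur["life_" + life_unit] = int.from_bytes(raw, "big")
        elif m := re.search(r"encaps is (\d+)", line):
            cur["mode"] = ENCAPS.get(int(m.group(1)), "unknown")
        elif m := re.search(r"authenticator is (\S+)", line):
            cur["auth"] = AUTHS.get(m.group(1), m.group(1))
        elif m := re.search(r"src_proxy= ([\d.]+)/([\d.]+)/(\d+)/(\d+)", line):
            # Identity the client wants protected: address, mask, protocol, port.
            cur["src_proxy"] = (m.group(1), m.group(2), int(m.group(3)), int(m.group(4)))
        elif "invalid transform proposal" in line:
            cur["rejected"] = True
    return proposals


def parse_transform_sets(config):
    """Return {name: {cipher, auth, mode}}; mode defaults to tunnel as on the PIX."""
    sets = {}
    for line in config.splitlines():
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line.strip())
        if not m:
            continue
        ts = sets.setdefault(m.group(1), {"cipher": None, "auth": None, "mode": "tunnel"})
        words = m.group(2).split()
        if words[0] == "mode":
            ts["mode"] = words[1]
        else:
            for kw in words:
                ts["auth" if kw.endswith("-hmac") else "cipher"] = kw
    return sets


def matching_sets(proposal, sets):
    """Names of transform-sets that agree with the proposal on cipher, integrity and mode."""
    want = (proposal.get("cipher"), proposal.get("auth"), proposal.get("mode"))
    return [n for n, ts in sets.items() if (ts["cipher"], ts["auth"], ts["mode"]) == want]


def report(debug=DEBUG, config=CONFIG):
    """One summary line per proposal: offer, matching sets, and the PIX verdict."""
    sets = parse_transform_sets(config)
    return [
        f"proposal {p['number']}: {p.get('cipher')} {p.get('auth')} {p.get('mode')} "
        f"life={p.get('life_seconds')}s/{p.get('life_kilobytes')}kB "
        f"matches={matching_sets(p, sets) or 'none'} "
        f"{'REJECTED' if p['rejected'] else 'not rejected'}"
        for p in parse_proposals(debug)
    ]


if __name__ == "__main__":
    print("\n".join(report()))
```

Feed it a full `debug crypto isakmp` capture and the `show run` transform-set lines to see, per proposal, whether a plain algorithm or mode mismatch explains a rejection; when a matching set exists but the proposal is still rejected, the cause lies elsewhere (the proxy identities and the crypto ACL, or the flags check itself) rather than in the transform list.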