pix 6.3 and L2TP/preshared keys + Windows XP problem

Discussion in 'Cisco' started by Rik Bain, Jul 6, 2003.

  1. Rik Bain

    Rik Bain Guest

    "proxy identities not supported" means that the subnet/host proposed for
    the SA do not match between the client and the pix. I have never setup
    L2TP/IPSEC, but check the match address acl on the pix and make sure it
    matches the setup on the client.
     
    Rik Bain, Jul 6, 2003
    #1

    1. Advertisements

  2. Rik Bain

    Hugo Drax Guest

    anyone get it to work. I used the wizard and configured the XP machine with
    the preshared key etc.. and I get this debug.





    (key eng. msg.) dest= 10.200.100.1, src= 10.200.100.11,
    dest_proxy= 10.200.100.1/255.255.255.255/17/0 (type=1),
    src_proxy= 10.200.100.11/255.255.255.255/17/1701 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x200
    IPSEC(validate_transform_proposal): proxy identities not supported
    IPSEC(validate_proposal_request): proposal part #1,
    (key eng. msg.) dest= 10.200.100.1, src= 10.200.100.11,
    dest_proxy= 10.200.100.11/255.255.255.255/17/1701 (type=1),
    src_proxy= 10.200.100.1/255.255.255.255/17/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x200
    IPSEC(validate_transform_proposal): proxy identities not supported

    ISAKMP: IPSec policy invalidated proposal
    ISAKMP : Checking IPSec proposal 2

    ISAKMP: transform 1, AH_SHA
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
    ISAKMP: SA life type in kilobytes
    ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
    ISAKMP: encaps is 2
    ISAKMP: authenticator is HMAC-SHAIPSEC(validate_proposal): transform
    proposal (prot 2, trans 3, hmac_alg 2) not supported

    ISAKMP (0): atts not acceptable. Next payload is 0
    ISAKMP (0): skipping next ANDed proposal (2)
    ISAKMP : Checking IPSec proposal 3

    ISAKMP: transform 1, AH_MD5
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
    ISAKMP: SA life type in kilobytes
    ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
    ISAKMP: encaps is 2
    ISAKMP: authenticator is HMAC-MD5
    ISAKMP (0): atts are acceptable.
    ISAKMP : Checking IPSec proposal 3

    ISAKMP: transform 1, ESP_3DES
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
    ISAKMP: SA life type in kilobytes
    ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
    ISAKMP: encaps is 2IPSEC(validate_proposal): transform proposal (prot
    3, trans 3, hmac_alg 0) not supported

    ISAKMP (0): atts not acceptable. Next payload is 0
    ISAKMP : Checking IPSec proposal 4

    ISAKMP: transform 1, AH_SHA
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
    ISAKMP: SA life type in kilobytes
    ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
    ISAKMP: encaps is 2
    ISAKMP: authenticator is HMAC-SHAIPSEC(validate_proposal): transform
    proposal (prot 2, trans 3, hmac_alg 2) not supported

    ISAKMP (0): atts not acceptable. Next payload is 0
    ISAKMP (0): skipping next ANDed proposal (4)
    ISAKMP : Checking IPSec proposal 5

    ISAKMP: transform 1, AH_MD5
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
    ISAKMP: SA life type in kilobytes
    crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
    dpt:500
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
    dpt:500
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
    dpt:500
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
    dpt:500
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
    dpt:500
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.transform
    proposal (prot 2, trans 3, hmac_alg 2) not supported
    crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
    dpt:500
    ISAKMP (0): processing DELETE payload. message ID = 2957376203, spi size =
    16
    ISAKMP (0): deleting SA: src 10.200.100.11, dst 10.200.100.1
    return status is IKMP_NO_ERR_NO_TRANS
    ISADB: reaper checking SA 0xaca474, conn_id = 0 DELETE IT!

    VPN Peer: ISAKMP: Peer ip:10.200.100.11/500 Ref cnt decremented to:0 Total
    VPN Peers:1
    VPN Peer: ISAKMP: Deleted peer: ip:10.200.100.11/500 Total VPN peers:0
    crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
    dpt:500
    OAK_MM exchange
    ISAKMP (0): processing SA payload. message ID = 0
     
    Hugo Drax, Jul 6, 2003
    #2

    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.
Similar Threads

  1. VPN over L2TP patchy connectivity while L2TP Traffic without VPN is fine.

  2. Using certificate authentication on VPN tunnel instaed of preshared

  3. Trying to Connect NCP CE Client to PIX using Preshared Keys...

  4. keyboard keys replacing mouse keys?

  5. 4506 acting as LNS with L2TP over IPsec and IPsec over L2TP.

  6. 4506 acting as LNS with L2TP over IPsec and IPsec over L2TP.

  7. client-initiated L2TP tunnel over L2TP tunnel

Loading...