pix 6.3 and L2TP/preshared keys + Windows XP problem

Discussion in 'Cisco' started by Rik Bain, Jul 6, 2003.

  1. Rik Bain

    Rik Bain Guest

    "proxy identities not supported" means that the subnet/host proposed for
    the SA does not match between the client and the PIX. I have never set up
    L2TP/IPSEC, but check the match address ACL on the PIX and make sure it
    matches the setup on the client.
     
    Rik Bain, Jul 6, 2003
    #1

  2. Rik Bain

    Hugo Drax Guest

    Anyone get it to work? I used the wizard and configured the XP machine with
    the preshared key etc., and I get this debug.





    (key eng. msg.) dest= 10.200.100.1, src= 10.200.100.11,
    dest_proxy= 10.200.100.1/255.255.255.255/17/0 (type=1),
    src_proxy= 10.200.100.11/255.255.255.255/17/1701 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x200
    IPSEC(validate_transform_proposal): proxy identities not supported
    IPSEC(validate_proposal_request): proposal part #1,
    (key eng. msg.) dest= 10.200.100.1, src= 10.200.100.11,
    dest_proxy= 10.200.100.11/255.255.255.255/17/1701 (type=1),
    src_proxy= 10.200.100.1/255.255.255.255/17/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x200
    IPSEC(validate_transform_proposal): proxy identities not supported

    ISAKMP: IPSec policy invalidated proposal
    ISAKMP : Checking IPSec proposal 2

    ISAKMP: transform 1, AH_SHA
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
    ISAKMP: SA life type in kilobytes
    ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
    ISAKMP: encaps is 2
    ISAKMP: authenticator is HMAC-SHAIPSEC(validate_proposal): transform
    proposal (prot 2, trans 3, hmac_alg 2) not supported

    ISAKMP (0): atts not acceptable. Next payload is 0
    ISAKMP (0): skipping next ANDed proposal (2)
    ISAKMP : Checking IPSec proposal 3

    ISAKMP: transform 1, AH_MD5
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
    ISAKMP: SA life type in kilobytes
    ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
    ISAKMP: encaps is 2
    ISAKMP: authenticator is HMAC-MD5
    ISAKMP (0): atts are acceptable.
    ISAKMP : Checking IPSec proposal 3

    ISAKMP: transform 1, ESP_3DES
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
    ISAKMP: SA life type in kilobytes
    ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
    ISAKMP: encaps is 2IPSEC(validate_proposal): transform proposal (prot
    3, trans 3, hmac_alg 0) not supported

    ISAKMP (0): atts not acceptable. Next payload is 0
    ISAKMP : Checking IPSec proposal 4

    ISAKMP: transform 1, AH_SHA
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
    ISAKMP: SA life type in kilobytes
    ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
    ISAKMP: encaps is 2
    ISAKMP: authenticator is HMAC-SHAIPSEC(validate_proposal): transform
    proposal (prot 2, trans 3, hmac_alg 2) not supported

    ISAKMP (0): atts not acceptable. Next payload is 0
    ISAKMP (0): skipping next ANDed proposal (4)
    ISAKMP : Checking IPSec proposal 5

    ISAKMP: transform 1, AH_MD5
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
    ISAKMP: SA life type in kilobytes
    crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
    dpt:500
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
    dpt:500
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
    dpt:500
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
    dpt:500
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
    dpt:500
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.transform
    proposal (prot 2, trans 3, hmac_alg 2) not supported
    crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
    dpt:500
    ISAKMP (0): processing DELETE payload. message ID = 2957376203, spi size =
    16
    ISAKMP (0): deleting SA: src 10.200.100.11, dst 10.200.100.1
    return status is IKMP_NO_ERR_NO_TRANS
    ISADB: reaper checking SA 0xaca474, conn_id = 0 DELETE IT!

    VPN Peer: ISAKMP: Peer ip:10.200.100.11/500 Ref cnt decremented to:0 Total
    VPN Peers:1
    VPN Peer: ISAKMP: Deleted peer: ip:10.200.100.11/500 Total VPN peers:0
    crypto_isakmp_process_block:src:10.200.100.11, dest:10.200.100.1 spt:500
    dpt:500
    OAK_MM exchange
    ISAKMP (0): processing SA payload. message ID = 0
     
    Hugo Drax, Jul 6, 2003
    #2
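
An added example, not part of either post and not the PIX's own matching logic: it parses the `dest_proxy`/`src_proxy` fields (address/mask/IP protocol/port) from the debug above and compares them with a crypto ACL entry, which is the check the first reply suggests. The two ACL entries and the "ACL must be equal to or wider than the proposal" rule are assumptions made for illustration.

```python
import ipaddress
import re
from typing import NamedTuple

# Proxy-identity lines copied from the debug output in the post above.
DEBUG = """
dest_proxy= 10.200.100.1/255.255.255.255/17/0 (type=1),
src_proxy= 10.200.100.11/255.255.255.255/17/1701 (type=1),
dest_proxy= 10.200.100.11/255.255.255.255/17/1701 (type=1),
src_proxy= 10.200.100.1/255.255.255.255/17/0 (type=1),
"""

class Selector(NamedTuple):
    net: ipaddress.IPv4Network
    proto: int  # IP protocol number (17 = UDP); 0 = any
    port: int   # 1701 = L2TP; 0 = any

PROXY_RE = re.compile(r"(dest|src)_proxy=\s*([\d.]+)/([\d.]+)/(\d+)/(\d+)")

def parse_proposals(text):
    """Return one {'dest': Selector, 'src': Selector} dict per proposal."""
    proposals, current = [], {}
    for side, addr, mask, proto, port in PROXY_RE.findall(text):
        net = ipaddress.ip_network(f"{addr}/{mask}")
        current[side] = Selector(net, int(proto), int(port))
        if len(current) == 2:
            proposals.append(current)
            current = {}
    return proposals

def covers(acl, proposed):
    """Assumed rule: the ACL side must be equal to or wider than the proposal."""
    return (proposed.net.subnet_of(acl.net)
            and acl.proto in (0, proposed.proto)
            and acl.port in (0, proposed.port))

def acl_matches(acl_dest, acl_src, proposal):
    return covers(acl_dest, proposal["dest"]) and covers(acl_src, proposal["src"])

# Constructed ACL entries (hypothetical, not from the thread).
LAN_TO_LAN = (Selector(ipaddress.ip_network("192.168.1.0/24"), 0, 0),
              Selector(ipaddress.ip_network("192.168.2.0/24"), 0, 0))
UDP_L2TP = (Selector(ipaddress.ip_network("10.200.100.1/32"), 17, 0),
            Selector(ipaddress.ip_network("0.0.0.0/0"), 17, 1701))

if __name__ == "__main__":
    first = parse_proposals(DEBUG)[0]
    for name, acl in (("LAN_TO_LAN", LAN_TO_LAN), ("UDP_L2TP", UDP_L2TP)):
        print(name, "covers proposal:", acl_matches(*acl, first))
```

The first proposal is host-to-host UDP with port 1701 on the client side, so a subnet-to-subnet entry cannot cover it, while an entry written for that UDP flow does.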