Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1710
Views
0
Helpful
3
Replies

ERROR: transform set with tag "VPN" can't be used on a static crypto map

xuantruong
Level 1
Level 1

‎03-15-2005 07:51 PM - edited ‎03-09-2019 10:39 AM

I 'm practicing the LAB with IOS router-to-PIX firewall VPN scenario.The problem happened when I configured crypto map with "crypto map Mymap 10 set transform-set VPN" command on PIX.The PIX was warning that "ERROR: transform set with tag "VPN" can't be used on a static crypto map".

I will enter "crypto map Mymap 10 set transform-set VPN" command line, If I remove "crypto ipsec transform-set VPN mode transport" command line.

Following are somthing configured:

crypto ipsec transform-set VPN esp-des esp-md5-hmac

crypto ipsec transform-set VPN mode transport

crypto map Mymap 10 ipsec-isakmp

crypto map Mymap 10 match address ipsec

crypto map Mymap 10 set peer 10.50.13.84

crypto map Mymap 10 set transform-set VPN

ERROR: transform set with tag "VPN" can't be used on a static crypto map

Pls advice me to resolve the problem.

Thanks

Labels:
0 Helpful
3 Replies 3

aashish.c
Level 4
Level 4

‎03-15-2005 09:39 PM

Hi,

I have a pix 515E with restricted license running OS 6.3(3). Here is the config I tried and I didnt get any error message :

crypto ipsec transform-set VPN esp-3des esp-md5-hmac

crypto ipsec transform-set VPN mode transport

crypto dynamic-map test1 20 set transform-set VPN

There is no where mentioned that "VPN" keywork cant be used. Before applying the transform set , you have to define the protocols and authentication parameters in transform set and then you can also select its mode (tunnel/transport)

Pls try it again, or use the above exact three commands and try.

regards

aashish C

0 Helpful

xuantruong
Level 1
Level 1
In response to aashish.c

‎03-16-2005 07:03 PM

Hi Aashish C,

Thanks for your response.

My firewall is a PIX-501.I have tried on another Pix-501 but still encountered the same problem.

0 Helpful

gfullage
Cisco Employee
Cisco Employee
In response to xuantruong

‎03-16-2005 07:17 PM

The PIX doesn't allow transport mode transform-sets on static crypto maps, the documentation says so:

A transport mode transform can only be used on a dynamic crypto map, and the PIX Firewall CLI will display an error if you attempt to tie a transport-mode transform to a static crypto map.

The above is taken from here:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/c.htm#wp1026972

The error is a bit misleading, the PIX is not actually complaining about the name of the transform set, but merely that you can't set it to transport mode on a static tunnel. Note that Aashish's tests were done on a dynamic crypto map, which is the only place you can have a transport mode transform set.

0 Helpful
Customers Also Viewed These Support Documents