IPSec policy invalidated proposal with error 512

StefanS

Hello,

 

I'm trying to set up an L2TP VPN connection between a Windows 10 machine and a Cisco 2910 router. The connection can be established sometimes, but fails at other times.

I've tried to find the cause of the problem by looking at the debug messages and noted the following.

This happens when the connection fails:

Oct 17 14:41:04.169: ISAKMP:(6233):Checking IPSec proposal 1
Oct 17 14:41:04.169: ISAKMP: transform 1, ESP_AES
Oct 17 14:41:04.169: ISAKMP:   attributes in transform:
Oct 17 14:41:04.169: ISAKMP:      encaps is 4 (Transport-UDP)
Oct 17 14:41:04.169: ISAKMP:      key length is 128
Oct 17 14:41:04.169: ISAKMP:      authenticator is HMAC-SHA
Oct 17 14:41:04.169: ISAKMP:      SA life type in seconds
Oct 17 14:41:04.169: ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xE 0x10
Oct 17 14:41:04.169: ISAKMP:      SA life type in kilobytes
Oct 17 14:41:04.169: ISAKMP:      SA life duration (VPI) of  0x0 0x3 0xD0 0x90
Oct 17 14:41:04.169: ISAKMP:(6233):atts are acceptable.
Oct 17 14:41:04.169: IPSEC(ipsec_process_proposal): transform not supported by encryption hardware:
    {esp-aes esp-sha-hmac }
Oct 17 14:41:04.169: ISAKMP:(6233): IPSec policy invalidated proposal with error 512
Oct 17 14:41:04.169: ISAKMP:(6233):Checking IPSec proposal 2
Oct 17 14:41:04.169: ISAKMP: transform 1, ESP_3DES
Oct 17 14:41:04.169: ISAKMP:   attributes in transform:
Oct 17 14:41:04.169: ISAKMP:      encaps is 4 (Transport-UDP)
Oct 17 14:41:04.169: ISAKMP:      authenticator is HMAC-SHA
Oct 17 14:41:04.169: ISAKMP:      SA life type in seconds
Oct 17 14:41:04.169: ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xE 0x10
Oct 17 14:41:04.173: ISAKMP:      SA life type in kilobytes
Oct 17 14:41:04.173: ISAKMP:      SA life duration (VPI) of  0x0 0x3 0xD0 0x90
Oct 17 14:41:04.173: ISAKMP:(6233):atts are acceptable.
Oct 17 14:41:04.173: IPSEC(ipsec_process_proposal): transform not supported by encryption hardware:
    {esp-3des esp-sha-hmac }
Oct 17 14:41:04.173: ISAKMP:(6233): IPSec policy invalidated proposal with error 512
Oct 17 14:41:04.173: ISAKMP:(6233):Checking IPSec proposal 3
Oct 17 14:41:04.173: ISAKMP: transform 1, ESP_DES
Oct 17 14:41:04.173: ISAKMP:   attributes in transform:
Oct 17 14:41:04.173: ISAKMP:      encaps is 4 (Transport-UDP)
Oct 17 14:41:04.173: ISAKMP:      authenticator is HMAC-SHA
Oct 17 14:41:04.173: ISAKMP:      SA life type in seconds
Oct 17 14:41:04.173: ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xE 0x10
Oct 17 14:41:04.173: ISAKMP:      SA life type in kilobytes
Oct 17 14:41:04.173: ISAKMP:      SA life duration (VPI) of  0x0 0x3 0xD0 0x90
Oct 17 14:41:04.173: ISAKMP:(6233):atts are acceptable.
Oct 17 14:41:04.173: IPSEC(ipsec_process_proposal): transform not supported by encryption hardware:
    {esp-des esp-sha-hmac }
Oct 17 14:41:04.173: ISAKMP:(6233): IPSec policy invalidated proposal with error 512
Oct 17 14:41:04.177: ISAKMP:(6233): phase 2 SA policy not acceptable! (local xxxxx remote xxxxx)

and this one if it succeeds:

Oct 17 14:39:59.069: ISAKMP:(6230):Checking IPSec proposal 1
Oct 17 14:39:59.069: ISAKMP: transform 1, ESP_AES
Oct 17 14:39:59.069: ISAKMP:   attributes in transform:
Oct 17 14:39:59.069: ISAKMP:      encaps is 2 (Transport)
Oct 17 14:39:59.069: ISAKMP:      key length is 128
Oct 17 14:39:59.069: ISAKMP:      authenticator is HMAC-SHA
Oct 17 14:39:59.069: ISAKMP:      SA life type in seconds
Oct 17 14:39:59.069: ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xE 0x10
Oct 17 14:39:59.069: ISAKMP:      SA life type in kilobytes
Oct 17 14:39:59.069: ISAKMP:      SA life duration (VPI) of  0x0 0x3 0xD0 0x90
Oct 17 14:39:59.069: ISAKMP:(6230):atts are acceptable.

Settings of both sides do not change in between. It just happens if I try often enough.

Any idea what could be the reason for this behaviour?

Thank you

Stefan

1 Accepted Solution

If anyone has this problem too, this is the solution:

https://support.microsoft.com/en-us/help/926179/how-to-configure-an-l2tp-ipsec-server-behind-a-nat-t-device-in-windows

AssumeUDPEncapsulationContextOnSendRule should be set to 2.

3 Replies

Not sure, but could it be "idle timeout" or rekey that occurs.

Please rate as helpful, if that would be the case. Thanks

What might be the difference between

- encaps 2 (Transport) --> works

- encaps 4 (Transport-UDP) --> does not work

Is there any chance to influence this parameter on the client side (i.e. Windows 10)?
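
An added example, not part of the original thread: a small Python parser for the ISAKMP debug output posted in the question. It groups phase 2 proposals by encapsulation mode and decodes the VPI lifetime bytes, so a failure tied only to Transport-UDP proposals is easy to spot. The names `SAMPLE`, `parse_proposals` and `by_encaps` are hypothetical, and the sample lines are condensed from the excerpts above.

```python
import re
from collections import Counter

# Constructed sample: lines condensed from the two debug excerpts in the question.
SAMPLE = """\
Oct 17 14:41:04.169: ISAKMP:(6233):Checking IPSec proposal 1
Oct 17 14:41:04.169: ISAKMP: transform 1, ESP_AES
Oct 17 14:41:04.169: ISAKMP:      encaps is 4 (Transport-UDP)
Oct 17 14:41:04.169: ISAKMP:      SA life type in seconds
Oct 17 14:41:04.169: ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xE 0x10
Oct 17 14:41:04.169: IPSEC(ipsec_process_proposal): transform not supported by encryption hardware:
Oct 17 14:41:04.169: ISAKMP:(6233):Checking IPSec proposal 2
Oct 17 14:41:04.169: ISAKMP: transform 1, ESP_3DES
Oct 17 14:41:04.169: ISAKMP:      encaps is 4 (Transport-UDP)
Oct 17 14:41:04.173: IPSEC(ipsec_process_proposal): transform not supported by encryption hardware:
Oct 17 14:39:59.069: ISAKMP:(6230):Checking IPSec proposal 1
Oct 17 14:39:59.069: ISAKMP: transform 1, ESP_AES
Oct 17 14:39:59.069: ISAKMP:      encaps is 2 (Transport)
Oct 17 14:39:59.069: ISAKMP:      SA life type in kilobytes
Oct 17 14:39:59.069: ISAKMP:      SA life duration (VPI) of  0x0 0x3 0xD0 0x90
"""

def parse_proposals(text):
    """Return one dict per 'Checking IPSec proposal' block of the ISAKMP debug output."""
    proposals, cur, unit = [], None, None
    for line in text.splitlines():
        if m := re.search(r"\((\d+)\):Checking IPSec proposal (\d+)", line):
            cur = {"sa": int(m[1]), "proposal": int(m[2]), "rejected_by": None}
            proposals.append(cur)
        elif cur is None:
            continue  # ignore anything logged before the first proposal
        elif m := re.search(r"transform \d+, (\S+)", line):
            cur["transform"] = m[1]
        elif m := re.search(r"encaps is (\d+) \((.+?)\)", line):
            cur["encaps"] = (int(m[1]), m[2])
        elif m := re.search(r"SA life type in (\w+)", line):
            unit = m[1]  # the next VPI line is expressed in this unit
        elif m := re.search(r"SA life duration \(VPI\) of((?:\s+0x[0-9A-Fa-f]+)+)", line):
            # VPI is printed as big-endian bytes: 0x0 0x0 0xE 0x10 -> 0x0E10
            cur[unit] = int.from_bytes(bytes(int(b, 16) for b in m[1].split()), "big")
        elif m := re.search(r"IPSEC\(ipsec_process_proposal\): (.+?):?\s*$", line):
            cur["rejected_by"] = m[1]
    return proposals

def by_encaps(proposals):
    """Count (encaps mode, outcome) pairs; 'not rejected' means no rejection was logged."""
    return Counter((p.get("encaps", (0, "?"))[1],
                    "rejected" if p["rejected_by"] else "not rejected") for p in proposals)
```

On the sample, both Transport-UDP proposals are counted as rejected and the single Transport proposal is not, with lifetimes decoded as 3600 seconds and 250000 kilobytes.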
