6497 Views, 0 Helpful, 2 Replies

IPSEC - possible causes for following output?

dan_wiebell (Level 1)

Sep 19 16:43:19.958 AEST: ISAKMP:(1025):Checking IPSec proposal 1
Sep 19 16:43:19.958 AEST: ISAKMP: transform 1, ESP_AES
Sep 19 16:43:19.958 AEST: ISAKMP:   attributes in transform:
Sep 19 16:43:19.958 AEST: ISAKMP:      SA life type in seconds
Sep 19 16:43:19.958 AEST: ISAKMP:      SA life duration (basic) of 28800
Sep 19 16:43:19.958 AEST: ISAKMP:      SA life type in kilobytes
Sep 19 16:43:19.958 AEST: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
Sep 19 16:43:19.958 AEST: ISAKMP:      encaps is 3 (Tunnel-UDP)
Sep 19 16:43:19.958 AEST: ISAKMP:      authenticator is HMAC-SHA
Sep 19 16:43:19.958 AEST: ISAKMP:      key length is 256
Sep 19 16:43:19.958 AEST: ISAKMP:(1025):atts are acceptable.
Sep 19 16:43:19.958 AEST: IPSEC(validate_proposal_request): proposal part #1
Sep 19 16:43:19.958 AEST: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= <ip address removed>:0, remote= <ip address removed>:0,
    local_proxy= <ip address removed>/255.255.255.255/0/0 (type=1),
    remote_proxy= <ip address removed>/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel-UDP),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Sep 19 16:43:19.958 AEST: Crypto mapdb : proxy_match
        src addr     : <ip address removed>
        dst addr     : <ip address removed>
        protocol     : 0
        src port     : 0
        dst port     : 0
Sep 19 16:43:19.958 AEST: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-aes 256 esp-sha-hmac }
Sep 19 16:43:19.958 AEST: ISAKMP:(1025): IPSec policy invalidated proposal with error 256

Does the highlighted part tell me that my transform set is not being matched/applied to the incoming traffic? Is there any way I can determine from this output what part of the negotiation has caused it to fail? (or other output I can generate)

My transform set commands are shown below (this is on an 1841):

crypto ipsec transform-set transformset1 ah-sha-hmac esp-aes 256

crypto map IPSECMap 3 ipsec-isakmp
 set peer <ip address removed>
 set transform-set transformset1
 match address 102

Accepted Solution

Parminder Sian (Level 1)

Hi Dan,

I am not sure why you are using "ah-sha-hmac esp-aes-256"; however, just to isolate the issue, have you tried something like this:

crypto ipsec transform-set transformset1 esp-3des esp-sha-hmac

Give it a shot and let us know how it goes.

Hope this helps,

Sian


2 Replies

I am not sure why you are using "ah-sha-hmac esp-aes-256"

Because the last time I scratch built an IPSEC tunnel on an IOS device was 2002 and apparently I'm still living in the past where AH is in use...

That fixed the issue. The ASA at the other end was refusing to do unencrypted authentication.

Thanks!
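The debug output in the question and the resolution in the last reply together show the general pattern: the "transform proposal not supported for identity" line is IOS saying that no configured transform set offers exactly what the peer proposed, and the cure is to compare the two side by side. The following Python checker, an added example that is not part of the thread and not Cisco code, does that comparison mechanically. It parses the ISAKMP attribute lines of a single proposal into a normalised set of (protocol, role, algorithm, key length) transforms, parses "crypto ipsec transform-set" lines into the same form, and reports the difference. The sample debug lines and both transform-set lines are constructed from this thread; the AH_* spelling in the "transform N, ..." line and the 128-bit default for "esp-aes" without an explicit key length are assumptions.

```python
"""Compare a peer's IPsec proposal (from IOS 'debug crypto isakmp/ipsec' output) with
the responder's configured transform sets and explain why they do not match.
Added illustrative code; not Cisco's or the forum poster's."""
import re
from dataclasses import dataclass

# Constructed sample: the relevant lines from the thread's debug output.
DEBUG_OUTPUT = """\
Sep 19 16:43:19.958 AEST: ISAKMP:(1025):Checking IPSec proposal 1
Sep 19 16:43:19.958 AEST: ISAKMP: transform 1, ESP_AES
Sep 19 16:43:19.958 AEST: ISAKMP:   attributes in transform:
Sep 19 16:43:19.958 AEST: ISAKMP:      encaps is 3 (Tunnel-UDP)
Sep 19 16:43:19.958 AEST: ISAKMP:      authenticator is HMAC-SHA
Sep 19 16:43:19.958 AEST: ISAKMP:      key length is 256
Sep 19 16:43:19.958 AEST: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-aes 256 esp-sha-hmac }
"""

# Constructed samples: the transform set from the question and an ESP-only replacement.
LOCAL_CONFIG_BEFORE = "crypto ipsec transform-set transformset1 ah-sha-hmac esp-aes 256"
LOCAL_CONFIG_AFTER = "crypto ipsec transform-set transformset1 esp-aes 256 esp-sha-hmac"


@dataclass(frozen=True)
class Transform:
    proto: str        # "esp" or "ah"
    role: str         # "encr" (cipher) or "auth" (integrity)
    alg: str          # "aes", "3des", "des", "sha", "md5"
    keylen: int = 0   # only meaningful for AES


def parse_transform_set(line: str) -> frozenset:
    """Parse 'crypto ipsec transform-set NAME t1 t2 ...' into a set of Transform."""
    m = re.match(r"crypto ipsec transform-set\s+\S+\s+(.*)", line.strip())
    if not m:
        raise ValueError(f"not a transform-set line: {line!r}")
    tokens = m.group(1).split()
    result, i = set(), 0
    while i < len(tokens):
        tok = tokens[i]
        i += 1
        if tok in ("esp-aes", "esp-3des", "esp-des"):
            alg, keylen = tok[4:], 0
            if alg == "aes":
                keylen = 128                       # assumed default when no size is given
                if i < len(tokens) and tokens[i].isdigit():
                    keylen = int(tokens[i])
                    i += 1
            result.add(Transform("esp", "encr", alg, keylen))
        elif re.fullmatch(r"(esp|ah)-(sha|md5)-hmac", tok):
            proto, alg, _ = tok.split("-")
            result.add(Transform(proto, "auth", alg))
        else:
            raise ValueError(f"unrecognised transform {tok!r}")
    return frozenset(result)


def parse_peer_proposal(debug: str) -> frozenset:
    """Rebuild the peer's proposal from the ISAKMP attribute lines (one transform assumed)."""
    result, encr, keylen, auth = set(), None, 0, None
    for line in debug.splitlines():
        m = re.search(r"ISAKMP: transform \d+, (ESP|AH)_(\w+)", line)
        if m:
            proto, alg = m.group(1).lower(), m.group(2).lower()
            if proto == "esp":
                encr = alg                         # ESP_AES / ESP_3DES / ESP_DES
            else:
                result.add(Transform("ah", "auth", alg))   # AH_SHA / AH_MD5 naming assumed
        m = re.search(r"key length is (\d+)", line)
        if m:
            keylen = int(m.group(1))
        m = re.search(r"authenticator is HMAC-(\w+)", line)
        if m:
            auth = m.group(1).lower()
    if encr:
        result.add(Transform("esp", "encr", encr, keylen if encr == "aes" else 0))
        if auth:
            result.add(Transform("esp", "auth", auth))   # ESP's own integrity check
    return frozenset(result)


def fmt(t: Transform) -> str:
    """Render a Transform in IOS transform-set syntax."""
    if t.role == "encr":
        return f"esp-{t.alg} {t.keylen}" if t.alg == "aes" else f"esp-{t.alg}"
    return f"{t.proto}-{t.alg}-hmac"


def explain_mismatch(peer: frozenset, local: frozenset) -> list:
    """Return the reasons the local transform set cannot accept the peer's proposal
    (empty list means the sets match exactly)."""
    key = lambda t: (t.proto, t.role, t.alg)
    reasons = [f"peer proposes {fmt(t)} but no local transform set offers it"
               for t in sorted(peer - local, key=key)]
    reasons += [f"local transform set requires {fmt(t)} which the peer did not propose"
                for t in sorted(local - peer, key=key)]
    return reasons


if __name__ == "__main__":
    peer = parse_peer_proposal(DEBUG_OUTPUT)
    for cfg in (LOCAL_CONFIG_BEFORE, LOCAL_CONFIG_AFTER):
        print(cfg)
        print("  " + ("\n  ".join(explain_mismatch(peer, parse_transform_set(cfg))) or "match"))
```

Run against the thread's data, the checker reports that the peer proposes esp-sha-hmac (integrity inside ESP) while the local set requires ah-sha-hmac (integrity via a separate AH header) instead, which is exactly the ASA's objection in the last reply; with the ESP-only set it reports a match. Only exact transform-set matches are accepted by IOS, so the comparison is set equality rather than a superset test.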
