09-19-2011 04:47 PM - edited 02-21-2020 05:36 PM
Sep 19 16:43:19.958 AEST: ISAKMP:(1025):Checking IPSec proposal 1
Sep 19 16:43:19.958 AEST: ISAKMP: transform 1, ESP_AES
Sep 19 16:43:19.958 AEST: ISAKMP: attributes in transform:
Sep 19 16:43:19.958 AEST: ISAKMP: SA life type in seconds
Sep 19 16:43:19.958 AEST: ISAKMP: SA life duration (basic) of 28800
Sep 19 16:43:19.958 AEST: ISAKMP: SA life type in kilobytes
Sep 19 16:43:19.958 AEST: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
Sep 19 16:43:19.958 AEST: ISAKMP: encaps is 3 (Tunnel-UDP)
Sep 19 16:43:19.958 AEST: ISAKMP: authenticator is HMAC-SHA
Sep 19 16:43:19.958 AEST: ISAKMP: key length is 256
Sep 19 16:43:19.958 AEST: ISAKMP:(1025):atts are acceptable.
Sep 19 16:43:19.958 AEST: IPSEC(validate_proposal_request): proposal part #1
Sep 19 16:43:19.958 AEST: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= <ip address removed>:0, remote= <ip address removed>:0,
local_proxy= <ip address removed>/255.255.255.255/0/0 (type=1),
remote_proxy= <ip address removed>/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= NONE (Tunnel-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Sep 19 16:43:19.958 AEST: Crypto mapdb : proxy_match
src addr : <ip address removed>
dst addr : <ip address removed>
protocol : 0
src port : 0
dst port : 0
Sep 19 16:43:19.958 AEST: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-aes 256 esp-sha-hmac }
Sep 19 16:43:19.958 AEST: ISAKMP:(1025): IPSec policy invalidated proposal with error 256
Does the highlighted part tell me that my transform set is not being matched/applied to the incoming traffic? Is there any way I can determine from this output what part of the negotiation has caused it to fail? (or other output I can generate)
My transform set commands are shown below (this is on an 1841):
crypto ipsec transform-set transformset1 ah-sha-hmac esp-aes 256
crypto map IPSECMap 3 ipsec-isakmp
 set peer <ip address removed>
 set transform-set transformset1
 match address 102
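The debug output already names the mismatch: the peer's proposal 1 is ESP with AES (key length 256) and an HMAC-SHA authenticator, which IOS prints as the identity {esp-aes 256 esp-sha-hmac }, while transformset1 pairs AH-SHA-HMAC with ESP-AES-256 and carries no ESP authenticator at all. The Python below is an added example, not part of the original thread or of any Cisco tool: it pulls each "IPSec proposal" out of the posted debug lines, parses the configured transform-set lines into the same keyword form, and reports which keywords differ. The debug lines are quoted from the post (timestamps trimmed); transformset2 is a constructed line that spells out the rejected identity, and the mappings for ESP_3DES, ESP_DES, ESP_NULL and HMAC-MD5 are assumptions, since the page only shows ESP_AES and HMAC-SHA.

```python
import re

# Debug lines quoted from the post above ('debug crypto isakmp'), with the
# "Sep 19 16:43:19.958 AEST:" prefix trimmed so the sample stays short.
DEBUG_LINES = [
    "ISAKMP:(1025):Checking IPSec proposal 1",
    "ISAKMP: transform 1, ESP_AES",
    "ISAKMP: attributes in transform:",
    "ISAKMP: SA life type in seconds",
    "ISAKMP: SA life duration (basic) of 28800",
    "ISAKMP: encaps is 3 (Tunnel-UDP)",
    "ISAKMP: authenticator is HMAC-SHA",
    "ISAKMP: key length is 256",
    "ISAKMP:(1025):atts are acceptable.",
]

# transformset1 is the poster's original line; transformset2 is a constructed
# example that spells out exactly the identity the debug says was rejected.
CONFIG_LINES = [
    "crypto ipsec transform-set transformset1 ah-sha-hmac esp-aes 256",
    "crypto ipsec transform-set transformset2 esp-aes 256 esp-sha-hmac",
]

# ISAKMP debug names -> IOS transform-set keywords. Only ESP_AES and HMAC-SHA
# appear on the page; the other entries are assumed for illustration.
ENCRYPTION = {"ESP_AES": "esp-aes", "ESP_3DES": "esp-3des",
              "ESP_DES": "esp-des", "ESP_NULL": "esp-null"}
AUTHENTICATOR = {"HMAC-SHA": "esp-sha-hmac", "HMAC-MD5": "esp-md5-hmac"}


def parse_proposals(lines):
    """Return one set of IOS-style keywords per 'IPSec proposal' in the debug."""
    proposals, cur = [], None
    for line in lines:
        if re.search(r"Checking IPSec proposal \d+", line):
            cur = set()
            proposals.append(cur)
            continue
        if cur is None:
            continue
        m = re.search(r"transform \d+, (\S+)", line)
        if m:
            cur.add(ENCRYPTION.get(m.group(1), m.group(1).lower()))
            continue
        m = re.search(r"authenticator is (\S+)", line)
        if m:
            cur.add(AUTHENTICATOR.get(m.group(1), m.group(1).lower()))
            continue
        m = re.search(r"key length is (\d+)", line)
        if m and "esp-aes" in cur:
            # Fold the key length into the cipher keyword, as IOS prints it.
            cur.discard("esp-aes")
            cur.add(f"esp-aes {m.group(1)}")
    return proposals


def parse_transform_sets(lines):
    """Return {name: set(keywords)} from 'crypto ipsec transform-set' lines.
    A bare 'esp-aes' is normalised to 'esp-aes 128', the IOS default."""
    sets = {}
    for line in lines:
        parts = line.split()
        if parts[:3] != ["crypto", "ipsec", "transform-set"]:
            continue
        name, toks = parts[3], parts[4:]
        out, i = set(), 0
        while i < len(toks):
            tok = toks[i]
            if tok == "esp-aes":
                if i + 1 < len(toks) and toks[i + 1].isdigit():
                    tok = f"esp-aes {toks[i + 1]}"
                    i += 1
                else:
                    tok = "esp-aes 128"
            out.add(tok)
            i += 1
        sets[name] = out
    return sets


def match_report(proposals, transform_sets):
    """For each transform set: the number of the first proposal it equals, or,
    when nothing matches, the keywords that differ from proposal 1."""
    report = {}
    for name, ts in transform_sets.items():
        hit = next((n for n, p in enumerate(proposals, 1) if p == ts), None)
        if hit:
            report[name] = {"match": hit}
        else:
            peer = proposals[0]
            report[name] = {"match": None,
                            "only_local": sorted(ts - peer),
                            "only_peer": sorted(peer - ts)}
    return report


if __name__ == "__main__":
    props = parse_proposals(DEBUG_LINES)
    for name, r in match_report(props, parse_transform_sets(CONFIG_LINES)).items():
        print(name, r)
```

Run against the posted lines, transformset1 reports only_local ['ah-sha-hmac'] and only_peer ['esp-sha-hmac'], which is the AH-versus-ESP-authentication gap; transformset2 matches proposal 1. The comparison covers cipher, key length and authenticator only; encapsulation mode (the "encaps is 3 (Tunnel-UDP)" line) and lifetimes are not checked, so a match here is necessary but not sufficient for the SA to come up.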
09-19-2011 10:23 PM
Hi Dan,
I am not sure why you are using "ah-sha-hmac esp-aes-256"; however, just to isolate the issue, have you tried something like this:
crypto ipsec transform-set transformset1 esp-3des esp-sha-hmac
Give it a shot and let us know how it goes.
Hope this helps,
Sian
09-19-2011 10:29 PM
I am not sure why you are using "ah-sha-hmac esp-aes-256"
Because the last time I scratch-built an IPSEC tunnel on an IOS device was 2002, and apparently I'm still living in the past where AH is in use...
That fixed the issue. The ASA at the other end was refusing to do unencrypted authentication.
Thanks!