IPsec tunnel problems between Cisco router and WatchGuard Firebox

filop
Level 1

Hello,

I have a problem establishing a VPN connection between these two boxes. On the Cisco side I use a 1721 router with the c1700-k8sy7-mz.122-15.T5.bin IOS.

A tunnel can be established only from the Cisco box to the WatchGuard Firebox. When the WatchGuard tries to establish a VPN connection, I get this error message on the Cisco:

Aug 7 10:20:22.175: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 195.91.44.100, remote= 62.217.33.200,
local_proxy= 192.168.199.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.26.90.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-sha-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
Aug 7 10:20:22.175: IPSEC(kei_proxy): head = sycon, map->ivrf = , kei->ivrf =
Aug 7 10:20:22.175: IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x2

I have checked the transform-set settings on both devices and they were the same. Then I changed the transform-set from

crypto ipsec transform-set sycon-set esp-des esp-sha-hmac

to

crypto ipsec transform-set sycon-set esp-des esp-md5-hmac

but got the same error message.

The configuration on the router is simple:

crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key xxxxxxx address xx.xxx.33.200
!
!
crypto ipsec transform-set sycon-set esp-des esp-md5-hmac
!
!
!
crypto map sycon local-address Loopback0
crypto map sycon 1 ipsec-isakmp
 set peer 62.217.33.200
 set security-association lifetime kilobytes 8192
 set security-association lifetime seconds 86400
 set transform-set sycon-set
 set pfs group1
 match address 110
!
interface Serial1.1 point-to-point
 ip address xx.xx.44.106 255.255.255.252
 frame-relay interface-dlci 16
 crypto map sycon
!
access-list 110 permit ip xxx.xxxx.199.0 0.0.0.255 xxxx.26.90.0 0.0.0.255

If there is a problem with the transform-set, can someone explain to me what the flags in the "invalid transform proposal flags -- 0x2" error message are and what they mean?

I was under the impression that when there is a problem with a transform-set, I would get an error message like this:

IPSec (validate_proposal): transform proposal
(port 3, trans 2, hmac_alg 2) not supported

Thank you.

Peter
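As an added example (not from the original thread), a small Python check that pulls the fields out of the validate_proposal_request record above and compares them with the crypto map's transform set and access list; the access-list networks are assumed from the proxies in the debug output because the post masks them, and the flags value is parsed but not interpreted.

```python
import re
import ipaddress

# Constructed sample: the validate_proposal_request record from the post,
# joined as the one key-engine message that IOS printed.
DEBUG_TEXT = """\
Aug 7 10:20:22.175: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 195.91.44.100, remote= 62.217.33.200,
local_proxy= 192.168.199.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.26.90.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-sha-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
"""
# Our side of the crypto map: transform set as in the posted config; the
# access-list networks are masked in the post, so they are assumed here.
LOCAL_CONFIG = {
    "transform_set": "esp-des esp-md5-hmac",
    "acl": [("192.168.199.0/24", "172.26.90.0/24")],
}
FIELD_PATTERNS = {
    "remote": r"remote= ([\d.]+)",
    "local_proxy": r"local_proxy= ([\d.]+)/([\d.]+)/",
    "remote_proxy": r"remote_proxy= ([\d.]+)/([\d.]+)/",
    "transform": r"transform= ([a-z0-9\- ]+?)\s*,",
    "flags": r"flags= (0x[0-9a-fA-F]+)",
}

def parse_proposal(text):
    """Extract peer, proxy identities, transform and flags from one debug record."""
    fields = {}
    for key, pattern in FIELD_PATTERNS.items():
        m = re.search(pattern, text)
        if m is None:
            raise ValueError(f"field '{key}' not found in debug record")
        fields[key] = m.group(1) if len(m.groups()) == 1 else m.groups()
    return fields

def check_proposal(fields, config):
    """Return the mismatches between the peer's proposal and our crypto map."""
    problems = []
    if fields["transform"].split() != config["transform_set"].split():
        problems.append(f"transform '{fields['transform']}' != '{config['transform_set']}'")
    # Proxy identities must match a permit line of the crypto map's access list.
    lp = ipaddress.ip_network("/".join(fields["local_proxy"]), strict=False)
    rp = ipaddress.ip_network("/".join(fields["remote_proxy"]), strict=False)
    if not any((lp, rp) == (ipaddress.ip_network(s), ipaddress.ip_network(d))
               for s, d in config["acl"]):
        problems.append(f"proxy identities {lp} -> {rp} match no access-list entry")
    return problems
```

Against the esp-des esp-md5-hmac set shown in the config it reports the hash mismatch; with the original esp-sha-hmac set it reports nothing, which is consistent with the poster seeing the same error with both and leaves the flags value as the remaining lead.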

2 Replies

trailman73
Level 4

I know about this link already, but did not find the answer in the document.