IPSEC(validate_transform_proposal): peer address X.X.X.X not found

jmondaca
Level 1

When trying to establish a VPN connection from a VPN box to my firewall PIX 515E, I get the following in the debugs. Any ideas?

crypto_isakmp_process_block:src:Y.Y.Y.Y, dest:X.X.X.X spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (basic) of 28800

ISAKMP (0): atts are acceptable. Next payload is 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:Y.Y.Y.Y, dest:X.X.X.X spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:Y.Y.Y.Y, dest:X.X.X.X spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing HASH payload. message ID = 0

ISAKMP (0): SA has been authenticated

ISAKMP: Created a peer struct for Y.Y.Y.Y, peer port 62465

ISAKMP (0): ID payload

next-payload : 8

type : 1

protocol : 17

port : 500

length : 8

ISAKMP (0): Total payload length: 12

return status is IKMP_NO_ERROR

ISAKMP (0): sending INITIAL_CONTACT notify

ISAKMP (0): sending NOTIFY message 24578 protocol 1

VPN Peer: ISAKMP: Added new peer: ip:Y.Y.Y.Y/500 Total VPN Peers:1

VPN Peer: ISAKMP: Peer ip:Y.Y.Y.Y/500 Ref cnt incremented to:1 Total VPN Peers:1

crypto_isakmp_process_block:src:Y.Y.Y.Y, dest:X.X.X.X spt:500 dpt:500

OAK_QM exchange

oakley_process_quick_mode:

OAK_QM_IDLE

ISAKMP (0): processing SA payload. message ID = 3265318006

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES

ISAKMP: attributes in transform:

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10

ISAKMP: encaps is 1

ISAKMP: authenticator is HMAC-SHA

ISAKMP: group is 2

ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) dest= X.X.X.X, src= Y.Y.Y.Y,

dest_proxy= 192.168.147.0/255.255.255.0/0/0 (type=4),

src_proxy= 10.13.65.0/255.255.255.0/0/0 (type=4),

protocol= ESP, transform= esp-3des esp-sha-hmac ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x24

IPSEC(validate_transform_proposal): peer address Y.Y.Y.Y not found

IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) dest= X.X.X.X, src= Y.Y.Y.Y,

dest_proxy= 10.13.65.0/255.255.255.0/0/0 (type=4),

src_proxy= 192.168.147.0/255.255.255.0/0/0 (type=4),

protocol= ESP, transform= esp-3des esp-sha-hmac ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x24

IPSEC(validate_transform_proposal): peer address X.X.X.X not found

Thanks.

3 Replies

spremkumar
Level 9

Hi,

Before establishing the IPsec connectivity, do you have connectivity with the remote peer address that you've mentioned?

Are you able to ping and reach the remote peer?

Regards

Yes, there is connectivity between the peers, but any computer on the other network can ping my network.

Actually, I had another VPN connection to my network working fine, but when trying to add this new VPN connection (with another client) I get those logs.

Correct me if I am wrong, but I just added the network of the new client to the old access list and created the crypto map for the new client peer.

Regards,

Have you got the ISAKMP key parameter configured for the new peer, i.e.

isakmp key <keystring> address <peer-address> netmask 255.255.255.255

Also, a look at your config might help too (remember to take out any sensitive info)

Jay
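
As an added example (not part of the thread and not Cisco tooling), a small Python triage script for debug output like the one quoted in the question: it reports whether Phase 1 authenticated and lists each Phase 2 proposal that ended in "peer address ... not found", with the proxy networks it carried, so they can be compared against the crypto map entry and ISAKMP key configured for that peer. The sample is constructed by abridging the log above; the function and field names are this example's own.

```python
import re

# Constructed sample, abridged from the debug output quoted in the thread
# (addresses stay redacted as X.X.X.X / Y.Y.Y.Y, as on the page).
SAMPLE = """\
ISAKMP (0): SA has been authenticated
OAK_QM exchange
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= X.X.X.X, src= Y.Y.Y.Y,
dest_proxy= 192.168.147.0/255.255.255.0/0/0 (type=4),
src_proxy= 10.13.65.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac ,
IPSEC(validate_transform_proposal): peer address Y.Y.Y.Y not found
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= X.X.X.X, src= Y.Y.Y.Y,
dest_proxy= 10.13.65.0/255.255.255.0/0/0 (type=4),
src_proxy= 192.168.147.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac ,
IPSEC(validate_transform_proposal): peer address X.X.X.X not found
"""

# Fields of interest inside a validate_proposal_request block.
FIELD = re.compile(r"\b(dest_proxy|src_proxy|transform)= *([^,(]+?) *[,(]")
REJECT = re.compile(r"validate_transform_proposal\): peer address (\S+) not found")

def triage(debug_text):
    """Summarise a PIX 'debug crypto isakmp' / 'debug crypto ipsec' capture."""
    result = {"phase1_authenticated": False, "rejected": []}
    current = None
    for line in debug_text.splitlines():
        if "SA has been authenticated" in line:
            result["phase1_authenticated"] = True   # main mode completed
        if "validate_proposal_request" in line:
            current = {}                            # new Phase 2 proposal block
        if current is not None:
            for key, value in FIELD.findall(line):
                current[key] = value
        m = REJECT.search(line)
        if m:                                       # block ended in a rejection
            result["rejected"].append({"peer": m.group(1), **(current or {})})
            current = None
    return result

if __name__ == "__main__":
    report = triage(SAMPLE)
    print("Phase 1 authenticated:", report["phase1_authenticated"])
    for r in report["rejected"]:
        print("rejected for peer", r["peer"], "|", r.get("src_proxy"),
              "->", r.get("dest_proxy"), "|", r.get("transform"))
```

On the thread's log this shows Phase 1 completing and both orientations of the same proxy pair being rejected in Phase 2.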