
L2TP/IPSEC failing for Android (invalid transform proposal flags -- 0x800)

adrianopinaffo1
Level 1

Hello,

I have set up an L2TP/IPSEC tunnel using a Cisco 1905 router, which is behind a Cisco ASA firewall. This tunnel is to be established between the router and mobile devices, mainly iPhones and Androids. For the sake of troubleshooting, I made sure the FW would not be in the way (opened all necessary ports, configured NAT and routes, etc.). It turns out the iPhones establish the tunnel correctly but the Androids fail.

Apparently the problem is in phase 2 of IPSec, specifically where the debug says:
Dec 18 12:42:34.226: IPSEC(ipsec_process_proposal): invalid transform proposal flags -- 0x800
Dec 18 12:42:34.226: ISAKMP:(1028): IPSec policy invalidated proposal with error 1024

I tried AES and 3DES in the transform-sets but it seems it just doesn't work.

Can anyone help me out?

Router: Cisco 1905, image: c1900-universalk9-mz.SPA.150-1.M8.bin
iPhone: 6 (iOS 8.1) and 5 (9.1)
Android: Motorola MotoG (Android 4.4.2)

Mobile devices setup:

Type: L2TP/IPSec PSK
Server address: <public IP address>
IPSec Pre-shared password: cisco
username: cisco
password: cisco

Cisco 1905 relevant config:

aaa authentication ppp default local
!
vpdn enable
!
vpdn-group L2TP
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
username cisco password cisco
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key cisco address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp keepalive 3600
!
!
crypto ipsec transform-set ipnetconfig esp-3des esp-sha-hmac
mode transport
!
crypto dynamic-map ipnetconfig-map 10
set nat demux
set transform-set ipnetconfig
!
!
crypto map cisco 10 ipsec-isakmp dynamic ipnetconfig-map
!
!
interface GigabitEthernet0/0
ip address 192.168.0.1 255.255.255.192
no ip proxy-arp
duplex auto
speed auto
crypto map cisco
!
!
interface Virtual-Template1
ip unnumbered GigabitEthernet0/0
peer default ip address pool poolipnetconfig
ppp encrypt mppe 40
ppp authentication ms-chap-v2 pap chap ms-chap
!
ip local pool poolipnetconfig 192.168.1.1 192.168.1.255

Debug:

Dec 18 12:42:30.763: ISAKMP (0): received packet from 200.247.229.53 dport 500 sport 50003 Global (N) NEW SA
Dec 18 12:42:30.763: ISAKMP: Created a peer struct for 200.247.229.53, peer port 50003
Dec 18 12:42:30.763: ISAKMP: New peer created peer = 0x285F5FBC peer_handle = 0x80000018
Dec 18 12:42:30.763: ISAKMP: Locking peer struct 0x285F5FBC, refcount 1 for crypto_isakmp_process_block
Dec 18 12:42:30.763: ISAKMP: local port 500, remote port 50003
Dec 18 12:42:30.763: ISAKMP:(0):insert sa successfully sa = 28840894
Dec 18 12:42:30.763: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Dec 18 12:42:30.763: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1

Dec 18 12:42:30.763: ISAKMP:(0): processing SA payload. message ID = 0
Dec 18 12:42:30.763: ISAKMP:(0): processing vendor id payload
Dec 18 12:42:30.763: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Dec 18 12:42:30.763: ISAKMP (0): vendor ID is NAT-T RFC 3947
Dec 18 12:42:30.763: ISAKMP:(0): processing vendor id payload
Dec 18 12:42:30.763: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
Dec 18 12:42:30.763: ISAKMP:(0): processing vendor id payload
Dec 18 12:42:30.763: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Dec 18 12:42:30.763: ISAKMP:(0): vendor ID is NAT-T v2
Dec 18 12:42:30.763: ISAKMP:(0): processing vendor id payload
Dec 18 12:42:30.763: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
Dec 18 12:42:30.763: ISAKMP:(0): processing vendor id payload
Dec 18 12:42:30.763: ISAKMP:(0): processing IKE frag vendor id payload
Dec 18 12:42:30.763: ISAKMP:(0):Support for IKE Fragmentation not enabled
Dec 18 12:42:30.763: ISAKMP:(0): processing vendor id payload
Dec 18 12:42:30.763: ISAKMP:(0): vendor ID is DPD
Dec 18 12:42:30.763: ISAKMP:(0):found peer pre-shared key matching 200.247.229.53
Dec 18 12:42:30.763: ISAKMP:(0): local preshared key found
Dec 18 12:42:30.763: ISAKMP : Scanning profiles for xauth ...
Dec 18 12:42:30.767: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Dec 18 12:42:30.767: ISAKMP: life type in seconds
Dec 18 12:42:30.767: ISAKMP: life duration (basic) of 28800
Dec 18 12:42:30.767: ISAKMP: encryption AES-CBC
Dec 18 12:42:30.767: ISAKMP: keylength of 256
Dec 18 12:42:30.767: ISAKMP: auth pre-share
Dec 18 12:42:30.767: ISAKMP: hash SHA
Dec 18 12:42:30.767: ISAKMP: default group 2
Dec 18 12:42:30.767: ISAKMP:(0):Encryption algorithm offered does not match policy!
Dec 18 12:42:30.767: ISAKMP:(0):atts are not acceptable. Next payload is 3
Dec 18 12:42:30.767: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
Dec 18 12:42:30.767: ISAKMP: life type in seconds
Dec 18 12:42:30.767: ISAKMP: life duration (basic) of 28800
Dec 18 12:42:30.767: ISAKMP: encryption AES-CBC
Dec 18 12:42:30.767: ISAKMP: keylength of 256
Dec 18 12:42:30.767: ISAKMP: auth pre-share
Dec 18 12:42:30.767: ISAKMP: hash MD5
Dec 18 12:42:30.767: ISAKMP: default group 2
Dec 18 12:42:30.767: ISAKMP:(0):Encryption algorithm offered does not match policy!
Dec 18 12:42:30.767: ISAKMP:(0):atts are not acceptable. Next payload is 3
Dec 18 12:42:30.767: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
Dec 18 12:42:30.767: ISAKMP: life type in seconds
Dec 18 12:42:30.767: ISAKMP: life duration (basic) of 28800
Dec 18 12:42:30.767: ISAKMP: encryption AES-CBC
Dec 18 12:42:30.767: ISAKMP: keylength of 128
Dec 18 12:42:30.767: ISAKMP: auth pre-share
Dec 18 12:42:30.767: ISAKMP: hash SHA
Dec 18 12:42:30.767: ISAKMP: default group 2
Dec 18 12:42:30.767: ISAKMP:(0):Encryption algorithm offered does not match policy!
Dec 18 12:42:30.767: ISAKMP:(0):atts are not acceptable. Next payload is 3
Dec 18 12:42:30.767: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
Dec 18 12:42:30.767: ISAKMP: life type in seconds
Dec 18 12:42:30.767: ISAKMP: life duration (basic) of 28800
Dec 18 12:42:30.767: ISAKMP: encryption AES-CBC
Dec 18 12:42:30.767: ISAKMP: keylength of 128
Dec 18 12:42:30.767: ISAKMP: auth pre-share
Dec 18 12:42:30.767: ISAKMP: hash MD5
Dec 18 12:42:30.767: ISAKMP: default group 2
Dec 18 12:42:30.767: ISAKMP:(0):Encryption algorithm offered does not match policy!
Dec 18 12:42:30.767: ISAKMP:(0):atts are not acceptable. Next payload is 3
Dec 18 12:42:30.767: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
Dec 18 12:42:30.767: ISAKMP: life type in seconds
Dec 18 12:42:30.767: ISAKMP: life duration (basic) of 28800
Dec 18 12:42:30.767: ISAKMP: encryption 3DES-CBC
Dec 18 12:42:30.767: ISAKMP: auth pre-share
Dec 18 12:42:30.767: ISAKMP: hash SHA
Dec 18 12:42:30.767: ISAKMP: default group 2
Dec 18 12:42:30.767: ISAKMP:(0):atts are acceptable. Next payload is 3
Dec 18 12:42:30.767: ISAKMP:(0):Acceptable atts:actual life: 3600
Dec 18 12:42:30.767: ISAKMP:(0):Acceptable atts:life: 0
Dec 18 12:42:30.767: ISAKMP:(0):Basic life_in_seconds:28800
Dec 18 12:42:30.767: ISAKMP:(0):Returning Actual lifetime: 3600
Dec 18 12:42:30.767: ISAKMP:(0)::Started lifetime timer: 3600.

Dec 18 12:42:30.767: ISAKMP:(0): processing vendor id payload
Dec 18 12:42:30.767: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Dec 18 12:42:30.767: ISAKMP (0): vendor ID is NAT-T RFC 3947
Dec 18 12:42:30.767: ISAKMP:(0): processing vendor id payload
Dec 18 12:42:30.767: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
Dec 18 12:42:30.767: ISAKMP:(0): processing vendor id payload
Dec 18 12:42:30.767: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Dec 18 12:42:30.767: ISAKMP:(0): vendor ID is NAT-T v2
Dec 18 12:42:30.767: ISAKMP:(0): processing vendor id payload
Dec 18 12:42:30.767: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
Dec 18 12:42:30.767: ISAKMP:(0): processing vendor id payload
Dec 18 12:42:30.767: ISAKMP:(0): processing IKE frag vendor id payload
Dec 18 12:42:30.767: ISAKMP:(0):Support for IKE Fragmentation not enabled
Dec 18 12:42:30.767: ISAKMP:(0): processing vendor id payload
Dec 18 12:42:30.767: ISAKMP:(0): vendor ID is DPD
Dec 18 12:42:30.767: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Dec 18 12:42:30.767: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1

Dec 18 12:42:30.767: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Dec 18 12:42:30.767: ISAKMP:(0): sending packet to 200.247.229.53 my_port 500 peer_port 50003 (R) MM_SA_SETUP
Dec 18 12:42:30.767: ISAKMP:(0):Sending an IKE IPv4 Packet.
Dec 18 12:42:30.767: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Dec 18 12:42:30.767: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2

Dec 18 12:42:31.730: ISAKMP (0): received packet from 200.247.229.53 dport 500 sport 50003 Global (R) MM_SA_SETUP
Dec 18 12:42:31.730: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Dec 18 12:42:31.730: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3

Dec 18 12:42:31.730: ISAKMP:(0): processing KE payload. message ID = 0
Dec 18 12:42:31.758: ISAKMP:(0): processing NONCE payload. message ID = 0
Dec 18 12:42:31.758: ISAKMP:(0):found peer pre-shared key matching 200.247.229.53
Dec 18 12:42:31.758: ISAKMP:received payload type 20
Dec 18 12:42:31.758: ISAKMP (1028): NAT found, both nodes inside NAT
Dec 18 12:42:31.758: ISAKMP:received payload type 20
Dec 18 12:42:31.758: ISAKMP (1028): NAT found, both nodes inside NAT
Dec 18 12:42:31.758: ISAKMP:(1028):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Dec 18 12:42:31.758: ISAKMP:(1028):Old State = IKE_R_MM3 New State = IKE_R_MM3

Dec 18 12:42:31.758: ISAKMP:(1028): sending packet to 200.247.229.53 my_port 500 peer_port 50003 (R) MM_KEY_EXCH
Dec 18 12:42:31.758: ISAKMP:(1028):Sending an IKE IPv4 Packet.
Dec 18 12:42:31.758: ISAKMP:(1028):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Dec 18 12:42:31.758: ISAKMP:(1028):Old State = IKE_R_MM3 New State = IKE_R_MM4

Dec 18 12:42:32.278: ISAKMP (1028): received packet from 200.247.229.53 dport 4500 sport 50001 Global (R) MM_KEY_EXCH
Dec 18 12:42:32.278: ISAKMP:(1028):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Dec 18 12:42:32.278: ISAKMP:(1028):Old State = IKE_R_MM4 New State = IKE_R_MM5

Dec 18 12:42:32.278: ISAKMP:(1028): processing ID payload. message ID = 0
Dec 18 12:42:32.278: ISAKMP (1028): ID payload
next-payload : 8
type : 1
address : 10.92.110.15
protocol : 17
port : 500
length : 12
Dec 18 12:42:32.278: ISAKMP:(0):: peer matches *none* of the profiles
Dec 18 12:42:32.278: ISAKMP:(1028): processing HASH payload. message ID = 0
Dec 18 12:42:32.278: ISAKMP:(1028):SA authentication status:
authenticated
Dec 18 12:42:32.278: ISAKMP:(1028):SA has been authenticated with 200.247.229.53
Dec 18 12:42:32.278: ISAKMP:(1028):Detected port floating to port = 50001
Dec 18 12:42:32.278: ISAKMP: Trying to insert a peer 192.168.0.1/200.247.229.53/50001/, and inserted successfully 285F5FBC.
Dec 18 12:42:32.278: ISAKMP:(1028):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Dec 18 12:42:32.278: ISAKMP:(1028):Old State = IKE_R_MM5 New State = IKE_R_MM5

Dec 18 12:42:32.278: ISAKMP:(1028):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Dec 18 12:42:32.278: ISAKMP (1028): ID payload
next-payload : 8
type : 1
address : 192.168.0.1
protocol : 17
port : 0
length : 12
Dec 18 12:42:32.278: ISAKMP:(1028):Total payload length: 12
Dec 18 12:42:32.278: ISAKMP:(1028): sending packet to 200.247.229.53 my_port 4500 peer_port 50001 (R) MM_KEY_EXCH
Dec 18 12:42:32.278: ISAKMP:(1028):Sending an IKE IPv4 Packet.
Dec 18 12:42:32.278: ISAKMP:(1028):Returning Actual lifetime: 3600
Dec 18 12:42:32.278: ISAKMP: set new node 662318345 to QM_IDLE
Dec 18 12:42:32.278: ISAKMP:(1028):Sending NOTIFY RESPONDER_LIFETIME protocol 1
spi 672252680, message ID = 662318345
Dec 18 12:42:32.278: ISAKMP:(1028): sending packet to 200.247.229.53 my_port 4500 peer_port 50001 (R) MM_KEY_EXCH
Dec 18 12:42:32.278: ISAKMP:(1028):Sending an IKE IPv4 Packet.
Dec 18 12:42:32.278: ISAKMP:(1028):purging node 662318345
Dec 18 12:42:32.278: ISAKMP: Sending phase 1 responder lifetime 3600

Dec 18 12:42:32.278: ISAKMP:(1028):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Dec 18 12:42:32.278: ISAKMP:(1028):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE

Dec 18 12:42:32.278: ISAKMP:(1028):IKE_DPD is enabled, initializing timers
Dec 18 12:42:32.282: ISAKMP:(1028):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Dec 18 12:42:32.282: ISAKMP:(1028):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Dec 18 12:42:32.834: ISAKMP (1028): received packet from 200.247.229.53 dport 4500 sport 50001 Global (R) QM_IDLE
Dec 18 12:42:32.834: ISAKMP: set new node -647285005 to QM_IDLE
Dec 18 12:42:32.834: ISAKMP:(1028): processing HASH payload. message ID = -647285005
Dec 18 12:42:32.834: ISAKMP:(1028): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = -647285005, sa = 28840894
Dec 18 12:42:32.834: ISAKMP:(1028):SA authentication status:
authenticated
Dec 18 12:42:32.834: ISAKMP:(1028): Process initial contact,
bring down existing phase 1 and 2 SA's with local 192.168.0.1 remote 200.247.229.53 remote port 50001
Dec 18 12:42:32.834: ISAKMP:(1028):deleting node -647285005 error FALSE reason "Informational (in) state 1"
Dec 18 12:42:32.834: ISAKMP:(1028):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Dec 18 12:42:32.834: ISAKMP:(1028):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Dec 18 12:42:32.834: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Dec 18 12:42:34.222: ISAKMP (1028): received packet from 200.247.229.53 dport 4500 sport 50004 Global (R) QM_IDLE
Dec 18 12:42:34.222: ISAKMP: set new node -725923158 to QM_IDLE
Dec 18 12:42:34.222: ISAKMP:(1028): processing HASH payload. message ID = -725923158
Dec 18 12:42:34.222: ISAKMP:(1028): processing SA payload. message ID = -725923158
Dec 18 12:42:34.222: ISAKMP:(1028):Checking IPSec proposal 1
Dec 18 12:42:34.222: ISAKMP: transform 1, ESP_AES
Dec 18 12:42:34.222: ISAKMP: attributes in transform:
Dec 18 12:42:34.222: ISAKMP: SA life type in seconds
Dec 18 12:42:34.222: ISAKMP: SA life duration (basic) of 28800
Dec 18 12:42:34.222: ISAKMP: encaps is 4 (Transport-UDP)
Dec 18 12:42:34.222: ISAKMP: key length is 256
Dec 18 12:42:34.222: ISAKMP: authenticator is HMAC-SHA
Dec 18 12:42:34.222: ISAKMP:(1028):atts are acceptable.
Dec 18 12:42:34.222: ISAKMP:(1028):Checking IPSec proposal 1
Dec 18 12:42:34.222: ISAKMP: transform 2, ESP_AES
Dec 18 12:42:34.222: ISAKMP: attributes in transform:
Dec 18 12:42:34.222: ISAKMP: SA life type in seconds
Dec 18 12:42:34.222: ISAKMP: SA life duration (basic) of 28800
Dec 18 12:42:34.222: ISAKMP: encaps is 4 (Transport-UDP)
Dec 18 12:42:34.222: ISAKMP: key length is 256
Dec 18 12:42:34.222: ISAKMP: authenticator is HMAC-MD5
Dec 18 12:42:34.222: ISAKMP:(1028):atts are acceptable.
Dec 18 12:42:34.222: ISAKMP:(1028):Checking IPSec proposal 1
Dec 18 12:42:34.222: ISAKMP: transform 3, ESP_AES
Dec 18 12:42:34.222: ISAKMP: attributes in transform:
Dec 18 12:42:34.222: ISAKMP: SA life type in seconds
Dec 18 12:42:34.222: ISAKMP: SA life duration (basic) of 28800
Dec 18 12:42:34.222: ISAKMP: encaps is 4 (Transport-UDP)
Dec 18 12:42:34.222: ISAKMP: key length is 128
Dec 18 12:42:34.222: ISAKMP: authenticator is HMAC-SHA
Dec 18 12:42:34.222: ISAKMP:(1028):atts are acceptable.
Dec 18 12:42:34.222: ISAKMP:(1028):Checking IPSec proposal 1
Dec 18 12:42:34.222: ISAKMP: transform 4, ESP_AES
Dec 18 12:42:34.222: ISAKMP: attributes in transform:
Dec 18 12:42:34.222: ISAKMP: SA life type in seconds
Dec 18 12:42:34.222: ISAKMP: SA life duration (basic) of 28800
Dec 18 12:42:34.222: ISAKMP: encaps is 4 (Transport-UDP)
Dec 18 12:42:34.222: ISAKMP: key length is 128
Dec 18 12:42:34.222: ISAKMP: authenticator is HMAC-MD5
Dec 18 12:42:34.222: ISAKMP:(1028):atts are acceptable.
Dec 18 12:42:34.222: ISAKMP:(1028):Checking IPSec proposal 1
Dec 18 12:42:34.222: ISAKMP: transform 5, ESP_3DES
Dec 18 12:42:34.222: ISAKMP: attributes in transform:
Dec 18 12:42:34.222: ISAKMP: SA life type in seconds
Dec 18 12:42:34.226: ISAKMP: SA life duration (basic) of 28800
Dec 18 12:42:34.226: ISAKMP: encaps is 4 (Transport-UDP)
Dec 18 12:42:34.226: ISAKMP: authenticator is HMAC-SHA
Dec 18 12:42:34.226: ISAKMP:(1028):atts are acceptable.
Dec 18 12:42:34.226: ISAKMP:(1028):Checking IPSec proposal 1
Dec 18 12:42:34.226: ISAKMP: transform 6, ESP_3DES
Dec 18 12:42:34.226: ISAKMP: attributes in transform:
Dec 18 12:42:34.226: ISAKMP: SA life type in seconds
Dec 18 12:42:34.226: ISAKMP: SA life duration (basic) of 28800
Dec 18 12:42:34.226: ISAKMP: encaps is 4 (Transport-UDP)
Dec 18 12:42:34.226: ISAKMP: authenticator is HMAC-MD5
Dec 18 12:42:34.226: ISAKMP:(1028):atts are acceptable.
Dec 18 12:42:34.226: ISAKMP:(1028):Checking IPSec proposal 1
Dec 18 12:42:34.226: ISAKMP: transform 7, ESP_DES
Dec 18 12:42:34.226: ISAKMP: attributes in transform:
Dec 18 12:42:34.226: ISAKMP: SA life type in seconds
Dec 18 12:42:34.226: ISAKMP: SA life duration (basic) of 28800
Dec 18 12:42:34.226: ISAKMP: encaps is 4 (Transport-UDP)
Dec 18 12:42:34.226: ISAKMP: authenticator is HMAC-SHA
Dec 18 12:42:34.226: ISAKMP:(1028):atts are acceptable.
Dec 18 12:42:34.226: ISAKMP:(1028):Checking IPSec proposal 1
Dec 18 12:42:34.226: ISAKMP: transform 8, ESP_DES
Dec 18 12:42:34.226: ISAKMP: attributes in transform:
Dec 18 12:42:34.226: ISAKMP: SA life type in seconds
Dec 18 12:42:34.226: ISAKMP: SA life duration (basic) of 28800
Dec 18 12:42:34.226: ISAKMP: encaps is 4 (Transport-UDP)
Dec 18 12:42:34.226: ISAKMP: authenticator is HMAC-MD5
Dec 18 12:42:34.226: ISAKMP:(1028):atts are acceptable.
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.0.1, remote= 200.247.229.53,
local_proxy= 201.229.58.242/255.255.255.255/17/1701 (type=1),
remote_proxy= 200.247.229.53/255.255.255.255/17/0 (type=1),
protocol= ESP, transform= NONE (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Dec 18 12:42:34.226: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-aes 256 esp-sha-hmac }
Dec 18 12:42:34.226: ISAKMP:(1028): IPSec policy invalidated proposal with error 256
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.0.1, remote= 200.247.229.53,
local_proxy= 201.229.58.242/255.255.255.255/17/1701 (type=1),
remote_proxy= 200.247.229.53/255.255.255.255/17/0 (type=1),
protocol= ESP, transform= NONE (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Dec 18 12:42:34.226: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-aes 256 esp-md5-hmac }
Dec 18 12:42:34.226: ISAKMP:(1028): IPSec policy invalidated proposal with error 256
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.0.1, remote= 200.247.229.53,
local_proxy= 201.229.58.242/255.255.255.255/17/1701 (type=1),
remote_proxy= 200.247.229.53/255.255.255.255/17/0 (type=1),
protocol= ESP, transform= NONE (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
Dec 18 12:42:34.226: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-aes esp-sha-hmac }
Dec 18 12:42:34.226: ISAKMP:(1028): IPSec policy invalidated proposal with error 256
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.0.1, remote= 200.247.229.53,
local_proxy= 201.229.58.242/255.255.255.255/17/1701 (type=1),
remote_proxy= 200.247.229.53/255.255.255.255/17/0 (type=1),
protocol= ESP, transform= NONE (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
Dec 18 12:42:34.226: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-aes esp-md5-hmac }
Dec 18 12:42:34.226: ISAKMP:(1028): IPSec policy invalidated proposal with error 256
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.0.1, remote= 200.247.229.53,
local_proxy= 201.229.58.242/255.255.255.255/17/1701 (type=1),
remote_proxy= 200.247.229.53/255.255.255.255/17/0 (type=1),
protocol= ESP, transform= NONE (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Dec 18 12:42:34.226: IPSEC(ipsec_process_proposal): invalid transform proposal flags -- 0x800
Dec 18 12:42:34.226: ISAKMP:(1028): IPSec policy invalidated proposal with error 1024
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.0.1, remote= 200.247.229.53,
local_proxy= 201.229.58.242/255.255.255.255/17/1701 (type=1),
remote_proxy= 200.247.229.53/255.255.255.255/17/0 (type=1),
protocol= ESP, transform= NONE (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Dec 18 12:42:34.226: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-3des esp-md5-hmac }
Dec 18 12:42:34.226: ISAKMP:(1028): IPSec policy invalidated proposal with error 256
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.0.1, remote= 200.247.229.53,
local_proxy= 201.229.58.242/255.255.255.255/17/1701 (type=1),
remote_proxy= 200.247.229.53/255.255.255.255/17/0 (type=1),
protocol= ESP, transform= NONE (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Dec 18 12:42:34.226: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-des esp-sha-hmac }
Dec 18 12:42:34.226: ISAKMP:(1028): IPSec policy invalidated proposal with error 256
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.0.1, remote= 200.247.229.53,
local_proxy= 201.229.58.242/255.255.255.255/17/1701 (type=1),
remote_proxy= 200.247.229.53/255.255.255.255/17/0 (type=1),
protocol= ESP, transform= NONE (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Dec 18 12:42:34.226: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-des esp-md5-hmac }
Dec 18 12:42:34.226: ISAKMP:(1028): IPSec policy invalidated proposal with error 256
Dec 18 12:42:34.226: ISAKMP:(1028): phase 2 SA policy not acceptable! (local 192.168.0.1 remote 200.247.229.53)
Dec 18 12:42:34.226: ISAKMP: set new node 924420306 to QM_IDLE
Dec 18 12:42:34.226: ISAKMP:(1028):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 672251800, message ID = 924420306
Dec 18 12:42:34.226: ISAKMP:(1028): sending packet to 200.247.229.53 my_port 4500 peer_port 50001 (R) QM_IDLE
Dec 18 12:42:34.226: ISAKMP:(1028):Sending an IKE IPv4 Packet.
Dec 18 12:42:34.226: ISAKMP:(1028):purging node 924420306
Dec 18 12:42:34.226: ISAKMP:(1028):deleting node -725923158 error TRUE reason "QM rejected"
Dec 18 12:42:34.226: ISAKMP:(1028):Node -725923158, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Dec 18 12:42:34.226: ISAKMP:(1028):Old State = IKE_QM_READY New State = IKE_QM_READY
Dec 18 12:42:36.558: ISAKMP (1028): received packet from 200.247.229.53 dport 4500 sport 50004 Global (R) QM_IDLE
Dec 18 12:42:36.558: ISAKMP:(1028): phase 2 packet is a duplicate of a previous packet.
Dec 18 12:42:36.558: ISAKMP:(1028): retransmitting due to retransmit phase 2
Dec 18 12:42:36.558: ISAKMP:(1028): ignoring retransmission,because phase2 node marked dead -725923158
Dec 18 12:42:40.670: ISAKMP (1028): received packet from 200.247.229.53 dport 4500 sport 50004 Global (R) QM_IDLE
Dec 18 12:42:40.670: ISAKMP:(1028): phase 2 packet is a duplicate of a previous packet.
Dec 18 12:42:40.670: ISAKMP:(1028): retransmitting due to retransmit phase 2
Dec 18 12:42:40.670: ISAKMP:(1028): ignoring retransmission,because phase2 node marked dead -725923158
Dec 18 12:42:42.566: ISAKMP (1028): received packet from 200.247.229.53 dport 4500 sport 50004 Global (R) QM_IDLE
Dec 18 12:42:42.566: ISAKMP:(1028): phase 2 packet is a duplicate of a previous packet.
Dec 18 12:42:42.566: ISAKMP:(1028): retransmitting due to retransmit phase 2
Dec 18 12:42:42.566: ISAKMP:(1028): ignoring retransmission,because phase2 node marked dead -725923158
Dec 18 12:42:47.262: ISAKMP (1028): received packet from 200.247.229.53 dport 4500 sport 50004 Global (R) QM_IDLE
Dec 18 12:42:47.262: ISAKMP:(1028): phase 2 packet is a duplicate of a previous packet.
Dec 18 12:42:47.262: ISAKMP:(1028): retransmitting due to retransmit phase 2
Dec 18 12:42:47.262: ISAKMP:(1028): ignoring retransmission,because phase2 node marked dead -725923158
Dec 18 12:42:49.414: ISAKMP (1028): received packet from 200.247.229.53 dport 4500 sport 50004 Global (R) QM_IDLE
Dec 18 12:42:49.414: ISAKMP:(1028): phase 2 packet is a duplicate of a previous packet.
Dec 18 12:42:49.414: ISAKMP:(1028): retransmitting due to retransmit phase 2
Dec 18 12:42:49.414: ISAKMP:(1028): ignoring retransmission,because phase2 node marked dead -725923158
Dec 18 12:42:52.466: ISAKMP (1028): received packet from 200.247.229.53 dport 4500 sport 50004 Global (R) QM_IDLE
Dec 18 12:42:52.466: ISAKMP:(1028): phase 2 packet is a duplicate of a previous packet.
Dec 18 12:42:52.466: ISAKMP:(1028): retransmitting due to retransmit phase 2
Dec 18 12:42:52.466: ISAKMP:(1028): ignoring retransmission,because phase2 node marked dead -725923158
Dec 18 12:42:54.574: ISAKMP (1028): received packet from 200.247.229.53 dport 4500 sport 50004 Global (R) QM_IDLE
Dec 18 12:42:54.574: ISAKMP:(1028): phase 2 packet is a duplicate of a previous packet.
Dec 18 12:42:54.574: ISAKMP:(1028): retransmitting due to retransmit phase 2
Dec 18 12:42:54.574: ISAKMP:(1028): ignoring retransmission,because phase2 node marked dead -725923158
Dec 18 12:42:58.738: ISAKMP (1028): received packet from 200.247.229.53 dport 4500 sport 50004 Global (R) QM_IDLE
Dec 18 12:42:58.738: ISAKMP:(1028): phase 2 packet is a duplicate of a previous packet.
Dec 18 12:42:58.738: ISAKMP:(1028): retransmitting due to retransmit phase 2
Dec 18 12:42:58.738: ISAKMP:(1028): ignoring retransmission,because phase2 node marked dead -725923158
Dec 18 12:43:00.626: ISAKMP (1028): received packet from 200.247.229.53 dport 4500 sport 50004 Global (R) QM_IDLE
Dec 18 12:43:00.626: ISAKMP:(1028): phase 2 packet is a duplicate of a previous packet.
Dec 18 12:43:00.626: ISAKMP:(1028): retransmitting due to retransmit phase 2
Dec 18 12:43:00.626: ISAKMP:(1028): ignoring retransmission,because phase2 node marked dead -725923158
Dec 18 12:43:04.274: L2X:pak tableid 0 set for vrf
Dec 18 12:43:04.274: L2X:Punting to L2TP control message queue
Dec 18 12:43:04.274: L2X:pak tableid 0 set for vrf
Dec 18 12:43:04.274: L2X:Punting to L2TP control message queue
Dec 18 12:43:04.278: L2TP _____:________: ERROR: Found NULL l2x cc with handle [32787]
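As an added example (not part of the original post or of any Cisco tooling), here is a small Python parser that reads the "debug crypto isakmp"/"debug crypto ipsec" output above, pairs each Quick Mode transform the Android client offered with the router's verdict, and shows that the one proposal matching the configured transform-set (esp-3des esp-sha-hmac, transform 5) was rejected on flag 0x800 rather than on cipher choice. It assumes the IOS debug line formats exactly as they appear in the post; the sample input is a constructed excerpt of that debug.

```python
import re

# Transform-set from the router config in the post (esp-3des esp-sha-hmac), written as
# (cipher, key length or None, authenticator) using the names the IOS debug prints.
CONFIGURED_TRANSFORM_SET = ("ESP_3DES", None, "HMAC-SHA")
# Flag bit from "invalid transform proposal flags -- 0x800"; the accepted answer in the
# thread ties it to NAT-T / NAT-OA handling when the headend is itself behind NAT.
NAT_T_FLAG = 0x800

TRANSFORM_RE = re.compile(r"ISAKMP:\s+transform (\d+), (ESP_\w+)")
KEYLEN_RE = re.compile(r"key length is (\d+)")
AUTH_RE = re.compile(r"authenticator is (HMAC-\w+)")
NOT_SUPPORTED_RE = re.compile(r"transform proposal not supported for identity")
FLAGS_RE = re.compile(r"invalid transform proposal flags -- 0x([0-9A-Fa-f]+)")
ERROR_RE = re.compile(r"invalidated proposal with error (\d+)")


def parse_offered_transforms(log):
    """ESP transforms the peer offered in Quick Mode, in order (phase 1 lines are ignored)."""
    offered, current = [], None
    for line in log.splitlines():
        if m := TRANSFORM_RE.search(line):
            current = {"num": int(m.group(1)), "cipher": m.group(2), "keylen": None, "auth": None}
            offered.append(current)
        elif current is not None and (m := KEYLEN_RE.search(line)):
            current["keylen"] = int(m.group(1))
        elif current is not None and (m := AUTH_RE.search(line)):
            current["auth"] = m.group(1)
    return offered


def parse_rejections(log):
    """Router verdicts from IPSEC(ipsec_process_proposal), in order: (reason, flags, error)."""
    rejections, reason, flags = [], None, 0
    for line in log.splitlines():
        if NOT_SUPPORTED_RE.search(line):
            reason = "not in transform-set"
        elif m := FLAGS_RE.search(line):
            reason, flags = "invalid flags", int(m.group(1), 16)
        elif (m := ERROR_RE.search(line)) and reason is not None:
            rejections.append((reason, flags, int(m.group(1))))
            reason, flags = None, 0
    return rejections


def analyze(log, configured=CONFIGURED_TRANSFORM_SET):
    """Pair each offered transform with its verdict; IOS emits both lists in the same order."""
    report = []
    for t, (reason, flags, error) in zip(parse_offered_transforms(log), parse_rejections(log)):
        matches = (t["cipher"], t["keylen"], t["auth"]) == configured
        if matches and flags & NAT_T_FLAG:
            verdict = "matches transform-set; rejected for NAT-T flag 0x800 (error %d)" % error
        else:
            verdict = "%s (error %d)" % (reason, error)
        report.append({"transform": t["num"], "cipher": t["cipher"], "keylen": t["keylen"],
                       "auth": t["auth"], "matches": matches, "verdict": verdict})
    return report


def nat_t_is_the_blocker(report):
    """True when a proposal matched the transform-set yet failed on flag 0x800, so adding
    more transform-sets will not help and NAT-T is what to investigate."""
    return any(r["matches"] and "0x800" in r["verdict"] for r in report)


# Constructed excerpt, cut down from the debug in the post (transforms 1, 5 and 6 only).
SAMPLE_LOG = """\
ISAKMP: transform 1, ESP_AES
ISAKMP: key length is 256
ISAKMP: authenticator is HMAC-SHA
ISAKMP: transform 5, ESP_3DES
ISAKMP: authenticator is HMAC-SHA
ISAKMP: transform 6, ESP_3DES
ISAKMP: authenticator is HMAC-MD5
IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-aes 256 esp-sha-hmac }
ISAKMP:(1028): IPSec policy invalidated proposal with error 256
IPSEC(ipsec_process_proposal): invalid transform proposal flags -- 0x800
ISAKMP:(1028): IPSec policy invalidated proposal with error 1024
IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-3des esp-md5-hmac }
ISAKMP:(1028): IPSec policy invalidated proposal with error 256
"""

if __name__ == "__main__":
    for row in analyze(SAMPLE_LOG):
        print(row["transform"], row["cipher"], row["keylen"], row["auth"], "->", row["verdict"])
    print("NAT-T is the blocker:", nat_t_is_the_blocker(analyze(SAMPLE_LOG)))
```

Run against the full debug from the post it reports all eight transforms; only transform 5 matches the transform-set, and it is the one rejected with error 1024 on flag 0x800.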



rvarelac
Level 7

Hi 

Hope it helps

-Randy-

Hello rvarelac,

I did try that TS, and in fact I tried many of them, separately and all together. It seems Android is actually trying several TSs, no? esp-aes 256 esp-sha-hmac seems to be only the first one, and then the others are tried as well.

Hey, 

I think you might be matching the defect.

https://tools.cisco.com/bugsearch/bug/CSCth50464/?reffering_site=dumpcr

It says it applies to Windows connections, but checking some internal notes, this behavior is also reproducible with Android devices.

Android devices do not support NAT-OA, so they are unable to build a tunnel that traverses NAT, especially if the headend is behind NAT.

If your router is behind NAT, you should be matching this behavior; it looks like moving to IPSEC or AnyConnect would be desirable in this situation.

Hope it helps

-Randy-

The page you sent is not available. It says:

Insufficient Permissions to View Bug
This bug contains proprietary information and is not yet publicly available.
But in fact my router is behind NAT. Do you think that if I create a loopback interface with a public IP address and, instead of NATing the packets, route them towards the router, it will work?

In fact the main problem is NAT-T; if you avoid having the connection pass through NAT-T, it should work.

The loopback solution seems to be a possible workaround. 

Enjoy the holidays!

-Randy-

adrianopinaffo1

Did you solve the problem?
I have about the same problem; could you give a working config?

Hello notomyto1,

I solved the problem by following rvarelac's tips. I stopped using vpdn and used pure IPSEC instead. Maybe I could have used vpdn if I had configured the loopback interface, but since IPSEC worked, I was OK with it.

I am facing a similar problem when accessing the L2TP VPN from an Android device.
Could you give more detail on how to configure pure IPSEC?