12-18-2015 05:34 AM - edited 02-21-2020 08:35 PM
Hello,
I have set up an L2TP/IPsec tunnel using a Cisco 1905 router, which is behind a Cisco ASA firewall. This tunnel is to be established between the router and mobile devices, mainly iPhones and Androids. For the sake of troubleshooting, I made sure the FW would not be in the way (opened all necessary ports, configured NAT and routes, etc.). It turns out the iPhones establish the tunnel correctly but Androids fail.
Apparently the problem is in phase 2 of IPsec, specifically where the debug says:
Dec 18 12:42:34.226: IPSEC(ipsec_process_proposal): invalid transform proposal flags -- 0x800
Dec 18 12:42:34.226: ISAKMP:(1028): IPSec policy invalidated proposal with error 1024
I tried AES and 3DES in the transform-sets but it seems it just doesn't work.
Can anyone help me out?
Router: Cisco 1905, image: c1900-universalk9-mz.SPA.150-1.M8.bin
iPhone: 6 (iOS 8.1) and 5 (9.1)
Android: Motorola MotoG (Android 4.4.2)
Mobile devices setup:
Type: L2TP/IPSec PSK
Server address: <public IP address>
IPSec Pre-shared password: cisco
username: cisco
password: cisco
Cisco 1905 relevant config:
aaa authentication ppp default local
!
vpdn enable
!
vpdn-group L2TP
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
username cisco password cisco
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key cisco address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp keepalive 3600
!
!
crypto ipsec transform-set ipnetconfig esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map ipnetconfig-map 10
 set nat demux
 set transform-set ipnetconfig
!
!
crypto map cisco 10 ipsec-isakmp dynamic ipnetconfig-map
!
!
interface GigabitEthernet0/0
 ip address 192.168.0.1 255.255.255.192
 no ip proxy-arp
 duplex auto
 speed auto
 crypto map cisco
!
!
interface Virtual-Template1
 ip unnumbered GigabitEthernet0/0
 peer default ip address pool poolipnetconfig
 ppp encrypt mppe 40
 ppp authentication ms-chap-v2 pap chap ms-chap
!
ip local pool poolipnetconfig 192.168.1.1 192.168.1.255
Debug:
Dec 18 12:42:30.763: ISAKMP (0): received packet from 200.247.229.53 dport 500 sport 50003 Global (N) NEW SA
Dec 18 12:42:30.763: ISAKMP: Created a peer struct for 200.247.229.53, peer port 50003
Dec 18 12:42:30.763: ISAKMP: New peer created peer = 0x285F5FBC peer_handle = 0x80000018
Dec 18 12:42:30.763: ISAKMP: Locking peer struct 0x285F5FBC, refcount 1 for crypto_isakmp_process_block
Dec 18 12:42:30.763: ISAKMP: local port 500, remote port 50003
Dec 18 12:42:30.763: ISAKMP:(0):insert sa successfully sa = 28840894
Dec 18 12:42:30.763: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Dec 18 12:42:30.763: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
Dec 18 12:42:30.763: ISAKMP:(0): processing SA payload. message ID = 0
Dec 18 12:42:30.763: ISAKMP:(0): processing vendor id payload
Dec 18 12:42:30.763: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Dec 18 12:42:30.763: ISAKMP (0): vendor ID is NAT-T RFC 3947
Dec 18 12:42:30.763: ISAKMP:(0): processing vendor id payload
Dec 18 12:42:30.763: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
Dec 18 12:42:30.763: ISAKMP:(0): processing vendor id payload
Dec 18 12:42:30.763: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Dec 18 12:42:30.763: ISAKMP:(0): vendor ID is NAT-T v2
Dec 18 12:42:30.763: ISAKMP:(0): processing vendor id payload
Dec 18 12:42:30.763: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
Dec 18 12:42:30.763: ISAKMP:(0): processing vendor id payload
Dec 18 12:42:30.763: ISAKMP:(0): processing IKE frag vendor id payload
Dec 18 12:42:30.763: ISAKMP:(0):Support for IKE Fragmentation not enabled
Dec 18 12:42:30.763: ISAKMP:(0): processing vendor id payload
Dec 18 12:42:30.763: ISAKMP:(0): vendor ID is DPD
Dec 18 12:42:30.763: ISAKMP:(0):found peer pre-shared key matching 200.247.229.53
Dec 18 12:42:30.763: ISAKMP:(0): local preshared key found
Dec 18 12:42:30.763: ISAKMP : Scanning profiles for xauth ...
Dec 18 12:42:30.767: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Dec 18 12:42:30.767: ISAKMP: life type in seconds
Dec 18 12:42:30.767: ISAKMP: life duration (basic) of 28800
Dec 18 12:42:30.767: ISAKMP: encryption AES-CBC
Dec 18 12:42:30.767: ISAKMP: keylength of 256
Dec 18 12:42:30.767: ISAKMP: auth pre-share
Dec 18 12:42:30.767: ISAKMP: hash SHA
Dec 18 12:42:30.767: ISAKMP: default group 2
Dec 18 12:42:30.767: ISAKMP:(0):Encryption algorithm offered does not match policy!
Dec 18 12:42:30.767: ISAKMP:(0):atts are not acceptable. Next payload is 3
Dec 18 12:42:30.767: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
Dec 18 12:42:30.767: ISAKMP: life type in seconds
Dec 18 12:42:30.767: ISAKMP: life duration (basic) of 28800
Dec 18 12:42:30.767: ISAKMP: encryption AES-CBC
Dec 18 12:42:30.767: ISAKMP: keylength of 256
Dec 18 12:42:30.767: ISAKMP: auth pre-share
Dec 18 12:42:30.767: ISAKMP: hash MD5
Dec 18 12:42:30.767: ISAKMP: default group 2
Dec 18 12:42:30.767: ISAKMP:(0):Encryption algorithm offered does not match policy!
Dec 18 12:42:30.767: ISAKMP:(0):atts are not acceptable. Next payload is 3
Dec 18 12:42:30.767: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
Dec 18 12:42:30.767: ISAKMP: life type in seconds
Dec 18 12:42:30.767: ISAKMP: life duration (basic) of 28800
Dec 18 12:42:30.767: ISAKMP: encryption AES-CBC
Dec 18 12:42:30.767: ISAKMP: keylength of 128
Dec 18 12:42:30.767: ISAKMP: auth pre-share
Dec 18 12:42:30.767: ISAKMP: hash SHA
Dec 18 12:42:30.767: ISAKMP: default group 2
Dec 18 12:42:30.767: ISAKMP:(0):Encryption algorithm offered does not match policy!
Dec 18 12:42:30.767: ISAKMP:(0):atts are not acceptable. Next payload is 3
Dec 18 12:42:30.767: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
Dec 18 12:42:30.767: ISAKMP: life type in seconds
Dec 18 12:42:30.767: ISAKMP: life duration (basic) of 28800
Dec 18 12:42:30.767: ISAKMP: encryption AES-CBC
Dec 18 12:42:30.767: ISAKMP: keylength of 128
Dec 18 12:42:30.767: ISAKMP: auth pre-share
Dec 18 12:42:30.767: ISAKMP: hash MD5
Dec 18 12:42:30.767: ISAKMP: default group 2
Dec 18 12:42:30.767: ISAKMP:(0):Encryption algorithm offered does not match policy!
Dec 18 12:42:30.767: ISAKMP:(0):atts are not acceptable. Next payload is 3
Dec 18 12:42:30.767: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
Dec 18 12:42:30.767: ISAKMP: life type in seconds
Dec 18 12:42:30.767: ISAKMP: life duration (basic) of 28800
Dec 18 12:42:30.767: ISAKMP: encryption 3DES-CBC
Dec 18 12:42:30.767: ISAKMP: auth pre-share
Dec 18 12:42:30.767: ISAKMP: hash SHA
Dec 18 12:42:30.767: ISAKMP: default group 2
Dec 18 12:42:30.767: ISAKMP:(0):atts are acceptable. Next payload is 3
Dec 18 12:42:30.767: ISAKMP:(0):Acceptable atts:actual life: 3600
Dec 18 12:42:30.767: ISAKMP:(0):Acceptable atts:life: 0
Dec 18 12:42:30.767: ISAKMP:(0):Basic life_in_seconds:28800
Dec 18 12:42:30.767: ISAKMP:(0):Returning Actual lifetime: 3600
Dec 18 12:42:30.767: ISAKMP:(0)::Started lifetime timer: 3600.
Dec 18 12:42:30.767: ISAKMP:(0): processing vendor id payload
Dec 18 12:42:30.767: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Dec 18 12:42:30.767: ISAKMP (0): vendor ID is NAT-T RFC 3947
Dec 18 12:42:30.767: ISAKMP:(0): processing vendor id payload
Dec 18 12:42:30.767: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
Dec 18 12:42:30.767: ISAKMP:(0): processing vendor id payload
Dec 18 12:42:30.767: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Dec 18 12:42:30.767: ISAKMP:(0): vendor ID is NAT-T v2
Dec 18 12:42:30.767: ISAKMP:(0): processing vendor id payload
Dec 18 12:42:30.767: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
Dec 18 12:42:30.767: ISAKMP:(0): processing vendor id payload
Dec 18 12:42:30.767: ISAKMP:(0): processing IKE frag vendor id payload
Dec 18 12:42:30.767: ISAKMP:(0):Support for IKE Fragmentation not enabled
Dec 18 12:42:30.767: ISAKMP:(0): processing vendor id payload
Dec 18 12:42:30.767: ISAKMP:(0): vendor ID is DPD
Dec 18 12:42:30.767: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Dec 18 12:42:30.767: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
Dec 18 12:42:30.767: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Dec 18 12:42:30.767: ISAKMP:(0): sending packet to 200.247.229.53 my_port 500 peer_port 50003 (R) MM_SA_SETUP
Dec 18 12:42:30.767: ISAKMP:(0):Sending an IKE IPv4 Packet.
Dec 18 12:42:30.767: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Dec 18 12:42:30.767: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
Dec 18 12:42:31.730: ISAKMP (0): received packet from 200.247.229.53 dport 500 sport 50003 Global (R) MM_SA_SETUP
Dec 18 12:42:31.730: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Dec 18 12:42:31.730: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
Dec 18 12:42:31.730: ISAKMP:(0): processing KE payload. message ID = 0
Dec 18 12:42:31.758: ISAKMP:(0): processing NONCE payload. message ID = 0
Dec 18 12:42:31.758: ISAKMP:(0):found peer pre-shared key matching 200.247.229.53
Dec 18 12:42:31.758: ISAKMP:received payload type 20
Dec 18 12:42:31.758: ISAKMP (1028): NAT found, both nodes inside NAT
Dec 18 12:42:31.758: ISAKMP:received payload type 20
Dec 18 12:42:31.758: ISAKMP (1028): NAT found, both nodes inside NAT
Dec 18 12:42:31.758: ISAKMP:(1028):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Dec 18 12:42:31.758: ISAKMP:(1028):Old State = IKE_R_MM3 New State = IKE_R_MM3
Dec 18 12:42:31.758: ISAKMP:(1028): sending packet to 200.247.229.53 my_port 500 peer_port 50003 (R) MM_KEY_EXCH
Dec 18 12:42:31.758: ISAKMP:(1028):Sending an IKE IPv4 Packet.
Dec 18 12:42:31.758: ISAKMP:(1028):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Dec 18 12:42:31.758: ISAKMP:(1028):Old State = IKE_R_MM3 New State = IKE_R_MM4
Dec 18 12:42:32.278: ISAKMP (1028): received packet from 200.247.229.53 dport 4500 sport 50001 Global (R) MM_KEY_EXCH
Dec 18 12:42:32.278: ISAKMP:(1028):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Dec 18 12:42:32.278: ISAKMP:(1028):Old State = IKE_R_MM4 New State = IKE_R_MM5
Dec 18 12:42:32.278: ISAKMP:(1028): processing ID payload. message ID = 0
Dec 18 12:42:32.278: ISAKMP (1028): ID payload
next-payload : 8
type : 1
address : 10.92.110.15
protocol : 17
port : 500
length : 12
Dec 18 12:42:32.278: ISAKMP:(0):: peer matches *none* of the profiles
Dec 18 12:42:32.278: ISAKMP:(1028): processing HASH payload. message ID = 0
Dec 18 12:42:32.278: ISAKMP:(1028):SA authentication status:
authenticated
Dec 18 12:42:32.278: ISAKMP:(1028):SA has been authenticated with 200.247.229.53
Dec 18 12:42:32.278: ISAKMP:(1028):Detected port floating to port = 50001
Dec 18 12:42:32.278: ISAKMP: Trying to insert a peer 192.168.0.1/200.247.229.53/50001/, and inserted successfully 285F5FBC.
Dec 18 12:42:32.278: ISAKMP:(1028):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Dec 18 12:42:32.278: ISAKMP:(1028):Old State = IKE_R_MM5 New State = IKE_R_MM5
Dec 18 12:42:32.278: ISAKMP:(1028):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Dec 18 12:42:32.278: ISAKMP (1028): ID payload
next-payload : 8
type : 1
address : 192.168.0.1
protocol : 17
port : 0
length : 12
Dec 18 12:42:32.278: ISAKMP:(1028):Total payload length: 12
Dec 18 12:42:32.278: ISAKMP:(1028): sending packet to 200.247.229.53 my_port 4500 peer_port 50001 (R) MM_KEY_EXCH
Dec 18 12:42:32.278: ISAKMP:(1028):Sending an IKE IPv4 Packet.
Dec 18 12:42:32.278: ISAKMP:(1028):Returning Actual lifetime: 3600
Dec 18 12:42:32.278: ISAKMP: set new node 662318345 to QM_IDLE
Dec 18 12:42:32.278: ISAKMP:(1028):Sending NOTIFY RESPONDER_LIFETIME protocol 1
spi 672252680, message ID = 662318345
Dec 18 12:42:32.278: ISAKMP:(1028): sending packet to 200.247.229.53 my_port 4500 peer_port 50001 (R) MM_KEY_EXCH
Dec 18 12:42:32.278: ISAKMP:(1028):Sending an IKE IPv4 Packet.
Dec 18 12:42:32.278: ISAKMP:(1028):purging node 662318345
Dec 18 12:42:32.278: ISAKMP: Sending phase 1 responder lifetime 3600
Dec 18 12:42:32.278: ISAKMP:(1028):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Dec 18 12:42:32.278: ISAKMP:(1028):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
Dec 18 12:42:32.278: ISAKMP:(1028):IKE_DPD is enabled, initializing timers
Dec 18 12:42:32.282: ISAKMP:(1028):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Dec 18 12:42:32.282: ISAKMP:(1028):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Dec 18 12:42:32.834: ISAKMP (1028): received packet from 200.247.229.53 dport 4500 sport 50001 Global (R) QM_IDLE
Dec 18 12:42:32.834: ISAKMP: set new node -647285005 to QM_IDLE
Dec 18 12:42:32.834: ISAKMP:(1028): processing HASH payload. message ID = -647285005
Dec 18 12:42:32.834: ISAKMP:(1028): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = -647285005, sa = 28840894
Dec 18 12:42:32.834: ISAKMP:(1028):SA authentication status:
authenticated
Dec 18 12:42:32.834: ISAKMP:(1028): Process initial contact,
bring down existing phase 1 and 2 SA's with local 192.168.0.1 remote 200.247.229.53 remote port 50001
Dec 18 12:42:32.834: ISAKMP:(1028):deleting node -647285005 error FALSE reason "Informational (in) state 1"
Dec 18 12:42:32.834: ISAKMP:(1028):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Dec 18 12:42:32.834: ISAKMP:(1028):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Dec 18 12:42:32.834: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Dec 18 12:42:34.222: ISAKMP (1028): received packet from 200.247.229.53 dport 4500 sport 50004 Global (R) QM_IDLE
Dec 18 12:42:34.222: ISAKMP: set new node -725923158 to QM_IDLE
Dec 18 12:42:34.222: ISAKMP:(1028): processing HASH payload. message ID = -725923158
Dec 18 12:42:34.222: ISAKMP:(1028): processing SA payload. message ID = -725923158
Dec 18 12:42:34.222: ISAKMP:(1028):Checking IPSec proposal 1
Dec 18 12:42:34.222: ISAKMP: transform 1, ESP_AES
Dec 18 12:42:34.222: ISAKMP: attributes in transform:
Dec 18 12:42:34.222: ISAKMP: SA life type in seconds
Dec 18 12:42:34.222: ISAKMP: SA life duration (basic) of 28800
Dec 18 12:42:34.222: ISAKMP: encaps is 4 (Transport-UDP)
Dec 18 12:42:34.222: ISAKMP: key length is 256
Dec 18 12:42:34.222: ISAKMP: authenticator is HMAC-SHA
Dec 18 12:42:34.222: ISAKMP:(1028):atts are acceptable.
Dec 18 12:42:34.222: ISAKMP:(1028):Checking IPSec proposal 1
Dec 18 12:42:34.222: ISAKMP: transform 2, ESP_AES
Dec 18 12:42:34.222: ISAKMP: attributes in transform:
Dec 18 12:42:34.222: ISAKMP: SA life type in seconds
Dec 18 12:42:34.222: ISAKMP: SA life duration (basic) of 28800
Dec 18 12:42:34.222: ISAKMP: encaps is 4 (Transport-UDP)
Dec 18 12:42:34.222: ISAKMP: key length is 256
Dec 18 12:42:34.222: ISAKMP: authenticator is HMAC-MD5
Dec 18 12:42:34.222: ISAKMP:(1028):atts are acceptable.
Dec 18 12:42:34.222: ISAKMP:(1028):Checking IPSec proposal 1
Dec 18 12:42:34.222: ISAKMP: transform 3, ESP_AES
Dec 18 12:42:34.222: ISAKMP: attributes in transform:
Dec 18 12:42:34.222: ISAKMP: SA life type in seconds
Dec 18 12:42:34.222: ISAKMP: SA life duration (basic) of 28800
Dec 18 12:42:34.222: ISAKMP: encaps is 4 (Transport-UDP)
Dec 18 12:42:34.222: ISAKMP: key length is 128
Dec 18 12:42:34.222: ISAKMP: authenticator is HMAC-SHA
Dec 18 12:42:34.222: ISAKMP:(1028):atts are acceptable.
Dec 18 12:42:34.222: ISAKMP:(1028):Checking IPSec proposal 1
Dec 18 12:42:34.222: ISAKMP: transform 4, ESP_AES
Dec 18 12:42:34.222: ISAKMP: attributes in transform:
Dec 18 12:42:34.222: ISAKMP: SA life type in seconds
Dec 18 12:42:34.222: ISAKMP: SA life duration (basic) of 28800
Dec 18 12:42:34.222: ISAKMP: encaps is 4 (Transport-UDP)
Dec 18 12:42:34.222: ISAKMP: key length is 128
Dec 18 12:42:34.222: ISAKMP: authenticator is HMAC-MD5
Dec 18 12:42:34.222: ISAKMP:(1028):atts are acceptable.
Dec 18 12:42:34.222: ISAKMP:(1028):Checking IPSec proposal 1
Dec 18 12:42:34.222: ISAKMP: transform 5, ESP_3DES
Dec 18 12:42:34.222: ISAKMP: attributes in transform:
Dec 18 12:42:34.222: ISAKMP: SA life type in seconds
Dec 18 12:42:34.226: ISAKMP: SA life duration (basic) of 28800
Dec 18 12:42:34.226: ISAKMP: encaps is 4 (Transport-UDP)
Dec 18 12:42:34.226: ISAKMP: authenticator is HMAC-SHA
Dec 18 12:42:34.226: ISAKMP:(1028):atts are acceptable.
Dec 18 12:42:34.226: ISAKMP:(1028):Checking IPSec proposal 1
Dec 18 12:42:34.226: ISAKMP: transform 6, ESP_3DES
Dec 18 12:42:34.226: ISAKMP: attributes in transform:
Dec 18 12:42:34.226: ISAKMP: SA life type in seconds
Dec 18 12:42:34.226: ISAKMP: SA life duration (basic) of 28800
Dec 18 12:42:34.226: ISAKMP: encaps is 4 (Transport-UDP)
Dec 18 12:42:34.226: ISAKMP: authenticator is HMAC-MD5
Dec 18 12:42:34.226: ISAKMP:(1028):atts are acceptable.
Dec 18 12:42:34.226: ISAKMP:(1028):Checking IPSec proposal 1
Dec 18 12:42:34.226: ISAKMP: transform 7, ESP_DES
Dec 18 12:42:34.226: ISAKMP: attributes in transform:
Dec 18 12:42:34.226: ISAKMP: SA life type in seconds
Dec 18 12:42:34.226: ISAKMP: SA life duration (basic) of 28800
Dec 18 12:42:34.226: ISAKMP: encaps is 4 (Transport-UDP)
Dec 18 12:42:34.226: ISAKMP: authenticator is HMAC-SHA
Dec 18 12:42:34.226: ISAKMP:(1028):atts are acceptable.
Dec 18 12:42:34.226: ISAKMP:(1028):Checking IPSec proposal 1
Dec 18 12:42:34.226: ISAKMP: transform 8, ESP_DES
Dec 18 12:42:34.226: ISAKMP: attributes in transform:
Dec 18 12:42:34.226: ISAKMP: SA life type in seconds
Dec 18 12:42:34.226: ISAKMP: SA life duration (basic) of 28800
Dec 18 12:42:34.226: ISAKMP: encaps is 4 (Transport-UDP)
Dec 18 12:42:34.226: ISAKMP: authenticator is HMAC-MD5
Dec 18 12:42:34.226: ISAKMP:(1028):atts are acceptable.
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.0.1, remote= 200.247.229.53,
local_proxy= 201.229.58.242/255.255.255.255/17/1701 (type=1),
remote_proxy= 200.247.229.53/255.255.255.255/17/0 (type=1),
protocol= ESP, transform= NONE (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Dec 18 12:42:34.226: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-aes 256 esp-sha-hmac }
Dec 18 12:42:34.226: ISAKMP:(1028): IPSec policy invalidated proposal with error 256
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.0.1, remote= 200.247.229.53,
local_proxy= 201.229.58.242/255.255.255.255/17/1701 (type=1),
remote_proxy= 200.247.229.53/255.255.255.255/17/0 (type=1),
protocol= ESP, transform= NONE (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Dec 18 12:42:34.226: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-aes 256 esp-md5-hmac }
Dec 18 12:42:34.226: ISAKMP:(1028): IPSec policy invalidated proposal with error 256
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.0.1, remote= 200.247.229.53,
local_proxy= 201.229.58.242/255.255.255.255/17/1701 (type=1),
remote_proxy= 200.247.229.53/255.255.255.255/17/0 (type=1),
protocol= ESP, transform= NONE (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
Dec 18 12:42:34.226: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-aes esp-sha-hmac }
Dec 18 12:42:34.226: ISAKMP:(1028): IPSec policy invalidated proposal with error 256
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.0.1, remote= 200.247.229.53,
local_proxy= 201.229.58.242/255.255.255.255/17/1701 (type=1),
remote_proxy= 200.247.229.53/255.255.255.255/17/0 (type=1),
protocol= ESP, transform= NONE (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
Dec 18 12:42:34.226: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-aes esp-md5-hmac }
Dec 18 12:42:34.226: ISAKMP:(1028): IPSec policy invalidated proposal with error 256
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.0.1, remote= 200.247.229.53,
local_proxy= 201.229.58.242/255.255.255.255/17/1701 (type=1),
remote_proxy= 200.247.229.53/255.255.255.255/17/0 (type=1),
protocol= ESP, transform= NONE (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Dec 18 12:42:34.226: IPSEC(ipsec_process_proposal): invalid transform proposal flags -- 0x800
Dec 18 12:42:34.226: ISAKMP:(1028): IPSec policy invalidated proposal with error 1024
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.0.1, remote= 200.247.229.53,
local_proxy= 201.229.58.242/255.255.255.255/17/1701 (type=1),
remote_proxy= 200.247.229.53/255.255.255.255/17/0 (type=1),
protocol= ESP, transform= NONE (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Dec 18 12:42:34.226: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-3des esp-md5-hmac }
Dec 18 12:42:34.226: ISAKMP:(1028): IPSec policy invalidated proposal with error 256
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.0.1, remote= 200.247.229.53,
local_proxy= 201.229.58.242/255.255.255.255/17/1701 (type=1),
remote_proxy= 200.247.229.53/255.255.255.255/17/0 (type=1),
protocol= ESP, transform= NONE (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Dec 18 12:42:34.226: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-des esp-sha-hmac }
Dec 18 12:42:34.226: ISAKMP:(1028): IPSec policy invalidated proposal with error 256
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.0.1, remote= 200.247.229.53,
local_proxy= 201.229.58.242/255.255.255.255/17/1701 (type=1),
remote_proxy= 200.247.229.53/255.255.255.255/17/0 (type=1),
protocol= ESP, transform= NONE (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Dec 18 12:42:34.226: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-des esp-md5-hmac }
Dec 18 12:42:34.226: ISAKMP:(1028): IPSec policy invalidated proposal with error 256
Dec 18 12:42:34.226: ISAKMP:(1028): phase 2 SA policy not acceptable! (local 192.168.0.1 remote 200.247.229.53)
Dec 18 12:42:34.226: ISAKMP: set new node 924420306 to QM_IDLE
Dec 18 12:42:34.226: ISAKMP:(1028):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 672251800, message ID = 924420306
Dec 18 12:42:34.226: ISAKMP:(1028): sending packet to 200.247.229.53 my_port 4500 peer_port 50001 (R) QM_IDLE
Dec 18 12:42:34.226: ISAKMP:(1028):Sending an IKE IPv4 Packet.
Dec 18 12:42:34.226: ISAKMP:(1028):purging node 924420306
Dec 18 12:42:34.226: ISAKMP:(1028):deleting node -725923158 error TRUE reason "QM rejected"
Dec 18 12:42:34.226: ISAKMP:(1028):Node -725923158, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Dec 18 12:42:34.226: ISAKMP:(1028):Old State = IKE_QM_READY New State = IKE_QM_READY
Dec 18 12:42:36.558: ISAKMP (1028): received packet from 200.247.229.53 dport 4500 sport 50004 Global (R) QM_IDLE
Dec 18 12:42:36.558: ISAKMP:(1028): phase 2 packet is a duplicate of a previous packet.
Dec 18 12:42:36.558: ISAKMP:(1028): retransmitting due to retransmit phase 2
Dec 18 12:42:36.558: ISAKMP:(1028): ignoring retransmission,because phase2 node marked dead -725923158
Dec 18 12:42:40.670: ISAKMP (1028): received packet from 200.247.229.53 dport 4500 sport 50004 Global (R) QM_IDLE
Dec 18 12:42:40.670: ISAKMP:(1028): phase 2 packet is a duplicate of a previous packet.
Dec 18 12:42:40.670: ISAKMP:(1028): retransmitting due to retransmit phase 2
Dec 18 12:42:40.670: ISAKMP:(1028): ignoring retransmission,because phase2 node marked dead -725923158
Dec 18 12:42:42.566: ISAKMP (1028): received packet from 200.247.229.53 dport 4500 sport 50004 Global (R) QM_IDLE
Dec 18 12:42:42.566: ISAKMP:(1028): phase 2 packet is a duplicate of a previous packet.
Dec 18 12:42:42.566: ISAKMP:(1028): retransmitting due to retransmit phase 2
Dec 18 12:42:42.566: ISAKMP:(1028): ignoring retransmission,because phase2 node marked dead -725923158
Dec 18 12:42:47.262: ISAKMP (1028): received packet from 200.247.229.53 dport 4500 sport 50004 Global (R) QM_IDLE
Dec 18 12:42:47.262: ISAKMP:(1028): phase 2 packet is a duplicate of a previous packet.
Dec 18 12:42:47.262: ISAKMP:(1028): retransmitting due to retransmit phase 2
Dec 18 12:42:47.262: ISAKMP:(1028): ignoring retransmission,because phase2 node marked dead -725923158
Dec 18 12:42:49.414: ISAKMP (1028): received packet from 200.247.229.53 dport 4500 sport 50004 Global (R) QM_IDLE
Dec 18 12:42:49.414: ISAKMP:(1028): phase 2 packet is a duplicate of a previous packet.
Dec 18 12:42:49.414: ISAKMP:(1028): retransmitting due to retransmit phase 2
Dec 18 12:42:49.414: ISAKMP:(1028): ignoring retransmission,because phase2 node marked dead -725923158
Dec 18 12:42:52.466: ISAKMP (1028): received packet from 200.247.229.53 dport 4500 sport 50004 Global (R) QM_IDLE
Dec 18 12:42:52.466: ISAKMP:(1028): phase 2 packet is a duplicate of a previous packet.
Dec 18 12:42:52.466: ISAKMP:(1028): retransmitting due to retransmit phase 2
Dec 18 12:42:52.466: ISAKMP:(1028): ignoring retransmission,because phase2 node marked dead -725923158
Dec 18 12:42:54.574: ISAKMP (1028): received packet from 200.247.229.53 dport 4500 sport 50004 Global (R) QM_IDLE
Dec 18 12:42:54.574: ISAKMP:(1028): phase 2 packet is a duplicate of a previous packet.
Dec 18 12:42:54.574: ISAKMP:(1028): retransmitting due to retransmit phase 2
Dec 18 12:42:54.574: ISAKMP:(1028): ignoring retransmission,because phase2 node marked dead -725923158
Dec 18 12:42:58.738: ISAKMP (1028): received packet from 200.247.229.53 dport 4500 sport 50004 Global (R) QM_IDLE
Dec 18 12:42:58.738: ISAKMP:(1028): phase 2 packet is a duplicate of a previous packet.
Dec 18 12:42:58.738: ISAKMP:(1028): retransmitting due to retransmit phase 2
Dec 18 12:42:58.738: ISAKMP:(1028): ignoring retransmission,because phase2 node marked dead -725923158
Dec 18 12:43:00.626: ISAKMP (1028): received packet from 200.247.229.53 dport 4500 sport 50004 Global (R) QM_IDLE
Dec 18 12:43:00.626: ISAKMP:(1028): phase 2 packet is a duplicate of a previous packet.
Dec 18 12:43:00.626: ISAKMP:(1028): retransmitting due to retransmit phase 2
Dec 18 12:43:00.626: ISAKMP:(1028): ignoring retransmission,because phase2 node marked dead -725923158
Dec 18 12:43:04.274: L2X:pak tableid 0 set for vrf
Dec 18 12:43:04.274: L2X:Punting to L2TP control message queue
Dec 18 12:43:04.274: L2X:pak tableid 0 set for vrf
Dec 18 12:43:04.274: L2X:Punting to L2TP control message queue
Dec 18 12:43:04.278: L2TP _____:________: ERROR: Found NULL l2x cc with handle [32787]
12-20-2015 11:03 AM
Hi adrianopinaffo1,
It seems to be a problem with the transform set configured. Have you tried the TS with esp-aes 256 esp-sha-hmac? It seems to be the one the Android is trying to negotiate.
Hope it helps
-Randy-
12-21-2015 04:50 AM
Hello rvarelac,
I did try that TS, and in fact, I tried many of them separately and altogether. It seems Android is actually trying several TSs, no? esp-aes 256 esp-sha-hmac seems to be only the first one, and then the others are tried as well.
12-21-2015 03:18 PM
Hey,
I think you might be matching the defect.
https://tools.cisco.com/bugsearch/bug/CSCth50464/?reffering_site=dumpcr
It says it applies to Windows connections, but checking some internal notes, this behavior is also reproducible with Android devices.
Android devices do not support NAT-OA, so they are unable to build a tunnel which traverses NAT, especially if the headend is behind NAT.
If your router is behind NAT, you should be matching this behavior; it looks like moving to IPSEC or AnyConnect would be desirable in this situation.
Hope it helps
-Randy-
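The debug in the original post shows the pattern this answer describes: seven of the eight offered transforms are rejected with error 256 (no configured transform-set matches), while the one that does match the router's esp-3des/esp-sha-hmac set is rejected on proposal flags 0x800 with error 1024. The triage helper below is an added example, not code from the thread; it parses the Quick Mode portion of IOS `debug crypto isakmp`/`debug crypto ipsec` output in that format and separates the two kinds of rejection. It assumes IPSEC evaluates proposal parts in the same order ISAKMP lists the transforms (as the debug above shows), and the sample is a constructed two-transform excerpt in the same format.

```python
"""Triage helper for the Quick Mode part of IOS 'debug crypto isakmp/ipsec'
output. Added example, not from the original thread: it pairs each ESP
transform the peer offered with the verdict IPSEC gave it, in listing order,
so a matched-but-refused (flags 0x800) offer stands out from the unmatched ones.
SAMPLE_DEBUG is a constructed excerpt in the same format as the thread's debug."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE_DEBUG = """\
Dec 18 12:42:34.222: ISAKMP: transform 1, ESP_AES
Dec 18 12:42:34.222: ISAKMP: key length is 256
Dec 18 12:42:34.222: ISAKMP: authenticator is HMAC-SHA
Dec 18 12:42:34.222: ISAKMP:(1028):atts are acceptable.
Dec 18 12:42:34.222: ISAKMP: transform 5, ESP_3DES
Dec 18 12:42:34.226: ISAKMP: authenticator is HMAC-SHA
Dec 18 12:42:34.226: ISAKMP:(1028):atts are acceptable.
Dec 18 12:42:34.226: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-aes 256 esp-sha-hmac }
Dec 18 12:42:34.226: ISAKMP:(1028): IPSec policy invalidated proposal with error 256
Dec 18 12:42:34.226: IPSEC(ipsec_process_proposal): invalid transform proposal flags -- 0x800
Dec 18 12:42:34.226: ISAKMP:(1028): IPSec policy invalidated proposal with error 1024
Dec 18 12:42:34.226: ISAKMP:(1028): phase 2 SA policy not acceptable! (local 192.168.0.1 remote 200.247.229.53)
"""

@dataclass
class Transform:
    number: int
    cipher: str                    # e.g. ESP_AES, ESP_3DES
    keylen: Optional[int] = None   # absent for fixed-length ciphers (3DES, DES)
    auth: Optional[str] = None     # e.g. HMAC-SHA

@dataclass
class Verdict:
    kind: str                      # "rejected_no_match" or "rejected_flags"
    error: Optional[int] = None    # the numeric error IOS reports (256, 1024)
    detail: str = ""               # the {transform} string or the flags value

TRANSFORM_RE = re.compile(r"ISAKMP: transform (\d+), (\S+)")
KEYLEN_RE = re.compile(r"ISAKMP: key length is (\d+)")
AUTH_RE = re.compile(r"ISAKMP: authenticator is (\S+)")
NO_MATCH_RE = re.compile(r"transform proposal not supported for identity:")
FLAGS_RE = re.compile(r"invalid transform proposal flags -- (0x[0-9a-fA-F]+)")
ERROR_RE = re.compile(r"invalidated proposal with error (\d+)")
BRACE_RE = re.compile(r"^\{(.*?)\s*\}$")

def parse_transforms(debug: str) -> List[Transform]:
    """The ESP transforms the peer offered, as ISAKMP lists them."""
    found: List[Transform] = []
    for line in debug.splitlines():
        if (m := TRANSFORM_RE.search(line)):
            found.append(Transform(int(m.group(1)), m.group(2)))
        elif found and (m := KEYLEN_RE.search(line)):
            found[-1].keylen = int(m.group(1))
        elif found and (m := AUTH_RE.search(line)):
            found[-1].auth = m.group(1)
    return found

def parse_verdicts(debug: str) -> List[Verdict]:
    """IPSEC's verdict on each proposal part, in the order they appear."""
    found: List[Verdict] = []
    expect_brace = False           # the {transform} line follows a no-match line
    for line in debug.splitlines():
        line = line.strip()
        if NO_MATCH_RE.search(line):
            found.append(Verdict("rejected_no_match"))
            expect_brace = True
        elif expect_brace and (m := BRACE_RE.match(line)):
            found[-1].detail = m.group(1).strip()
            expect_brace = False
        elif (m := FLAGS_RE.search(line)):
            found.append(Verdict("rejected_flags", detail=m.group(1)))
        elif found and (m := ERROR_RE.search(line)):
            found[-1].error = int(m.group(1))
    return found

def describe(t: Transform) -> str:
    return f"{t.cipher}-{t.keylen}/{t.auth}" if t.keylen else f"{t.cipher}/{t.auth}"

def triage(debug: str) -> List[Tuple[Transform, Verdict]]:
    """Pair offers with verdicts by position (assumption: IPSEC checks them in listing order)."""
    return list(zip(parse_transforms(debug), parse_verdicts(debug)))

def summarize(debug: str) -> Dict[str, object]:
    """Split rejections into 'no transform-set matched' and 'matched, but the
    proposal flags were refused'; the second group is the NAT-T symptom."""
    pairs = triage(debug)
    return {
        "no_match": [describe(t) for t, v in pairs if v.kind == "rejected_no_match"],
        "flags": [describe(t) for t, v in pairs if v.kind == "rejected_flags"],
        "phase2_failed": "phase 2 SA policy not acceptable" in debug,
    }
```

Run `summarize()` over the full debug from the post and the only entry under "flags" is ESP_3DES/HMAC-SHA, the transform that matches the configured transform-set.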
12-22-2015 05:07 AM
The page you sent is not available. It says:
12-23-2015 02:32 PM
In fact the main problem is NAT-T; if you avoid having the connection pass through NAT-T, it should work.
The loopback solution seems to be a possible workaround.
Enjoy the holidays!
-Randy-
11-15-2016 04:23 AM
Did you solve the problem?
I have about the same problem; could you give a working config?
12-21-2016 11:53 AM
Hello notomyto1,
I solved the problem by following rvarelac's tips. I stopped using vpdn and used pure IPSEC instead. Maybe I could have used that vpdn if I had configured the loopback interface, but since IPSEC worked, I was OK with it.
10-16-2017 02:36 AM
I am facing a similar problem when accessing the L2TP VPN from an Android device.
Could you explain in more detail how to configure pure IPSEC?