Strange IPSec debug... Anyone ever seen that ?

augeiss (Level 1)

Hi all,

I have set up an Easy VPN server on an 837 router running IOS 12.3(2)XC2, and the connection from a Cisco VPN client (ver 4.0.1) fails, producing very weird debugs on the router...

IKE Phase 1 seems ok.

IKE phase 2 finds acceptable transforms but refuses to build the SA.

I have attached part of the debug output below; notice the message "IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x400"...

I've been digging almost everywhere on cisco.com and the rest of the web but could not find any helpful info, so big thanks to anyone who can help me with this one.

Aurélien

########################################

ISAKMP (0:3): Checking IPSec proposal 11
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: encaps is 61443
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP (0:3): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= MY.ROUTER.IP.ADDR, remote= VPN.CLIENT.IP.ADDR,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= VPN.REMOTE.POOL.13/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400
IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x400
ISAKMP (0:3): IPSec policy invalidated proposal

2 Replies

smalkeric (Level 6)

This could be an issue with either the wrong subnet mask being given, or the access-list match could be including the incorrect IP. By the way, did you do any upgrade of the OS on your Cisco box that started giving the problem? If so, you could check the caveats of that particular OS.

Hi,

Thanks for your answer. This issue was solved with the help of Cisco expert Haseeb Niazi in this forum. It needed PFS removed from the dynamic crypto map. It is now working.

regards,

Aurelien
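As an added example (not code from the thread, from Cisco, or from the poster), the script below parses the phase-2 part of the debug output posted above, decodes the attributes the client proposed, and compares the proposal with a description of the router's dynamic crypto map. The point it makes visible is the one the resolution turns on: the client's proposal carries no DH group attribute, so a map that still has `set pfs <group>` configured cannot be satisfied, while the same proposal passes once PFS is dropped from the map. Assumptions: the `LocalPolicy` model is invented for this example (IOS does not print its own map settings in this debug), the `ISAKMP: group is N` line format used to detect a proposed PFS group is assumed rather than taken from the page, and the link between the missing group attribute and the `set pfs` setting is the reading consistent with the fix, not a documented meaning of flag 0x400.

```python
"""
Triage helper for the IKE phase-2 part of Cisco IOS 'debug crypto isakmp' /
'debug crypto ipsec' output. Added example, not code from the thread or from
Cisco. It parses the proposal the peer offered, decodes the attributes, and
compares it with an assumed model of the router's dynamic crypto map.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Debug lines as posted in the thread; the address placeholders are the poster's.
DEBUG_OUTPUT = """\
ISAKMP (0:3): Checking IPSec proposal 11
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: encaps is 61443
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP (0:3): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= MY.ROUTER.IP.ADDR, remote= VPN.CLIENT.IP.ADDR,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= VPN.REMOTE.POOL.13/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400
IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x400
ISAKMP (0:3): IPSec policy invalidated proposal
"""


@dataclass
class Phase2Proposal:
    transform: Optional[str] = None       # e.g. ESP_3DES
    authenticator: Optional[str] = None   # e.g. HMAC-MD5
    encaps: Optional[int] = None          # encapsulation-mode attribute value as printed
    group: Optional[int] = None           # DH group if the peer proposed PFS, else None
    life_type: Optional[str] = None       # "seconds" or "kilobytes"
    life_duration: Optional[int] = None   # decoded from the hex bytes IOS prints
    flags: Optional[int] = None           # 'flags=' in the key engineering message
    atts_acceptable: bool = False         # ISAKMP accepted the attributes
    rejected_by_ipsec: bool = False       # the IPsec layer refused to build the SA
    reject_reason: Optional[str] = None


def _decode_bytes(hex_tokens: str) -> int:
    """IOS prints the 4-byte lifetime attribute one hex byte at a time, big-endian."""
    value = 0
    for token in hex_tokens.split():
        value = (value << 8) | int(token, 16)
    return value


_PATTERNS = [
    ("transform",     re.compile(r"ISAKMP: transform \d+, (\S+)")),
    ("authenticator", re.compile(r"ISAKMP: authenticator is (\S+)")),
    ("encaps",        re.compile(r"ISAKMP: encaps is (\d+)")),
    ("group",         re.compile(r"ISAKMP: group is (\d+)")),  # assumed line format
    ("life_type",     re.compile(r"ISAKMP: SA life type in (\w+)")),
    ("life_duration", re.compile(r"ISAKMP: SA life duration \(VPI\) of ((?:0x[0-9A-Fa-f]+\s*)+)")),
    ("flags",         re.compile(r"flags= (0x[0-9A-Fa-f]+)")),
]
_REJECT = re.compile(r"invalid transform proposal flags -- (0x[0-9A-Fa-f]+)")


def parse_phase2(debug_text: str) -> Phase2Proposal:
    """Extract the peer's phase-2 proposal and the router's verdict from debug lines."""
    p = Phase2Proposal()
    for line in debug_text.splitlines():
        line = line.strip()
        for name, pat in _PATTERNS:
            m = pat.search(line)
            if not m:
                continue
            raw = m.group(1)
            if name == "life_duration":
                p.life_duration = _decode_bytes(raw)
            elif name in ("encaps", "group"):
                setattr(p, name, int(raw))
            elif name == "flags":
                p.flags = int(raw, 16)
            else:
                setattr(p, name, raw)
        if "atts are acceptable" in line:
            p.atts_acceptable = True
        m = _REJECT.search(line)
        if m:
            p.rejected_by_ipsec = True
            p.reject_reason = "invalid transform proposal flags " + m.group(1)
        if "IPSec policy invalidated proposal" in line:
            p.rejected_by_ipsec = True
    return p


@dataclass
class LocalPolicy:
    """Assumed model of the router's dynamic crypto map (invented for this example).
    require_pfs is True when the map carries 'set pfs <group>', the setting the
    thread removed; transforms holds the (cipher, authenticator) pairs of the
    configured transform-set(s)."""
    require_pfs: bool
    transforms: Set[Tuple[str, str]] = field(default_factory=set)


def check_against_policy(p: Phase2Proposal, policy: LocalPolicy) -> List[str]:
    """Return human-readable mismatches between the peer's proposal and the local map."""
    findings = []
    if policy.require_pfs and p.group is None:
        findings.append("dynamic map has 'set pfs' but the peer's proposal carries no DH group attribute")
    if policy.transforms and (p.transform, p.authenticator) not in policy.transforms:
        findings.append(f"peer proposed {p.transform}/{p.authenticator}, not in the configured transform-sets")
    return findings


def layered_rejection(p: Phase2Proposal) -> Optional[str]:
    """Flag the pattern from the thread: ISAKMP accepts the attributes, IPsec then refuses the SA."""
    if p.atts_acceptable and p.rejected_by_ipsec:
        return "ISAKMP accepted the attributes but IPsec rejected the SA: " + (p.reject_reason or "policy invalidated proposal")
    return None


if __name__ == "__main__":
    proposal = parse_phase2(DEBUG_OUTPUT)
    print(proposal)
    print(layered_rejection(proposal))
    transform_sets = {("ESP_3DES", "HMAC-MD5")}
    for label, policy in (("with 'set pfs':", LocalPolicy(True, transform_sets)),
                          ("after 'no set pfs':", LocalPolicy(False, transform_sets))):
        print(label, check_against_policy(proposal, policy) or "proposal matches local map")
```

Run it against any saved `debug crypto isakmp` / `debug crypto ipsec` capture; the decoded lifetime (2147483 seconds here, i.e. 0x0020C49B) and the absence of a group attribute are the two things worth reading off before touching the configuration.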
