08-08-2005 01:11 PM - edited 02-21-2020 01:54 PM
Hi all,
I have set up an Easy VPN server from an 837 router running the 12.3(2)XC2 IOS version, and the connection from a Cisco VPN client (ver 4.0.1) fails, producing very weird debugs on the router...
IKE Phase 1 seems ok.
IKE phase 2 finds acceptable transforms but refuses to build the SA.
I have attached part of the debug output below, notice the message "IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x400"...
I've been digging almost everywhere on cisco.com and the rest of the web but could not find any helpful info... therefore big thanks to anyone helping me on this one.
Aurélien
########################################
ISAKMP (0:3): Checking IPSec proposal 11
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: encaps is 61443
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP (0:3): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= MY.ROUTER.IP.ADDR, remote= VPN.CLIENT.IP.ADDR,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= VPN.REMOTE.POOL.13/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400
IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x400
ISAKMP (0:3): IPSec policy invalidated proposal
08-12-2005 12:10 PM
This could be an issue with either the wrong subnet mask given, or it could be the match of the access list that could be including the incorrect IP. By the way, did you do any upgrade of the OS on your Cisco box that started giving problems? If so, you could check for the caveats of that particular OS.
08-16-2005 02:40 PM
hi,
Thanks for your answer. This issue was solved with the help of Cisco expert Haseeb Niazi in this forum. It needed PFS removed from the dynamic crypto map. It is now working.
regards,
Aurelien
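A triage helper for debug output like the excerpt in the first post, added here as an example and not part of the original thread. It groups lines by proposal and reports the ones whose ISAKMP attributes were acceptable but which the router's IPSec policy then refused, which is the pattern that pointed to a crypto map setting (here, PFS) and not to the transform set. The function names and dictionary fields are assumptions of this example, and the sample is an abridged copy of the posted debug.

```python
import re

# Excerpt of the debug output from the first post (abridged).
SAMPLE = """\
ISAKMP (0:3): Checking IPSec proposal 11
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0:3): atts are acceptable.
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400
IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x400
ISAKMP (0:3): IPSec policy invalidated proposal
"""

PROPOSAL = re.compile(r"ISAKMP \((\d+:\d+)\): Checking IPSec proposal (\d+)")
TRANSFORM = re.compile(r"ISAKMP:\s*transform \d+, (\S+)")
AUTH = re.compile(r"ISAKMP:\s*authenticator is (\S+)")
BAD_FLAGS = re.compile(r"IPSEC\(validate_transform_proposal\): "
                       r"invalid transform proposal flags -- (0x[0-9A-Fa-f]+)")

def summarize(debug_text):
    """Return one dict per 'Checking IPSec proposal N' block in the debug text."""
    proposals, cur = [], None
    for raw in debug_text.splitlines():
        line = raw.strip()
        if m := PROPOSAL.search(line):
            cur = {"sa": m.group(1), "proposal": int(m.group(2)), "transform": None,
                   "auth": None, "atts_ok": False, "bad_flags": None, "rejected": False}
            proposals.append(cur)
        elif cur is None:
            continue  # lines before the first proposal header are ignored
        elif m := TRANSFORM.search(line):
            cur["transform"] = m.group(1)
        elif m := AUTH.search(line):
            cur["auth"] = m.group(1)
        elif "atts are acceptable" in line:
            cur["atts_ok"] = True
        elif m := BAD_FLAGS.search(line):
            cur["bad_flags"] = m.group(1)
        elif "IPSec policy invalidated proposal" in line:
            cur["rejected"] = True
    return proposals

def policy_rejections(proposals):
    """Proposals whose attributes were acceptable but local IPSec policy refused them."""
    return [p for p in proposals if p["atts_ok"] and p["rejected"]]

if __name__ == "__main__":
    for p in policy_rejections(summarize(SAMPLE)):
        print(f"SA {p['sa']} proposal {p['proposal']}: {p['transform']}/{p['auth']} "
              f"acceptable, but IPSec policy rejected it (flags {p['bad_flags']}); "
              "compare the crypto map settings with what the client proposes")
```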