11-28-2002 06:01 AM - edited 02-21-2020 12:12 PM
Can anyone help?
I am currently setting up our PIX to be able to accept VPN tunneling from VPN Client s/w ver 3.5.4.
From the debug on the PIX I can see the connection gets through the first level of authentication, but then, when it finds the atts acceptable during the second level, it returns the following error and then continues trying to find acceptable attributes until it hangs and returns an error at the VPN client side:
ISAKMP (0): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 187.45.225.2, src= 155.147.89.212,
dest_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
src_proxy= 10.200.100.1/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): proxy identities not supported
The VPN client gives the following error:
Sev=Warning/3 IKE0xA3000058
Received malformed message or negotiation no longer active
Can anyone give any pointers? I have seen similar problems in the forum but nothing exactly matching this.
The additional config on the PIX is below:
access-list nat0vpn permit ip 10.200.0.0 255.255.0.0 10.200.100.0 255.255.255.0
access-list VPDN permit ip 10.200.0.0 255.255.0.0 10.200.100.0 255.255.255.0
ip local pool vpdnpool 10.200.100.1-10.200.100.254
nat (inside) 0 access-list nat0vpn
route outside 10.200.100.0 255.255.255.0 187.45.225.1 1
sysopt connection permit-ipsec
crypto ipsec transform-set tripledesmd5 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 1 match address VPDN
crypto dynamic-map dynmap 1 set transform-set tripledesmd5
crypto map mapname 1 ipsec-isakmp dynamic dynmap
crypto map mapname interface outside
isakmp enable outside
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
vpngroup vpngroup address-pool vpdnpool
vpngroup vpngroup dns-server 10.200.155.9
vpngroup vpngroup wins-server 10.200.155.11
vpngroup vpngroup default-domain test.com
vpngroup vpngroup idle-time 1800
vpngroup vpngroup max-time 86400
vpngroup vpngroup password ********
11-28-2002 07:26 AM
Before anyone replies to this, please don't bother, as the answer has turned out to be an access-list issue.
Cheers
01-31-2003 01:45 PM
What exactly was the issue with the acl?
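An added example (editorial; not code from any poster in this thread): a small Python checker that pulls the proxy identities out of the validate_proposal_request debug quoted above and tests them against the VPDN access-list exactly as it was posted. It assumes the PIX evaluates an inbound proposal mirrored, i.e. dest_proxy (the PIX's own side) must fall inside the ACL source and src_proxy (the client's pool address) inside the ACL destination; a half of the identity pair that lies outside the list is the kind of mismatch that produces a "proxy identities not supported" message.

```python
import re
import ipaddress

# Inputs copied from the thread above (constructed test data for this example).
DEBUG = """\
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 187.45.225.2, src= 155.147.89.212,
dest_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
src_proxy= 10.200.100.1/255.255.255.255/0/0 (type=1),
"""
ACL = "access-list VPDN permit ip 10.200.0.0 255.255.0.0 10.200.100.0 255.255.255.0"

# "<side>_proxy= <address>/<netmask>/<proto>/<port>" as printed by the PIX debug
PROXY_RE = re.compile(r"(dest|src)_proxy= (\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/")
# "access-list <name> permit ip <src> <srcmask> <dst> <dstmask>"
ACL_RE = re.compile(r"access-list \S+ permit ip (\S+) (\S+) (\S+) (\S+)")


def parse_proxies(debug):
    """Return {'dest': network, 'src': network} from a validate_proposal_request dump."""
    found = {}
    for side, addr, mask in PROXY_RE.findall(debug):
        found[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return found


def parse_acl(line):
    """Return (source_network, destination_network) of a single permit entry."""
    src, smask, dst, dmask = ACL_RE.search(line).groups()
    return (ipaddress.ip_network(f"{src}/{smask}", strict=False),
            ipaddress.ip_network(f"{dst}/{dmask}", strict=False))


def check_proposal(debug, acl_line):
    """Assumption: local identity (dest_proxy) must sit inside the ACL source,
    peer identity (src_proxy) inside the ACL destination."""
    proxies = parse_proxies(debug)
    acl_src, acl_dst = parse_acl(acl_line)
    return {
        "local_identity": str(proxies["dest"]),
        "local_ok": proxies["dest"].subnet_of(acl_src),
        "remote_identity": str(proxies["src"]),
        "remote_ok": proxies["src"].subnet_of(acl_dst),
    }


if __name__ == "__main__":
    for key, value in check_proposal(DEBUG, ACL).items():
        print(f"{key}: {value}")
```

With the posted inputs the peer side (10.200.100.1/32) is covered by 10.200.100.0/24, while the local side 0.0.0.0/0 is not contained in 10.200.0.0/16, so the pair as a whole fails the list.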