VPN client 3.6.3(A)

pgasol
Level 1

Hi, I have a problem with this client. I can't connect with a router 837 with this IOS c837-k9o3sy6-mz.122-13.ZH.bin.

The configuration of the router is:

Router_Adsl#sh run

version 12.2

no service pad

hostname Router_Adsl

!

username xxxx password 0 xxxx

aaa new-model

!

!

aaa authorization network administradores local

aaa session-id common

ip subnet-zero

ip domain name racing.es

!

crypto isakmp policy 18

hash md5

authentication pre-share

group 2

!

crypto isakmp client configuration address-pool local mipool

!

crypto isakmp client configuration group administradores

key 0 xxxx

dns 192.168.200.2

domain racing.es

pool mipool

!

!

crypto ipsec transform-set mitrans esp-3des esp-sha-hmac

crypto ipsec transform-set lasegtrans esp-des esp-md5-hmac

!

crypto dynamic-map mapadinamico 20

set transform-set mitrans

reverse-route

!

crypto dynamic-map elsegmapa 30

set transform-set lasegtrans

!

!

crypto map mapaestatico isakmp authorization list administradores

crypto map mapaestatico client configuration address respond

crypto map mapaestatico 10 ipsec-isakmp dynamic mapadinamico

crypto map mapaestatico 20 ipsec-isakmp dynamic elsegmapa

!

!

interface Loopback0

ip address x.x.x.2 255.255.255.255

!

interface Ethernet0

ip address 192.168.200.251 255.255.255.0

ip nat inside

no ip route-cache

no ip mroute-cache

hold-queue 100 out

!

interface ATM0

no ip address

no ip route-cache

no ip mroute-cache

no atm ilmi-keepalive

bundle-enable

dsl operating-mode auto

hold-queue 224 in

!

interface ATM0.1 point-to-point

ip address xx.x.9 255.255.255.252

ip access-group 100 in

ip nat outside

no ip route-cache

no ip mroute-cache

pvc 1/32

protocol ip 10.0.80.10 broadcast

vbr-nrt 384 384 32

encapsulation aal5mux ip

!

crypto map mapaestatico

!

ip local pool mipool 192.168.200.218 192.168.200.220

ip nat inside source list 1 interface Loopback0 overload

ip classless

ip route 0.0.0.0 0.0.0.0 10.0.80.10

ip access-list extended default-domain

ip access-list extended key-exchange

ip access-list extended protocol

ip access-list extended save-password

access-list 1 permit 192.168.200.0 0.0.0.255

radius-server authorization permit missing Service-Type

!

scheduler max-task-time 5000

!

end

When I put debug crypto ipsec I get:

*Mar 1 01:51:55.215: IPSEC(key_engine): got a queue event...

*Mar 1 01:51:55.727: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) INBOUND local= 22.81.27.2, remote= 62.83.244.84,

local_proxy= 22.81.27.2/255.255.255.255/0/0 (type=1),

remote_proxy= 192.168.200.219/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-aes 256 esp-md5-hmac ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x2

*Mar 1 01:51:55.727: IPSEC(validate_proposal_request): proposal part #2,

(key eng. msg.) INBOUND local= 22.81.27.2, remote= 62.83.244.84,

local_proxy= 22.81.27.2/255.255.255.255/0/0 (type=1),

remote_proxy= 192.168.200.219/255.255.255.255/0/0 (type=1),

protocol= PCP, transform= comp-lzs ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2

*Mar 1 01:51:55.731: IPSEC(validate_transform_proposal): invalid local address

22.81.27.2

*Mar 1 01:51:55.731: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) INBOUND local= 22.81.27.2, remote= 62.83.244.84,

local_proxy= 22.81.27.2/255.255.255.255/0/0 (type=1),

remote_proxy= 192.168.200.219/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-aes 256 esp-sha-hmac ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x2

*Mar 1 01:51:55.735: IPSEC(validate_proposal_request): proposal part #2,

(key eng. msg.) INBOUND local= 22.81.27.2, remote= 62.83.244.84,

local_proxy= 22.81.27.2/255.255.255.255/0/0 (type=1),

remote_proxy= 192.168.200.219/255.255.255.255/0/0 (type=1),

protocol= PCP, transform= comp-lzs ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2

*Mar 1 01:51:55.735: IPSEC(validate_transform_proposal): invalid local address

22.81.27.2

*Mar 1 01:51:55.739: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) INBOUND local= 212.81.207.2, remote= 62.83.244.84,

local_proxy= 22.81.27.2/255.255.255.255/0/0 (type=1),

remote_proxy= 192.168.200.219/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-aes esp-md5-hmac ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x2

*Mar 1 01:51:55.739: IPSEC(validate_proposal_request): proposal part #2,

(key eng. msg.) INBOUND local= 22.81.27.2, remote= 62.83.244.84,

local_proxy= 22.81.27.2/255.255.255.255/0/0 (type=1),

remote_proxy= 192.168.200.219/255.255.255.255/0/0 (type=1),

protocol= PCP, transform= comp-lzs ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2

*Mar 1 01:51:55.743: IPSEC(validate_transform_proposal): invalid local address

22.81.27.2

*Mar 1 01:51:55.743: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) INBOUND local= 22.81.27.2, remote= 62.83.244.84,

local_proxy= 22.81.27.2/255.255.255.255/0/0 (type=1),

remote_proxy= 192.168.200.219/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-aes esp-sha-hmac ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x2

*Mar 1 01:51:55.743: IPSEC(validate_proposal_request): proposal part #2,

(key eng. msg.) INBOUND local= 22.81.27.2, remote= 62.83.244.84,

local_proxy= 22.81.27.2/255.255.255.255/0/0 (type=1),

remote_proxy= 192.168.200.219/255.255.255.255/0/0 (type=1),

protocol= PCP, transform= comp-lzs ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2

*Mar 1 01:51:55.743: IPSEC(validate_transform_proposal): invalid local address

22.81.27.2

*Mar 1 01:51:55.747: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) INBOUND local= 212.81.207.2, remote= 62.83.244.84,

local_proxy= 22.81.27.2/255.255.255.255/0/0 (type=1),

remote_proxy= 192.168.200.219/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-aes 256 esp-md5-hmac ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x2

*Mar 1 01:51:55.747: IPSEC(validate_transform_proposal): invalid local address

22.81.27.2

*Mar 1 01:51:55.751: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) INBOUND local= 22.81.27.2, remote= 62.83.244.84,

local_proxy= 22.81.27.2/255.255.255.255/0/0 (type=1),

remote_proxy= 192.168.200.219/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-aes 256 esp-sha-hmac ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x2

*Mar 1 01:51:55.751: IPSEC(validate_transform_proposal): invalid local address

22.81.27.2

*Mar 1 01:51:55.751: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) INBOUND local= 212.81.207.2, remote= 62.83.244.84,

local_proxy= 22.81.27.2/255.255.255.255/0/0 (type=1),

remote_proxy= 192.168.200.219/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-aes esp-md5-hmac ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x2

*Mar 1 01:51:55.755: IPSEC(validate_transform_proposal): invalid local address

22.81.27.2

The log viewer of the client tells me:

The lenght of the mode Config option is invalid

Received malformed message or negotiation no longer active

What can I do?

I need your help please.

Many thanks

3 Replies 3

owillins
Level 6

This could happen if IP/protocol filters are set up on the router. Also check if you have the latest version of the VPN client running.

rvdoever
Level 1

This seems to be your problem:

*Mar 1 01:51:55.755: IPSEC(validate_transform_proposal): invalid local address

22.81.27.2

This is probably the address you use on the loopback interface?

ip nat inside source list 1 interface Loopback0 overload

You need to define which traffic you want to encrypt:

ip access-list extended VPNRANGE

permit ip any 192.168.200.218 0.0.0.1

permit ip any 192.168.200.220 0.0.0.0

deny ip any any

crypto dynamic-map mapadinamico 10

set transform-set mitrans

match address VPNRANGE
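
Added example, not part of any poster's reply: a small Python triage script for `debug crypto ipsec` output like the one in the question. It counts the `invalid local address` rejections (the address is wrapped onto the next line, as in the thread) and compares the ESP transforms the client offered with the router's `crypto ipsec transform-set` lines. The function names `configured_sets` and `summarize` are hypothetical, and the debug sample is constructed from the shape of the lines quoted above.

```python
import re
from collections import Counter

# Constructed sample in the shape of the debug output quoted in the thread.
SAMPLE_DEBUG = """\
*Mar 1 01:51:55.727: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 22.81.27.2, remote= 62.83.244.84,
protocol= ESP, transform= esp-aes 256 esp-md5-hmac ,
*Mar 1 01:51:55.727: IPSEC(validate_proposal_request): proposal part #2,
protocol= PCP, transform= comp-lzs ,
*Mar 1 01:51:55.731: IPSEC(validate_transform_proposal): invalid local address
22.81.27.2
*Mar 1 01:51:55.743: IPSEC(validate_proposal_request): proposal part #1,
protocol= ESP, transform= esp-aes esp-sha-hmac ,
*Mar 1 01:51:55.743: IPSEC(validate_transform_proposal): invalid local address
22.81.27.2
"""

# Transform-set lines copied from the router configuration in the question.
SAMPLE_CONFIG = """\
crypto ipsec transform-set mitrans esp-3des esp-sha-hmac
crypto ipsec transform-set lasegtrans esp-des esp-md5-hmac
"""

def configured_sets(config):
    """Map each transform-set name to its tuple of transforms."""
    pat = re.compile(r"^\s*crypto ipsec transform-set (\S+) (.+?)\s*$", re.M)
    return {name: tuple(body.split()) for name, body in pat.findall(config)}

def summarize(debug, config):
    """Count address rejections and compare offered ESP transforms with the config."""
    # The rejected address may be wrapped onto the following line.
    invalid = Counter(re.findall(r"invalid local address\s+(\d+(?:\.\d+){3})", debug))
    offered = []
    for m in re.finditer(r"protocol= ESP, transform= ([^,\n]+?)\s*,", debug):
        # "esp-aes 256 esp-md5-hmac" -> ("esp-aes 256", "esp-md5-hmac")
        t = tuple(re.findall(r"[a-z][a-z0-9-]*(?: \d+)?", m.group(1)))
        if t not in offered:
            offered.append(t)
    sets = configured_sets(config)
    matches = {n: t for n, t in sets.items() if t in offered}
    return {"invalid_local": dict(invalid), "offered": offered, "matching_sets": matches}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_DEBUG, SAMPLE_CONFIG).items():
        print(key, "->", value)
```

An empty `matching_sets` only describes the proposals present in the captured excerpt; the `invalid_local` count is reported separately because that rejection is logged regardless of which transform was offered.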

d-garnett
Level 3

I haven't worked with the 827 or 837 for a long while, but try....

int loopback0

ip address x.x.x.2

crypto map mapaestatico local-address x.x.x.2 (whatever loopback is, if it is truly a static address)
