10-13-2003 12:37 AM - edited 02-21-2020 12:49 PM
Hi, I have a problem with this client. I can't connect with a router 837 with this IOS c837-k9o3sy6-mz.122-13.ZH.bin.
The configuration of the router is:
Router_Adsl#sh run
version 12.2
no service pad
hostname Router_Adsl
!
username xxxx password 0 xxxx
aaa new-model
!
!
aaa authorization network administradores local
aaa session-id common
ip subnet-zero
ip domain name racing.es
!
crypto isakmp policy 18
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration address-pool local mipool
!
crypto isakmp client configuration group administradores
key 0 xxxx
dns 192.168.200.2
domain racing.es
pool mipool
!
!
crypto ipsec transform-set mitrans esp-3des esp-sha-hmac
crypto ipsec transform-set lasegtrans esp-des esp-md5-hmac
!
crypto dynamic-map mapadinamico 20
set transform-set mitrans
reverse-route
!
crypto dynamic-map elsegmapa 30
set transform-set lasegtrans
!
!
crypto map mapaestatico isakmp authorization list administradores
crypto map mapaestatico client configuration address respond
crypto map mapaestatico 10 ipsec-isakmp dynamic mapadinamico
crypto map mapaestatico 20 ipsec-isakmp dynamic elsegmapa
!
!
interface Loopback0
ip address x.x.x.2 255.255.255.255
!
interface Ethernet0
ip address 192.168.200.251 255.255.255.0
ip nat inside
no ip route-cache
no ip mroute-cache
hold-queue 100 out
!
interface ATM0
no ip address
no ip route-cache
no ip mroute-cache
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
hold-queue 224 in
!
interface ATM0.1 point-to-point
ip address xx.x.9 255.255.255.252
ip access-group 100 in
ip nat outside
no ip route-cache
no ip mroute-cache
pvc 1/32
protocol ip 10.0.80.10 broadcast
vbr-nrt 384 384 32
encapsulation aal5mux ip
!
crypto map mapaestatico
!
ip local pool mipool 192.168.200.218 192.168.200.220
ip nat inside source list 1 interface Loopback0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.80.10
ip access-list extended default-domain
ip access-list extended key-exchange
ip access-list extended protocol
ip access-list extended save-password
access-list 1 permit 192.168.200.0 0.0.0.255
radius-server authorization permit missing Service-Type
!
scheduler max-task-time 5000
!
end
When I put debug crypto ipsec I get:
*Mar 1 01:51:55.215: IPSEC(key_engine): got a queue event...
*Mar 1 01:51:55.727: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 22.81.27.2, remote= 62.83.244.84,
local_proxy= 22.81.27.2/255.255.255.255/0/0 (type=1),
remote_proxy= 192.168.200.219/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-aes 256 esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x2
*Mar 1 01:51:55.727: IPSEC(validate_proposal_request): proposal part #2,
(key eng. msg.) INBOUND local= 22.81.27.2, remote= 62.83.244.84,
local_proxy= 22.81.27.2/255.255.255.255/0/0 (type=1),
remote_proxy= 192.168.200.219/255.255.255.255/0/0 (type=1),
protocol= PCP, transform= comp-lzs ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
*Mar 1 01:51:55.731: IPSEC(validate_transform_proposal): invalid local address
22.81.27.2
*Mar 1 01:51:55.731: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 22.81.27.2, remote= 62.83.244.84,
local_proxy= 22.81.27.2/255.255.255.255/0/0 (type=1),
remote_proxy= 192.168.200.219/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-aes 256 esp-sha-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x2
*Mar 1 01:51:55.735: IPSEC(validate_proposal_request): proposal part #2,
(key eng. msg.) INBOUND local= 22.81.27.2, remote= 62.83.244.84,
local_proxy= 22.81.27.2/255.255.255.255/0/0 (type=1),
remote_proxy= 192.168.200.219/255.255.255.255/0/0 (type=1),
protocol= PCP, transform= comp-lzs ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
*Mar 1 01:51:55.735: IPSEC(validate_transform_proposal): invalid local address
22.81.27.2
*Mar 1 01:51:55.739: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 212.81.207.2, remote= 62.83.244.84,
local_proxy= 22.81.27.2/255.255.255.255/0/0 (type=1),
remote_proxy= 192.168.200.219/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-aes esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x2
*Mar 1 01:51:55.739: IPSEC(validate_proposal_request): proposal part #2,
(key eng. msg.) INBOUND local= 22.81.27.2, remote= 62.83.244.84,
local_proxy= 22.81.27.2/255.255.255.255/0/0 (type=1),
remote_proxy= 192.168.200.219/255.255.255.255/0/0 (type=1),
protocol= PCP, transform= comp-lzs ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
*Mar 1 01:51:55.743: IPSEC(validate_transform_proposal): invalid local address
22.81.27.2
*Mar 1 01:51:55.743: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 22.81.27.2, remote= 62.83.244.84,
local_proxy= 22.81.27.2/255.255.255.255/0/0 (type=1),
remote_proxy= 192.168.200.219/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-aes esp-sha-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x2
*Mar 1 01:51:55.743: IPSEC(validate_proposal_request): proposal part #2,
(key eng. msg.) INBOUND local= 22.81.27.2, remote= 62.83.244.84,
local_proxy= 22.81.27.2/255.255.255.255/0/0 (type=1),
remote_proxy= 192.168.200.219/255.255.255.255/0/0 (type=1),
protocol= PCP, transform= comp-lzs ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
*Mar 1 01:51:55.743: IPSEC(validate_transform_proposal): invalid local address
22.81.27.2
*Mar 1 01:51:55.747: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 212.81.207.2, remote= 62.83.244.84,
local_proxy= 22.81.27.2/255.255.255.255/0/0 (type=1),
remote_proxy= 192.168.200.219/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-aes 256 esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x2
*Mar 1 01:51:55.747: IPSEC(validate_transform_proposal): invalid local address
22.81.27.2
*Mar 1 01:51:55.751: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 22.81.27.2, remote= 62.83.244.84,
local_proxy= 22.81.27.2/255.255.255.255/0/0 (type=1),
remote_proxy= 192.168.200.219/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-aes 256 esp-sha-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x2
*Mar 1 01:51:55.751: IPSEC(validate_transform_proposal): invalid local address
22.81.27.2
*Mar 1 01:51:55.751: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 212.81.207.2, remote= 62.83.244.84,
local_proxy= 22.81.27.2/255.255.255.255/0/0 (type=1),
remote_proxy= 192.168.200.219/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-aes esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x2
*Mar 1 01:51:55.755: IPSEC(validate_transform_proposal): invalid local address
22.81.27.2
The log viewer of the client tells me:
The lenght of the mode Config option is invalid
Received malformed message or negotiation no longer active
What can I do?
I need your help please.
Many thanks
10-17-2003 07:46 AM
This could happen if IP/protocol filters are set up on the router. Also check if you have the latest version of the VPN client running.
11-04-2003 10:46 PM
This seems to be your problem:
*Mar 1 01:51:55.755: IPSEC(validate_transform_proposal): invalid local address
22.81.27.2
This is probably the address you use on the loopback interface?
ip nat inside source list 1 interface Loopback0 overload
You need to define which traffic you want to encrypt:
ip access-list extended VPNRANGE
permit ip any 192.168.200.218 0.0.0.1
permit ip any 192.168.200.220 0.0.0.0
deny ip any any
crypto dynamic-map mapadinamico 10
set transform-set mitrans
match address VPNRANGE
11-06-2003 12:21 PM
I haven't worked with the 827 or 837 for a long while, but try....
int loopback0
ip address x.x.x.2
crypto map mapaestatico local-address x.x.x.2 (whatever loopback is, if it is truly a static address)
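Added example, not part of any post in this thread and not Cisco tooling: a small Python parser that folds wrapped `debug crypto ipsec` lines into their timestamped events, lists the ESP transforms the client offered, checks them against the transform sets in the posted configuration, and tallies the rejection reasons. The names `summarize`, `SAMPLE` and `CONFIGURED` are assumptions made for this example, and the log sample is constructed with documentation-range addresses.

```python
import re
from collections import Counter

# Constructed sample shaped like the `debug crypto ipsec` output in the thread
# (documentation-range addresses, not the poster's).
SAMPLE = """\
*Mar 1 01:51:55.727: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.0.2.2, remote= 198.51.100.84,
remote_proxy= 192.168.200.219/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-aes 256 esp-md5-hmac ,
lifedur= 0s and 0kb,
*Mar 1 01:51:55.731: IPSEC(validate_transform_proposal): invalid local address
192.0.2.2
*Mar 1 01:51:55.739: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.0.2.2, remote= 198.51.100.84,
protocol= ESP, transform= esp-3des esp-sha-hmac ,
*Mar 1 01:51:55.743: IPSEC(validate_transform_proposal): invalid local address
192.0.2.2
"""
# Transform sets from the router configuration posted in the thread.
CONFIGURED = {"mitrans": "esp-3des esp-sha-hmac", "lasegtrans": "esp-des esp-md5-hmac"}

EVENT = re.compile(r"^\*\w{3}\s+\d+ [\d:.]+: IPSEC\((\w+)\): (.*)$")
ESP = re.compile(r"protocol= ESP, transform= (.*?)\s*,")
PEER = re.compile(r"INBOUND local= [\d.]+, remote= ([\d.]+)")

def summarize(log, configured=CONFIGURED):
    """Fold wrapped lines into their timestamped event, then tally the events."""
    events = []
    for line in log.splitlines():
        m = EVENT.match(line)
        if m:
            events.append([m.group(1), m.group(2)])
        elif events:
            events[-1][1] += " " + line.strip()  # continuation of previous event
    offered, rejected, peers = [], Counter(), set()
    for name, body in events:
        if name == "validate_proposal_request":
            offered += ESP.findall(body)
            peers.update(PEER.findall(body))
        elif name == "validate_transform_proposal":
            rejected[body] += 1  # e.g. "invalid local address <ip>"
    usable = sorted(n for n, t in configured.items() if t in offered)
    return {"offered": offered, "usable_sets": usable,
            "rejected": dict(rejected), "peers": sorted(peers)}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

In the constructed sample the offer that matches `mitrans` is rejected with the same "invalid local address" reason as the AES offer, which is the kind of pattern that points at the local address rather than at the transform sets.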