[c-nsp] IPSec problem: invalid transform proposal

szilard csordas redmond at freemail.hu
Mon Feb 13 07:54:42 EST 2006


hello,

I want to establish an IPsec tunnel between a 6500 (122-18.SXD6) with VPNSM
(WS-SVC-IPSEC-1) and a PIX (6.3.4).

The configuration seems okay, but the tunnel doesn't come up.

ISAKMP is working, but the SA is missing.
Policy, transform-set, PFS group, key, hash, encapsulation etc. are fine too.

One of the last lines from the debug says this:
"invalid transform proposal flags -- 0x2". Where can I check what this
flag means?


Any advice is appreciated.
Thanks,
szilard csordas


router#sh crypto isakmp sa
dst             src             state          conn-id slot
XXX           XXX         QM_IDLE              1    0


debug output:

....
Feb 13 12:17:29.638 CET: ISAKMP (0:268435457): received packet from XXX dport 500 sport 500 Global (R) QM_IDLE
Feb 13 12:17:29.638 CET: ISAKMP: set new node 221041643 to QM_IDLE
Feb 13 12:17:29.638 CET: ISAKMP:(0:1:HW:2): processing HASH payload. message ID = 221041643
Feb 13 12:17:29.638 CET: ISAKMP:(0:1:HW:2): processing SA payload. message ID = 221041643
Feb 13 12:17:29.642 CET: ISAKMP:(0:1:HW:2):Checking IPSec proposal 1
Feb 13 12:17:29.642 CET: ISAKMP: transform 1, ESP_3DES
Feb 13 12:17:29.642 CET: ISAKMP:   attributes in transform:
Feb 13 12:17:29.642 CET: ISAKMP:      encaps is 1
Feb 13 12:17:29.642 CET: ISAKMP:      SA life type in seconds
Feb 13 12:17:29.642 CET: ISAKMP:      SA life duration (basic) of 28800
Feb 13 12:17:29.642 CET: ISAKMP:      SA life type in kilobytes
Feb 13 12:17:29.642 CET: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
Feb 13 12:17:29.642 CET: ISAKMP:      authenticator is HMAC-SHA
Feb 13 12:17:29.642 CET: ISAKMP:(0:1:HW:2):atts are acceptable.
Feb 13 12:17:29.642 CET: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= XXX, remote= XXX,
    local_proxy= XXX/255.255.255.128/0/0 (type=4),
    remote_proxy= XXX/255.255.255.240/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
Feb 13 12:17:29.642 CET: IPSEC(kei_proxy): head = MAPNAME, map-*>ivrf = , kei->ivrf = *
Feb 13 12:17:29.642 CET: IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x2
Feb 13 12:17:29.642 CET: ISAKMP:(0:1:HW:2): IPSec policy invalidated proposal
Feb 13 12:17:29.642 CET: ISAKMP:(0:1:HW:2): phase 2 SA policy not acceptable! (local XXX remote XXX)
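Added example, not part of the original post or of any Cisco tooling: a small Python parser that turns the Quick Mode debug lines quoted above into a structured proposal, decodes the VPI-encoded kilobyte lifetime (0x0 0x46 0x50 0x0 is 4608000 KB, alongside the 28800 s basic lifetime) and the rejected flags word into bit positions, and compares the peer's attributes (transform, encapsulation mode) with the local policy. The sample debug text is the post's own output, unwrapped and with timestamps dropped; LOCAL_POLICY, the function names and the Proposal fields are assumptions. It reports which bit of the flags word is set, not what that bit means, since the debug does not say.

```python
"""Parse Quick Mode (phase 2) lines of Cisco IOS 'debug crypto isakmp' /
'debug crypto ipsec' output and compare the peer's proposal with local policy."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the debug lines quoted in the post, unwrapped onto single
# lines with the timestamps dropped; peer addresses stay masked as XXX.
SAMPLE_DEBUG = """\
ISAKMP:(0:1:HW:2):Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:(0:1:HW:2):atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= XXX, remote= XXX,
    local_proxy= XXX/255.255.255.128/0/0 (type=4),
    remote_proxy= XXX/255.255.255.240/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x2
ISAKMP:(0:1:HW:2): IPSec policy invalidated proposal
"""

# Encapsulation Mode attribute values from the IPsec DOI (RFC 2407, 4.5).
ENCAPS_MODE = {1: "tunnel", 2: "transport"}

# Hypothetical local policy on the 6500: the post says transform-set and
# encapsulation match the PIX but does not show the configuration.
LOCAL_POLICY = {"transform": "esp-3des esp-sha-hmac", "encaps": "tunnel"}


@dataclass
class Proposal:
    transform: Optional[str] = None        # ISAKMP transform name (ESP_3DES)
    encaps: Optional[str] = None           # tunnel / transport
    authenticator: Optional[str] = None    # HMAC-SHA, HMAC-MD5, ...
    life_seconds: Optional[int] = None
    life_kilobytes: Optional[int] = None
    local_proxy: Optional[str] = None      # addr/mask/proto/port as printed
    remote_proxy: Optional[str] = None
    ipsec_transform: Optional[str] = None  # IOS transform-set spelling
    flags: Optional[int] = None            # flags= in the key eng. msg.
    rejected_flags: Optional[int] = None   # value named in the rejection line


def decode_vpi(hex_bytes: str) -> int:
    """Decode a variable-length (VPI) attribute printed as space-separated hex
    bytes, most significant byte first: '0x0 0x46 0x50 0x0' -> 4608000."""
    value = 0
    for tok in hex_bytes.split():
        value = (value << 8) | int(tok, 16)
    return value


def flag_bits(flags: int) -> List[int]:
    """Bit positions set in a flags word (0x2 -> [1]); meanings are not known."""
    return [i for i in range(flags.bit_length()) if (flags >> i) & 1]


def parse_quick_mode(debug: str) -> Proposal:
    """Fill a Proposal from the attribute lines of one proposal check."""
    p = Proposal()
    life_type = None  # 'seconds' or 'kilobytes', set by the preceding line
    for line in debug.splitlines():
        if m := re.search(r"transform \d+, (\S+)", line):
            p.transform = m.group(1)
        elif m := re.search(r"encaps is (\d+)", line):
            p.encaps = ENCAPS_MODE.get(int(m.group(1)), f"unknown({m.group(1)})")
        elif m := re.search(r"SA life type in (\w+)", line):
            life_type = m.group(1)
        elif m := re.search(r"SA life duration \((basic|VPI)\) of\s+(.+?)\s*$", line):
            value = int(m.group(2)) if m.group(1) == "basic" else decode_vpi(m.group(2))
            if life_type == "seconds":
                p.life_seconds = value
            elif life_type == "kilobytes":
                p.life_kilobytes = value
        elif m := re.search(r"authenticator is (\S+)", line):
            p.authenticator = m.group(1)
        elif m := re.search(r"(local|remote)_proxy= (\S+)", line):
            setattr(p, f"{m.group(1)}_proxy", m.group(2))
        elif m := re.search(r"transform= (.*?)\s*,\s*$", line):
            p.ipsec_transform = m.group(1)
        elif m := re.search(r"invalid transform proposal flags -- (0x[0-9a-fA-F]+)", line):
            p.rejected_flags = int(m.group(1), 16)
        if m := re.search(r"flags= (0x[0-9a-fA-F]+)", line):
            p.flags = int(m.group(1), 16)
    return p


def check_against_local(p: Proposal, local: Dict[str, str]) -> List[str]:
    """Attributes on which the peer's proposal differs from the local policy.
    An empty list means the rejection is not an attribute mismatch; in the
    post it is the flags word, which is reported separately."""
    mismatches = []
    for name, peer in (("transform", p.ipsec_transform), ("encaps", p.encaps)):
        if peer != local[name]:
            mismatches.append(f"{name}: peer {peer!r} vs local {local[name]!r}")
    return mismatches


if __name__ == "__main__":
    prop = parse_quick_mode(SAMPLE_DEBUG)
    print(prop)
    print("lifetime:", prop.life_seconds, "s /", prop.life_kilobytes, "KB")
    print("attribute mismatches:", check_against_local(prop, LOCAL_POLICY))
    if prop.rejected_flags is not None:
        print("rejected flags bits:", flag_bits(prop.rejected_flags))
```

Run it on a full debug capture by replacing SAMPLE_DEBUG with the captured text; when `check_against_local` returns an empty list while the debug still prints `invalid transform proposal flags`, the attributes the post lists as matching really are matching in the proposal, and the remaining difference is in the flags word, which this parser only decodes to bit positions.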

