[c-nsp] IPSec problem: invalid transform proposal

Piestaga piestaga at aster.pl
Mon Feb 13 08:49:40 EST 2006


Hello szilard,

try to remove the crypto map from the interface and assign it again.

I experienced such an error when changing something within the ISAKMP or
IPSec suite and did not re-assign the crypto map.

hope this will help
sebastian


Monday, February 13, 2006, 1:54:42 PM, you wrote:

> hello,

> I want to establish an IPSec tunnel between a 6500 (122-18.SXD6) with VPNSM
> (WS-SVC-IPSEC-1) and a PIX
> (6.3.4)

> the configuration seems okay, but the tunnel doesn't come up.

> ISAKMP is working, but the SA is missing.
> policy, transform-set, pfs group, key, hash, encapsulation etc. are fine too.

> one of the last lines from the debug says this:
> " invalid transform proposal flags -- 0x2"   Where can I check what this
> flag means?


> any advice is appreciated
> thanx,
> szilard csordas


> router#sh crypto isakmp sa
> dst             src             state          conn-id slot
> XXX           XXX         QM_IDLE              1    0


> debug output:

> ....
> Feb 13 12:17:29.638 CET: ISAKMP (0:268435457): received packet from XXX
> dport 500 sport 500 Global (R) QM_IDLE
> Feb 13 12:17:29.638 CET: ISAKMP: set new node 221041643 to QM_IDLE
> Feb 13 12:17:29.638 CET: ISAKMP:(0:1:HW:2): processing HASH payload. message
> ID = 221041643
> Feb 13 12:17:29.638 CET: ISAKMP:(0:1:HW:2): processing SA payload. message
> ID = 221041643
> Feb 13 12:17:29.642 CET: ISAKMP:(0:1:HW:2):Checking IPSec proposal 1
> Feb 13 12:17:29.642 CET: ISAKMP: transform 1, ESP_3DES
> Feb 13 12:17:29.642 CET: ISAKMP:   attributes in transform:
> Feb 13 12:17:29.642 CET: ISAKMP:      encaps is 1
> Feb 13 12:17:29.642 CET: ISAKMP:      SA life type in seconds
> Feb 13 12:17:29.642 CET: ISAKMP:      SA life duration (basic) of 28800
> Feb 13 12:17:29.642 CET: ISAKMP:      SA life type in kilobytes
> Feb 13 12:17:29.642 CET: ISAKMP:      SA life duration (VPI) of  0x0 0x46
> 0x50 0x0
> Feb 13 12:17:29.642 CET: ISAKMP:      authenticator is HMAC-SHA
> Feb 13 12:17:29.642 CET: ISAKMP:(0:1:HW:2):atts are acceptable.
> Feb 13 12:17:29.642 CET: IPSEC(validate_proposal_request): proposal
> part #1,
>   (key eng. msg.) INBOUND local= XXX, remote= XXX,
>     local_proxy= XXX/255.255.255.128/0/0 (type=4),
>     remote_proxy= XXX/255.255.255.240/0/0 (type=4),
>     protocol= ESP, transform= esp-3des esp-sha-hmac ,
>     lifedur= 0s and 0kb,
>     spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
> Feb 13 12:17:29.642 CET: IPSEC(kei_proxy): head = MAPNAME, map-*>ivrf = ,
> kei->>ivrf = *
> Feb 13 12:17:29.642 CET: IPSEC(validate_transform_proposal): invalid
> transform proposal flags -- 0x2
> Feb 13 12:17:29.642 CET: ISAKMP:(0:1:HW:2): IPSec policy invalidated
> proposal
> Feb 13 12:17:29.642 CET: ISAKMP:(0:1:HW:2): phase 2 SA policy not
> acceptable! (local XXX remote XXX)
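
As an added example (not code from either poster), the following Python script parses the debug lines quoted above and correlates the ISAKMP "atts are acceptable" verdict with the later IPSEC(validate_transform_proposal) rejection, so the layer that failed is obvious at a glance. The triage rules are my own heuristics rather than IOS documentation, and the script does not decode what flags 0x2 means.

```python
import re

# Constructed sample: the ISAKMP/IPSEC debug lines quoted in the thread, re-joined
# onto single lines (addresses were already masked as XXX by the original poster).
DEBUG = """\
Feb 13 12:17:29.642 CET: ISAKMP: transform 1, ESP_3DES
Feb 13 12:17:29.642 CET: ISAKMP:      SA life duration (basic) of 28800
Feb 13 12:17:29.642 CET: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
Feb 13 12:17:29.642 CET: ISAKMP:      authenticator is HMAC-SHA
Feb 13 12:17:29.642 CET: ISAKMP:(0:1:HW:2):atts are acceptable.
Feb 13 12:17:29.642 CET: IPSEC(validate_proposal_request): proposal part #1,
    protocol= ESP, transform= esp-3des esp-sha-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
Feb 13 12:17:29.642 CET: IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x2
Feb 13 12:17:29.642 CET: ISAKMP:(0:1:HW:2): phase 2 SA policy not acceptable! (local XXX remote XXX)
"""

def _grab(pattern, text, conv=str):
    """First capture group of pattern in text (converted), or None if absent."""
    m = re.search(pattern, text)
    return conv(m.group(1).strip()) if m else None

def parse_phase2_debug(text):
    """Summarise one Quick Mode proposal from 'debug crypto isakmp/ipsec' output."""
    # The kilobyte lifetime is printed as four big-endian hex bytes.
    vpi = _grab(r"SA life duration \(VPI\) of((?:\s+0x[0-9a-fA-F]+){4})", text)
    return {
        "transform": _grab(r"ISAKMP: transform \d+, (\S+)", text),
        "life_seconds": _grab(r"SA life duration \(basic\) of (\d+)", text, int),
        "life_kb": int.from_bytes(bytes(int(b, 16) for b in vpi.split()), "big") if vpi else None,
        "isakmp_atts_ok": "atts are acceptable" in text,
        "ipsec_transform": _grab(r"transform= ([^,]+?)\s*,", text),
        "ipsec_life_s": _grab(r"lifedur= (\d+)s", text, int),
        "flags": _grab(r"flags= (0x[0-9a-fA-F]+)", text),
        "reject": _grab(r"IPSEC\(validate_transform_proposal\): (.+)", text),
        "phase2_ok": "phase 2 SA policy not acceptable" not in text,
    }

def triage(s):
    """Troubleshooting hints from the summary; the rules here are my own heuristics."""
    hints = []
    if s["isakmp_atts_ok"] and not s["phase2_ok"]:
        hints.append("ISAKMP accepted the attributes, so the check that failed is the local "
                     "crypto-map policy (%s): re-apply the crypto map to the interface and "
                     "confirm its transform-set matches %s" % (s["reject"], s["ipsec_transform"]))
    if s["ipsec_life_s"] == 0 and s["life_seconds"]:
        hints.append("ISAKMP parsed a %ds / %d KB lifetime but the validated proposal shows "
                     "lifedur= 0s; compare the lifetimes on both peers" % (s["life_seconds"], s["life_kb"]))
    return hints
```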
