[c-nsp] IPSec problem: invalid transform proposal

Jim McBurnett jim at tgasolutions.com
Mon Feb 13 08:52:28 EST 2006


See if this helps:
http://tinyurl.com/a3z4k

jim 

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of szilard csordas
Sent: Monday, February 13, 2006 7:55 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] IPSec problem: invalid transform proposal

hello,

I want to establish an IPSec tunnel between a 6500 (122-18.SXD6) with a VPNSM
(WS-SVC-IPSEC-1) and a PIX (6.3.4).

The configuration seems okay, but the tunnel doesn't come up.

ISAKMP is working, but the SA is missing.
Policy, transform-set, PFS group, key, hash, encapsulation, etc. are fine
too.

One of the last lines from the debug says this:
"invalid transform proposal flags -- 0x2". Where can I check what this
flag means?


Any advice is appreciated.
Thanks,
szilard csordas


router#sh crypto isakmp sa
dst             src             state          conn-id slot
XXX           XXX         QM_IDLE              1    0


debug output:

....
Feb 13 12:17:29.638 CET: ISAKMP (0:268435457): received packet from XXX dport 500 sport 500 Global (R) QM_IDLE
Feb 13 12:17:29.638 CET: ISAKMP: set new node 221041643 to QM_IDLE
Feb 13 12:17:29.638 CET: ISAKMP:(0:1:HW:2): processing HASH payload. message ID = 221041643
Feb 13 12:17:29.638 CET: ISAKMP:(0:1:HW:2): processing SA payload. message ID = 221041643
Feb 13 12:17:29.642 CET: ISAKMP:(0:1:HW:2):Checking IPSec proposal 1
Feb 13 12:17:29.642 CET: ISAKMP: transform 1, ESP_3DES
Feb 13 12:17:29.642 CET: ISAKMP:   attributes in transform:
Feb 13 12:17:29.642 CET: ISAKMP:      encaps is 1
Feb 13 12:17:29.642 CET: ISAKMP:      SA life type in seconds
Feb 13 12:17:29.642 CET: ISAKMP:      SA life duration (basic) of 28800
Feb 13 12:17:29.642 CET: ISAKMP:      SA life type in kilobytes
Feb 13 12:17:29.642 CET: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
Feb 13 12:17:29.642 CET: ISAKMP:      authenticator is HMAC-SHA
Feb 13 12:17:29.642 CET: ISAKMP:(0:1:HW:2):atts are acceptable.
Feb 13 12:17:29.642 CET: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= XXX, remote= XXX,
    local_proxy= XXX/255.255.255.128/0/0 (type=4),
    remote_proxy= XXX/255.255.255.240/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
Feb 13 12:17:29.642 CET: IPSEC(kei_proxy): head = MAPNAME, map->ivrf = , kei->ivrf = *
Feb 13 12:17:29.642 CET: IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x2
Feb 13 12:17:29.642 CET: ISAKMP:(0:1:HW:2): IPSec policy invalidated proposal
Feb 13 12:17:29.642 CET: ISAKMP:(0:1:HW:2): phase 2 SA policy not acceptable! (local XXX remote XXX)
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
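The debug above is the usual place to start on a phase-2 failure: phase 1 is already in QM_IDLE, so the question is what the peer proposed and why the local IPsec policy rejected it. The following is an added example, not code from the post, from Cisco or from the list: a small parser that pulls the peer's quick-mode proposal out of ISAKMP/IPSEC debug lines, decodes the attributes that are easy to misread (encapsulation mode per RFC 2407, the variable-length kilobyte lifetime, dotted masks in the proxy identities), records the rejection lines, and diffs the proposal against a local policy. The sample log is constructed from the post's own lines (addresses stay masked as XXX), and ASSUMED_LOCAL_POLICY is hypothetical, built to match what the poster says is configured. The example deliberately does not decode the flags value itself, since the thread does not say what 0x2 means.

```python
import re

# RFC 2407 section 4.5, Encapsulation Mode attribute values (1 = Tunnel, 2 = Transport).
ENCAPS_MODES = {1: "tunnel", 2: "transport"}

# Constructed sample: the quick-mode records from the post, one record per line;
# the peer addresses were already masked as XXX in the original.
SAMPLE_DEBUG = """\
Feb 13 12:17:29.642 CET: ISAKMP:(0:1:HW:2):Checking IPSec proposal 1
Feb 13 12:17:29.642 CET: ISAKMP: transform 1, ESP_3DES
Feb 13 12:17:29.642 CET: ISAKMP:   attributes in transform:
Feb 13 12:17:29.642 CET: ISAKMP:      encaps is 1
Feb 13 12:17:29.642 CET: ISAKMP:      SA life type in seconds
Feb 13 12:17:29.642 CET: ISAKMP:      SA life duration (basic) of 28800
Feb 13 12:17:29.642 CET: ISAKMP:      SA life type in kilobytes
Feb 13 12:17:29.642 CET: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
Feb 13 12:17:29.642 CET: ISAKMP:      authenticator is HMAC-SHA
Feb 13 12:17:29.642 CET: ISAKMP:(0:1:HW:2):atts are acceptable.
Feb 13 12:17:29.642 CET: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= XXX, remote= XXX,
    local_proxy= XXX/255.255.255.128/0/0 (type=4),
    remote_proxy= XXX/255.255.255.240/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
Feb 13 12:17:29.642 CET: IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x2
Feb 13 12:17:29.642 CET: ISAKMP:(0:1:HW:2): IPSec policy invalidated proposal
Feb 13 12:17:29.642 CET: ISAKMP:(0:1:HW:2): phase 2 SA policy not acceptable! (local XXX remote XXX)
"""


def decode_vpi(hex_tokens):
    """Variable-length (VPI) lifetime: big-endian bytes, '0x0 0x46 0x50 0x0' -> 4608000."""
    value = 0
    for tok in hex_tokens.split():
        value = (value << 8) | int(tok, 16)
    return value


def mask_to_prefix(dotted_mask):
    """'255.255.255.128' -> 25."""
    return sum(bin(int(octet)).count("1") for octet in dotted_mask.split("."))


def parse_phase2_debug(text):
    """Extract the peer's phase-2 proposal and the local verdict from Cisco ISAKMP/IPSEC debug lines."""
    info = {"transforms": [], "encaps": None, "auth": None, "life_seconds": None,
            "life_kilobytes": None, "proxies": {}, "flags": None, "rejected": False, "reasons": []}
    life_type = None
    for line in text.splitlines():
        if m := re.search(r"transform \d+, (\S+)", line):
            info["transforms"].append(m.group(1))
        elif m := re.search(r"encaps is (\d+)", line):
            code = int(m.group(1))
            info["encaps"] = ENCAPS_MODES.get(code, f"unknown({code})")
        elif m := re.search(r"SA life type in (\w+)", line):
            life_type = m.group(1)          # qualifies the next "SA life duration" line
        elif m := re.search(r"SA life duration \(basic\) of (\d+)", line):
            info[f"life_{life_type}"] = int(m.group(1))
        elif m := re.search(r"SA life duration \(VPI\) of\s+(.+)$", line):
            info[f"life_{life_type}"] = decode_vpi(m.group(1))
        elif m := re.search(r"authenticator is (\S+)", line):
            info["auth"] = m.group(1)
        elif m := re.search(r"(local|remote)_proxy= ([^/\s]+)/(\d+\.\d+\.\d+\.\d+)/(\d+)/(\d+)", line):
            role, host, mask, proto, port = m.groups()
            info["proxies"][role] = (f"{host}/{mask_to_prefix(mask)}", int(proto), int(port))
        elif m := re.search(r"flags= (0x[0-9a-fA-F]+)", line):
            info["flags"] = int(m.group(1), 16)
        elif re.search(r"invalid transform proposal|invalidated proposal|not acceptable", line):
            info["rejected"] = True
            info["reasons"].append(line.split(": ", 1)[1])   # drop the timestamp prefix
    return info


def check_against_local(peer, local):
    """Fields where the peer's proposal disagrees with a (hypothetical) local crypto-map policy.

    Proxy identities are seen from the responder's side: the initiator's local network
    must appear here as remote_proxy, and vice versa.
    """
    mismatches = []
    if not set(peer["transforms"]) & set(local["transforms"]):
        mismatches.append("transform")
    if peer["encaps"] != local["encaps"]:
        mismatches.append("encaps")
    if peer["auth"] != local["auth"]:
        mismatches.append("auth")
    if peer["proxies"] != local["proxies"]:
        mismatches.append("proxy identities")
    return mismatches


# Hypothetical local policy, assumed to match what the poster says is configured on both sides.
ASSUMED_LOCAL_POLICY = {
    "transforms": ["ESP_3DES"], "encaps": "tunnel", "auth": "HMAC-SHA",
    "proxies": {"local": ("XXX/25", 0, 0), "remote": ("XXX/28", 0, 0)},
}

if __name__ == "__main__":
    peer = parse_phase2_debug(SAMPLE_DEBUG)
    print(peer)
    print("attribute mismatches:", check_against_local(peer, ASSUMED_LOCAL_POLICY))
```

Run against the post's lines, the parser reports ESP_3DES with HMAC-SHA in tunnel mode (encaps 1), a 28800 s lifetime, a kilobyte lifetime of 0x00465000 = 4608000 KB (the PIX default), proxy identities of a /25 and a /28, flags 0x2, and three rejection records. With the assumed local policy the attribute comparison comes back empty, which matches the debug itself: the ISAKMP layer says "atts are acceptable" and the rejection comes from validate_transform_proposal on the flags, not from any of the negotiated attributes. That is worth confirming before spending more time on transform sets and lifetimes.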


