[c-nsp] IPSec problem: invalid transform proposal
szilard csordas
redmond at freemail.hu
Tue Feb 14 02:09:40 EST 2006
hello,
thank you for the advice (Jim too).
After troubleshooting the whole day, I asked one of my colleagues
to check the configuration; maybe he would notice something that I
hadn't.
10 minutes later he simply removed the "set pfs group2" command from
the crypto map and the IPSec SA was created. :)
It is a little confusing for me, because I specified "group 2" in the ipsec policy
and I thought I could use it in the crypto map too.
thnx,
szilard
Piestaga <piestaga at aster.pl> wrote:
> Hello szilard,
>
> try to remove the crypto map from the interface and assign it again.
>
> I experienced such an error when changing something within the ISAKMP or
> IPSec suite and not re-assigning the crypto map.
>
> hope, this will help
> sebastian
>
>
> Monday, February 13, 2006, 1:54:42 PM, you wrote:
>
> > hello,
>
> > I want to establish an IPSec tunnel between a 6500 (122-18.SXD6) with vpnsm
> > (WS-SVC-IPSEC-1) and a pix (6.3.4)
>
> > the configuration seems okay, but the tunnel doesn't come up.
>
> > the isakmp is working, but the SA is missing.
> > policy, transform-set, pfs group, key, hash, encapsulation etc. are fine too.
>
> > one of the last lines from debug says this:
> > " invalid transform proposal flags -- 0x2" Where can I check what this
> > flag means?
>
>
> > any advice is appreciated
> > thanx,
> > szilard csordas
>
>
> > router#sh crypto isakmp sa
> > dst src state conn-id slot
> > XXX XXX QM_IDLE 1 0
>
>
> > debug output:
>
> > ....
> > Feb 13 12:17:29.638 CET: ISAKMP (0:268435457): received packet from XXX dport 500 sport 500 Global (R) QM_IDLE
> > Feb 13 12:17:29.638 CET: ISAKMP: set new node 221041643 to QM_IDLE
> > Feb 13 12:17:29.638 CET: ISAKMP:(0:1:HW:2): processing HASH payload. message ID = 221041643
> > Feb 13 12:17:29.638 CET: ISAKMP:(0:1:HW:2): processing SA payload. message ID = 221041643
> > Feb 13 12:17:29.642 CET: ISAKMP:(0:1:HW:2):Checking IPSec proposal 1
> > Feb 13 12:17:29.642 CET: ISAKMP: transform 1, ESP_3DES
> > Feb 13 12:17:29.642 CET: ISAKMP: attributes in transform:
> > Feb 13 12:17:29.642 CET: ISAKMP: encaps is 1
> > Feb 13 12:17:29.642 CET: ISAKMP: SA life type in seconds
> > Feb 13 12:17:29.642 CET: ISAKMP: SA life duration (basic) of 28800
> > Feb 13 12:17:29.642 CET: ISAKMP: SA life type in kilobytes
> > Feb 13 12:17:29.642 CET: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
> > Feb 13 12:17:29.642 CET: ISAKMP: authenticator is HMAC-SHA
> > Feb 13 12:17:29.642 CET: ISAKMP:(0:1:HW:2):atts are acceptable.
> > Feb 13 12:17:29.642 CET: IPSEC(validate_proposal_request): proposal part #1,
> > (key eng. msg.) INBOUND local= XXX, remote= XXX,
> > local_proxy= XXX/255.255.255.128/0/0 (type=4),
> > remote_proxy= XXX/255.255.255.240/0/0 (type=4),
> > protocol= ESP, transform= esp-3des esp-sha-hmac ,
> > lifedur= 0s and 0kb,
> > spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
> > Feb 13 12:17:29.642 CET: IPSEC(kei_proxy): head = MAPNAME, map->ivrf = , kei->ivrf =
> > Feb 13 12:17:29.642 CET: IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x2
> > Feb 13 12:17:29.642 CET: ISAKMP:(0:1:HW:2): IPSec policy invalidated proposal
> > Feb 13 12:17:29.642 CET: ISAKMP:(0:1:HW:2): phase 2 SA policy not acceptable! (local XXX remote XXX)
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
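Removing "set pfs group2" from the crypto map is what resolved this thread, and the quoted phase 2 debug lists no group attribute among the transform attributes the peer proposed. The Python below is an added example (not code from the original post) that parses a constructed debug excerpt modelled on the one quoted above and reports which local policy item would reject the proposal; the "ISAKMP: group is N" line format, the LOCAL_POLICY values and the function names are assumptions.

```python
import re

# Constructed debug excerpt modelled on the thread above (peer addresses redacted as in the post).
SAMPLE_DEBUG = """\
Feb 13 12:17:29.642 CET: ISAKMP:(0:1:HW:2):Checking IPSec proposal 1
Feb 13 12:17:29.642 CET: ISAKMP: transform 1, ESP_3DES
Feb 13 12:17:29.642 CET: ISAKMP: attributes in transform:
Feb 13 12:17:29.642 CET: ISAKMP: encaps is 1
Feb 13 12:17:29.642 CET: ISAKMP: SA life type in seconds
Feb 13 12:17:29.642 CET: ISAKMP: SA life duration (basic) of 28800
Feb 13 12:17:29.642 CET: ISAKMP: authenticator is HMAC-SHA
Feb 13 12:17:29.642 CET: ISAKMP:(0:1:HW:2):atts are acceptable.
Feb 13 12:17:29.642 CET: IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x2
"""

# Hypothetical local responder policy: the crypto map in the thread carried "set pfs group2".
LOCAL_POLICY = {"transform": "ESP_3DES", "auth": "HMAC-SHA", "pfs_group": 2}


def parse_proposal(debug_text):
    """Collect the phase 2 attributes the peer proposed from ISAKMP debug lines."""
    prop = {"transform": None, "auth": None, "pfs_group": None, "flags": None}
    for line in debug_text.splitlines():
        if m := re.search(r"ISAKMP: transform \d+, (\S+)", line):
            prop["transform"] = m.group(1)
        elif m := re.search(r"authenticator is (\S+)", line):
            prop["auth"] = m.group(1)
        elif m := re.search(r"ISAKMP: group is (\d+)", line):  # assumed format of a PFS group attribute line
            prop["pfs_group"] = int(m.group(1))
        elif m := re.search(r"invalid transform proposal flags -- (0x[0-9a-fA-F]+)", line):
            prop["flags"] = int(m.group(1), 16)
    return prop


def find_mismatches(proposal, local):
    """Return human-readable reasons the local policy would reject the peer's proposal."""
    reasons = []
    for key in ("transform", "auth"):
        if proposal[key] != local[key]:
            reasons.append(f"{key}: peer proposed {proposal[key]}, local has {local[key]}")
    # PFS is only checked when the local crypto map requires it; a peer that sends no
    # group attribute cannot satisfy a "set pfs" requirement.
    if local["pfs_group"] and proposal["pfs_group"] != local["pfs_group"]:
        reasons.append(f"pfs: local crypto map requires group {local['pfs_group']}, "
                       f"peer proposed {proposal['pfs_group'] or 'none'}")
    return reasons


if __name__ == "__main__":
    for reason in find_mismatches(parse_proposal(SAMPLE_DEBUG), LOCAL_POLICY):
        print(reason)
```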