A Broadband and ADSL forum. BroadbanterBanter


uk.telecom.broadband (UK broadband) (uk.telecom.broadband) Discussion of broadband services, technology and equipment as provided in the UK. Discussions of specific services based on ADSL, cable modems or other broadband technology are also on-topic. Advertising is not allowed.

win2k client -- cisco pix l2tp ipsec vpn



 
 
Old December 2nd 03, 12:17 AM posted to uk.telecom.broadband
Daniel

hi,

could anyone help me and shed some light on a problem i am having?
i am trying to set up a remote access vpn as follows

w2k client -- cisco pix 515e using l2tp/ipsec

w2k client is connected to the net via an adsl router with a lan net of
192.168.0.0 255.255.255.0 and an external ip s.s.s.s (in the debug)
pix is (d.d.d.d)

i have installed the ms cert server and have installed a cert onto the cisco
and the w2k client. i have read just about everything i can find and have
hit the following problem.

the vpn connection from the w2k client hangs and the pix seems to be showing
a debug message;
"invalid transform proposal flags"

the only ref to this error seems to point to the pix being incorrectly
configured to use tunnel mode, but i have set

"crypto ipsec transform-set trans01 mode transport"

(ike seems to be working in the debug)

i'm stumped and have spent 2 weeks getting this far :O(

help

Dan

debug follows;
########

ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload
next-payload : 6
type : 2
protocol : 17
port : 500
length : 32
ISAKMP (0): Total payload length: 36
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
crypto_isakmp_process_block: src s.s.s.s, dest d.d.d.d
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 2952273358

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
ISAKMP: encaps is 2
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= d.d.d.d, src= s.s.s.s,
dest_proxy= d.d.d.d/255.255.255.255/17/0 (type=1),
src_proxy= 192.168.0.3/255.255.255.255/17/1701 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x0
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= d.d.d.d, src= s.s.s.s,
dest_proxy= 192.168.0.3/255.255.255.255/17/1701 (type=1),
src_proxy= d.d.d.d/255.255.255.255/17/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x0

ISAKMP: IPSec policy invalidated proposal
ISAKMP : Checking IPSec proposal 2

########

setup follows

########

vpdn group vpn01 accept dialin l2tp
vpdn group vpn01 ppp authentication mschap

vpdn group vpn01 client authentication local
vpdn username xxxxxxxx password xxxxxxxx

ip local pool vpn01_pool 10.1.111.1-10.1.111.100

vpdn group vpn01 client configuration address local vpn01_pool
vpdn group vpn01 client configuration dns 10.1.50.125 10.1.50.127
vpdn group vpn01 client configuration wins 10.1.50.22 10.1.50.46
vpdn enable outside

access-list acl_vpn01_inside_outbound_nat0 permit ip any 10.1.111.0 255.255.255.0
nat (inside) 0 access-list acl_vpn01_inside_outbound_nat0

isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp enable outside

access-list acl_vpn01_outside_cryptomap_dyn_20 permit ip any 10.1.111.0 255.255.255.0
access-list acl_vpn01_outside_cryptomap_dyn_20 permit ip host d.d.d.d 192.168.0.0 255.255.255.0

crypto ipsec transform-set trans01 esp-3des esp-sha-hmac
crypto ipsec transform-set trans01 mode transport
crypto ipsec transform-set trans02 esp-3des esp-md5-hmac
crypto ipsec transform-set trans02 mode transport
crypto ipsec transform-set trans03 esp-des esp-sha-hmac
crypto ipsec transform-set trans03 mode transport
crypto ipsec transform-set trans04 esp-des esp-md5-hmac
crypto ipsec transform-set trans04 mode transport

crypto dynamic-map outside_dyn_map 20 match address acl_vpn01_outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set trans01 trans02 trans03 trans04
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 3600

crypto map outside_map 200 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

sysopt connection permit-l2tp

--
Daniel
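
Added example (not part of the post above and not Cisco tooling): a Python script that decodes the Quick Mode offer from the posted debug lines and checks it against the posted transform-sets. The function names are hypothetical and the two excerpts are copied from the post.

```python
import re
# Excerpts copied from the debug output and config in the post above.
DEBUG = """\
ISAKMP: transform 1, ESP_3DES
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
ISAKMP: encaps is 2
ISAKMP: authenticator is HMAC-MD5
"""
CONFIG = """\
crypto ipsec transform-set trans01 esp-3des esp-sha-hmac
crypto ipsec transform-set trans01 mode transport
crypto ipsec transform-set trans02 esp-3des esp-md5-hmac
crypto ipsec transform-set trans02 mode transport
"""
ENCAPS = {1: "tunnel", 2: "transport"}  # IPsec DOI (RFC 2407) encapsulation modes

def parse_proposal(debug):
    """Decode one Quick Mode transform from the ISAKMP debug lines."""
    p, unit = {"life": {}}, None
    for line in debug.splitlines():
        if m := re.search(r"transform \d+, ESP_(\w+)", line):
            p["cipher"] = "esp-" + m.group(1).lower()
        elif m := re.search(r"SA life type in (\w+)", line):
            unit = m.group(1)  # the VPI line that follows is in this unit
        elif m := re.search(r"\(VPI\) of ((?:0x[0-9a-f]+ ?)+)", line):
            octets = bytes(int(b, 16) for b in m.group(1).split())
            p["life"][unit] = int.from_bytes(octets, "big")  # big-endian octets
        elif m := re.search(r"encaps is (\d+)", line):
            p["mode"] = ENCAPS[int(m.group(1))]
        elif m := re.search(r"authenticator is HMAC-(\w+)", line):
            p["auth"] = f"esp-{m.group(1).lower()}-hmac"
    return p

def parse_transform_sets(config):
    """Map transform-set name -> transforms and mode (tunnel unless set)."""
    sets = {}
    for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M):
        ts = sets.setdefault(m.group(1), {"transforms": set(), "mode": "tunnel"})
        if m.group(2).startswith("mode "):
            ts["mode"] = m.group(2).split()[1]
        else:
            ts["transforms"] = set(m.group(2).split())
    return sets

def matching_sets(p, sets):
    """Names of configured sets whose transforms and mode equal the offer."""
    return [n for n, ts in sets.items()
            if ts["transforms"] == {p["cipher"], p["auth"]} and ts["mode"] == p["mode"]]
```

On the posted data the offer decodes to esp-3des with esp-md5-hmac in transport mode, with lifetimes of 3600 seconds and 250000 kilobytes, which lines up with trans02.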




 




All times are GMT +1.

