Hi,

Could anyone help me and shed some light on a problem I am having?

I am trying to set up a remote access VPN as follows:

W2K client --> Cisco PIX 515E using L2TP/IPsec

The W2K client is connected to the net via an ADSL router with a LAN net of
192.168.0.0 255.255.255.0 and an external IP s.s.s.s (in the debug).
The PIX is d.d.d.d.

I have installed the MS cert server and have installed a cert onto the Cisco
and the W2K client. I have read just about everything I can find and have
hit the following problem.

The VPN connection from the W2K client hangs and the PIX seems to be showing
a debug message:
"invalid transform proposal flags"

The only ref to this error seems to point to the PIX being incorrectly
configured to use tunnel mode, but I have set
"crypto ipsec transform-set trans01 mode transport"
(IKE seems to be working in the debug.)

I'm stumped and have spent 2 weeks getting this far :O(

Help

Dan

Debug follows:
########
ISAKMP (0): SA has been authenticated
ISAKMP (0): ID payload
next-payload : 6
type : 2
protocol : 17
port : 500
length : 32
ISAKMP (0): Total payload length: 36
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
crypto_isakmp_process_block: src s.s.s.s, dest d.d.d.d
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 2952273358
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
ISAKMP: encaps is 2
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= d.d.d.d, src= s.s.s.s,
dest_proxy= d.d.d.d/255.255.255.255/17/0 (type=1),
src_proxy= 192.168.0.3/255.255.255.255/17/1701 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x0
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= d.d.d.d, src= s.s.s.s,
dest_proxy= 192.168.0.3/255.255.255.255/17/1701 (type=1),
src_proxy= d.d.d.d/255.255.255.255/17/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x0
ISAKMP: IPSec policy invalidated proposal
ISAKMP : Checking IPSec proposal 2
########
Setup follows:
########
vpdn group vpn01 accept dialin l2tp
vpdn group vpn01 ppp authentication mschap
vpdn group vpn01 client authentication local
vpdn username xxxxxxxx password xxxxxxxx
ip local pool vpn01_pool 10.1.111.1-10.1.111.100
vpdn group vpn01 client configuration address local vpn01_pool
vpdn group vpn01 client configuration dns 10.1.50.125 10.1.50.127
vpdn group vpn01 client configuration wins 10.1.50.22 10.1.50.46
vpdn enable outside
access-list acl_vpn01_inside_outbound_nat0 permit ip any 10.1.111.0 255.255.255.0
nat (inside) 0 access-list acl_vpn01_inside_outbound_nat0
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp enable outside
access-list acl_vpn01_outside_cryptomap_dyn_20 permit ip any 10.1.111.0 255.255.255.0
access-list acl_vpn01_outside_cryptomap_dyn_20 permit ip host <d.d.d.d> 192.168.0.0 255.255.255.0
crypto ipsec transform-set trans01 esp-3des esp-sha-hmac
crypto ipsec transform-set trans01 mode transport
crypto ipsec transform-set trans02 esp-3des esp-md5-hmac
crypto ipsec transform-set trans02 mode transport
crypto ipsec transform-set trans03 esp-des esp-sha-hmac
crypto ipsec transform-set trans03 mode transport
crypto ipsec transform-set trans04 esp-des esp-md5-hmac
crypto ipsec transform-set trans04 mode transport
crypto dynamic-map outside_dyn_map 20 match address acl_vpn01_outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set trans01 trans02 trans03 trans04
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 3600
crypto map outside_map 200 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
sysopt connection permit-l2tp
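As an added example (not code from the original poster), here is a small Python helper for reading a PIX 6.x quick-mode debug like the one above. It decodes the fields the debug prints in raw form (the VPI lifetime bytes, the "encaps is N" code, the addr/mask/proto/port proxy identities) and then cross-checks the proposal against the posted config for the two things the post itself raises: whether any configured transform set matches the proposed algorithms and mode, and whether the dynamic map's crypto ACL covers the proxy identities. The sample debug and config lines are constructed from the post, with 203.0.113.1 standing in for d.d.d.d; the helper does not say what causes the "invalid transform proposal flags" message.

```python
"""Decode a PIX 6.x quick-mode debug and cross-check it against the PIX config.

Added example, not code from the original post. 203.0.113.1 stands in for the
PIX outside address written as d.d.d.d in the post.
"""
import ipaddress
import re

# Constructed sample modelled on the quick-mode debug quoted above (one proposal).
SAMPLE_DEBUG = """\
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
ISAKMP: encaps is 2
ISAKMP: authenticator is HMAC-MD5
dest_proxy= 203.0.113.1/255.255.255.255/17/0 (type=1),
src_proxy= 192.168.0.3/255.255.255.255/17/1701 (type=1),
"""

# Constructed sample of the relevant config lines, in the same form as the post's.
SAMPLE_CONFIG = """\
access-list acl_vpn01_outside_cryptomap_dyn_20 permit ip any 10.1.111.0 255.255.255.0
access-list acl_vpn01_outside_cryptomap_dyn_20 permit ip host 203.0.113.1 192.168.0.0 255.255.255.0
crypto ipsec transform-set trans01 esp-3des esp-sha-hmac
crypto ipsec transform-set trans01 mode transport
crypto ipsec transform-set trans02 esp-3des esp-md5-hmac
crypto ipsec transform-set trans02 mode transport
"""

ENCAPS = {1: "tunnel", 2: "transport"}  # RFC 2407 Encapsulation Mode attribute values
ENC_NAMES = {"ESP_3DES": "esp-3des", "ESP_DES": "esp-des"}  # debug spelling -> PIX keyword
AUTH_NAMES = {"HMAC-MD5": "esp-md5-hmac", "HMAC-SHA": "esp-sha-hmac"}


def parse_vpi(words):
    """'0x0 0x0 0xe 0x10' -> 3600: the VPI lifetime is a big-endian byte string."""
    return int.from_bytes(bytes(int(w, 16) for w in words.split()), "big")


def parse_proxy(field):
    """'192.168.0.3/255.255.255.255/17/1701' -> (network, ip protocol, port)."""
    addr, mask, proto, port = field.split("/")
    return ipaddress.ip_network(f"{addr}/{mask}"), int(proto), int(port)


def parse_proposal(debug):
    """Pull the fields of one quick-mode proposal out of PIX debug text."""
    p, life_types = {}, []
    for line in debug.splitlines():
        if m := re.search(r"transform \d+, (\S+)", line):
            p["encryption"] = ENC_NAMES.get(m.group(1), m.group(1))
        elif m := re.search(r"SA life type in (\w+)", line):
            life_types.append(m.group(1))  # the type line precedes its duration line
        elif m := re.search(r"SA life duration \(VPI\) of (.+)$", line):
            p["life_" + life_types.pop(0)] = parse_vpi(m.group(1))
        elif m := re.search(r"encaps is (\d+)", line):
            p["mode"] = ENCAPS.get(int(m.group(1)), "unknown")
        elif m := re.search(r"authenticator is (\S+)", line):
            p["auth"] = AUTH_NAMES.get(m.group(1), m.group(1))
        elif m := re.search(r"(src|dest)_proxy= (\S+) ", line):
            p[m.group(1) + "_proxy"] = parse_proxy(m.group(2))
    return p


def parse_transform_sets(config):
    """Collect 'crypto ipsec transform-set NAME ...' lines into {name: {...}}."""
    sets = {}
    for line in config.splitlines():
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
        if not m:
            continue
        name, rest = m.groups()
        ts = sets.setdefault(name, {"mode": "tunnel"})  # PIX default when no 'mode' line
        if rest.startswith("mode "):
            ts["mode"] = rest.split()[1]
        else:
            ts["transforms"] = set(rest.split())
    return sets


def matching_transform_sets(proposal, sets):
    """Names of configured sets whose algorithms and mode equal the proposal's."""
    want = {proposal["encryption"], proposal["auth"]}
    return sorted(n for n, ts in sets.items()
                  if ts.get("transforms") == want and ts["mode"] == proposal["mode"])


def parse_acl(config, name):
    """'access-list NAME permit ip SRC DST' entries -> [(src_net, dst_net)]."""
    def net(tokens):
        tok = tokens.pop(0)
        if tok == "any":
            return ipaddress.ip_network("0.0.0.0/0")
        if tok == "host":
            return ipaddress.ip_network(tokens.pop(0) + "/32")
        return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)
    entries = []
    for line in config.splitlines():
        parts = line.split()
        if parts[:4] == ["access-list", name, "permit", "ip"]:
            rest = parts[4:]
            entries.append((net(rest), net(rest)))
    return entries


def acl_covers(entries, local_proxy, remote_proxy):
    """True if one 'permit ip' entry contains both proxy networks (protocol/port are
    not checked because these entries are 'ip', i.e. any protocol)."""
    return any(local_proxy[0].subnet_of(s) and remote_proxy[0].subnet_of(d)
               for s, d in entries)


def check(debug=SAMPLE_DEBUG, config=SAMPLE_CONFIG,
          acl_name="acl_vpn01_outside_cryptomap_dyn_20"):
    """Decode the proposal and return (proposal, matching set names, acl covers)."""
    proposal = parse_proposal(debug)
    matched = matching_transform_sets(proposal, parse_transform_sets(config))
    # The PIX's crypto ACL names the PIX's own side as source, which in the
    # client's proposal is the dest proxy.
    covered = acl_covers(parse_acl(config, acl_name),
                         proposal["dest_proxy"], proposal["src_proxy"])
    return proposal, matched, covered


if __name__ == "__main__":
    proposal, matched, covered = check()
    print("client proposed:", proposal)
    print("transform sets matching algorithms and mode:", matched)
    print("crypto ACL covers the proxy identities:", covered)
```

Run as-is it decodes the proposal as esp-3des/esp-md5-hmac in transport mode with lifetimes of 3600 seconds and 250000 KB, reports trans02 as the set matching those values, and reports the second ACL entry as covering host d.d.d.d to 192.168.0.3; that narrows where a mismatch can and cannot be, without naming the cause of the error.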