Thx Tyson. True, with VPN client it always happens.
With regards
Kings

On Mon, Oct 11, 2010 at 9:55 PM, Tyson Scott <[email protected]> wrote:

> I find that with the VPN client if I add the first policy it tries to
> negotiate it works a lot faster
>
> Policy 1 that you have is a good choice; also you can do
>
> crypto isakmp policy 1
> enc aes 256
> group 5
> hash sha
>
> For version 5 of the client that is the first attempt it sends.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Managing Partner / Sr. Instructor - IPexpert, Inc.
> Mailto: [email protected]
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
> training locations throughout the United States, Europe, South Asia and
> Australia. Be sure to visit our online communities at
> www.ipexpert.com/communities and our public website at www.ipexpert.com
>
> *From:* Kingsley Charles [mailto:[email protected]]
> *Sent:* Monday, October 11, 2010 11:36 AM
> *To:* Tyson Scott
> *Cc:* [email protected]
> *Subject:* Re: [OSL | CCIE_Security] ISAKMP policy for EzVPN client
>
> I think there is some big issue with the IOS. Always there is a problem in
> the ISAKMP policy negotiation. I am doing the VPN labs on IPexpert.
> Initially, I am spending a lot of time on getting the correct policy. Even
> though in the debugs, I see the policy sent by the client is configured, the
> IOS server says can't find a matching policy. This issue is with both the
> IOS and VPN client. I tried configuring 6 policies but still in vain,
> nothing was matched. I have reloaded the routers twice.
>
> How are we expected to handle this consistent issue in the real lab? It
> takes a lot of time :-(
>
> crypto isakmp policy 1
> encr 3des
> authentication pre-share
> group 2
> !
> crypto isakmp policy 2
> authentication pre-share
> group 2
> !
> crypto isakmp policy 3
> encr 3des
> hash md5
> authentication pre-share
> group 2
> !
> crypto isakmp policy 4
> hash md5
> authentication pre-share
> group 2
> !
> crypto isakmp policy 5
> encr aes 192
> hash md5
> authentication pre-share
> group 2
> !
> crypto isakmp policy 6
> encr aes 192
> authentication pre-share
> group 2
>
> With regards
> Kings
>
> On Tue, Oct 5, 2010 at 7:28 PM, Tyson Scott <[email protected]> wrote:
>
> isakmp policy 1
> authentication rsa-sig
> hash sha
> encryption aes (not sure about 192 and 256)
> group 2
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
>
> *From:* [email protected] [mailto:[email protected]]
> *On Behalf Of* Kingsley Charles
> *Sent:* Tuesday, October 05, 2010 9:01 AM
> *To:* [email protected]
> *Subject:* [OSL | CCIE_Security] ISAKMP policy for EzVPN client
>
> Hi all
>
> I have always hit this. Only some ISAKMP policy combinations are sent by
> the VPN client. Following is the list of Remote VPN cases:
>
> VPN client + ASA server
> VPN client + IOS server
> IOS client + ASA server
> IOS client + IOS server
>
> I observed that this policy is accepted by ASA from the VPN client
>
> crypto isakmp policy 1
> authentication pre-share
> encryption des
> hash md5
> group 2
>
> Can anyone suggest the best ISAKMP policy combination that will work fine
> for all the four cases that I have mentioned above?
>
> With regards
> Kings
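
The policy comparison discussed in this thread, as an added example that is not part of any poster's message: it expands each `crypto isakmp policy` block to its full attribute set and checks it against the proposals named above. It assumes the classic IOS IKEv1 defaults for omitted attributes; the function and variable names are hypothetical.

```python
# Added example, not from the thread. Assumption: attributes a policy omits
# take the classic IOS IKEv1 defaults (DES, SHA, rsa-sig, group 1).
DEFAULTS = {"encryption": "des", "hash": "sha",
            "authentication": "rsa-sig", "group": "1"}

def parse_policies(config):
    """Return {priority: full attribute set} for each policy block."""
    policies, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if not words or words[0] == "!":
            continue
        if words[:3] == ["crypto", "isakmp", "policy"] and len(words) == 4:
            current = policies.setdefault(int(words[3]), dict(DEFAULTS))
            continue
        if current is None:
            continue
        for key in DEFAULTS:
            # IOS accepts abbreviations such as "enc" and "encr".
            if len(words[0]) >= 3 and key.startswith(words[0]):
                value = " ".join(words[1:])
                # A bare "aes" means the 128-bit key size.
                current[key] = "aes 128" if value == "aes" else value
    return policies

def matching(policies, proposal):
    """Priorities that agree with every attribute present in the proposal."""
    return [prio for prio, attrs in sorted(policies.items())
            if all(attrs[k] == v for k, v in proposal.items())]

# The six policies posted in the thread; "|" stands in for a newline.
SIX_POLICIES = """crypto isakmp policy 1|encr 3des|authentication pre-share|group 2
crypto isakmp policy 2|authentication pre-share|group 2
crypto isakmp policy 3|encr 3des|hash md5|authentication pre-share|group 2
crypto isakmp policy 4|hash md5|authentication pre-share|group 2
crypto isakmp policy 5|encr aes 192|hash md5|authentication pre-share|group 2
crypto isakmp policy 6|encr aes 192|authentication pre-share|group 2""".replace("|", "\n")
SUGGESTED = "crypto isakmp policy 1\n enc aes 256\n group 5\n hash sha"

# Proposals named in the thread (authentication is not stated there, so it
# is left out of the comparison).
CLIENT_V5_FIRST = {"encryption": "aes 256", "hash": "sha", "group": "5"}
ASA_ACCEPTED = {"encryption": "des", "hash": "md5", "group": "2"}

if __name__ == "__main__":
    six = parse_policies(SIX_POLICIES)
    print("v5 first proposal vs six policies:", matching(six, CLIENT_V5_FIRST))
    print("v5 first proposal vs suggested:",
          matching(parse_policies(SUGGESTED), CLIENT_V5_FIRST))
    print("des/md5/group 2 vs six policies:", matching(six, ASA_ACCEPTED))
```

Expanding the defaults makes the effective value of each policy visible, for instance that policy 2 in the six-policy list resolves to DES with SHA because it sets neither `encr` nor `hash`.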
