The same policy doesn't work for pre-shared, the following is stable.

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 hash sha
 group 2

On Mon, Oct 11, 2010 at 10:36 PM, Kingsley Charles <[email protected]> wrote:

> Thx Tyson.
>
> True, with VPN client it always happens.
>
> With regards
> Kings
>
>
> On Mon, Oct 11, 2010 at 9:55 PM, Tyson Scott <[email protected]> wrote:
>
>> I find that with the VPN client, if I add the first policy it tries to
>> negotiate, it works a lot faster.
>>
>> Policy 1 that you have is a good choice; also you can do
>>
>> crypto isakmp policy 1
>>  enc aes 256
>>  group 5
>>  hash sha
>>
>> For version 5 of the client that is the first attempt it sends.
>>
>> Regards,
>>
>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>> Managing Partner / Sr. Instructor - IPexpert, Inc.
>> Mailto: [email protected]
>> Telephone: +1.810.326.1444, ext. 208
>> Live Assistance, Please visit: www.ipexpert.com/chat
>> eFax: +1.810.454.0130
>>
>> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
>> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
>> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
>> training locations throughout the United States, Europe, South Asia and
>> Australia. Be sure to visit our online communities at
>> www.ipexpert.com/communities and our public website at www.ipexpert.com
>>
>> *From:* Kingsley Charles [mailto:[email protected]]
>> *Sent:* Monday, October 11, 2010 11:36 AM
>> *To:* Tyson Scott
>> *Cc:* [email protected]
>> *Subject:* Re: [OSL | CCIE_Security] ISAKMP policy for EzVPN client
>>
>> I think there is some big issue with the IOS. Always there is a problem in
>> the ISAKMP policy negotiation. I am doing the VPN labs on IPexpert.
>> Initially, I am spending a lot of time on getting the correct policy. Even
>> though in the debugs I see the policy sent by the client is configured, the
>> IOS server says it can't find a matching policy. This issue is with both the
>> IOS and VPN client. I tried configuring 6 policies but still in vain,
>> nothing was matched. I have reloaded the routers twice.
>>
>> How are we expected to handle this consistent issue in the real lab? It
>> takes a lot of time :-(
>>
>> crypto isakmp policy 1
>>  encr 3des
>>  authentication pre-share
>>  group 2
>> !
>> crypto isakmp policy 2
>>  authentication pre-share
>>  group 2
>> !
>> crypto isakmp policy 3
>>  encr 3des
>>  hash md5
>>  authentication pre-share
>>  group 2
>> !
>> crypto isakmp policy 4
>>  hash md5
>>  authentication pre-share
>>  group 2
>> !
>> crypto isakmp policy 5
>>  encr aes 192
>>  hash md5
>>  authentication pre-share
>>  group 2
>> !
>> crypto isakmp policy 6
>>  encr aes 192
>>  authentication pre-share
>>  group 2
>>
>> With regards
>> Kings
>>
>> On Tue, Oct 5, 2010 at 7:28 PM, Tyson Scott <[email protected]> wrote:
>>
>> isakmp policy 1
>>  authentication rsa-sig
>>  hash sha
>>  encryption aes (not sure about 192 and 256)
>>  group 2
>>
>> Regards,
>>
>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>>
>> *From:* [email protected] [mailto:[email protected]]
>> *On Behalf Of* Kingsley Charles
>> *Sent:* Tuesday, October 05, 2010 9:01 AM
>> *To:* [email protected]
>> *Subject:* [OSL | CCIE_Security] ISAKMP policy for EzVPN client
>>
>> Hi all
>>
>> I have always hit this. Only some ISAKMP policy combinations are sent by
>> the VPN client. The following is the list of Remote VPN cases:
>>
>> VPN client + ASA server
>> VPN client + IOS server
>> IOS client + ASA server
>> IOS client + IOS server
>>
>> I observed that this policy is accepted by the ASA from the VPN client:
>>
>> crypto isakmp policy 1
>>  authentication pre-share
>>  encryption des
>>  hash md5
>>  group 2
>>
>> Can anyone suggest the best ISAKMP policy combination that will work fine
>> for all the four cases that I have mentioned above?
>>
>> With regards
>> Kings
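When a proposal that looks configured is still rejected, it helps to compare it against the effective policies rather than the lines as typed. The following is an added example, not code from the thread or from Cisco: it parses `crypto isakmp policy` blocks, fills in the values IOS applies to omitted lines, and looks for an exact match on the four negotiated attributes. Assumptions: the classic IOS defaults (DES, SHA, RSA signatures, group 1), lifetime and XAUTH-specific authentication variants are not modelled, and `parse_policies` and `first_match` are hypothetical helper names.

```python
import re

# IOS defaults applied to lines omitted from a policy (assumed here; confirm
# on your release with "show crypto isakmp policy").
DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
ALIASES = {"enc": "encr", "encryption": "encr"}

# Policies 1, 2 and 5 as posted in the thread.
THREAD_CONFIG = """
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 2
 authentication pre-share
 group 2
crypto isakmp policy 5
 encr aes 192
 hash md5
 authentication pre-share
 group 2
"""

def parse_policies(config):
    """Return {priority: effective attributes} with defaults filled in."""
    policies, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        header = re.fullmatch(r"crypto isakmp policy (\d+)", line)
        if header:
            current = policies.setdefault(int(header.group(1)), dict(DEFAULTS))
        elif current is not None and line and line != "!":
            key, _, value = line.partition(" ")
            key = ALIASES.get(key, key)
            if key in DEFAULTS:
                # A bare "aes" means the 128-bit key size.
                current[key] = "aes 128" if value == "aes" else value
    return policies

def first_match(policies, proposal):
    """Lowest-numbered policy equal to the proposal on all four attributes."""
    return next((p for p in sorted(policies) if policies[p] == proposal), None)

if __name__ == "__main__":
    for prio, attrs in sorted(parse_policies(THREAD_CONFIG).items()):
        print(prio, attrs)
```

Printing the effective table makes silent fallbacks visible: policy 2 above has no `encr` line, so under the assumed defaults it negotiates DES.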
