Sorry I meant to say DH "group 2" below.  With Cisco VPN and hardware
clients you always need to use group 2 DH.  You can see from the following
debug that what I gave below (with group 2 fix) is the first attempted

 

Oct 11 13:42:08: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Oct 11 13:42:08: ISAKMP:      encryption AES-CBC
Oct 11 13:42:08: ISAKMP:      hash SHA
Oct 11 13:42:08: ISAKMP:      default group 2
Oct 11 13:42:08: ISAKMP:      auth XAUTHInitPreShared
Oct 11 13:42:08: ISAKMP:      life type in seconds
Oct 11 13:42:08: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Oct 11 13:42:08: ISAKMP:      keylength of 256

 

Regards,

 

Tyson Scott - CCIE #13513 R&S, Security, and SP

Managing Partner / Sr. Instructor - IPexpert, Inc.

Mailto: [email protected]

Telephone: +1.810.326.1444, ext. 208

Live Assistance, Please visit: www.ipexpert.com/chat

eFax: +1.810.454.0130

 

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
CCIE (R&S, Voice, Security & Service Provider) certification(s) with
training locations throughout the United States, Europe, South Asia and
Australia. Be sure to visit our online communities at
www.ipexpert.com/communities and our public website at www.ipexpert.com
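Added illustration (not Cisco code and not from either poster) of the policy walk the debug above shows: IOS compares each crypto isakmp policy in priority order against the client's transform, attributes a policy leaves unset take the IOS defaults (assumed here: DES, SHA, RSA-sig, group 1), and the six pre-share policies quoted further down the thread never match because none of them is AES-256 with SHA. The parser, the AES-128 default for a bare "encr aes", and the treatment of XAUTHInitPreShared as pre-share are assumptions.

```python
# Added illustration of how IOS walks "crypto isakmp policy" entries in priority
# order against an IKEv1 Phase 1 transform ("Checking ISAKMP transform 1 against
# priority N policy"). Not Cisco code; rule and defaults are simplified (assumption).
IOS_DEFAULTS = {"encr": "des", "keylen": None, "hash": "sha",
                "auth": "rsa-sig", "group": 1}

def parse_policies(config):
    """Parse 'crypto isakmp policy N' stanzas; unset attributes take IOS defaults."""
    policies, cur = {}, None
    for raw in config.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0] == "!":
            continue
        if parts[:3] == ["crypto", "isakmp", "policy"]:
            cur = dict(IOS_DEFAULTS)
            policies[int(parts[3])] = cur
        elif cur is None:
            continue
        elif parts[0].startswith("enc"):        # encr / encryption / enc
            cur["encr"] = parts[1]
            # Assumption: "encr aes" with no length is AES-128; DES/3DES carry none.
            cur["keylen"] = (int(parts[2]) if len(parts) > 2 else 128) if parts[1] == "aes" else None
        elif parts[0] == "hash":
            cur["hash"] = parts[1]
        elif parts[0].startswith("auth"):
            cur["auth"] = parts[1]
        elif parts[0] == "group":
            cur["group"] = int(parts[1])
    return policies

def first_match(proposal, policies):
    """Priority of the lowest-numbered policy equal to the proposal, else None."""
    # XAUTHInitPreShared is pre-shared key plus XAUTH; it matches 'pre-share' (assumption).
    auth = "pre-share" if proposal["auth"] == "XAUTHInitPreShared" else proposal["auth"]
    want = (proposal["encr"], proposal["keylen"], proposal["hash"], auth, proposal["group"])
    for prio in sorted(policies):
        p = policies[prio]
        if (p["encr"], p["keylen"], p["hash"], p["auth"], p["group"]) == want:
            return prio
    return None

# Transform 1 from the debug above: AES-CBC keylength 256, SHA, XAUTHInitPreShared, group 2.
CLIENT_TRANSFORM_1 = {"encr": "aes", "keylen": 256, "hash": "sha",
                      "auth": "XAUTHInitPreShared", "group": 2}
# Two of the six policies quoted in the thread (3DES/SHA and AES-192/MD5): neither is AES-256/SHA.
SIX_POLICIES = "crypto isakmp policy 1\n encr 3des\n authentication pre-share\n group 2\n!\n" \
               "crypto isakmp policy 5\n encr aes 192\n hash md5\n authentication pre-share\n group 2\n"
# The suggested policy with the group 2 fix applied: this one is reached as priority 1.
FIXED_POLICY = "crypto isakmp policy 1\n encr aes 256\n hash sha\n authentication pre-share\n group 2\n"
```

Running first_match with SIX_POLICIES returns None, with FIXED_POLICY returns 1; the earlier suggestion with group 5 and no authentication line also returns None, which is what the group 2 correction above fixes.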

 

From: Kingsley Charles [mailto:[email protected]] 
Sent: Monday, October 11, 2010 1:31 PM
To: Tyson Scott
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] ISAKMP policy for EzVPN client

 

The same policy doesn't work for pre-shared; the following is stable.



crypto isakmp policy 1
 encr 3des
 authentication pre-share
 hash sha
 group 2



On Mon, Oct 11, 2010 at 10:36 PM, Kingsley Charles
<[email protected]> wrote:

Thx Tyson.

True, with VPN client it always happens. 

With regards
Kings

 

On Mon, Oct 11, 2010 at 9:55 PM, Tyson Scott <[email protected]> wrote:

I find that with the VPN client, if I add the first policy it tries to
negotiate, it works a lot faster.

 

Policy 1 that you have is a good choice; also you can do

 

crypto isakmp policy 1
 enc aes 256
 group 5
 hash sha

 

For version 5 of the client that is the first attempt it sends.

 

Regards,

 

Tyson Scott - CCIE #13513 R&S, Security, and SP


 

From: Kingsley Charles [mailto:[email protected]] 
Sent: Monday, October 11, 2010 11:36 AM
To: Tyson Scott
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] ISAKMP policy for EzVPN client

 

I think there is some big issue with the IOS. There is always a problem in the
ISAKMP policy negotiation. I am doing the VPN labs on IPexpert. Initially, I
am spending a lot of time on getting the correct policy. Even though in the
debugs I see the policy sent by the client is configured, the IOS server
says it can't find a matching policy. This issue is with both the IOS and the
VPN client. I tried configuring 6 policies but still in vain; nothing was
matched. I have reloaded the routers twice.

How are we expected to handle this consistent issue in the real lab? It
takes a lot of time :-(

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 4
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 5
 encr aes 192
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 6
 encr aes 192
 authentication pre-share
 group 2


With regards
Kings

On Tue, Oct 5, 2010 at 7:28 PM, Tyson Scott <[email protected]> wrote:

crypto isakmp policy 1
 authentication rsa-sig
 hash sha
 encryption aes
 ! not sure about 192 and 256
 group 2

 

Regards,

 

Tyson Scott - CCIE #13513 R&S, Security, and SP


 

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Tuesday, October 05, 2010 9:01 AM
To: [email protected]
Subject: [OSL | CCIE_Security] ISAKMP policy for EzVPN client

 

Hi all

I have always hit this. Only some ISAKMP policy combinations are sent by the
VPN client. The following is a list of remote VPN cases:

VPN client + ASA server
VPN client + IOS server
IOS client + ASA server
IOS client +  IOS server

I observed that this policy is accepted by the ASA from the VPN client:

crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash md5
 group 2


Can anyone suggest the best ISAKMP policy combination that will work fine
for all the four cases that I have mentioned above?


With regards
Kings

 

 

 

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com
