Bruno,
I actually figured out what the issue was.
I did have group 2 configured, as you can see from the above configuration.
The problem though was right here:
aaa authorization *exec* EZVPN local
It should actually be: aaa authorization network EZVPN local
I've done this config countless times, but for some reason when
troubleshooting and looking at my configs, I was pretty much only focusing
on the "crypto" config and nothing else. I'd never come across the error
message in the debugs, but I'm glad I got this problem now and not in the
lab.
By the way, while scratching my head trying to figure this out, I came
across a post online that may be useful when troubleshooting IOS ezVPN
server configs. Here it is:
http://blog.routeip.net/2010/09/09/cisco-ezvpn-server
On Wed, Jun 15, 2011 at 6:03 PM, Bruno <[email protected]> wrote:
> I could bet you're offering either DES or group1 as phase1
>
> hardcode group2 and at least 3des for phase1
>
> On Wed, Jun 15, 2011 at 9:01 PM, Mark Senteza <[email protected]> wrote:
>
>> Hey all,
>>
>> I'm having an issue that I can't figure out. I've done this config
>> countless times and I successfully test the config. Today though I cannot
>> bring the tunnel up or get the Cisco VPN Client login screen to pop up, which
>> usually confirms to me that at the very least the connection is establishing
>> and is awaiting Phase 1.5.
>>
>> This is the error message that I get:
>>
>> *%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with
>> peer at 10.100.22.10*
>>
>> The layout is as follows:
>>
>> ------subnet 10.100.10.0/24------------------fa0/0.10-*R1*-fa0/0.11 (10.100.11.1)--------------*SW01*--Vlan22 (10.100.22.11)-----------------|----------------------*TEST PC*(10.100.22.10)
>>
>> The EZVPN Server (R1) config is:
>>
>> ip local pool EZVPN 20.0.0.1 20.0.0.254
>>
>> ip access-list standard SPLIT-TUNNEL
>>  permit 10.100.10.0 0.0.0.255
>>
>> aaa authentication login EZVPN local
>> aaa authorization exec EZVPN local
>>
>> crypto isakmp policy 10
>>  encr 3des
>>  hash md5
>>  authentication pre-share
>>  group 2
>>
>> crypto isakmp client configuration group EZVPN
>>  key CISCO
>>  pool EZVPN
>>  acl SPLIT-TUNNEL
>>
>> crypto isakmp profile EZVPN-ISAKMP-PROFILE
>>  match identity group EZVPN
>>  client authentication list EZVPN
>>  isakmp authorization list EZVPN
>>  client configuration address respond
>>
>> crypto ipsec transform-set EZVPN esp-3des esp-md5-hmac
>>
>> crypto dynamic-map DYNAMIC 10
>>  set transform-set EZVPN
>>  reverse-route
>>
>> crypto map EZVPN 10 ipsec-isakmp dynamic DYNAMIC
>>
>> interface fa0/0.11
>>  crypto map EZVPN
>>
>> router ospf 1
>>  redistribute static subnets
>>
>>
>> What could I be doing wrong?
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com
>>
>
>
>
> --
> Bruno Fagioli (by Jaunty Jackalope)
> Cisco Security Professional
>
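An added check, not part of the thread above, that catches the mistake Mark found (and the one Bruno guessed at) before a debug session does. It is a small Python linter for an IOS running-config: it resolves the AAA method lists referenced inside a `crypto isakmp profile` against the global `aaa` lines, requiring `client authentication list X` to map to `aaa authentication login X ...` and `isakmp authorization list X` to map to `aaa authorization network X ...`, exactly the mismatch in the thread (`exec` instead of `network`). A second function flags phase-1 policies that are not hardcoded to at least 3DES and DH group 2. The sample configs are constructed from the posted R1 config; the function and variable names are this example's own.

```python
import re

# Constructed sample: the thread's EZVPN server config reduced to its AAA and
# ISAKMP parts, still carrying the faulty "aaa authorization exec" line.
BROKEN_CONFIG = """\
aaa authentication login EZVPN local
aaa authorization exec EZVPN local
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp client configuration group EZVPN
 key CISCO
 pool EZVPN
 acl SPLIT-TUNNEL
crypto isakmp profile EZVPN-ISAKMP-PROFILE
 match identity group EZVPN
 client authentication list EZVPN
 isakmp authorization list EZVPN
 client configuration address respond
"""
# The same config with the fix from the thread applied.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "aaa authorization exec EZVPN local", "aaa authorization network EZVPN local")

AAA_RE = re.compile(r"^aaa (authentication|authorization) (\S+) (\S+)")
# Which global AAA list type each ISAKMP-profile reference must resolve to.
PROFILE_REFS = {
    "client authentication list": ("authentication", "login"),
    "isakmp authorization list": ("authorization", "network"),
}


def parse_blocks(config):
    """Split an IOS config into (global_lines, {header: [indented sub-commands]})."""
    global_lines, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks[current] = []
            global_lines.append(current)
    return global_lines, blocks


def aaa_method_lists(global_lines):
    """Map (aaa command, list type) -> set of list names, e.g. ("authorization", "exec") -> {"EZVPN"}."""
    lists = {}
    for line in global_lines:
        m = AAA_RE.match(line)
        if m:
            lists.setdefault((m.group(1), m.group(2)), set()).add(m.group(3))
    return lists


def check_isakmp_profile_aaa(config):
    """Findings for profile AAA references that do not resolve to the list type
    IOS consults for EZVPN; an empty list means the references are consistent."""
    global_lines, blocks = parse_blocks(config)
    lists = aaa_method_lists(global_lines)
    findings = []
    for header, subs in blocks.items():
        if not header.startswith("crypto isakmp profile "):
            continue
        profile = header.split()[-1]
        for sub in subs:
            for prefix, (cmd, needed) in PROFILE_REFS.items():
                if not sub.startswith(prefix + " "):
                    continue
                name = sub.split()[-1]
                if name in lists.get((cmd, needed), set()):
                    continue
                # Defined under another list type (the thread's bug) or not at all.
                found = sorted(t for (c, t), names in lists.items()
                               if c == cmd and name in names)
                findings.append(f"profile {profile}: '{sub}' needs 'aaa {cmd} {needed} "
                                f"{name} ...'; configured as: {', '.join(found) or 'none'}")
    return findings


def check_isakmp_policies(config):
    """Flag phase-1 policies not hardcoded to at least 3DES and DH group 2 (Bruno's diagnosis)."""
    findings = []
    for header, subs in parse_blocks(config)[1].items():
        if not header.startswith("crypto isakmp policy "):
            continue
        settings = dict(sub.partition(" ")[::2] for sub in subs)  # "encr 3des" -> ("encr", "3des")
        encr = settings.get("encr", settings.get("encryption"))
        group = settings.get("group")
        if encr is None or encr == "des":
            findings.append(f"{header}: encryption {encr or 'not hardcoded'}; set 3des or aes")
        if group is None or group == "1":
            findings.append(f"{header}: DH group {group or 'not hardcoded'}; set group 2+")
    return findings
```

Run `check_isakmp_profile_aaa(BROKEN_CONFIG)` and it reports the single finding from the thread (`isakmp authorization list EZVPN` needs `aaa authorization network EZVPN`, but only an `exec` list of that name exists); the fixed config returns no findings. Feed it the output of `show running-config` from your own EZVPN server before you start reading `debug crypto isakmp`.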