For the life of me I can NOT get this working and it is driving me nuts: Setup is EZVPN server with traditional crypto map method with EZVPN client using traditional method (no DVTI). For some reason, Phase 1 REFUSES to negotiate. If I change to DVTI configuration on the server only it works fine with NO other modifications. I have tried this in dynamips and on real gear. On my real gear the server is a 2811 running 12.4(22)T3 and the client is an 1841 running 12.4(24)T.

Apparently, the reason it fails is that the server thinks the pre-shared key (configured under the EZVPN group) does not match. When the server matches the ISAKMP policy on the server, I get this in the isakmp debug:

    *Mar 12 05:19:02.227: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
    *Mar 12 05:19:02.227: ISAKMP:      encryption AES-CBC
    *Mar 12 05:19:02.227: ISAKMP:      keylength of 256
    *Mar 12 05:19:02.227: ISAKMP:      hash SHA
    *Mar 12 05:19:02.227: ISAKMP:      default group 2
    *Mar 12 05:19:02.227: ISAKMP:      auth XAUTHInitPreShared
    *Mar 12 05:19:02.227: ISAKMP:      life type in seconds
    *Mar 12 05:19:02.227: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Mar 12 05:19:02.231: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!

The keys definitely, 100% match. I have retyped them at least 5 times on both ends. There are no magical hidden spaces either. I have also tried many different phase 1 parameters like 3DES/MD5, 3DES/SHA with the same results. Here are the relevant configurations. Any ideas? Am I doing something wrong, or is the "legacy" configuration just no longer doable? Thanks guys!

server
---------

    aaa new-model
    aaa authentication login default none
    aaa authentication login EZVPN local
    aaa authorization network EZVPN local
    !
    username ezvpnuser password 0 cisco
    !
    crypto isakmp policy 10
     encr aes 256
     hash sha
     authentication pre-share
     group 2
    !
    crypto isakmp identity hostname
    crypto isakmp client configuration group EZVPN
     key cisco
     domain cisco.com
     pool POOL
     acl 199
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    !
    crypto dynamic-map DYN 10
     set transform-set ESP-3DES-SHA
    !
    crypto map DYN client authentication list EZVPN
    crypto map DYN isakmp authorization list EZVPN
    crypto map DYN client configuration address respond
    crypto map STATIC 65535 ipsec-isakmp dynamic DYN
    !
    interface s0/2/0
     crypto map STATIC

Client
----------

    crypto ipsec client ezvpn EZVPN
     connect manual
     group EZVPN key cisco
     mode client
     peer 25.25.25.2
     username ezvpnuser password cisco
     xauth userid mode interactive
    !
    interface fa0/1
     crypto ipsec client ezvpn EZVPN
    !
    interface fa0/0
     crypto ipsec client ezvpn EZVPN inside

--
Regards,
Joe Astorino
CCIE #24347
http://astorinonetworks.com
"He not busy being born is busy dying" - Dylan
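As an added example (not part of the original post or of any Cisco tooling), here is a small Python script that parses the ISAKMP Phase 1 debug lines quoted above, decodes the byte-wise lifetime, and compares each offered attribute against the server's "crypto isakmp policy 10"; the only attribute it reports as differing is the authentication method, which is exactly what the last debug line complains about. The debug text is embedded as a constructed sample copied from the post.

```python
import re

# Constructed sample: the "debug crypto isakmp" excerpt quoted in the post.
DEBUG_LINES = """\
*Mar 12 05:19:02.227: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
*Mar 12 05:19:02.227: ISAKMP:      encryption AES-CBC
*Mar 12 05:19:02.227: ISAKMP:      keylength of 256
*Mar 12 05:19:02.227: ISAKMP:      hash SHA
*Mar 12 05:19:02.227: ISAKMP:      default group 2
*Mar 12 05:19:02.227: ISAKMP:      auth XAUTHInitPreShared
*Mar 12 05:19:02.227: ISAKMP:      life type in seconds
*Mar 12 05:19:02.227: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar 12 05:19:02.231: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
""".splitlines()

# The server's "crypto isakmp policy 10" from the post, in policy vocabulary.
SERVER_POLICY = {"encryption": "aes", "keylength": 256, "hash": "sha",
                 "group": 2, "auth": "pre-share"}

# Translate the names IOS prints in the debug into the policy vocabulary.
ENC_NAMES = {"AES-CBC": "aes", "3DES-CBC": "3des", "DES-CBC": "des"}
AUTH_NAMES = {"pre-share": "pre-share", "RSA sig": "rsa-sig",
              "XAUTHInitPreShared": "pre-share+xauth",   # XAUTH-extended PSK
              "XAUTHRespPreShared": "pre-share+xauth"}

def parse_transform(lines):
    """Return the attributes of the single ISAKMP transform in a debug excerpt."""
    t = {}
    for line in lines:
        body = line.split("ISAKMP:", 1)[1].strip() if "ISAKMP:" in line else ""
        if m := re.match(r"encryption (\S+)", body):
            t["encryption"] = ENC_NAMES.get(m.group(1), m.group(1).lower())
        elif m := re.match(r"keylength of (\d+)", body):
            t["keylength"] = int(m.group(1))
        elif m := re.match(r"hash (\S+)", body):
            t["hash"] = m.group(1).lower()
        elif m := re.match(r"default group (\d+)", body):
            t["group"] = int(m.group(1))
        elif m := re.match(r"auth (.+)", body):
            t["auth"] = AUTH_NAMES.get(m.group(1).strip(), m.group(1).strip())
        elif m := re.match(r"life duration \(VPI\) of\s+((?:0x[0-9A-Fa-f]+\s*)+)", body):
            # Variable-length big-endian integer, printed one byte at a time.
            t["lifetime"] = int("".join(f"{int(b, 16):02x}" for b in m.group(1).split()), 16)
    return t

def compare(transform, policy):
    """Return (attribute, policy_value, offered_value) for every mismatch."""
    return [(k, want, transform.get(k)) for k, want in policy.items()
            if transform.get(k) != want]

if __name__ == "__main__":
    offered = parse_transform(DEBUG_LINES)
    print("offered:", offered)          # lifetime decodes to 2147483 seconds
    for key, want, got in compare(offered, SERVER_POLICY):
        print(f"mismatch on {key}: policy={want!r} offered={got!r}")
```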
