I wanted to add a correction. The command "username ezvpnuser password cisco" on the client is no longer there. It was there at some stage but was removed.
On Mon, Mar 12, 2012 at 1:11 AM, Joe Astorino <[email protected]> wrote:
> For the life of me I can NOT get this working and it is driving me
> nuts: Setup is EZVPN server with traditional crypto map method with
> EZVPN client using traditional method (no DVTI). For some reason,
> Phase 1 REFUSES to negotiate. If I change to DVTI configuration on
> the server only it works fine with NO other modifications. I have
> tried this in dynamips and on real gear. On my real gear the server
> is a 2811 running 12.4(22)T3 and the client is an 1841 running
> 12.4(24)T.
>
> Apparently, the reason it fails is because the server thinks the
> pre-shared key (configured under the EZVPN group) does not match.
> When the server matches the ISAKMP policy on the server, I get this in
> the isakmp debug
>
> *Mar 12 05:19:02.227: ISAKMP:(0):Checking ISAKMP transform 5 against
> priority 10 policy
> *Mar 12 05:19:02.227: ISAKMP: encryption AES-CBC
> *Mar 12 05:19:02.227: ISAKMP: keylength of 256
> *Mar 12 05:19:02.227: ISAKMP: hash SHA
> *Mar 12 05:19:02.227: ISAKMP: default group 2
> *Mar 12 05:19:02.227: ISAKMP: auth XAUTHInitPreShared
> *Mar 12 05:19:02.227: ISAKMP: life type in seconds
> *Mar 12 05:19:02.227: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
> *Mar 12 05:19:02.231: ISAKMP:(0):Xauth authentication by pre-shared
> key offered but does not match policy!
>
> The keys definitely, 100% match. I have retyped them at least 5 times
> on both ends. There are no magical hidden spaces either. I have also
> tried many different phase 1 parameters like 3DES/MD5, 3DES/SHA with
> the same results. Here are the relevant configurations. Any ideas?
> Am I doing something wrong, or is the "legacy" configuration just no
> longer doable? Thanks guys!
>
> server
> ---------
>
> aaa new-model
> aaa authentication login default none
> aaa authentication login EZVPN local
> aaa authorization network EZVPN local
> !
> username ezvpnuser password 0 cisco
> !
> crypto isakmp policy 10
> encr aes 256
> hash sha
> authentication pre-share
> group 2
> !
> crypto isakmp identity hostname
> crypto isakmp client configuration group EZVPN
> key cisco
> domain cisco.com
> pool POOL
> acl 199
> !
> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> !
> crypto dynamic-map DYN 10
> set transform-set ESP-3DES-SHA
> !
> crypto map DYN client authentication list EZVPN
> crypto map DYN isakmp authorization list EZVPN
> crypto map DYN client configuration address respond
> crypto map STATIC 65535 ipsec-isakmp dynamic DYN
> !
> interface s0/2/0
> crypto map STATIC
>
> Client
> ----------
>
> crypto ipsec client ezvpn EZVPN
> connect manual
> group EZVPN key cisco
> mode client
> peer 25.25.25.2
> username ezvpnuser password cisco
> xauth userid mode interactive
> !
> interface fa0/1
> crypto ipsec client ezvpn EZVPN
> !
> interface fa0/0
> crypto ipsec client ezvpn EZVPN inside
>
> --
> Regards,
>
> Joe Astorino
> CCIE #24347
> http://astorinonetworks.com
>
> "He not busy being born is busy dying" - Dylan

--
Regards,

Joe Astorino
CCIE #24347
http://astorinonetworks.com

"He not busy being born is busy dying" - Dylan
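The debug excerpt in the quoted mail is the whole evidence in the thread: the server walks the peer's transform against `crypto isakmp policy 10`, prints each offered attribute, and then logs that the Xauth/pre-shared offer "does not match policy". The following Python script is an added example, not Joe's code or anything from IOS; it parses that `debug crypto isakmp` transcript into a structured proposal, decodes the VPI-encoded lifetime, and diffs the offer attribute by attribute against the policy as configured on the server. Assumptions (not stated on the page): the regexes follow the exact line shapes quoted above; the policy `encr aes 256` / `hash sha` is written here in the debug's own vocabulary (`AES-CBC`, `256`, `SHA`); and `XAUTHInitPreShared` is treated as the Xauth-initiator form of `authentication pre-share`. The thread never says what fixed Joe's setup, so the script only reports differences and whether the router itself logged a rejection; it does not claim a root cause. The second debug block is constructed to show the comparison flagging a genuinely different proposal.

```python
"""Parse Cisco IOS `debug crypto isakmp` Phase 1 proposal checking and compare
the peer's offered transform with a configured `crypto isakmp policy`."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the debug lines quoted in the thread, with the e-mail
# wrapping undone so every syslog message sits on one line.
SAMPLE_DEBUG = """\
*Mar 12 05:19:02.227: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
*Mar 12 05:19:02.227: ISAKMP:      encryption AES-CBC
*Mar 12 05:19:02.227: ISAKMP:      keylength of 256
*Mar 12 05:19:02.227: ISAKMP:      hash SHA
*Mar 12 05:19:02.227: ISAKMP:      default group 2
*Mar 12 05:19:02.227: ISAKMP:      auth XAUTHInitPreShared
*Mar 12 05:19:02.227: ISAKMP:      life type in seconds
*Mar 12 05:19:02.227: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 12 05:19:02.231: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
"""

# Constructed second sample (not from the thread): a 3DES/MD5 offer with a
# plain pre-share auth and a 24h lifetime (0x00015180 = 86400 seconds).
CONSTRUCTED_3DES_DEBUG = """\
*Mar 12 05:20:00.000: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Mar 12 05:20:00.000: ISAKMP:      encryption 3DES-CBC
*Mar 12 05:20:00.000: ISAKMP:      hash MD5
*Mar 12 05:20:00.000: ISAKMP:      default group 2
*Mar 12 05:20:00.000: ISAKMP:      auth pre-share
*Mar 12 05:20:00.000: ISAKMP:      life type in seconds
*Mar 12 05:20:00.000: ISAKMP:      life duration (VPI) of 0x0 0x1 0x51 0x80
"""

# The server's "crypto isakmp policy 10" from the thread, in the vocabulary the
# debug output uses (assumption: `encr aes 256` prints as encryption AES-CBC /
# keylength 256, and `hash sha` prints as hash SHA).
SERVER_POLICY_10 = {"priority": 10, "encryption": "AES-CBC", "keylength": 256,
                    "hash": "SHA", "group": 2, "auth": "pre-share"}

# Assumption: XAUTHInitPreShared is the Xauth-initiator form of pre-shared-key
# authentication, i.e. the same base method as `authentication pre-share`.
AUTH_BASE = {"XAUTHInitPreShared": "pre-share", "pre-share": "pre-share"}

TRANSFORM_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR_RE = {
    "encryption": re.compile(r"ISAKMP:\s+encryption (\S+)"),
    "keylength":  re.compile(r"ISAKMP:\s+keylength of (\d+)"),
    "hash":       re.compile(r"ISAKMP:\s+hash (\S+)"),
    "group":      re.compile(r"ISAKMP:\s+default group (\d+)"),
    "auth":       re.compile(r"ISAKMP:\s+auth (\S+)"),
    "life_type":  re.compile(r"ISAKMP:\s+life type in (\S+)"),
    "life_raw":   re.compile(r"ISAKMP:\s+life duration \(VPI\) of (.+?)\s*$"),
}
REJECT_RE = re.compile(r"ISAKMP:\(\d+\):(.*does not match policy!?)")


@dataclass
class Proposal:
    transform: int
    policy_priority: int
    attrs: Dict[str, str] = field(default_factory=dict)
    rejection: Optional[str] = None  # the router's own verdict line, if any


def parse_isakmp_debug(text: str) -> List[Proposal]:
    """Group attribute lines under the 'Checking ISAKMP transform' that opened them."""
    proposals: List[Proposal] = []
    current: Optional[Proposal] = None
    for line in text.splitlines():
        m = TRANSFORM_RE.search(line)
        if m:
            current = Proposal(int(m.group(1)), int(m.group(2)))
            proposals.append(current)
            continue
        if current is None:
            continue
        for name, rx in ATTR_RE.items():
            m = rx.search(line)
            if m:
                current.attrs[name] = m.group(1)
                break
        else:
            m = REJECT_RE.search(line)
            if m:
                current.rejection = m.group(1)
    return proposals


def decode_lifetime(vpi: str) -> int:
    """'0x0 0x20 0xC4 0x9B' is a big-endian variable-length integer: 2147483 s."""
    return int.from_bytes(bytes(int(tok, 16) for tok in vpi.split()), "big")


def compare_with_policy(p: Proposal, policy: dict) -> List[str]:
    """Return human-readable differences between the offer and the policy."""
    findings: List[str] = []
    if p.policy_priority != policy["priority"]:
        findings.append(f"checked against priority {p.policy_priority}, not {policy['priority']}")
    for key in ("encryption", "keylength", "hash", "group"):
        offered = p.attrs.get(key)
        want = policy[key]
        same = offered is not None and (int(offered) == want if isinstance(want, int) else offered == want)
        if not same:
            findings.append(f"{key}: offered {offered}, policy {want}")
    offered_auth = p.attrs.get("auth")
    if AUTH_BASE.get(offered_auth) != policy["auth"]:
        findings.append(f"auth: offered {offered_auth}, policy {policy['auth']}")
    elif offered_auth != policy["auth"]:
        findings.append(f"auth: offered {offered_auth}, an Xauth variant of policy method {policy['auth']}")
    if p.rejection:
        findings.append(f"router rejected transform {p.transform}: {p.rejection}")
    return findings


if __name__ == "__main__":
    for label, text in (("thread sample", SAMPLE_DEBUG), ("constructed 3DES", CONSTRUCTED_3DES_DEBUG)):
        for prop in parse_isakmp_debug(text):
            print(f"[{label}] transform {prop.transform}, lifetime "
                  f"{decode_lifetime(prop.attrs['life_raw'])} {prop.attrs['life_type']}")
            for finding in compare_with_policy(prop, SERVER_POLICY_10) or ["no differences"]:
                print("   -", finding)
```

Run against the thread's own lines, the only attribute-level difference the script can see is the `auth` token: every cipher, hash and group value matches policy 10, the offer is the Xauth form of pre-share, and the router still logged the rejection. That is the useful defender-side takeaway of the transcript: the "does not match policy" line is about the authentication method attribute, not about the key bytes, so retyping the key (as Joe did) cannot change it. Feed the parser a full `debug crypto isakmp` capture and it will list every transform the peer offered and which one, if any, the router accepted or refused.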
