Problem solved: I had:
crypto dynamic-map DYN 10
 set transform-set ESP-3DES-SHA
!
crypto map DYN client authentication list EZVPN
crypto map DYN isakmp authorization list EZVPN
crypto map DYN client configuration address respond
crypto map STATIC 65535 ipsec-isakmp dynamic DYN

My crypto map was wrong. I needed to put the ISAKMP 1.5 related stuff on the STATIC crypto map and not the DYNAMIC crypto map. It is rather confusing because Cisco in all their wisdom decided to use the same crypto map name "mode" for both the static and dynamic crypto map in the documentation ... go figure. Awesome!

On Mon, Mar 12, 2012 at 1:11 AM, Joe Astorino <[email protected]> wrote:
> For the life of me I can NOT get this working and it is driving me nuts: Setup is EZVPN server with traditional crypto map method with EZVPN client using traditional method (no DVTI). For some reason, Phase 1 REFUSES to negotiate. If I change to DVTI configuration on the server only it works fine with NO other modifications. I have tried this in dynamips and on real gear. On my real gear the server is a 2811 running 12.4(22)T3 and the client is an 1841 running 12.4(24)T.
>
> Apparently, the reason it fails is because the server thinks the pre-shared key (configured under the EZVPN group) does not match. When the server matches the ISAKMP policy on the server, I get this in the isakmp debug:
>
> *Mar 12 05:19:02.227: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
> *Mar 12 05:19:02.227: ISAKMP: encryption AES-CBC
> *Mar 12 05:19:02.227: ISAKMP: keylength of 256
> *Mar 12 05:19:02.227: ISAKMP: hash SHA
> *Mar 12 05:19:02.227: ISAKMP: default group 2
> *Mar 12 05:19:02.227: ISAKMP: auth XAUTHInitPreShared
> *Mar 12 05:19:02.227: ISAKMP: life type in seconds
> *Mar 12 05:19:02.227: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
> *Mar 12 05:19:02.231: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
>
> The keys definitely, 100% match. I have retyped them at least 5 times on both ends. There are no magical hidden spaces either. I have also tried many different phase 1 parameters like 3DES/MD5, 3DES/SHA with the same results. Here are the relevant configurations. Any ideas? Am I doing something wrong, or is the "legacy" configuration just no longer doable? Thanks guys!
>
> server
> ---------
>
> aaa new-model
> aaa authentication login default none
> aaa authentication login EZVPN local
> aaa authorization network EZVPN local
> !
> username ezvpnuser password 0 cisco
> !
> crypto isakmp policy 10
>  encr aes 256
>  hash sha
>  authentication pre-share
>  group 2
> !
> crypto isakmp identity hostname
> crypto isakmp client configuration group EZVPN
>  key cisco
>  domain cisco.com
>  pool POOL
>  acl 199
> !
> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> !
> crypto dynamic-map DYN 10
>  set transform-set ESP-3DES-SHA
> !
> crypto map DYN client authentication list EZVPN
> crypto map DYN isakmp authorization list EZVPN
> crypto map DYN client configuration address respond
> crypto map STATIC 65535 ipsec-isakmp dynamic DYN
> !
> interface s0/2/0
>  crypto map STATIC
>
> Client
> ----------
>
> crypto ipsec client ezvpn EZVPN
>  connect manual
>  group EZVPN key cisco
>  mode client
>  peer 25.25.25.2
>  username ezvpnuser password cisco
>  xauth userid mode interactive
> !
> interface fa0/1
>  crypto ipsec client ezvpn EZVPN
> !
> interface fa0/0
>  crypto ipsec client ezvpn EZVPN inside
>
> --
> Regards,
>
> Joe Astorino
> CCIE #24347
> http://astorinonetworks.com
>
> "He not busy being born is busy dying" - Dylan

--
Regards,

Joe Astorino
CCIE #24347
http://astorinonetworks.com

"He not busy being born is busy dying" - Dylan
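A config check for the mistake this thread ends on, written as an added example (it is not code from the thread or from Cisco): it walks an IOS running-config and flags EzVPN-related `crypto map` lines whose map name is a dynamic-map name, or a map that is never applied to an interface. The sample config is constructed from the server crypto map posted above; names like DYN, STATIC and EZVPN come from the thread.

```python
import re

# Added example, not code from the thread. Global "crypto map <name> ..."
# subcommands that carry the EzVPN (Xauth / ISAKMP 1.5 / mode-config) settings.
EZVPN_SUBCMDS = ("client authentication list", "isakmp authorization list",
                 "client configuration address")

def lint_ezvpn_maps(config: str) -> list[str]:
    """Flag EzVPN crypto-map lines bound to a dynamic-map name or to an unapplied map."""
    dynamic, applied, ezvpn = set(), set(), []
    in_iface = False
    for ln in config.splitlines():
        if re.match(r"^interface\s", ln):
            in_iface = True
            continue
        if in_iface and ln.startswith(" "):            # interface sub-config
            m = re.match(r"^\s+crypto map (\S+)", ln)
            if m:
                applied.add(m.group(1))
            continue
        in_iface = False                                # back at global config
        m = re.match(r"^crypto dynamic-map (\S+)", ln)
        if m:
            dynamic.add(m.group(1))
            continue
        m = re.match(r"^crypto map (\S+) (.+)$", ln)
        if m and m.group(2).startswith(EZVPN_SUBCMDS):
            ezvpn.append((m.group(1), ln))
    findings = []
    for name, ln in ezvpn:
        if name in dynamic:
            findings.append(f"{ln}: {name} is a dynamic-map name, not the map bound to the interface")
        elif name not in applied:
            findings.append(f"{ln}: crypto map {name} is not applied to any interface")
    return findings

# Constructed sample: the server crypto map as originally posted (EzVPN lines on DYN)
BROKEN = """crypto dynamic-map DYN 10
 set transform-set ESP-3DES-SHA
!
crypto map DYN client authentication list EZVPN
crypto map DYN isakmp authorization list EZVPN
crypto map DYN client configuration address respond
crypto map STATIC 65535 ipsec-isakmp dynamic DYN
!
interface s0/2/0
 crypto map STATIC
"""
# The fix from the thread: move the three EzVPN lines onto the STATIC map
FIXED = BROKEN.replace("crypto map DYN ", "crypto map STATIC ")
```

Running `lint_ezvpn_maps(BROKEN)` returns three findings, one per EzVPN line attached to DYN; `lint_ezvpn_maps(FIXED)` returns none.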
