Guys,
I am at a dead end here. I have this task configured as per the solution
and I have gone through the DOC and cannot figure out what I am missing.

When I run the Easy server on R4 and use the Test PC to connect using
certificates I cannot get past the ISAKMP proposals. It won't accept any
proposal.

I have 3des/md5/gr 2 and rsa-sig.

The moment I change the group setting to key based and change that on the
TEST PC to connect via group authentication it works without any issues.

Has anyone seen this before?

Config below

!
aaa new-model
!
!
aaa authentication login default none
aaa authentication login EZ local
aaa authorization network EZ local
!
!

clock timezone GMT+1 1
!
crypto pki trustpoint R2
 enrollment url http://8.9.50.2:8080
 subject-name CN=R4.ipexpert.com, OU=CCIE, C=PL
 revocation-check none
!
!
!
crypto pki certificate map CERTMAP 10
 subject-name co ou = ccie
!
crypto pki certificate chain R2
.................Certificate details here


username ipexpert password 0 ipexpert

!
!
crypto isakmp policy 5
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr 3des
 hash md5
 group 2
!
crypto isakmp policy 20
 encr 3des
 group 2
!
crypto isakmp policy 30
 encr aes
 group 2
!
crypto isakmp policy 40
 encr 3des
 hash md5
 group 2

crypto isakmp client configuration group CCIE
 pool EZPOOL
 acl SPLIT
crypto isakmp profile ISAKMP_PROF
   match identity group CCIE
   client authentication list EZ
   isakmp authorization list EZ
   client configuration address respond
   virtual-template 2
!
!
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
crypto ipsec profile IPSEC_PROF
 set transform-set ESP-3DES-MD5
 set reverse-route distance 15
 set isakmp-profile ISAKMP_PROF
!
!
!
!
interface Virtual-Template2 type tunnel
 ip unnumbered Serial1/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROF
!
!
!
ip local pool EZPOOL 8.9.100.1 8.9.100.254

!
ip access-list extended SPLIT
 permit ip 10.4.4.0 0.0.0.255 any
!
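
An added example, not part of the original post: a short Python script that parses the `crypto isakmp policy` blocks from the config above and fills in the settings IOS omits from the running config when they are at their default, so each policy's effective proposal can be compared with the 3des/md5/group 2/rsa-sig the post describes. The default values (des, sha, rsa-sig, group 1) are assumed classic IOS defaults, and all function and variable names are illustrative.

```python
import re

# Assumption: classic IOS ISAKMP policy defaults; a setting left at its
# default is not printed in the running config.
IOS_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
# The proposal the post says it is using.
POSTED = {"encr": "3des", "hash": "md5", "authentication": "rsa-sig", "group": "2"}

# Constructed sample: the ISAKMP policy lines copied from the config in the post.
SAMPLE_CONFIG = """\
crypto isakmp policy 5
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp policy 10
 encr 3des
 hash md5
 group 2
crypto isakmp policy 20
 encr 3des
 group 2
crypto isakmp policy 30
 encr aes
 group 2
crypto isakmp policy 40
 encr 3des
 hash md5
 group 2
"""

def effective_policies(config):
    """Return {priority: settings} with omitted settings set to the defaults."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)\s*$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), dict(IOS_DEFAULTS))
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            if key in IOS_DEFAULTS:
                current[key] = value.strip()
        else:
            current = None  # any unindented line ends the policy block
    return policies

def matching(policies, wanted):
    """Priorities whose effective settings equal every wanted attribute."""
    return [p for p, s in sorted(policies.items()) if s == wanted]

if __name__ == "__main__":
    print(matching(effective_policies(SAMPLE_CONFIG), POSTED))
```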