Eugene,
what is your exact configuration on EZ server and IOS remote sides?
If "proposals not accepted" is what you see in debug crypto isakmp,
then you need to see what exactly clients are sending for phase 1. Then
just add a policy matching it on server side.
As you know, if some lines are not shown in your policy-map configured,
they are taking some default value. To some extent the TAC engineer was
right saying that client may not have exactly THAT set of proposals
(having a mix of default and non-default settings) which you have
defined on your EZ server.
HTH
A.
On 8/5/2012 11:57 AM, Eugene Pefti wrote:
Have been beating my head over something trivial that drove me
absolutely mad.
There's EzVPN server on the router. It was configured in classical
crypto map mode and Dynamic VTI.
There are two EzVPN clients -- Cisco software IPSec client and a
router configured as EzVPN remote.
No matter what I did I ended up with "proposals not accepted" on phase
1 and "Processing of Aggressive mode failed with peer".
I use real gear and the amount of my frustration made me open the TAC
case.
I couldn't believe my ears when the engineer said that my crypto
isakmp policy was missing hash and encryption parameters when he saw
only two lines:
crypto isakmp policy 10
authentication pre-share
When I showed him the output of "show crypto isakmp policy" with a
complete set of proposals he said that I still have to add different
combinations of encryption and hash manually.
Then I was surprised when the software IPSec client finally connected
was still able to connect over and over again.
So-o-o-o funny when the engineer said that I have to upgrade to the
newer software which leaves me in doubt about version 12.4(15).
Do it next time if you have something similar.
Eugene
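
The point made in the reply at the top of this thread (unset policy lines take default values, so the expanded policy has to be compared with what the client sends) as an added example that is not part of the original messages. The default values are an assumption about classic IOS, the client proposal list is constructed, and policy 20 is hypothetical.

```python
# Added example: expand an IOS "crypto isakmp policy" block with its implicit
# defaults and compare it with the phase 1 proposals a client offers.

# Assumption: classic IOS defaults for attributes not configured in a policy.
IOS_DEFAULTS = {"encryption": "des", "hash": "sha",
                "authentication": "rsa-sig", "group": "1"}

def expand_policy(config):
    """Parse one policy block; unset attributes keep the default value."""
    policy = dict(IOS_DEFAULTS)
    for line in config.strip().splitlines()[1:]:  # skip "crypto isakmp policy N"
        words = line.split()
        if words and words[0] in policy:
            policy[words[0]] = " ".join(words[1:])
    return policy

def mismatches(policy, proposal):
    """Attributes on which a client proposal differs from a server policy."""
    return sorted(k for k in IOS_DEFAULTS if policy[k] != proposal[k])

def negotiate(policies, proposals):
    """Return the first (proposal, policy) pair agreeing on every attribute,
    or None, which is the "proposals not accepted" case. Lifetime is left
    out because it does not have to be identical on both sides."""
    for proposal in proposals:
        for policy in policies:
            if not mismatches(policy, proposal):
                return proposal, policy
    return None

# The two-line policy quoted in the thread.
POLICY_10 = expand_policy("crypto isakmp policy 10\n authentication pre-share")

# Constructed sample of what a client might offer; read the real list from
# "debug crypto isakmp" on the server.
CLIENT_PROPOSALS = [
    {"encryption": "aes 256", "hash": "sha", "authentication": "pre-share", "group": "2"},
    {"encryption": "3des", "hash": "sha", "authentication": "pre-share", "group": "2"},
]

# Hypothetical extra policy written to match the second constructed proposal.
POLICY_20 = expand_policy(
    "crypto isakmp policy 20\n encryption 3des\n authentication pre-share\n group 2")

if __name__ == "__main__":
    print("policy 10 expands to:", POLICY_10)
    for p in CLIENT_PROPOSALS:
        print("policy 10 differs on:", mismatches(POLICY_10, p))
    print("policy 10 only:", negotiate([POLICY_10], CLIENT_PROPOSALS))
    print("policy 20 added:", negotiate([POLICY_10, POLICY_20], CLIENT_PROPOSALS))
```
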
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com