I learnt my lesson, guys, thanks a lot to everyone.
It was mostly because I was in the habit of trusting what I remember from my real
life experience, and this made me rely on the default ISAKMP policies.
There's a big difference in default ISAKMP policies on version 12.4(24) and
12.4(15).
-====On 12.4(15)====-
R5#sh cry isa pol
Global IKE policy
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
-====On 12.4(24)====-
GIBSGW(config)#do sh cry isa pol
Default IKE policy
Protection suite of priority 65507
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Protection suite of priority 65508
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Protection suite of priority 65509
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Message Digest 5
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Protection suite of priority 65510
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Protection suite of priority 65511
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Protection suite of priority 65512
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Protection suite of priority 65513
encryption algorithm: Three key triple DES
hash algorithm: Message Digest 5
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Protection suite of priority 65514
encryption algorithm: Three key triple DES
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
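A small checker for the two lessons in this thread, as an added example (not code from the thread, from Cisco, or from any list member): it fills in the IOS defaults for policy lines you omit, parses "show crypto isakmp policy" output into per-suite attributes, tests whether a client proposal would match, and flags the weak defaults. IOS_DEFAULTS holds the 12.4(15) default suite quoted above; the sample output excerpt, the WEAK sets and any client proposal are constructed assumptions.

```python
import re
# Defaults IOS applies to omitted policy lines (the 12.4(15) default suite quoted in the thread).
IOS_DEFAULTS = {"encr": "des", "hash": "sha", "auth": "rsa-sig", "group": 1}
# Values flagged in a defender's review (criterion chosen for this example, not from the thread).
WEAK = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {1, 2}}
# Phrases in 'show crypto isakmp policy' output, mapped to config-style attribute values.
SHOW_WORDS = {"DES - Data": ("encr", "des"), "Three key triple DES": ("encr", "3des"),
              "AES - Advanced": ("encr", "aes"), "Secure Hash": ("hash", "sha"),
              "Message Digest 5": ("hash", "md5"), "Rivest-Shamir-Adleman": ("auth", "rsa-sig"),
              "Pre-Shared Key": ("auth", "pre-share")}
KEYWORD = {"encryption": "encr", "hash": "hash", "authentication": "auth", "group": "group"}

def effective_policy(config_lines):
    """Resolve a stanza like Eugene's two-liner to the attributes IOS really negotiates."""
    attrs = dict(IOS_DEFAULTS)
    for line in config_lines:
        tok = line.split()
        if tok and tok[0] in KEYWORD:
            key = KEYWORD[tok[0]]
            attrs[key] = int(tok[1]) if key == "group" else "-".join(tok[1:])
    attrs["encr"] = {"aes": "aes-128"}.get(attrs["encr"], attrs["encr"])  # bare 'aes' = 128-bit
    return attrs

def parse_show_policy(text):
    """Turn 'show crypto isakmp policy' output into one attribute dict per protection suite."""
    suites = []
    for line in text.splitlines():
        if "protection suite" in line.lower():
            suites.append({})
        elif suites:
            suites[-1].update(kv for phrase, kv in SHOW_WORDS.items() if phrase in line)
            if "AES" in line:  # key size may wrap onto the next line, so match only "(128 bit"
                suites[-1]["encr"] = "aes-" + re.search(r"\((\d+) bit", line).group(1)
            m = re.search(r"Diffie-Hellman group:\s*#(\d+)", line)
            if m:
                suites[-1]["group"] = int(m.group(1))
    return suites

def accepted(server_suites, proposal):
    """True if a server suite equals the proposal on all four attributes (lifetime is negotiated separately)."""
    return any(s == proposal for s in server_suites)

def weak_attributes(policy):
    return sorted(k for k, bad in WEAK.items() if policy.get(k) in bad)

# Constructed excerpt in the format of the 12.4(15) output quoted in the thread.
SAMPLE_12_4_15 = """Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)"""
```

Run effective_policy on the policy stanza from the original post and compare it with what the client's debug shows it proposing; a mismatch on any one of the four attributes is enough for "proposals not accepted".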
From: Alexei Monastyrnyi [mailto:[email protected]]
Sent: Saturday, August 04, 2012 8:38 PM
To: Eugene Pefti
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] EzVPN - once again
Eugene,
what is your exact configuration on EZ server and IOS remote sides?
If "proposals not accepted" is what you see in debug crypto isakmp, then you
need to see what exactly the clients are sending for phase 1. Then just add a policy
matching it on the server side.
As you know, if some lines are not shown in your configured policy, they
are taking some default value. To some extent the TAC engineer was right
saying that the client may not have exactly THAT set of proposals (having a mix of
default and non-default settings) which you have defined on your EZ server.
HTH
A.
On 8/5/2012 11:57 AM, Eugene Pefti wrote:
Have been beating my head over something trivial that drove me absolutely mad.
There's EzVPN server on the router. It was configured in classical crypto map
mode and Dynamic VTI.
There are two EzVPN clients - Cisco software IPSec client and a router
configured as EzVPN remote.
No matter what I did I ended up with "proposals not accepted" on phase 1 and
"Processing of Aggressive mode failed with peer".
I use real gear and the amount of my frustration made me open the TAC case.
I couldn't believe my ears when the engineer said that my crypto isakmp policy
was missing hash and encryption parameters when he saw only two lines:
crypto isakmp policy 10
authentication pre-share
When I showed him the output of "show crypto isakmp policy" with a complete set
of proposals he said that I still have to add different combinations of
encryption and hash manually.
Then I was surprised that the software IPSec client, once it finally connected, was still
able to connect over and over again.
So-o-o-o funny when the engineer said that I have to upgrade to the newer
software which leaves me in doubt about version 12.4(15).
Do it next time if you have something similar.
Eugene
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com<http://www.ipexpert.com>
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com<http://www.PlatinumPlacement.com>