Thanks!
Johan Bornman
Integrated Systems Consulting (Pty) Ltd
Cell: 082 783 3635

On 05 Aug 2012, at 8:29, Eugene Pefti <[email protected]> wrote:

> I learnt my lesson, guys, thanks a lot to everyone.
> It was mostly because I was in the habit of trusting what I remember from my
> real life experience and this made me rely on the default ISAKMP policies.
> There’s a big difference in default ISAKMP policies on version 12.4(24) and
> 12.4(15).
>
> -====On 12.4(15)====-
> R5#sh cry isa pol
>
> Global IKE policy
> Default protection suite
>         encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
>         hash algorithm:         Secure Hash Standard
>         authentication method:  Rivest-Shamir-Adleman Signature
>         Diffie-Hellman group:   #1 (768 bit)
>         lifetime:               86400 seconds, no volume limit
>
> -====On 12.4(24)====-
> GIBSGW(config)#do sh cry isa pol
>
> Default IKE policy
> Protection suite of priority 65507
>         encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
>         hash algorithm:         Secure Hash Standard
>         authentication method:  Rivest-Shamir-Adleman Signature
>         Diffie-Hellman group:   #5 (1536 bit)
>         lifetime:               86400 seconds, no volume limit
> Protection suite of priority 65508
>         encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
>         hash algorithm:         Secure Hash Standard
>         authentication method:  Pre-Shared Key
>         Diffie-Hellman group:   #5 (1536 bit)
>         lifetime:               86400 seconds, no volume limit
> Protection suite of priority 65509
>         encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
>         hash algorithm:         Message Digest 5
>         authentication method:  Rivest-Shamir-Adleman Signature
>         Diffie-Hellman group:   #5 (1536 bit)
>         lifetime:               86400 seconds, no volume limit
> Protection suite of priority 65510
>         encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
>         hash algorithm:         Message Digest 5
>         authentication method:  Pre-Shared Key
>         Diffie-Hellman group:   #5 (1536 bit)
>         lifetime:               86400 seconds, no volume limit
> Protection suite of priority 65511
>         encryption algorithm:   Three key triple DES
>         hash algorithm:         Secure Hash Standard
>         authentication method:  Rivest-Shamir-Adleman Signature
>         Diffie-Hellman group:   #2 (1024 bit)
>         lifetime:               86400 seconds, no volume limit
> Protection suite of priority 65512
>         encryption algorithm:   Three key triple DES
>         hash algorithm:         Secure Hash Standard
>         authentication method:  Pre-Shared Key
>         Diffie-Hellman group:   #2 (1024 bit)
>         lifetime:               86400 seconds, no volume limit
> Protection suite of priority 65513
>         encryption algorithm:   Three key triple DES
>         hash algorithm:         Message Digest 5
>         authentication method:  Rivest-Shamir-Adleman Signature
>         Diffie-Hellman group:   #2 (1024 bit)
>         lifetime:               86400 seconds, no volume limit
> Protection suite of priority 65514
>         encryption algorithm:   Three key triple DES
>         hash algorithm:         Message Digest 5
>         authentication method:  Pre-Shared Key
>         Diffie-Hellman group:   #2 (1024 bit)
>         lifetime:               86400 seconds, no volume limit
>
>
> From: Alexei Monastyrnyi [mailto:[email protected]]
> Sent: Saturday, August 04, 2012 8:38 PM
> To: Eugene Pefti
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_Security] EzVPN - once again
>
> Eugene,
> what is your exact configuration on EZ server and IOS remote sides?
>
> If "proposals are not accepted" is what you see in debug crypto isakmp, then
> you need to see what exactly clients are sending for phase 1. Then just add a
> policy matching it on the server side.
>
> As you know, if some lines are not shown in your policy-map configured, they
> are taking some default value. To some extent the TAC engineer was right
> saying that the client may not have exactly THAT set of proposals (having a mix of
> default and non-default settings) which you have defined on your EZ server.
>
> HTH
> A.
>
>
> On 8/5/2012 11:57 AM, Eugene Pefti wrote:
> Have been beating my head over something trivial that drove me absolutely mad.
> There’s an EzVPN server on the router. It was configured in classical crypto map
> mode and Dynamic VTI.
> There are two EzVPN clients – Cisco software IPSec client and a router
> configured as EzVPN remote.
> No matter what I did I ended up with “proposals not accepted” on phase 1 and
> “Processing of Aggressive mode failed with peer”.
> I use real gear and the amount of my frustration made me open a TAC case.
> I couldn’t believe my ears when the engineer said that my crypto isakmp
> policy was missing hash and encryption parameters when he saw only two lines:
>
> crypto isakmp policy 10
>  authentication pre-share
>
> When I showed him the output of “show crypto isakmp policy” with a complete
> set of proposals he said that I still have to add different combinations of
> encryption and hash manually.
> Then I was surprised when the software IPSec client, once it finally connected, was
> still able to connect over and over again.
>
> So-o-o-o funny when the engineer said that I have to upgrade to the newer
> software, which leaves me in doubt about version 12.4(15).
> Do it next time if you have something similar.
>
> Eugene
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
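The thread's point is that a peer's phase 1 proposal must match one of the server's ISAKMP policies attribute for attribute, and that the default suites differ between 12.4(15) and 12.4(24). The following is an added example (not code from the thread or from Cisco) that parses "show crypto isakmp policy" output as quoted above and reports which suites a given proposal would match; the client proposal PSK_AES_SHA_G5 is an assumption made up for illustration, since the thread never shows what the clients actually sent.

```python
import re
# Constructed sample input: the "show crypto isakmp policy" listings quoted in
# the thread (the 12.4(15) default suite and the first two 12.4(24) default
# suites), retyped here with lifetime lines omitted; not captured live.
IOS_12_4_15 = """\
Global IKE policy
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
"""
IOS_12_4_24 = """\
Default IKE policy
Protection suite of priority 65507
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #5 (1536 bit)
Protection suite of priority 65508
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
"""
# Assumed client phase-1 proposal (made up for illustration; the thread does
# not show the client's proposals). Values are substrings to look for.
PSK_AES_SHA_G5 = {"encryption algorithm": "AES", "hash algorithm": "Secure Hash",
                  "authentication method": "Pre-Shared Key", "Diffie-Hellman group": "#5"}
SUITE_RE = re.compile(r"\s*(Default protection suite|Protection suite of priority (\d+))")
ATTR_RE = re.compile(r"\s*(encryption algorithm|hash algorithm|authentication method|"
                     r"Diffie-Hellman group):\s*(.+)")

def parse_isakmp_policies(text):
    """Return one dict per protection suite: priority plus its four attributes."""
    policies, cur = [], None
    for line in text.splitlines():
        m = SUITE_RE.match(line)
        if m:  # start of a new suite; 'default' marks the unnumbered 12.4(15) suite
            cur = {"priority": int(m.group(2)) if m.group(2) else "default"}
            policies.append(cur)
        elif cur is not None and (m := ATTR_RE.match(line)):
            cur[m.group(1)] = m.group(2).strip()
    return policies

def matching_priorities(policies, proposal):
    """Priorities of every suite whose attributes all contain the proposal's values."""
    return [p["priority"] for p in policies
            if all(want in p.get(attr, "") for attr, want in proposal.items())]
```

Running the same proposal against both listings shows why the 12.4(15) box rejects it while 12.4(24) accepts it on suite 65508, which is the check to do before opening a TAC case.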
