No worries.
You can also disable all default ISAKMP policies so your configurations are more deterministic.

A.
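As an added example (not code from this list, from Cisco, or from either poster), the script below parses the two "show crypto isakmp policy" outputs quoted further down in this thread, reports which of one release's default suites the other release would refuse (the "proposals not accepted" symptom Alexei asks about below), flags parameters that current guidance says a responder should not negotiate, and emits the explicit policy lines that make the configuration deterministic. The sample outputs are abbreviated copies of the quoted ones; the `no crypto isakmp default policy` line is my recollection of the IOS command that removes the built-in suites and should be verified on your release.

```python
import re
from dataclasses import dataclass

# Constructed samples: abbreviated copies of the two outputs quoted in this thread.
OUT_12_4_15 = """\
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
"""
OUT_12_4_24 = """\
Default IKE policy
Protection suite of priority 65507
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 65512
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
"""

@dataclass(frozen=True)
class Suite:
    priority: object   # int, or None for the unnumbered 12.4(15) default suite
    encryption: str    # IOS keyword: des, 3des, aes, aes 192, aes 256
    hash_alg: str      # sha, md5
    auth: str          # rsa-sig, pre-share
    group: int
    lifetime: int

    def proposal(self):
        # What a peer must match; lifetime is negotiated separately, so it is left out.
        return (self.encryption, self.hash_alg, self.auth, self.group)

def _enc_kw(text):
    if text.startswith("AES"):
        bits = int(re.search(r"\((\d+) bit", text).group(1))
        return "aes" if bits == 128 else f"aes {bits}"
    return "3des" if "triple DES" in text else "des"

# show-output label -> (Suite field, converter for the text after the colon)
FIELDS = {
    "encryption algorithm": ("encryption", _enc_kw),
    "hash algorithm": ("hash_alg", {"Secure Hash Standard": "sha", "Message Digest 5": "md5"}.get),
    "authentication method": ("auth", {"Rivest-Shamir-Adleman Signature": "rsa-sig", "Pre-Shared Key": "pre-share"}.get),
    "Diffie-Hellman group": ("group", lambda v: int(v[1:].split()[0])),   # "#5 (1536 bit)"
    "lifetime": ("lifetime", lambda v: int(v.split()[0])),               # "86400 seconds, ..."
}

def parse_show_isakmp_policy(output):
    """Parse 'show crypto isakmp policy' text into a list of Suite records."""
    suites, cur = [], None
    for raw in output.splitlines():
        line = raw.strip()
        m = re.match(r"Protection suite of priority (\d+)", line)
        if m or line == "Default protection suite":
            if cur:
                suites.append(Suite(**cur))
            cur = {"priority": int(m.group(1)) if m else None}
            continue
        key, _, value = (s.strip() for s in line.partition(":"))
        if cur is not None and key in FIELDS:
            name, conv = FIELDS[key]
            cur[name] = conv(value)
    if cur:
        suites.append(Suite(**cur))
    return suites

def unmatched_proposals(client, server):
    """Client suites no server suite accepts: the 'proposals not accepted' symptom."""
    accepted = {s.proposal() for s in server}
    return [s for s in client if s.proposal() not in accepted]

def weak_parameters(suite):
    """Parameters current guidance says a responder should not negotiate."""
    reasons = []
    if suite.encryption in ("des", "3des"):
        reasons.append(f"encryption {suite.encryption}")
    if suite.hash_alg == "md5":
        reasons.append("hash md5")
    if suite.group < 14:
        reasons.append(f"group {suite.group} (<2048-bit modulus)")
    return reasons

def explicit_policy_config(suites, start=10, step=10):
    """Explicit policies so the router no longer depends on release defaults."""
    # Assumption: 'no crypto isakmp default policy' is the IOS command that removes
    # the built-in suites on releases that ship them; verify it on your release.
    lines = ["no crypto isakmp default policy"]
    for i, s in enumerate(suites):
        lines += [f"crypto isakmp policy {start + i * step}",
                  f" encryption {s.encryption}", f" hash {s.hash_alg}",
                  f" authentication {s.auth}", f" group {s.group}",
                  f" lifetime {s.lifetime}"]
    return "\n".join(lines)
```

Running `unmatched_proposals(parse_show_isakmp_policy(OUT_12_4_15), parse_show_isakmp_policy(OUT_12_4_24))` returns the single 12.4(15) default (DES/SHA/RSA-sig/group 1), which no 12.4(24) default suite would accept; that is exactly why a client built against one release's defaults can fail phase 1 against the other. Feeding the parsed suites to `explicit_policy_config` gives the lines to paste into the server, and `weak_parameters` shows why copying the defaults verbatim is not the end of the job.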
On 8/5/2012 4:29 PM, Eugene Pefti wrote:

I learnt my lesson, guys, thanks a lot to everyone.

It was mostly because I was in the habit of trusting what I remember from my real-life experience, and this made me rely on the default ISAKMP policies.

There's a big difference in the default ISAKMP policies between versions 12.4(24) and 12.4(15).

==== On 12.4(15) ====

R5#sh cry isa pol

Global IKE policy
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

==== On 12.4(24) ====

GIBSGW(config)#do sh cry isa pol

Default IKE policy
Protection suite of priority 65507
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 65508
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 65509
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 65510
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 65511
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 65512
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 65513
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 65514
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit

From: Alexei Monastyrnyi [mailto:[email protected]]
Sent: Saturday, August 04, 2012 8:38 PM
To: Eugene Pefti
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] EzVPN - once again

Eugene,
what is your exact configuration on EZ server and IOS remote sides?

If "proposals not accepted" is what you see in debug crypto isakmp, then you need to see exactly what the clients are sending for phase 1. Then just add a policy matching it on the server side.

As you know, if some lines are not shown in your configured policy, they are taking some default value. To some extent the TAC engineer was right in saying that the client may not have exactly THAT set of proposals (having a mix of default and non-default settings) which you have defined on your EZ server.

HTH
A.

On 8/5/2012 11:57 AM, Eugene Pefti wrote:

    Have been beating my head over something trivial that drove me
    absolutely mad.

    There's EzVPN server on the router. It was configured in classical
    crypto map mode and Dynamic VTI.

    There are two EzVPN clients -- Cisco software IPSec client and a
    router configured as EzVPN remote.

    No matter what I did I ended up with "proposals not accepted" on
    phase 1 and "Processing of Aggressive mode failed with peer".

    I use real gear and the amount of my frustration made me open the
    TAC case.

    I couldn't believe my ears when the engineer said that my crypto
    isakmp policy was missing hash and encryption parameters when he
    saw only two lines:

    crypto isakmp policy 10
      authentication pre-share

    When I showed him the output of "show crypto isakmp policy" with a
    complete set of proposals he said that I still have to add
    different combinations of encryption and hash manually.

    Then I was surprised when the software IPSec client finally
    connected was still able to connect over and over again.

    So-o-o-o funny when the engineer said that I have to upgrade to
    the newer software which leaves me in doubt about version 12.4(15).

    Do it next time if you have something similar.

    Eugene




    _______________________________________________
    For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
    Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com

