The peer's KE payload contained the wrong DH group

theitmedic
Level 1

I have a Cisco 2901 running c2900-universalk9-mz.SPA.155-3.M7.bin. I'm getting the following errors when using AnyConnect Security Mobility Client version 4.8.03052. This was working and now it's not. 

 

%IKEV2-5-RECV_CONNECTION_REQUEST: Received a IKE_INIT_SA request
%IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: The peer's KE payload contained the wrong DH group
%IKEV2-5-RECV_CONNECTION_REQUEST: Received a IKE_INIT_SA request
%IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Auth exchange failed
 
Below is the configuration
 
aaa authentication login a-eap-authen-local local
aaa authorization network a-eap-author-grp local
!
crypto ikev2 authorization policy ikev2-auth-policy
 pool VPN-clients
 route set access-list split_tunnel
!
crypto ikev2 proposal IKEv2-prop1
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy IKEv2-pol
 proposal IKEv2-prop1
!
!
crypto ikev2 profile AnyConnect-EAP
 match identity remote key-id xxxxxxx
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate
 pki trustpoint CERT-NAME
 aaa authentication anyconnect-eap a-eap-authen-local
 aaa authorization group anyconnect-eap list a-eap-author-grp ikev2-auth-policy
 aaa authorization user anyconnect-eap cached
 virtual-template 100
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec fragmentation after-encryption
crypto ipsec df-bit clear
!
crypto ipsec profile AnyConnect-EAP
 set transform-set TS
 set ikev2-profile AnyConnect-EAP
!
interface Loopback100
 ip address 10.0.0.1 255.255.255.255
!
interface Virtual-Template100 type tunnel
 ip unnumbered Loopback100
 ip mtu 1400
 ip nat inside
 ip virtual-reassembly in
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AnyConnect-EAP
!
ip local pool VPN-clients 192.168.20.1 192.168.20.2
!
ip access-list standard split_tunnel
 permit 192.168.1.0 0.0.0.255
 permit 192.168.2.0 0.0.0.255
 permit 192.168.3.0 0.0.0.255
 permit 192.168.4.0 0.0.0.255
!
 
Any ideas?
 
Thank you
 
GW
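The "wrong DH group" message refers to the IKE_SA_INIT Key Exchange payload defined in RFC 7296 section 3.4, whose first field after the generic header is the DH group number the initiator is using. The following Python is an added example (not part of the post or of Cisco's code) that parses a constructed KE payload, reads that group number, and checks it against the groups listed in a `crypto ikev2 proposal` block like the one above; the proposal text, the payload bytes and the 256/64-byte key-exchange data are constructed for the demonstration.

```python
import re
import struct

# Subset of the IANA IKEv2 Transform Type 4 (Diffie-Hellman group) registry.
DH_GROUP_NAMES = {2: "1024-bit MODP", 5: "1536-bit MODP", 14: "2048-bit MODP",
                  15: "3072-bit MODP", 16: "4096-bit MODP", 19: "256-bit ECP",
                  20: "384-bit ECP", 21: "521-bit ECP"}

# Constructed copy of the proposal block from the post, in 'show running-config' indentation.
SAMPLE_PROPOSAL = "crypto ikev2 proposal IKEv2-prop1\n encryption aes-cbc-256\n integrity sha256\n group 14\n!\n"

def proposal_groups(config_text: str) -> set[int]:
    """Collect every DH group listed under 'crypto ikev2 proposal' blocks (indented sub-commands)."""
    groups, in_proposal = set(), False
    for line in config_text.splitlines():
        if line.startswith("crypto ikev2 proposal"):
            in_proposal = True
        elif not line.startswith(" "):          # any non-indented line ('!', next section) ends the block
            in_proposal = False
        if in_proposal:
            m = re.match(r"\s*group((?:\s+\d+)+)\s*$", line)   # IOS allows 'group 14 19 20'
            if m:
                groups.update(int(g) for g in m.group(1).split())
    return groups

def build_ke_payload(group: int, ke_data: bytes, next_payload: int = 0) -> bytes:
    """Build a KE payload: generic header (next, C/reserved, length) + DH group + reserved + data."""
    return struct.pack("!BBHHH", next_payload, 0, 8 + len(ke_data), group, 0) + ke_data

def parse_ke_payload(payload: bytes) -> dict:
    """Parse a KE payload per RFC 7296 section 3.4, rejecting a length field that lies."""
    if len(payload) < 8:
        raise ValueError("KE payload shorter than its fixed 8-byte header")
    next_payload, flags, length, group, _reserved = struct.unpack("!BBHHH", payload[:8])
    if length != len(payload):
        raise ValueError(f"length field {length} does not match {len(payload)} bytes received")
    return {"next_payload": next_payload, "critical": bool(flags & 0x80),
            "group": group, "ke_data": payload[8:]}

def check_ke_group(payload: bytes, allowed: set[int]) -> tuple[bool, str]:
    """Responder-side check: the peer's KE group must be one the configured proposal allows."""
    group = parse_ke_payload(payload)["group"]
    name = DH_GROUP_NAMES.get(group, "unassigned/unknown")
    if group in allowed:
        return True, f"KE group {group} ({name}) is in proposal groups {sorted(allowed)}"
    return False, (f"KE group {group} ({name}) is not in proposal groups {sorted(allowed)}: "
                   "RFC 7296 has the responder answer INVALID_KE_PAYLOAD and the exchange fails")

if __name__ == "__main__":
    for p in (build_ke_payload(14, bytes(256)), build_ke_payload(19, bytes(64))):  # constructed KE data
        print(check_ke_group(p, proposal_groups(SAMPLE_PROPOSAL))[1])
```

Running it prints one accepted line for group 14 and one rejection for group 19, which is the responder-side decision behind the %IKEV2-3-NEG_ABORT message quoted above.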