Core issue
This issue occurs due to the presence of Cisco bug ID CSCsd27617.
The Advanced Encryption Standard (AES) password encryption corrupts the existing pre-shared key (PSK) on the router as described by Cisco bug ID CSCsd27617.
If a router's EzVPN Group name contains a "_" such as group ezvpn_myclient key mytest and you add password encryption aes then IKE consistently fails with the wrong group PSK.
Resolution
In order to resolve this issue, delete and recreate the PSK (without " _ ") after you apply the AES password encryption.
Issue these commands:
Router(config)#key config-key password-encryption [master key]
Router(config)#password encryption aes
Note: Delete and re-create the PSK in the group configuration.