Solved: CSR1000V 16.03 to 16.09: EasyVPN/Third-Party-IPSEC-Client Problems

Max-Morten Conrad · ‎12-14-2020

Hello everyone,

we are currently facing issues updating one of our CSR1000V from IOS XE 16.03 Denali to 16.09 Fuji, the problem is two-fold:

- configuration 'crypto map MAPNAME isakmp authorization list GROUP-LIST' doesn't seem to be supported anymore and throws an error on boot. The command is responsible for authorizing certain RADIUS groups in our configuration - dynamic configuration is applied from said RADIUS groups as well (split-tunnel acl, pool, etc.). This is used for Easy VPN peers as well as a few third party client connections (Mac OS-inbuilt client and Shrewsoft).

- Phase1 can't be established anymore between Easy VPN peers and the Gateway, even though isakmp policies haven't changed on the device

We have rolled back to 16.03. for now. Does anyone use a similar featureset and has faced similar issues?

Thanks a lot and best regards

Rob Ingram · ‎12-14-2020

Hi @Max-Morten Conrad

EasyVPN has been retired and no longer supported. Reference here

https://www.cisco.com/c/en/us/obsolete/security/cisco-easy-vpn.html

However you can achieve the samething by using FlexVPN, that would require a reconfiguration of your devices to use IKEv2

HTH

View solution in original post

Rob Ingram · ‎12-14-2020

Hi @Max-Morten Conrad

EasyVPN has been retired and no longer supported. Reference here

https://www.cisco.com/c/en/us/obsolete/security/cisco-easy-vpn.html

However you can achieve the samething by using FlexVPN, that would require a reconfiguration of your devices to use IKEv2

HTH

Max-Morten Conrad · ‎12-14-2020

I suspected as much - thanks for the Info @Rob Ingram.