EZVPN client on Cisco 2851 and DH Group 5

Clifford McGlamry
Spotlight

Customer has a 2851 router that runs the EZVPN client connected back to a Cisco ASA based EZVPN server.


Tunnel went down today, and everyone claims no configuration changes have been made. Troubleshooting has narrowed this down to the server end rejecting the connection because it will not allow AES-128 with DH Group 2.


It will allow AES-256 with Group 2, or AES-128 with Group 5.  

I can find no way to configure the transform set or the group on the EZVPN client.  

My questions:

1. Is there a way to do this?

2. If it is because of the router type (2851), is there a later model that will support either by setting or automatically, the above combinations?


TIA,


Cliff

1 Reply

Hi,

Have a look at the isakmp policy on the router, which should be configured something like this...


Router example:

crypto isakmp policy 10
 encr aes 128
 group 5


On the ASA, isakmp is probably referred to as IKEv1 (depending on your version); something like this...


ASA example:

crypto ikev1 policy 10
 ! on the ASA the keyword "aes" selects AES-128 ("aes-192" and "aes-256" select the larger key sizes)
 encryption aes
 group 5

The policy number is not so important, it will process/prioritise the lowest number first.


The algorithms need to match; the policy number does not. Make amendments if required. If there is still an issue, please run debugs and upload the output of "debug crypto isakmp|ikev1".


HTH
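The matching rule in the reply (attributes must agree, policy numbers only set evaluation order) can be simulated to see why the thread's tunnel fails and why a "group 5" change fixes it. The following is an added example, not code from the thread or from Cisco: it models IKEv1 phase 1 policy selection with a constructed server having exactly the two policies the question describes (AES-256/group 2 and AES-128/group 5) and a client proposing AES-128/group 2. The hash and authentication values ("sha", "pre-share") are assumptions, and lifetime comparison is deliberately left out of the model.

```python
"""Added example (not from the thread): simulate ISAKMP/IKEv1 phase 1 policy
matching. Policy numbers are only the order of evaluation; the attributes
(encryption, hash, authentication, DH group) are what must agree."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    """One 'crypto isakmp policy <n>' (IOS) / 'crypto ikev1 policy <n>' (ASA) entry."""
    priority: int        # policy number: evaluation order only, never compared
    encryption: str      # e.g. "aes-128", "aes-256", "3des"
    hash_alg: str        # e.g. "sha", "md5"
    authentication: str  # e.g. "pre-share", "rsa-sig"
    group: int           # Diffie-Hellman group number


FIELDS = ("encryption", "hash_alg", "authentication", "group")


def attrs(p: Policy) -> Tuple[str, str, str, int]:
    """The tuple that actually has to match; priority is intentionally absent."""
    return (p.encryption, p.hash_alg, p.authentication, p.group)


def by_priority(policies: List[Policy]) -> List[Policy]:
    return sorted(policies, key=lambda p: p.priority)


def negotiate(initiator: List[Policy], responder: List[Policy]) -> Optional[Tuple[int, int]]:
    """Return (initiator_priority, responder_priority) of the first matching pair,
    or None when no responder policy equals any proposal.

    The responder walks its own policies lowest number first and accepts the
    first one whose attributes equal any proposal the initiator sent.
    Lifetime handling is left out of this model (assumption for brevity)."""
    proposals: Dict[Tuple[str, str, str, int], int] = {}
    for p in by_priority(initiator):
        proposals.setdefault(attrs(p), p.priority)   # keep the lowest-numbered duplicate
    for r in by_priority(responder):
        if attrs(r) in proposals:
            return proposals[attrs(r)], r.priority
    return None


def explain_mismatch(initiator: List[Policy], responder: List[Policy]) -> List[str]:
    """For every responder policy / initiator proposal pair that does not match,
    name the differing attributes. This is the same information a
    'debug crypto isakmp' / 'debug crypto ikev1' trace makes you dig out by hand."""
    lines = []
    for r in by_priority(responder):
        for i in by_priority(initiator):
            diffs = [f for f in FIELDS if getattr(i, f) != getattr(r, f)]
            if diffs:
                lines.append(f"responder policy {r.priority} vs proposal {i.priority}: "
                             f"mismatch on {', '.join(diffs)}")
    return lines


# Constructed from the thread: the server accepts AES-256/group 2 or AES-128/group 5;
# the client's only proposal is AES-128/group 2. Hash and auth values are assumed.
SERVER = [
    Policy(10, "aes-256", "sha", "pre-share", 2),
    Policy(20, "aes-128", "sha", "pre-share", 5),
]
CLIENT_BEFORE = [Policy(10, "aes-128", "sha", "pre-share", 2)]
CLIENT_AFTER = [Policy(10, "aes-128", "sha", "pre-share", 5)]  # after 'group 5' on the router


if __name__ == "__main__":
    print("before:", negotiate(CLIENT_BEFORE, SERVER))       # None: nothing matches
    for line in explain_mismatch(CLIENT_BEFORE, SERVER):
        print("   ", line)
    print("after: ", negotiate(CLIENT_AFTER, SERVER))        # (10, 20): client 10 matches server 20
```

Note that the successful case pairs client policy 10 with server policy 20: the numbers differ and that is fine, exactly as the reply says. When reading real debug output, look for the same per-attribute mismatch pattern rather than for the policy numbers.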