EzVPN - IKE policy

Hi,

 

I am using an EzVPN architecture, and I have tried to force the EzVPN clients to use specific security settings for both IKE and IPsec (AES256/SHA256/DH14).

It works without issue for IPsec, however I have not been able to make it work for IKE.

Here is the problem: the EzVPN client has a list of "EZVPN IKE policy" and a list of "Global IKE policy". We can see them using the cmd sh crypto isakmp policy:

Global IKE policy
Protection suite of priority 1
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard 2 (256 bit)
authentication method: Pre-Shared Key
Diffie-Hellman group: #14 (2048 bit)
lifetime: 86400 seconds, no volume limit

EZVPN IKE policy
Protection suite of priority 65515
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method:
Diffie-Hellman group: #2 (1024 bit)
lifetime: 2147483 seconds, no volume limit
Protection suite of priority 65516
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Message Digest 5
authentication method:
Diffie-Hellman group: #2 (1024 bit)
lifetime: 2147483 seconds, no volume limit

 ...

The policy from the "Global IKE policy" comes from this configuration:

crypto isakmp policy 1
encr aes 256
hash sha256
authentication pre-share
group 14

And the policies from the "EZVPN IKE policy" are there by default.

During phase 1, the EzVPN client only proposes the "EZVPN IKE policies", and as you have probably guessed there is no SHA256 or DH14 inside the default EZVPN policies, so as my HUB is configured to only accept that, negotiation fails with the following message: "atts are not acceptable"

 

I did try both the legacy and enhanced EzVPN, but without success. So, I am trying to find a way to either add new policies inside the "EZVPN IKE policy" or to have the EzVPN client propose the "Global IKE policy" when establishing phase 1. Or if anyone has a better idea, feel free to let me know.

 

Any help would be appreciated :)

 

Thanks!
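Added example (not part of the original post, and not Cisco code): a small Python audit script that parses the `sh crypto isakmp policy` output quoted above and flags every protection suite that falls below the AES256/SHA256/DH14 baseline the poster wants. The sample text is a constructed copy of the output in the post; the function names (`parse_isakmp_policies`, `check_policy`, `audit`) and the mapping of the IOS display strings to short hash names (for example "Secure Hash Standard" taken as SHA-1) are assumptions of this example. Run over the output as shown, it reports the Global suite as compliant and both default EZVPN suites as weak, which is exactly the mismatch behind the "atts are not acceptable" failure.

```python
import re
from dataclasses import dataclass

# Constructed sample: a copy of the `show crypto isakmp policy` output in the post.
SAMPLE_OUTPUT = """\
Global IKE policy
Protection suite of priority 1
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard 2 (256 bit)
authentication method: Pre-Shared Key
Diffie-Hellman group: #14 (2048 bit)
lifetime: 86400 seconds, no volume limit

EZVPN IKE policy
Protection suite of priority 65515
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method:
Diffie-Hellman group: #2 (1024 bit)
lifetime: 2147483 seconds, no volume limit
Protection suite of priority 65516
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Message Digest 5
authentication method:
Diffie-Hellman group: #2 (1024 bit)
lifetime: 2147483 seconds, no volume limit
"""

# Assumed mapping of IOS display names to short hash names.
HASH_NAMES = {
    "Secure Hash Standard 2 (256 bit)": "sha256",
    "Secure Hash Standard": "sha1",
    "Message Digest 5": "md5",
}

# DH groups accepted as at least as strong as group 14 (2048-bit MODP).
STRONG_DH_GROUPS = {14, 15, 16, 19, 20, 21, 24}


@dataclass
class IkePolicy:
    section: str        # "Global" or "EZVPN"
    priority: int
    encryption: str = ""
    key_bits: int = 0
    hash_alg: str = ""
    auth: str = ""
    dh_group: int = 0
    lifetime: int = 0


def parse_isakmp_policies(text):
    """Parse `show crypto isakmp policy` output into IkePolicy records."""
    policies, section, current = [], "", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("IKE policy"):           # section header
            section = line[: -len(" IKE policy")]
            continue
        m = re.match(r"Protection suite of priority (\d+)", line)
        if m:
            current = IkePolicy(section=section, priority=int(m.group(1)))
            policies.append(current)
            continue
        if current is None:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "encryption algorithm":
            current.encryption = value.split(" - ")[0]
            bits = re.search(r"\((\d+) bit keys\)", value)
            current.key_bits = int(bits.group(1)) if bits else 0
        elif key == "hash algorithm":
            current.hash_alg = value
        elif key == "authentication method":
            current.auth = value
        elif key == "diffie-hellman group":
            g = re.search(r"#(\d+)", value)
            current.dh_group = int(g.group(1)) if g else 0
        elif key == "lifetime":
            secs = re.match(r"(\d+) seconds", value)
            current.lifetime = int(secs.group(1)) if secs else 0
    return policies


def check_policy(p, min_key_bits=256, allowed_hashes=("sha256",)):
    """Return a list of findings; an empty list means the suite meets the baseline."""
    findings = []
    if p.encryption != "AES" or p.key_bits < min_key_bits:
        findings.append(f"encryption {p.encryption}-{p.key_bits} below AES-{min_key_bits}")
    h = HASH_NAMES.get(p.hash_alg, p.hash_alg)
    if h not in allowed_hashes:
        findings.append(f"hash {h} not in {allowed_hashes}")
    if p.dh_group not in STRONG_DH_GROUPS:
        findings.append(f"DH group {p.dh_group} weaker than group 14")
    return findings


def audit(text):
    """Map (section, priority) -> findings for every suite in the output."""
    return {(p.section, p.priority): check_policy(p) for p in parse_isakmp_policies(text)}


if __name__ == "__main__":
    for (section, prio), findings in audit(SAMPLE_OUTPUT).items():
        status = "OK" if not findings else "WEAK: " + "; ".join(findings)
        print(f"{section} priority {prio}: {status}")
```

The check deliberately treats the hash and DH group as allow-lists rather than numeric comparisons, because IOS group numbers are not ordered by strength (group 5 is weaker than group 14, while the ECP groups 19 to 21 are stronger).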
