Easy VPN "Phase I" and 3030 - Compatible Transform Set?
Hi All -
I'm working with a 1710 EZVPN client, using the "Phase I" release 12.2(4)YA. (Unfortunately, the "Phase II" release 12.2(8)YJ is the first release that takes more RAM than the 1710s shipped with a mere 2 months ago.)
The question is, is there a compatible set of transforms that will work between this "Phase I" EZVPN client and a 3030? All EZVPN documentation just talks to this magic set of transforms built into the client that will work with a 3030, but they don't, regardless of what I've tried on either end.
Has anybody out there successfully gotten this combination to work?
Well, let me answer my own question...(and add a lesson learned or two).
The 12.2(4)YA2 version will indeed work with the 3030. Specifically, it works with 3.6.1, but probably would have worked with the older code too. In fact, the problem has nothing to do with the transforms at all -- once it worked, it worked with just about every transform I threw at it. I was getting faked out on the debugs, when in reality the problem was way back early in Phase I. The "public" side of the 3030 is behind a NAT'ing router, so the client was calling up with a pre-shared key to the public address, but then the 3030 was answering back with a pre-shared key that appeared to come from the RFC address. Occasionally, the router would recognize that and flag it as "no pre-shared key for peer 192.168.x.x", but usually it would just press on and attempt to negotiate (and fail).
Though there has to be a better way to work around it, I just added a static "crypto isakmp key" for the RFC/private address, identical to the EZVPN group pre-shared key, and it works fine. I don't like revealing that correlation between public and private IP addresses in the router (the VPN Concentrator should be able to spoof it), but if it works I'm not arguing.
From everything I can find, there are only two versions that support EZVPN on the 1710. 12.2(4)YA2 supports the original "Phase I" version, and 12.2(8)YJ supports the new "Phase II" version. Supposedly it was going to mainline somewhere along the way, but it doesn't seem to have happened yet. The only problem with the 12.2(8) version is that it requires 48MB RAM, while 12.2(4) only needs 32MB (which was the default shipping configuration on the 1710).
There's a pretty good sample configuration in the 12.2(4)YA release notes, as well as screen shots on how to set up the 3000. Otherwise, drop me a note off-line, and I'll see what I can pull together.
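The workaround described in the answer above, written out as an added IOS configuration example (this is not the poster's configuration, and not taken from the release notes). The addresses, interface names, group name and key are placeholders: 203.0.113.10 stands for the 3030's NAT'd public address that the client dials, 192.168.1.10 for the concentrator's real RFC 1918 address that shows up as the ISAKMP peer, and EZGROUP/EZKEY for the Easy VPN group and its pre-shared key. The static `crypto isakmp key` line is the fix; everything else is the ordinary Phase I Easy VPN Remote client setup it sits alongside.

```cisco
! Added example, not from the original post. All names and addresses are assumed.
!
! 203.0.113.10   = 3030 public address the client dials (NAT'd, assumed)
! 192.168.1.10   = 3030 real private address seen as the ISAKMP peer ID (assumed)
! EZGROUP/EZKEY  = Easy VPN group name and group pre-shared key (assumed)
!
! Workaround: a static pre-shared key for the private address, identical to the
! group key, so Phase 1 completes when the concentrator answers from that address.
crypto isakmp key EZKEY address 192.168.1.10
!
! Phase I Easy VPN Remote client profile
crypto ipsec client ezvpn VPN-TO-3030
 group EZGROUP key EZKEY
 mode client
 peer 203.0.113.10
!
! 1710 WAN port (10BaseT Ethernet0), where the EZVPN profile is applied
interface Ethernet0
 description Outside to ISP (assumed)
 ip address dhcp
 crypto ipsec client ezvpn VPN-TO-3030
!
! 1710 LAN port (FastEthernet0)
interface FastEthernet0
 description Inside LAN (assumed)
 ip address 10.1.1.1 255.255.255.0
```

After applying this, `show crypto isakmp sa` should show the Phase 1 SA as QM_IDLE and `show crypto ipsec client ezvpn` should report the tunnel as up; `debug crypto isakmp` is where the "no pre-shared key for peer 192.168.x.x" message appears if the static key is missing or does not match. The trade-off is the one the poster notes: the group key now appears twice in the router configuration, and the configuration records the mapping from the concentrator's public address to its private one, so anyone who can read the config learns both.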