This issue occurs due to the presence of Cisco bug ID CSCsd27617.
The Advanced Encryption Standard (AES) password encryption corrupts the existing pre-shared key (PSK) on the router as described by Cisco bug ID CSCsd27617.
If a router's EzVPN Group name contains a "_" such as group ezvpn_myclient key mytest and you add password encryption aes then IKE consistently fails with the wrong group PSK.
In order to resolve this issue, delete and recreate the PSK (without " _ ") after you apply the AES password encryption.
Issue these commands:
Router(config)#key config-key password-encryption [master key] Router(config)#password encryption aes
Note: Delete and re-create the PSK in the group configuration.