Jump to content
Sign in to follow this  

How to config IOS EZVPN Client Mode(PKI)

Recommended Posts

i got cert successfully at VPN Client and EZVPN Server

R2 is CA, its address is

But I can't dial VPN Server to access

It seems that IKE Phase 1 doesn't work. Please Help

R3 is EZVPN Server, WinXP is VPN Client

Here is config file


crypto pki trustpoint CA

enrollment url

Hidden Content

    Give reaction to this post to see the hidden content.


ip-address none

subject-name CN=R3, OU=EZ_GROUP

revocation-check crl

crypto pki certificate chain CA

certificate 04

308201E7 30820150 A0030201 02020104 300D0609 2A864886 F70D0101 04050030

1A310B30 09060355 040B1302 5232310B 30090603 55040313 02434130 1E170D31

36303630 37313631 3333355A 170D3137 30363037 31363133 33355A30 4C311130

0F060355 040B0C08 455A5F47 524F5550 310B3009 06035504 03130252 33312A30

12060355 0405130B 46545830 39343557 304D5930 1406092A 864886F7 0D010902

16075261 636B3152 33305C30 0D06092A 864886F7 0D010101 0500034B 00304802

41009F0B 54CE14A2 50076067 3F3BBB68 B023328B B45FC98C BEC625A0 B8CA924E

27AAE65F 21D154D5 04BCF7DB FF613E61 8ACCC4C8 F5FD47E0 1789EC3B 63A07151

04E70203 010001A3 4F304D30 0B060355 1D0F0404 030205A0 301F0603 551D2304

18301680 14B8F93E 1EC13CC1 6261C112 AC8B9C16 FA06DA6D 80301D06 03551D0E

04160414 27418DCF 53C7EA9F D37F2736 9FAE4DD7 1D17EA26 300D0609 2A864886

F70D0101 04050003 81810064 3FA5A659 CE0CCA2E 6D0EBBA6 C6DC0317 42DCD340

9A9F6C36 3B327E31 3F5FCC69 C72025CD 5F26D151 D6798F9D A7F89817 DE7FA65B

30D08FB5 281F5C47 D0010FCF D7E2A2A7 AB9D7E26 AA59C44D 78DB8323 48ED4FC6

F2C6378D 37EC9797 D82E174D 2B87AB1B DF995939 266AD0DE 8BA4B463 A283D847

7526D922 FB285D67 B77034


certificate ca 01

3082020D 30820176 A0030201 02020101 300D0609 2A864886 F70D0101 04050030

1A310B30 09060355 040B1302 5232310B 30090603 55040313 02434130 1E170D31

36303630 37313630 3335385A 170D3139 30363037 31363033 35385A30 1A310B30

09060355 040B1302 5232310B 30090603 55040313 02434130 819F300D 06092A86

4886F70D 01010105 0003818D 00308189 02818100 C4015175 CE486DA3 99AD8554

AC5BA46D 924F2C74 26EE0E2D F30CC942 5EEDCC9A FD3EAD74 30B31532 C93C4FE7

B9921000 FD728710 31CFCBF6 24A2CA80 5496AA96 3EAFE907 CEC03FB2 8DFD7B28

86EA0D5E F9AB6BE6 A4432715 E23A120E 7ABFCDD1 F5D21F46 D198627D 333AC053

7C6251F3 8046B4C5 50C439F9 E5F9FB4D B90B07AB 02030100 01A36330 61300F06

03551D13 0101FF04 05300301 01FF300E 0603551D 0F0101FF 04040302 0186301F

0603551D 23041830 168014B8 F93E1EC1 3CC16261 C112AC8B 9C16FA06 DA6D8030

1D060355 1D0E0416 0414B8F9 3E1EC13C C16261C1 12AC8B9C 16FA06DA 6D80300D

06092A86 4886F70D 01010405 00038181 0021D303 730EA573 D5ED8AA9 FE4A4BF4

F2D27F12 79233749 7B32753C FC6D25D5 F5A65E4C 239D8996 A6CF1508 35FFC794

17D32BAF B9E11532 35A4EB95 448F312C A0A4E414 681F1E6A 9BC2A966 8F530A42

ABA143A0 A23A4AC6 87CDAA6D 82046CB9 7B5D0798 59A0BF45 1D1229C7 5CC1A366

C5D8C47E 45FADE92 3E58E70D 6FB72120 35



crypto isakmp policy 10

encr 3des

group 2



aaa new-model

aaa authentication login USER_AUTHEN local

aaa authorization network USER_AUTHOR local



ip local pool EZ_POOL


ip access-list standard EZ_ACL



crypto isakmp client configuration group EZ_GROUP

pool EZ_POOL

acl EZ_ACL

crypto isakmp profile IKEv1_PRO

match identity group EZ_GROUP

client authentication list USER_AUTHEN

isakmp authorization list USER_AUTHOR

virtual-template 1

crypto ipsec transform-set EZ_SET esp-3des esp-sha-hmac

crypto ipsec profile EZ_PRO

set transform-set EZ_SET

set isakmp-profile IKEv1_PRO



interface Virtual-Template1 type tunnel

ip unnumbered FastEthernet0/0

tunnel source FastEthernet0/0

tunnel mode ipsec ipv4

tunnel protection ipsec profile EZ_PRO



VPN Client config


Hidden Content

    Give reaction to this post to see the hidden content.




And this is debug error I got.


.Jun 7 16:40:01.759: ISAKMP:(0):Hash algorithm offered does not match policy!

.Jun 7 16:40:01.759: ISAKMP:(0):atts are not acceptable. Next payload is 3

.Jun 7 16:40:02.223: ISAKMP:(1017):Profile has no keyring, aborting key search

.Jun 7 16:40:02.695: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.

Hidden Content

    Give reaction to this post to see the hidden content.

Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Sign in to follow this  

  • Create New...