IKE Aggressive mode vulnerability

Similar Messages

• Pre-shared Key Off-line Bruteforcing Using IKE Aggressive Mode

  Hi, I have 10 site-to-site VPN's, they consist of Cisco 837's and 877's. I run a security scan (Qualys vulnerability scanning) against the public IP of the routers and half of them come back with the vulnerability below. They are all using the latest IOS and all connect to a Cisco Concentrator.
  Here is the vulnerability, that means nothing to me, is it anything to worry about, all pre-shared keys are 8 characters or more and have letters, numbers, and symbols and capital letters:
  Pre-shared Key Off-line Bruteforcing Using IKE Aggressive Mode
  THREAT:
  IKE is used during Phase 1 and Phase 2 of establishing an IPSec connection. Phase 1 is where the two ISAKMP peers establish a secure, authenticated channel with which to communicate. Every participant in IKE must possess a key which may be either pre-shared (PSK) or a public key. There are inherent risks to configurations that use pre-shared keys which are exaggerated when Aggressive Mode is used.
  IMPACT:
  Using Aggressive Mode with pre-shared keys is the least secure option. In this particular scenario, it is possible for an attacker to gather all necessary information in order to mount an off-line dictionary (brute force) attack on the pre-shared keys. For more information about this type of attack, visit http://www.ima.umn.edu/~pliam/xauth/.
  SOLUTION:
  IKE Aggressive mode with pre-shared keys should be avoided where possible. Otherwise a strong pre-shared key should be chosen.
  Note that this attack method has been known and discussed within the IETF IPSec Working Group. The risk was considered as acceptable. For more information on this, visit http://www.vpnc.org/ietf-ipsec/99.ipsec/thrd2.html#01451.

  The description of the vulnerability specifies IKE aggressive mode. So my first question would be whether you are using IKE in aggressive mode or in main mode? In my experience most router based site to site VPN use main mode (though aggressive mode is an option) while many Remote Access VPN use aggressive mode. So which mode are you using?
  The second part of my response goes back to what I said in my earlier response. What kind of key are you using? How long is it and how strong is it? When you think about it any time we authenticate using shared keys there is some degree of vulnerability to brute force attack. The longer the key and the stronger the key the more you have mitigated the risk.
  HTH
  Rick

• IKE Aggressive Mode on VPN3K

  Hi,
  I have VPN 3005 with 4.7.2 OS (latest one to date). I am looking to disable Aggressive Mode processing (stick to Main Mode only) for Remove VPN clients. Please note, Remote VPN clients and NOT LAN-to-LAN connections.
  So far I cannot see how this can be done.
  TAC engineer is not coming up with good answers as well.
  Anyhow has an idea?
  Thanks!
  David

  I don't think you can make Remote Access VPN on
  the Concentrator work with Main mode, unless
  you decide to use Certificate instead of
  pre-shared key:
  "The Cisco VPN client uses aggressive mode if preshared keys are used and uses main mode when public key infrastructure (PKI) is used during Phase 1 of the tunnel negotiations. After bringing up the Internet Security Association and Key Management Protocol Security Association (ISAKMP SA) for secure communication, the Cisco VPN 3000 concentrator prompts the user to specify the user credentials. In this phase, also known as X-Auth or extended authentication, the VPN 3000 concentrator validates the user against the configured authentication database. If the user authentication is successful, the Cisco concentrator sends a successful authentication message back to the client. After X-Auth, the Cisco VPN client requests configuration parameters such as the assigned IP address, the Domain Name System (DNS) server's IP address, and the Windows Internet Naming Service (WINS) server's IP address. During this phase, known as mode-config, the VPN 3000 concentrator sends the configured parameters back to the client. The final step for a successful VPN tunnel is the negotiation of Phase 2 parameters"

• Aggressive Mode IKE

  We used to use IPSEC VPN, but now use Anyconnect SSL VPN. We have a third party scan our firewall externally, and they are recommending that we disable Aggressive Mode IKE. Is this only used for IPSec VPN's? Is it safe to remove this from our configuration on our ASA 5505?
  crypto isakmp identity address
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  Thank You.

  Hi Bill,
  The aggresive mode (3 pkt exchange) is only used for the IPsec remote access. The site to site VPN uses main mode (6 pkt exchange). If you do not have any site to site VPN you can disable these commands however if you do have site to site VPN then removing these will break them.
  There is nothing called aggressive mode in Anyconnect. Anyconnect uses a totally different protocol called SSL (TCP/UDP port 443).
  Hope this answers your question.
  Thanks,
  Vishnu Sharma

• Aggressive Mode and Encryption

  Hi Everyone.
  I read below
  Aggressive mode does not give identity protection of the two IKE peers, unless digital certificates are used. This means VPN peers exchange their identities without encryption (clear text). It is not as secure as main mode.
  Currently we have setup RA VPN without digital certs sp does it mean that pre shared keys which are exchanged between client and ASA are
  clear text without any encryption.?
  Regards
  MAhesh

  Mahesh,
  RFC answers those questions
  start with
  http://tools.ietf.org/html/rfc2409
  Just to make a simple quote (a bit out of context, but here goes)
     While the last roundtrip of Main Mode (and optionally the last
     message of Aggressive Mode) is encrypted it is not, strictly
     speaking, authenticated.
  To encrypt you need to agree on a key. have a look at aggresive mode exchange :-)
  M.

• Aggressive mode PSK hash attack

  Hello All,
  I am wondering if Aggressive Mode PSK hash attack can be applied to Main Mode negotiation while using wildacrd crypto IKE  like:
  crypto isakmp key xxxxx address 0.0.0.0 0.0.0.0?
  I know that using ike-scan tool there is a possibility of obtaining hashed PSK from remote peer while using aggressive mode for IKE, so wondering if the same applies for wildcard PSK, but using Main Mode.
  Thanks!

  To exchange Identities (i.e. perform authnetication) you would need to have already SKEYID calculated, which requires PSK, and DH exchange.
  Thus you cannot properly protect MM5 or MM6, if you had wrong PSK. Those are the only moments AFAIR where PSK is being used in exchange.
  The weakness of using one wildcard PSK is that once it's compromised entire domain is at risk.
  I don't see any practical means of getting PSK from MM exchange.

• How to verify ISAKMP Aggressive mode using show command only?

  How to verify ISAKMP Aggressive mode using show command only?

  Ah OK, my mistake. I was thinking ASA - I believe you are using an IOS-based VPN.
  The state after establishment should be "QM Idle" (quick mode) - whether the Phase 1 was MM or AM.
  I think you'll only see the AM in the debugs (like you have) or if you watch the output of the "show cry isa sa" command during establishment of the Phase 1 SA. If you're quick, you may see it cycle through as shown in this reference:
  http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s3.html#wp5743341910

• Phase I Main Mode Vs. Aggressive Mode

  Hi,
  I have a quick question; if I have site-to-site VPN and one side is configured for Phase I Main Mode and the other is configured for Aggressive mode, will the VPN work?
  Regards,
  Haitham

  Hi Haitham
  AFAIK no it should not work because aggresive mode uses just 3 packets in the exchange and main mode uses 6 packets so the information contained in the exchanges between the two peers would not match.
  HTH
  Jon

• Disable aggressive mode

  We wanted to know if there is a way to disable “Aggressive mode” on the VPN concentrator.
  For example, on the ASA, we can do it using the command “isakmp am-disable”
  On a router we can do it using the command “crypto isakmp aggressive-mode disable”.
  Is there a similar command on the VPN concentrator ?
  Your help is appriciated.

  Fadi,
  Are you using Pre-Shared Keys or Certificates for Authentication. Please refer the below link for information on VPN Client AM and MM.
  http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_data_sheet090
  0aecd801a9de9.html
  Aggressive Mode is the default and the only mode available for Pre-shared key and Main Mode is only available for the Cert authentication.
  So, it is my understanding that it is not possible for VPN clients to use main mode to authenticate to the VPN3000 with pre-shared keys.
  Regards,
  Arul
  *Pls rate if it helps*

• VPN Aggressive Mode

                     I have a 5510 ASA with  one site to site vpn and about 200 users on vpn client.  I was curious if I remove Aggressive Mode or disable it. How will that effect the site to site and vpn clients? Will there be an outage by disabling? To my understanding the only thing i need to do on the firewall is add the crypto isakmp am-disable command. Do I need to reconfigure anything else or just disable aggressive mode? How will the change affect the end-users or network? Do I need to edit the PCF file on the client?
  ASA Software
  Device Manager Version 6.2(5) Cisco Adaptive Security Appliance Software Version 8.0(5)
  VPN Client
  5.0.0.7.0290

  You can disable the Aggressive mode for L2L tunnel however if you disable aggresive mode in Dynamic map as well then all VPN clients will fails since remote user can connect only in Aggressive mode only unless client is using Certificate based authentication. This is as per design.
  Hope this helps.
  Regards,
  Anuj

• IKE Main Mode Configuration

  Hi
  I have a client that i set up an IPSec VPN for remote access, but it seems their IPS is blocking me. The reason they gave was the IPS doesn't like the IKE agressive mode that we're using, and instead of opening a potential security risk, they've requested i switch to Main Mode. After looking around on google results, i havent found much of anything config wise for Main Mode except the command isakmp am-disable, which ends up killing the IPSec VPN.
  The ASA is running 8.4.5
  Any help is appreciated.
  -Steve

  I ended up dropping the IP Sec remote access VPN in favor of an SSL VPN.

• Recommendation of UDLD aggressive mode on the Basic VSS.

                    Hello
  I would like to confirm the following informatino below.
  http://www.cisco.com/en/US/docs/solutions/Enterprise/Campus/Borderless_Campus_Network_1.0/Borderless_Campus_1.0_Design_Guide.pdf
  (omit)
  It is recommended to avoid implementing UDLD in aggressive mode as well as fast UDLD on the Cisco
  Catalyst switches deployed with redundant supervisor modules.
  According to this information, I think the UDLD mode above is not reconmeded the redundant SUP in one chassis.
  However how about using Basic-VSS (not Quad-VSS) ? Is it also recomended to avoid UDLD aggressive mode and Fast UDLD?
  Best Regards,
  Masanobu Hiyoshi

  VPN clients ONLY use aggressive mode. That's
  just the way it is. If you want to use Main
  Mode in remote access clients, use other
  vendors besides Cisco

• Qualys Vulnerability Scanner

  Hi Cisco Experts,
  Good day! We preparing to implement the Qualy Vulnerability Scanner to our VoIP network. However, we need to verify what Cisco UC devices are supported. The currently UC devices installed on our VoIP network are Cisco IP phones, Routers (2821/2811/2921) and Cisco Unified Communication Manager (CUCM).
  Thank you.
  Best regards,
  RJ

  The description of the vulnerability specifies IKE aggressive mode. So my first question would be whether you are using IKE in aggressive mode or in main mode? In my experience most router based site to site VPN use main mode (though aggressive mode is an option) while many Remote Access VPN use aggressive mode. So which mode are you using?
  The second part of my response goes back to what I said in my earlier response. What kind of key are you using? How long is it and how strong is it? When you think about it any time we authenticate using shared keys there is some degree of vulnerability to brute force attack. The longer the key and the stronger the key the more you have mitigated the risk.
  HTH
  Rick

• Pre shared keys used in IKE Phase 1

  Hi Everyone,
  Need to confirm if we can use the Pre shared keys in Aggressive mode and also in Main mode during IKE Phase1
  Regards
  MAhesh

  The pre-shared key is used in both modes of IKE Phase I. With pre-shared keys, the same pre-shared key is configured on each IPSec peer. IKE peers authenticate each other by computing and sending a keyed hash of data that includes the pre-shared key.

• 881 VPN fails after 24hrs/IKE key lifetime

  Hi all,
  This is my first post on the support forms and I only just got my CCNA, so please bear with me and don't shoot me if I pose a slightly newbish perspective on things. Thanks in advance.       
  We've got a central office (actually quite small) where several IPSec connections connect to. Two of these connections are Cisco 881 routers. One of them works fine, the other craps out after 24 hours (coincidentally also the IKE key lifetime). When I mean "craps out", it means the VPN worked fine from the get go, until 24 hours later. Only a reload will bring back the VPN tunnel. I've verified my PFS and DPD configurations are solid, because these kind of symptoms would most likely occur when these configurations aren't in order.
  The two 881 configurations are quite similar. The only differences between the two are some details in the PPPoE configurations and (quite obviously) the IP address space for the two sites. Both operate on the premise of a point to point connection (no multipoint stuff going on here).
  I have examined all I can. It took me two weeks to make sure I exhausted all my options before I post my issue here.
  Here is a brief list of things I've done.
  - Checked configuration of central router (which is a Mikrotik RB800 btw)
  - Verified that the central router is not the cause of the VPN not coming back. Rebooted it as a last resort; VPN stays down. Rebooted 881, VPN comes back.
  - I've downgraded the 881 firmware image from version 152.4.M2 to 151.4.M4 (the succesful 881 was running the 151.4.M4 image, and I found some Ipsec issues in the caveat for version 152.4.M2), but to no avail.
  - I've tried to clear several crypto components hoping to restore key exchanging, also to no avail. Only a reload will suffice.
  I've included the 881's config:
  Building configuration...Current configuration : 7795 bytes
  ! Last configuration change at 15:37:50 Paris Tue May 28 2013 by admin
  version 15.1
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname <<removed>>
  boot-start-marker
  boot system flash c880data-universalk9-mz.151-4.M4.bin
  boot-end-marker
  logging buffered 102400
  enable secret 4 <<removed>>
  no aaa new-model
  memory-size iomem 10
  clock timezone Paris 1 0
  clock summer-time Paris date Mar 30 2003 2:00 Oct 26 2003 3:00
  crypto pki token default removal timeout 0
  !no ip source-route
  ip dhcp excluded-address 192.168.4.1 192.168.4.9
  ip dhcp excluded-address 192.168.4.199 192.168.4.254
  ip dhcp pool Main
  network 192.168.4.0 255.255.255.0
  dns-server 192.168.4.250 8.8.4.4
  default-router 192.168.4.250
  lease infinite
  ip cef
  ip domain lookup source-interface Dialer1
  ip domain name <<removed>>
  ip name-server 8.8.4.4
  ip name-server 192.168.58.199
  no ipv6 cef
  password encryption aes!
  object-group network SUBNET_DUITSLAND
  description Hele subnet IC Duitsland
  192.168.4.0 255.255.255.0
  object-group network SUBNET_IC_ARNHEM
  description Hele subnet IC Arnhem
  192.168.58.0 255.255.255.0
  object-group network WAN_IC_ARNHEM
  description Het WAN IP adres van IC Arnhem
  host <<removed>>
  vtp mode transparent
  username <<removed>> privilege 15 view root secret 4 <<removed>>
  class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
  match access-group 102
  class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
  match access-group 105
  class-map type inspect match-all ccp-cls--1
  match access-group name Outgoing
  class-map type inspect match-all ccp-cls--2
  match access-group name Incoming
  policy-map type inspect ccp-policy-ccp-cls--1
  class type inspect ccp-cls--1
    pass
  class class-default
    drop
  policy-map type inspect ccp-policy-ccp-cls--2
  class type inspect ccp-cls--2
    pass
  class type inspect sdm-cls-VPNOutsideToInside-1
    inspect
  class type inspect sdm-cls-VPNOutsideToInside-2
    inspect
  class class-default
    drop
  zone security Inside
  zone security Outside
  zone-pair security sdm-zp-Inside-Outside source Inside destination Outside
  service-policy type inspect ccp-policy-ccp-cls--1
  zone-pair security sdm-zp-Outside-Inside source Outside destination Inside
  service-policy type inspect ccp-policy-ccp-cls--2
  crypto logging ezvpn
  crypto isakmp policy 1
  encr aes 256
  authentication pre-share
  group 5
  crypto isakmp key <<removed>> address <<removed>>
  crypto isakmp invalid-spi-recovery
  crypto isakmp keepalive 10 periodic
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec transform-set ESP-AES256-SHA esp-aes esp-sha-hmac
  crypto map SDM_CMAP_1 1 ipsec-isakmp
  description Tunnel to CO
  set peer <<removed>>
  set transform-set ESP-AES256-SHA
  set pfs group5
  match address 104
  interface FastEthernet0
  no ip address
  interface FastEthernet1
  no ip address
  interface FastEthernet2
  no ip address
  interface FastEthernet3
  no ip address
  interface FastEthernet4
  description DeutscheTelekom$ETH-WAN$
  no ip address
  duplex auto
  speed auto
  pppoe-client dial-pool-number 1
  interface Vlan1
  description $FW_INSIDE$
  ip address 192.168.4.250 255.255.255.0
  ip mask-reply
  ip nat inside
  ip virtual-reassembly in
  zone-member security Inside
  ip tcp adjust-mss 1412
  interface Dialer1
  description $FW_OUTSIDE$
  mtu 1492
  ip address negotiated
  ip nat outside
  ip virtual-reassembly in
  zone-member security Outside
  encapsulation ppp
  no ip route-cache
  dialer pool 1
  dialer-group 1
  ppp authentication pap callin
  ppp chap hostname <<removed>>
  ppp chap password 7 <<removed>>
  ppp pap sent-username <<removed>> password 7 <<removed>>
  ppp ipcp dns request
  ppp ipcp address accept
  crypto map SDM_CMAP_1
  ip forward-protocol nd
  no ip http server
  ip http access-class 2
  ip http authentication local
  ip http secure-server
  ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
  ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
  ip access-list extended Incoming
  remark CCP_ACL Category=128
  permit ip any object-group SUBNET_DUITSLAND
  ip access-list extended Outgoing
  remark CCP_ACL Category=128
  permit ip object-group SUBNET_DUITSLAND any
  ip access-list extended SDM_HTTPS
  remark CCP_ACL Category=1
  permit tcp any any eq 443
  ip access-list extended SDM_SHELL
  remark CCP_ACL Category=1
  permit tcp any any eq cmd
  ip access-list extended SDM_SSH
  remark CCP_ACL Category=1
  permit tcp any any eq 22
  no logging trap
  access-list 1 remark CCP_ACL Category=2
  access-list 1 permit 192.168.4.0 0.0.0.255
  access-list 2 permit <<removed>>
  access-list 2 remark Auto generated by SDM Management Access feature
  access-list 2 remark CCP_ACL Category=1
  access-list 2 permit 192.168.4.0 0.0.0.255
  access-list 2 permit 192.168.58.0 0.0.0.255
  access-list 101 remark Auto generated by SDM Management Access feature
  access-list 101 remark CCP_ACL Category=1
  access-list 101 permit ip 192.168.4.0 0.0.0.255 any
  access-list 101 permit ip host <<removed>> any
  access-list 101 permit ip 192.168.58.0 0.0.0.255 any
  access-list 102 remark CCP_ACL Category=0
  access-list 102 permit ip 192.168.58.0 0.0.0.255 192.168.4.0 0.0.0.255
  access-list 103 remark CCP_ACL Category=2
  access-list 103 remark IPSec Rule
  access-list 103 deny   ip 192.168.4.0 0.0.0.255 192.168.58.0 0.0.0.255
  access-list 103 permit ip 192.168.4.0 0.0.0.255 any
  access-list 104 remark CCP_ACL Category=4
  access-list 104 remark IPSec Rule
  access-list 104 permit ip 192.168.4.0 0.0.0.255 192.168.58.0 0.0.0.255
  access-list 105 remark CCP_ACL Category=0
  access-list 105 permit ip 192.168.58.0 0.0.0.255 192.168.4.0 0.0.0.255
  dialer-list 1 protocol ip permit
  route-map SDM_RMAP_1 permit 1
  match ip address 103
  line con 0
  line aux 0
  line vty 0 4
  access-class 101 in
  privilege level 15
  password 7 <<removed>>
  login local
  transport input ssh
  ntp update-calendar
  ntp server de.pool.ntp.org prefer
  end
  Also, I have some ISAKMP debug output (when the VPN fails, I can still reach the router via the internet):
  .May 29 08:31:22.848: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
  .May 29 08:31:28.848: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
  .May 29 08:31:30.016: ISAKMP: set new node 0 to QM_IDLE
  .May 29 08:31:30.016: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local <<remote office WAN IP>>, remote <<central office WAN IP>>)
  .May 29 08:31:30.016: ISAKMP: Error while processing SA request: Failed to initialize SA
  .May 29 08:31:30.016: ISAKMP: Error while processing KMI message 0, error 2.
  .May 29 08:31:30.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
  .May 29 08:31:30.016: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
  .May 29 08:31:30.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
  .May 29 08:31:30.016: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
  .May 29 08:31:30.016: ISAKMP:(0):Sending an IKE IPv4 Packet.
  .May 29 08:31:34.848: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
  .May 29 08:31:40.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
  .May 29 08:31:40.016: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
  .May 29 08:31:40.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
  .May 29 08:31:40.016: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
  .May 29 08:31:40.016: ISAKMP:(0):Sending an IKE IPv4 Packet.
  .May 29 08:31:40.844: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
  .May 29 08:31:46.380: ISAKMP:(0):purging node 297623767
  .May 29 08:31:46.380: ISAKMP:(0):purging node -1266458641
  .May 29 08:31:46.452: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
  .May 29 08:31:49.848: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<<remote office WAN IP>>, prot=50, spi=0xCF8BD5F3(3482047987), srcaddr=<<central office WAN IP>>, input interface=Dialer1
  .May 29 08:31:50.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
  .May 29 08:31:50.016: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
  .May 29 08:31:50.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
  .May 29 08:31:50.016: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
  .May 29 08:31:50.016: ISAKMP:(0):Sending an IKE IPv4 Packet.
  .May 29 08:31:52.845: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
  .May 29 08:31:56.381: ISAKMP:(0):purging SA., sa=874CF15C, delme=874CF15C
  .May 29 08:31:58.849: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
  .May 29 08:32:00.017: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
  .May 29 08:32:00.017: ISAKMP:(0):peer does not do paranoid keepalives..May 29 08:32:00.017: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer <<central office WAN IP>>)
  .May 29 08:32:00.017: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer <<central office WAN IP>>)
  .May 29 08:32:00.017: ISAKMP: Unlocking peer struct 0x874792E0 for isadb_mark_sa_deleted(), count 0
  .May 29 08:32:00.017: ISAKMP: Deleting peer node by peer_reap for <<central office WAN IP>>: 874792E0
  .May 29 08:32:00.017: ISAKMP:(0):deleting node -118750948 error FALSE reason "IKE deleted"
  .May 29 08:32:00.017: ISAKMP:(0):deleting node -1193365643 error FALSE reason "IKE deleted"
  .May 29 08:32:00.017: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
  .May 29 08:32:00.017: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA.May 29 08:32:02.037: ISAKMP:(0): SA request profile is (NULL)
  .May 29 08:32:02.037: ISAKMP: Created a peer struct for <<central office WAN IP>>, peer port 500
  .May 29 08:32:02.037: ISAKMP: New peer created peer = 0x875BF6B8 peer_handle = 0x8000000A
  .May 29 08:32:02.037: ISAKMP: Locking peer struct 0x875BF6B8, refcount 1 for isakmp_initiator
  .May 29 08:32:02.037: ISAKMP: local port 500, remote port 500
  .May 29 08:32:02.037: ISAKMP: set new node 0 to QM_IDLE
  .May 29 08:32:02.037: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 85C6B420
  .May 29 08:32:02.037: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
  .May 29 08:32:02.037: ISAKMP:(0):found peer pre-shared key matching <<central office WAN IP>>
  .May 29 08:32:02.037: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
  .May 29 08:32:02.041: ISAKMP:(0): constructed NAT-T vendor-07 ID
  .May 29 08:32:02.041: ISAKMP:(0): constructed NAT-T vendor-03 ID
  .May 29 08:32:02.041: ISAKMP:(0): constructed NAT-T vendor-02 ID
  .May 29 08:32:02.041: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
  .May 29 08:32:02.041: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1.May 29 08:32:02.041: ISAKMP:(0): beginning Main Mode exchange
  .May 29 08:32:02.041: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
  .May 29 08:32:02.041: ISAKMP:(0):Sending an IKE IPv4 Packet.
  .May 29 08:32:04.849: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
  .May 29 08:32:10.845: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
  .May 29 08:32:12.041: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
  .May 29 08:32:12.041: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
  .May 29 08:32:12.041: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
  .May 29 08:32:12.041: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
  .May 29 08:32:12.041: ISAKMP:(0):Sending an IKE IPv4 Packet.
  .May 29 08:32:16.845: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
  .May 29 08:32:22.041: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
  .May 29 08:32:22.041: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
  .May 29 08:32:22.041: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
  .May 29 08:32:22.041: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
  .May 29 08:32:22.041: ISAKMP:(0):Sending an IKE IPv4 Packet.
  .May 29 08:32:22.449: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
  .May 29 08:32:28.846: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
  .May 29 08:32:32.038: ISAKMP: set new node 0 to QM_IDLE
  .May 29 08:32:32.038: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local <<remote office WAN IP>>, remote <<central office WAN IP>>)
  .May 29 08:32:32.038: ISAKMP: Error while processing SA request: Failed to initialize SA
  .May 29 08:32:32.038: ISAKMP: Error while processing KMI message 0, error 2.
  .May 29 08:32:32.042: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
  .May 29 08:32:32.042: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
  .May 29 08:32:32.042: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
  .May 29 08:32:32.042: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
  .May 29 08:32:32.042: ISAKMP:(0):Sending an IKE IPv4 Packet.
  .May 29 08:32:34.846: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
  .May 29 08:32:40.846: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
  .May 29 08:32:42.042: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
  .May 29 08:32:42.042: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
  .May 29 08:32:42.042: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
  .May 29 08:32:42.042: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
  .May 29 08:32:42.042: ISAKMP:(0):Sending an IKE IPv4 Packet.
  .May 29 08:32:46.846: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
  .May 29 08:32:50.018: ISAKMP:(0):purging node -118750948
  .May 29 08:32:50.018: ISAKMP:(0):purging node -1193365643
  .May 29 08:32:51.346: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<<remote office WAN IP>>, prot=50, spi=0xCF8BD5F3(3482047987), srcaddr=<<central office WAN IP>>, input interface=Dialer1
  .May 29 08:32:52.042: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
  .May 29 08:32:52.042: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
  .May 29 08:32:52.042: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
  .May 29 08:32:52.042: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
  .May 29 08:32:52.042: ISAKMP:(0):Sending an IKE IPv4 Packet.
  .May 29 08:32:52.846: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
  .May 29 08:32:58.847: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
  .May 29 08:33:00.019: ISAKMP:(0):purging SA., sa=875BE8B8, delme=875BE8B8
  .May 29 08:33:02.043: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
  .May 29 08:33:02.043: ISAKMP:(0):peer does not do paranoid keepalives..May 29 08:33:02.043: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer <<central office WAN IP>>)
  .May 29 08:33:02.043: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer <<central office WAN IP>>)
  .May 29 08:33:02.043: ISAKMP: Unlocking peer struct 0x875BF6B8 for isadb_mark_sa_deleted(), count 0
  .May 29 08:33:02.043: ISAKMP: Deleting peer node by peer_reap for <<central office WAN IP>>: 875BF6B8
  .May 29 08:33:02.043: ISAKMP:(0):deleting node 1839947115 error FALSE reason "IKE deleted"
  .May 29 08:33:02.043: ISAKMP:(0):deleting node -1221586275 error FALSE reason "IKE deleted"
  .May 29 08:33:02.043: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
  .May 29 08:33:02.043: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA.May 29 08:33:02.455: ISAKMP:(0): SA request profile is (NULL)
  .May 29 08:33:02.455: ISAKMP: Created a peer struct for <<central office WAN IP>>, peer port 500
  .May 29 08:33:02.455: ISAKMP: New peer created peer = 0x874792E0 peer_handle = 0x8000000B
  .May 29 08:33:02.455: ISAKMP: Locking peer struct 0x874792E0, refcount 1 for isakmp_initiator
  .May 29 08:33:02.455: ISAKMP: local port 500, remote port 500
  .May 29 08:33:02.455: ISAKMP: set new node 0 to QM_IDLE
  .May 29 08:33:02.455: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 87060E68
  .May 29 08:33:02.455: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
  .May 29 08:33:02.455: ISAKMP:(0):found peer pre-shared key matching <<central office WAN IP>>
  .May 29 08:33:02.455: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
  .May 29 08:33:02.455: ISAKMP:(0): constructed NAT-T vendor-07 ID
  .May 29 08:33:02.455: ISAKMP:(0): constructed NAT-T vendor-03 ID
  .May 29 08:33:02.455: ISAKMP:(0): constructed NAT-T vendor-02 ID
  .May 29 08:33:02.455: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
  .May 29 08:33:02.455: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1.May 29 08:33:02.455: ISAKMP:(0): beginning Main Mode exchange
  .May 29 08:33:02.455: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
  .May 29 08:33:02.455: ISAKMP:(0):Sending an IKE IPv4 Packet.
  .May 29 08:33:04.847: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>ndebug crypto isakmp
  .May 29 08:33:10.847: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>o debug crypto isakmp
  Crypto ISAKMP debugging is off
  IC-Deutschland#
  .May 29 08:33:12.455: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
  .May 29 08:33:12.455: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
  .May 29 08:33:12.455: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
  .May 29 08:33:12.455: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
  .May 29 08:33:12.455: ISAKMP:(0):Sending an IKE IPv4 Packet.
  Can anyone shed some light as what could be going on?
  Much obliged!

  Unfortunately I do not have a support contract for our hardware. I wouldn't even know how to get one.
  However, we do pay top dollar for the equipment and it seems one it's components doesn't work as advertised. So if no support is given I will have to try warrenty instead. This does mean I have to replace the unit with a competitor brand which isn't something I'm keen to do because I want to use Cisco as our main brand. This issue effectively nukes my entire plan.
  Given our work load, CPU power isn't an issue. The encryption level is set to this level because I'm paranoid. Which I reckon is a good thing when it comes to network security (correct me if I'm wrong). Do you suspect these settings could be of any influence in this particular case?
  If I remember correctly I used the "debug crypto isakmp" or "debug crypto isakmp errors" and "debug crypto ipsec" (also perhaps with the "error" suffix), I'm not sure.