Site to Site VPN Setup: Error processing payload: Payload ID: 1

Similar Messages

• Site to site VPN RV215W and SRP521: malformed ISAKMP Hash Payload

  Hi
  I have been struggeling with this problem for one week and tried all configuration (except the right one)
  I have Two Cisco (one RV215W and one SRP521)
  the SRP521 was used as client - server configuration and works fine
  I wanted to move into a site to site config behind an internet box (using NAT to make things more complex)
  On Site G
   (LAN)192.168.25.0/24  ===  192.168.25.1(CISCO RV215X)192.168.10.161   192.168.10.1(xDSL) 88.B.C.D (where 88.B.C.D is my public adress on site G
  On Site R
   (LAN)192.168.15.0/24  ===  192.168.15.1(CISCO SRP521)192.168.1.2   192.168.1.1(xDSL) 41.F.G.H (where 41.F.G.H is my public adress on site R
   So I have NAT (So I have activated NAT traveral on both side)
   On the RV215W (Site G)
   IKE Policy Table
   Mode:main
   Local identifier : 192.168.10.161
   Remote identifier 192.168.1.2
   AES128/SHA1
   DH Group2
   xauth disabled
   VPN policy table
   Type:autopolicy
   remote endpoint 41.F.G.H
   Local 192.168.25.1/255.255.255.0
   remote 192.168.15.1/255.255.255.0
   AES128/SHA1
   PFS Keygroup: disable
   On site R (SRP521W)
   IKE
   Policy Name    gnt
  Exchange Mode    Main
  Encryption Algorithm    AES128
  Authentication Algorithm    SHA-1
  Diffie-Hellman (DH) Group    Group 2 (1024 bit)
  Auto Pre-Shared Key    XXXXXXXXXX
  Enable Dead Peer Detection    Enable
  DPD Interval    3600
  DPD Timeout    3600
  XAUTH client     Disable
  IP Sec
  Status    Enable
  Policy Name    rabat
  Local Group Type    IP Address & Subnet
  Local Group IP Address    192.168.15.1
  Local Group IP Subnet    255.255.255.0
  Remote Endpoint    IP Address
  Remote security gateway address    192.168.10.161
  Remote security domain name    
  Remote group type    IP Address & Subnet
  Remote group IP    192.168.25.1
  Remote group Subnet Mask    255.255.255.0
  Encrypted algorithm    3DES
  Integrity algorithm    SHA-1
  Police type    Auto
  Manual encryption key    
  Manual auth key    
  Inbound SPI    
  Outbound SPI    
  PFS    Disable
  Key life time    7800
  Now using IKE police    gnt
  This are the logs
  6    2014-04-02 0:08:05 AM    debug    pluto[22201]: "rabat" #2: sending notification PAYLOAD_MALFORMED to 41.F.G.H:4500    
  7    2014-04-02 0:08:05 AM    debug    pluto[22201]: | 46 5f b1 08 95 86 af 15 b4 06 f9 a4 5a f6 d8 ad    
  8    2014-04-02 0:08:05 AM    debug    pluto[22201]: | payload malformed after IV    
  9    2014-04-02 0:08:05 AM    info    pluto[22201]: "rabat" #2: malformed payload in packet    
  10    2014-04-02 0:08:05 AM    debug    pluto[22201]: "rabat" #2: malformed payload in packet    
  11    2014-04-02 0:08:05 AM    debug    pluto[22201]: "rabat" #2: byte 2 of ISAKMP Hash Payload must be zero, but is not    
  12    2014-04-02 0:08:05 AM    debug    pluto[22201]: "rabat" #2: Dead Peer Detection (RFC 3706): enabled    
  13    2014-04-02 0:08:05 AM    debug    pluto[22201]: "rabat" #2: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}    
  14    2014-04-02 0:08:05 AM    debug    pluto[22201]: "rabat" #2: new NAT mapping for #2, was 41.F.G.H:500, now 41.F.G.H:4500    
  15    2014-04-02 0:08:05 AM    debug    pluto[22201]: "rabat" #2: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3    
  16    2014-04-02 0:08:05 AM    debug    pluto[22201]: "rabat" #2: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.2'    
  17    2014-04-02 0:08:05 AM    debug    pluto[22201]: "rabat" #2: STATE_MAIN_R2: sent MR2, expecting MI3    
  18    2014-04-02 0:08:05 AM    debug    pluto[22201]: "rabat" #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2    
  19    2014-04-02 0:08:05 AM    debug    pluto[22201]: "rabat" #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed    
  20    2014-04-02 0:08:04 AM    debug    pluto[22201]: "rabat" #2: STATE_MAIN_R1: sent MR1, expecting MI2    
  21    2014-04-02 0:08:04 AM    debug    pluto[22201]: "rabat" #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1    
  22    2014-04-02 0:08:04 AM    debug    pluto[22201]: "rabat" #2: responding to Main Mode    
  23    2014-04-02 0:08:04 AM    debug    pluto[22201]: packet from 41.F.G.H:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]    
  24    2014-04-02 0:08:04 AM    debug    pluto[22201]: packet from 41.F.G.H:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109    
  25    2014-04-02 0:08:04 AM    debug    pluto[22201]: packet from 41.F.G.H:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109    
  26    2014-04-02 0:08:04 AM    debug    pluto[22201]: packet from 41.F.G.H:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109    
  27    2014-04-02 0:08:04 AM    debug    pluto[22201]: packet from 41.F.G.H:500: received Vendor ID payload [RFC 3947] method set to=109     
  28    2014-04-02 0:08:04 AM    debug    pluto[22201]: packet from 41.F.G.H:500: received Vendor ID payload [Dead Peer Detection]    
  29    2014-04-02 0:08:04 AM    debug    pluto[22201]: packet from 41.F.G.H:500: ignoring unknown Vendor ID payload [4f4543714271574c644b7a41]
  I guess that the error is byte 2 of ISAKMP Hash Payload must be zero, but is not    
  I could not find any real hint on the internet/forums about this error

  Hi
  I have been struggeling with this problem for one week and tried all configuration (except the right one)
  I have Two Cisco (one RV215W and one SRP521)
  the SRP521 was used as client - server configuration and works fine
  I wanted to move into a site to site config behind an internet box (using NAT to make things more complex)
  On Site G
   (LAN)192.168.25.0/24  ===  192.168.25.1(CISCO RV215X)192.168.10.161   192.168.10.1(xDSL) 88.B.C.D (where 88.B.C.D is my public adress on site G
  On Site R
   (LAN)192.168.15.0/24  ===  192.168.15.1(CISCO SRP521)192.168.1.2   192.168.1.1(xDSL) 41.F.G.H (where 41.F.G.H is my public adress on site R
   So I have NAT (So I have activated NAT traveral on both side)
   On the RV215W (Site G)
   IKE Policy Table
   Mode:main
   Local identifier : 192.168.10.161
   Remote identifier 192.168.1.2
   AES128/SHA1
   DH Group2
   xauth disabled
   VPN policy table
   Type:autopolicy
   remote endpoint 41.F.G.H
   Local 192.168.25.1/255.255.255.0
   remote 192.168.15.1/255.255.255.0
   AES128/SHA1
   PFS Keygroup: disable
   On site R (SRP521W)
   IKE
   Policy Name    gnt
  Exchange Mode    Main
  Encryption Algorithm    AES128
  Authentication Algorithm    SHA-1
  Diffie-Hellman (DH) Group    Group 2 (1024 bit)
  Auto Pre-Shared Key    XXXXXXXXXX
  Enable Dead Peer Detection    Enable
  DPD Interval    3600
  DPD Timeout    3600
  XAUTH client     Disable
  IP Sec
  Status    Enable
  Policy Name    rabat
  Local Group Type    IP Address & Subnet
  Local Group IP Address    192.168.15.1
  Local Group IP Subnet    255.255.255.0
  Remote Endpoint    IP Address
  Remote security gateway address    192.168.10.161
  Remote security domain name    
  Remote group type    IP Address & Subnet
  Remote group IP    192.168.25.1
  Remote group Subnet Mask    255.255.255.0
  Encrypted algorithm    3DES
  Integrity algorithm    SHA-1
  Police type    Auto
  Manual encryption key    
  Manual auth key    
  Inbound SPI    
  Outbound SPI    
  PFS    Disable
  Key life time    7800
  Now using IKE police    gnt
  This are the logs
  6    2014-04-02 0:08:05 AM    debug    pluto[22201]: "rabat" #2: sending notification PAYLOAD_MALFORMED to 41.F.G.H:4500    
  7    2014-04-02 0:08:05 AM    debug    pluto[22201]: | 46 5f b1 08 95 86 af 15 b4 06 f9 a4 5a f6 d8 ad    
  8    2014-04-02 0:08:05 AM    debug    pluto[22201]: | payload malformed after IV    
  9    2014-04-02 0:08:05 AM    info    pluto[22201]: "rabat" #2: malformed payload in packet    
  10    2014-04-02 0:08:05 AM    debug    pluto[22201]: "rabat" #2: malformed payload in packet    
  11    2014-04-02 0:08:05 AM    debug    pluto[22201]: "rabat" #2: byte 2 of ISAKMP Hash Payload must be zero, but is not    
  12    2014-04-02 0:08:05 AM    debug    pluto[22201]: "rabat" #2: Dead Peer Detection (RFC 3706): enabled    
  13    2014-04-02 0:08:05 AM    debug    pluto[22201]: "rabat" #2: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}    
  14    2014-04-02 0:08:05 AM    debug    pluto[22201]: "rabat" #2: new NAT mapping for #2, was 41.F.G.H:500, now 41.F.G.H:4500    
  15    2014-04-02 0:08:05 AM    debug    pluto[22201]: "rabat" #2: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3    
  16    2014-04-02 0:08:05 AM    debug    pluto[22201]: "rabat" #2: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.2'    
  17    2014-04-02 0:08:05 AM    debug    pluto[22201]: "rabat" #2: STATE_MAIN_R2: sent MR2, expecting MI3    
  18    2014-04-02 0:08:05 AM    debug    pluto[22201]: "rabat" #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2    
  19    2014-04-02 0:08:05 AM    debug    pluto[22201]: "rabat" #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed    
  20    2014-04-02 0:08:04 AM    debug    pluto[22201]: "rabat" #2: STATE_MAIN_R1: sent MR1, expecting MI2    
  21    2014-04-02 0:08:04 AM    debug    pluto[22201]: "rabat" #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1    
  22    2014-04-02 0:08:04 AM    debug    pluto[22201]: "rabat" #2: responding to Main Mode    
  23    2014-04-02 0:08:04 AM    debug    pluto[22201]: packet from 41.F.G.H:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]    
  24    2014-04-02 0:08:04 AM    debug    pluto[22201]: packet from 41.F.G.H:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109    
  25    2014-04-02 0:08:04 AM    debug    pluto[22201]: packet from 41.F.G.H:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109    
  26    2014-04-02 0:08:04 AM    debug    pluto[22201]: packet from 41.F.G.H:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109    
  27    2014-04-02 0:08:04 AM    debug    pluto[22201]: packet from 41.F.G.H:500: received Vendor ID payload [RFC 3947] method set to=109     
  28    2014-04-02 0:08:04 AM    debug    pluto[22201]: packet from 41.F.G.H:500: received Vendor ID payload [Dead Peer Detection]    
  29    2014-04-02 0:08:04 AM    debug    pluto[22201]: packet from 41.F.G.H:500: ignoring unknown Vendor ID payload [4f4543714271574c644b7a41]
  I guess that the error is byte 2 of ISAKMP Hash Payload must be zero, but is not    
  I could not find any real hint on the internet/forums about this error

• Advice with Site-toSite VPN Setup

  Hi all
  I'm needing to set up a site to site VPN specifically for deploying multiple IP phones at a remote site.  I need help selecting the right hardware.
  At my central site with the phone system (Samsung 7100) I have an ADSL connection using a Linksys AG300 dedicated to the phone connection.  At my remote site I currently do not have a device, though have been playing with a DLink dir-130 that refuses to play nice with the AG300.  The remote site connects to the interweb via a router I don't control but will do VPN passthrough.
  My central site is a static IP, but the remote site is not.
  Can anyone suggest the right peace of kit.  The rv042 looks like it may be OK, but I need to be certain.  Note that the devices either end will be the VPN endpoints ie no servers/firewall appliances either end.
  TIA

  Hi Nigel,.
  I will give you some choices and some basic reasons for my selection. There are a lot more routers in the portfolio, but from your posting you seem to intinate you want to check out the  lower priced Cisco Small Business products. 
  1.SR520-FE-K9
  A very very low cost Cisco IOS based router.
  it offers the advantages of Cisco IOS CLI in a low low price
  excellent debugging
  excellent counters
  can be managed by the free utility Cisco Configuration Assistant
  supported by Cisco TAC
  Allows for site to site IPSec VPN tunnels
  There are two  ADSL variants   SR520-ADSL-K9 SR520-ADSLI-K9
  Wireless versions as well..but check datasheet.
  2. RV220W  or RV120W (relatively new)
  Gui only configuration
  provides IPSec tunnel between gateways
  enhanced software  compared to older WRV2XX
  VLAN and trunk support
  PPTP server (with RV220W)
  Gig wan and LAN ports on the RV220w
  supported by Cisco Small Business Support Center
  3. RV042  (refresh of a popular router , newly released Version 3 hardware and new firmware)
  Gui only configuration
  provides IPSec tunnel between gateways
  impoved software
  VLAN and trunk support
  PPTP server as well
  supported by Cisco Small Business Support Center
  Moving up in features and price, you could check out the;
  4. SA500 series ( with newly released version 2 firmware)
  A very capable box offering IPSec tunnels as well as
  termination for SSL client vpn tunnels
  option for IPS, content filtering , trend integration
  But spend some time and really  and check out the dataheets on all these products.
  Also, If you are a cisco partner there is a management GUI  emulator for the RV220W, RV120W, SA500.  It does go too deeply into the configuration as it only is a emulator, but it provides a great insight into how easy these products are to configure via their built in GUI's.
  https://supportforums.cisco.com/community/netpro/small-business/onlinedemos?view=overview%20target=
  regards Dave

• Site to site VPN re-connection issue

  Hi I done site -to -site VPN between two UC 560 and I am able to make call too. Both site I am using DDNS FQDN. Now I am facing these problems,
  1. When ever any of the site gone down , it is taking around 45 minute to get reconnect the VPN. 
  2. With in 2 minute Dialer interface is getting WAN  IP address from service provider and it is updating with Dyndns also. But while checking crypto session details from my local UC I can see the peer address is not changing or showing none.
  please help me to overcome this issue
  I tested by restarting ROUTER-A  UC560
  Please find the status of remote site:
  ROUTER-B#sh crypto isa sa
  IPv4 Crypto ISAKMP SA
  dst             src             state          conn-id status
  2.50.37.13      86.99.72.10     MM_NO_STATE       2004 ACTIVE (deleted)
  ROUTER-B#sh crypto isa saIPv4 Crypto ISAKMP SA
  dst             src             state          conn-id status
  ROUTER-A#sh crypto isa sa
  IPv4 Crypto ISAKMP SA
  dst             src             state          conn-id status
  ROUTER-B#sho crypto session detail
  Crypto session current status
  Code: C - IKE Configuration mode, D - Dead Peer Detection
  K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
  X - IKE Extended Authentication, F - IKE Fragmentation
  Interface: Dialer0
  Session status: UP-NO-IKE
  Peer: 86.99.72.10 port 500 fvrf: (none) ivrf: (none)
        Desc: (none)
        Phase1_id: (none)
    IPSEC FLOW: permit ip 192.168.10.0/255.255.255.0 192.168.50.0/255.255.255.0
          Active SAs: 2, origin: crypto map
          Inbound:  #pkts dec'ed 12452 drop 0 life (KB/Sec) 4477633/1050
          Outbound: #pkts enc'ed 15625 drop 228 life (KB/Sec) 4477628/1050
  ROUTER-A# sho crypto session det
  Crypto session current status
  Code: C - IKE Configuration mode, D - Dead Peer Detection
  K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
  X - IKE Extended Authentication, F - IKE Fragmentation
  Interface: Virtual-Access2
  Session status: DOWN
  Peer:  port 500 fvrf: (none) ivrf: (none)
        Desc: (none)
        Phase1_id: (none)
    IPSEC FLOW: permit ip 192.168.50.0/255.255.255.0 192.168.10.0/255.255.255.0
          Active SAs: 0, origin: crypto map
          Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
          Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
  Interface: Dialer0
  Session status: DOWN
  Peer:  port 500 fvrf: (none) ivrf: (none)
        Desc: (none)
        Phase1_id: (none)
    IPSEC FLOW: permit ip 192.168.50.0/255.255.255.0 192.168.10.0/255.255.255.0
          Active SAs: 0, origin: crypto map
          Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
          Outbound: #pkts enc'ed 0 drop 23 life (KB/Sec) 0/0
  **** Here I can see the peer IP is 86.99.72.10, but address had been changed to  92.98.211.242 in ROUTER-A
  Please see the debug crypto isakpm
  ROUTER-A#debug crypto isakmp
  Crypto ISAKMP debugging is on
  ROUTER-A#terminal monitor
  000103: Aug  6 18:40:48.083: ISAKMP:(0): SA request profile is (NULL)
  000104: Aug  6 18:40:48.083: ISAKMP: Created a peer struct for , peer port 500
  000105: Aug  6 18:40:48.083: ISAKMP: New peer created peer = 0x86682AAC peer_handle = 0x80000031
  000106: Aug  6 18:40:48.083: ISAKMP: Locking peer struct 0x86682AAC, refcount 1 for isakmp_initiator
  000107: Aug  6 18:40:48.083: ISAKMP: local port 500, remote port 500
  000108: Aug  6 18:40:48.083: ISAKMP: set new node 0 to QM_IDLE
  000109: Aug  6 18:40:48.083: ISAKMP:(0):insert sa successfully sa = 8B4EBE04
  000110: Aug  6 18:40:48.083: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
  000111: Aug  6 18:40:48.083: ISAKMP:(0):No pre-shared key with !
  000112: Aug  6 18:40:48.083: ISAKMP:(0): No Cert or pre-shared address key.
  000113: Aug  6 18:40:48.083: ISAKMP:(0): construct_initial_message: Can not start Main mode
  000114: Aug  6 18:40:48.083: ISAKMP: Unlocking peer struct 0x86682AAC for isadb_unlock_peer_delete_sa(), count 0
  000115: Aug  6 18:40:48.083: ISAKMP: Deleting peer node by peer_reap for : 86682AAC
  000116: Aug  6 18:40:48.083: ISAKMP:(0):purging SA., sa=8B4EBE04, delme=8B4EBE04
  000117: Aug  6 18:40:48.083: ISAKMP:(0):purging node 2113438140
  000118: Aug  6 18:40:48.083: ISAKMP: Error while processing SA request: Failed to initialize SA
  000119: Aug  6 18:40:48.083: ISAKMP: Error while processing KMI message 0, error 2.
  000120: Aug  6 18:41:18.083: ISAKMP:(0): SA request profile is (NULL)
  000121: Aug  6 18:41:18.083: ISAKMP: Created a peer struct for , peer port 500
  000122: Aug  6 18:41:18.083: ISAKMP: New peer created peer = 0x8668106C peer_handle = 0x80000032
  000123: Aug  6 18:41:18.083: ISAKMP: Locking peer struct 0x8668106C, refcount 1 for isakmp_initiator
  000124: Aug  6 18:41:18.083: ISAKMP: local port 500, remote port 500
  000125: Aug  6 18:41:18.083: ISAKMP: set new node 0 to QM_IDLE
  000126: Aug  6 18:41:18.083: ISAKMP:(0):insert sa successfully sa = 86685DFC
  000127: Aug  6 18:41:18.083: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
  000128: Aug  6 18:41:18.083: ISAKMP:(0):No pre-shared key with !
  000129: Aug  6 18:41:18.083: ISAKMP:(0): No Cert or pre-shared address key.
  000130: Aug  6 18:41:18.083: ISAKMP:(0): construct_initial_message: Can not start Main mode
  000131: Aug  6 18:41:18.083: ISAKMP: Unlocking peer struct 0x8668106C for isadb_unlock_peer_delete_sa(), count 0
  000132: Aug  6 18:41:18.083: ISAKMP: Deleting peer node by peer_reap for : 8668106C
  000133: Aug  6 18:41:18.083: ISAKMP:(0):purging SA., sa=86685DFC, delme=86685DFC
  000134: Aug  6 18:41:18.083: ISAKMP:(0):purging node 379490091
  000135: Aug  6 18:41:18.083: ISAKMP: Error while processing SA request: Failed to initialize SA
  000136: Aug  6 18:41:18.083: ISAKMP: Error while processing KMI message 0, error 2.
  000137: Aug  6 18:42:48.083: ISAKMP:(0): SA request profile is (NULL)
  000138: Aug  6 18:42:48.083: ISAKMP: Created a peer struct for , peer port 500
  000139: Aug  6 18:42:48.083: ISAKMP: New peer created peer = 0x86691200 peer_handle = 0x80000033
  000140: Aug  6 18:42:48.083: ISAKMP: Locking peer struct 0x86691200, refcount 1for isakmp_initiator
  000141: Aug  6 18:42:48.083: ISAKMP: local port 500, remote port 500
  000142: Aug  6 18:42:48.083: ISAKMP: set new node 0 to QM_IDLE
  000143: Aug  6 18:42:48.083: ISAKMP:(0):insert sa successfully sa = 866E1758
  000144: Aug  6 18:42:48.083: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
  000145: Aug  6 18:42:48.083: ISAKMP:(0):No pre-shared key with !
  000146: Aug  6 18:42:48.083: ISAKMP:(0): No Cert or pre-shared address key.
  000147: Aug  6 18:42:48.083: ISAKMP:(0): construct_initial_message: Can not start Main mode
  000148: Aug  6 18:42:48.083: ISAKMP: Unlocking peer struct 0x86691200 for isadb_unlock_peer_delete_sa(), count 0
  000149: Aug  6 18:42:48.083: ISAKMP: Deleting peer node by peer_reap for : 86691200
  000150: Aug  6 18:42:48.083: ISAKMP:(0):purging SA., sa=866E1758, delme=866E1758
  000151: Aug  6 18:42:48.083: ISAKMP:(0):purging node -309783810
  000152: Aug  6 18:42:48.083: ISAKMP: Error while processing SA request: Failed to initialize SA
  000153: Aug  6 18:42:48.083: ISAKMP: Error while processing KMI message 0, error 2.
  000154: Aug  6 18:43:18.083: ISAKMP:(0): SA request profile is (NULL)
  000155: Aug  6 18:43:18.083: ISAKMP: Created a peer struct for , peer port 500
  000156: Aug  6 18:43:18.083: ISAKMP: New peer created peer = 0x8668106C peer_handle = 0x80000034
  000157: Aug  6 18:43:18.083: ISAKMP: Locking peer struct 0x8668106C, refcount 1 for isakmp_initiator
  000158: Aug  6 18:43:18.083: ISAKMP: local port 500, remote port 500
  000159: Aug  6 18:43:18.083: ISAKMP: set new node 0 to QM_IDLE
  000160: Aug  6 18:43:18.083: ISAKMP:(0):insert sa successfully sa = 8B4AB780
  000161: Aug  6 18:43:18.083: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
  000162: Aug  6 18:43:18.083: ISAKMP:(0):No pre-shared key with !
  000163: Aug  6 18:43:18.083: ISAKMP:(0): No Cert or pre-shared address key.
  000164: Aug  6 18:43:18.083: ISAKMP:(0): construct_initial_message: Can not start Main mode
  000165: Aug  6 18:43:18.083: ISAKMP: Unlocking peer struct 0x8668106C for isadb _unlock_peer_delete_sa(), count 0
  000166: Aug  6 18:43:18.083: ISAKMP: Deleting peer node by peer_reap for : 8668106C
  000167: Aug  6 18:43:18.083: ISAKMP:(0):purging SA., sa=8B4AB780, delme=8B4AB78 0
  000168: Aug  6 18:43:18.083: ISAKMP:(0):purging node 461611358
  000169: Aug  6 18:43:18.083: ISAKMP: Error while processing SA request: Failed to initialize SA
  000170: Aug  6 18:43:18.083: ISAKMP: Error while processing KMI message 0, erro r 2.
  000171: Aug  6 18:44:48.083: ISAKMP:(0): SA request profile is (NULL)
  000172: Aug  6 18:44:48.083: ISAKMP: Created a peer struct for , peer port 500
  000173: Aug  6 18:44:48.083: ISAKMP: New peer created peer = 0x8B4A25C8 peer_handle = 0x80000035
  000174: Aug  6 18:44:48.083: ISAKMP: Locking peer struct 0x8B4A25C8, refcount 1 for isakmp_initiator
  000175: Aug  6 18:44:48.083: ISAKMP: local port 500, remote port 500
  000176: Aug  6 18:44:48.083: ISAKMP: set new node 0 to QM_IDLE
  000177: Aug  6 18:44:48.083: ISAKMP:(0):insert sa successfully sa = 8B4EC7E8
  000178: Aug  6 18:44:48.083: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
  000179: Aug  6 18:44:48.083: ISAKMP:(0):No pre-shared key with !
  000180: Aug  6 18:44:48.083: ISAKMP:(0): No Cert or pre-shared address key.
  000181: Aug  6 18:44:48.083: ISAKMP:(0): construct_initial_message: Can not start Main mode
  000182: Aug  6 18:44:48.083: ISAKMP: Unlocking peer struct 0x8B4A25C8 for isadb_unlock_peer_delete_sa(), count 0
  000183: Aug  6 18:44:48.083: ISAKMP: Deleting peer node by peer_reap for : 8B4A25C8
  000184: Aug  6 18:44:48.083: ISAKMP:(0):purging SA., sa=8B4EC7E8, delme=8B4EC7E8
  000185: Aug  6 18:44:48.083: ISAKMP:(0):purging node -1902909277
  000186: Aug  6 18:44:48.083: ISAKMP: Error while processing SA request: Failed to initialize SA
  000187: Aug  6 18:44:48.083: ISAKMP: Error while processing KMI message 0, error 2.
  000188: Aug  6 18:45:18.083: ISAKMP:(0): SA request profile is (NULL)
  000189: Aug  6 18:45:18.083: ISAKMP: Created a peer struct for , peer port 500
  000190: Aug  6 18:45:18.083: ISAKMP: New peer created peer = 0x8668106C peer_handle = 0x80000036
  000191: Aug  6 18:45:18.083: ISAKMP: Locking peer struct 0x8668106C, refcount 1 for isakmp_initiator
  000192: Aug  6 18:45:18.083: ISAKMP: local port 500, remote port 500
  000193: Aug  6 18:45:18.083: ISAKMP: set new node 0 to QM_IDLE
  000194: Aug  6 18:45:18.083: ISAKMP:(0):insert sa successfully sa = 86685DFC
  000195: Aug  6 18:45:18.083: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
  000196: Aug  6 18:45:18.083: ISAKMP:(0):No pre-shared key with !
  000197: Aug  6 18:45:18.083: ISAKMP:(0): No Cert or pre-shared address key.
  000198: Aug  6 18:45:18.083: ISAKMP:(0): construct_initial_message: Can not start Main mode
  000199: Aug  6 18:45:18.083: ISAKMP: Unlocking peer struct 0x8668106C for isadb_unlock_peer_delete_sa(), count 0
  000200: Aug  6 18:45:18.083: ISAKMP: Deleting peer node by peer_reap for : 8668106C
  000201: Aug  6 18:45:18.083: ISAKMP:(0):purging SA., sa=86685DFC, delme=86685DFC
  000202: Aug  6 18:45:18.083: ISAKMP:(0):purging node 1093064733
  000203: Aug  6 18:45:18.083: ISAKMP: Error while processing SA request: Failed to initialize SA
  000204: Aug  6 18:45:18.083: ISAKMP: Error while processing KMI message 0, error 2.
  000205: Aug  6 18:46:48.083: ISAKMP:(0): SA request profile is (NULL)
  000206: Aug  6 18:46:48.083: ISAKMP: Created a peer struct for , peer port 500
  000207: Aug  6 18:46:48.083: ISAKMP: New peer created peer = 0x86682BE0 peer_handle = 0x80000037
  000208: Aug  6 18:46:48.083: ISAKMP: Locking peer struct 0x86682BE0, refcount 1 for isakmp_initiator
  000209: Aug  6 18:46:48.083: ISAKMP: local port 500, remote port 500
  000210: Aug  6 18:46:48.083: ISAKMP: set new node 0 to QM_IDLE
  000211: Aug  6 18:46:48.083: ISAKMP:(0):insert sa successfully sa = 866E1758
  000212: Aug  6 18:46:48.083: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
  000213: Aug  6 18:46:48.083: ISAKMP:(0):No pre-shared key with !
  000214: Aug  6 18:46:48.083: ISAKMP:(0): No Cert or pre-shared address key.
  000215: Aug  6 18:46:48.083: ISAKMP:(0): construct_initial_message: Can not start Main mode
  000216: Aug  6 18:46:48.083: ISAKMP: Unlocking peer struct 0x86682BE0 for isadb_unlock_peer_delete_sa(), count 0
  000217: Aug  6 18:46:48.083: ISAKMP: Deleting peer node by peer_reap for : 86682BE0
  000218: Aug  6 18:46:48.083: ISAKMP:(0):purging SA., sa=866E1758, delme=866E1758
  000219: Aug  6 18:46:48.083: ISAKMP:(0):purging node -1521272284
  000220: Aug  6 18:46:48.083: ISAKMP: Error while processing SA request: Failed to initialize SA
  000221: Aug  6 18:46:48.083: ISAKMP: Error while processing KMI message 0, error 2.
  000222: Aug  6 18:47:03.131: ISAKMP (0): received packet from 2.50.37.13 dport 500 sport 500 Global (N) NEW SA
  000223: Aug  6 18:47:03.131: ISAKMP: Created a peer struct for 2.50.37.13, peer port 500
  000224: Aug  6 18:47:03.131: ISAKMP: New peer created peer = 0x8668106C peer_handle = 0x80000038
  000225: Aug  6 18:47:03.131: ISAKMP: Locking peer struct 0x8668106C, refcount 1 for crypto_isakmp_process_block
  000226: Aug  6 18:47:03.131: ISAKMP: local port 500, remote port 500
  000227: Aug  6 18:47:03.131: ISAKMP:(0):insert sa successfully sa = 8B4C1924
  000228: Aug  6 18:47:03.131: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  000229: Aug  6 18:47:03.131: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
  000230: Aug  6 18:47:03.131: ISAKMP:(0): processing SA payload. message ID = 0
  000231: Aug  6 18:47:03.131: ISAKMP:(0): processing vendor id payload
  000232: Aug  6 18:47:03.131: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
  000233: Aug  6 18:47:03.131: ISAKMP (0): vendor ID is NAT-T RFC 3947
  000234: Aug  6 18:47:03.131: ISAKMP:(0): processing vendor id payload
  000235: Aug  6 18:47:03.131: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
  000236: Aug  6 18:47:03.131: ISAKMP (0): vendor ID is NAT-T v7
  000237: Aug  6 18:47:03.131: ISAKMP:(0): processing vendor id payload
  000238: Aug  6 18:47:03.131: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
  000239: Aug  6 18:47:03.131: ISAKMP:(0): vendor ID is NAT-T v3
  000240: Aug  6 18:47:03.131: ISAKMP:(0): processing vendor id payload
  000241: Aug  6 18:47:03.131: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
  000242: Aug  6 18:47:03.131: ISAKMP:(0): vendor ID is NAT-T v2
  000243: Aug  6 18:47:03.131: ISAKMP:(0):found peer pre-shared key matching 2.50.37.13
  000244: Aug  6 18:47:03.131: ISAKMP:(0): local preshared key found
  000245: Aug  6 18:47:03.131: ISAKMP : Scanning profiles for xauth ... sdm-ike-profile-1
  000246: Aug  6 18:47:03.131: ISAKMP:(0): Authentication by xauth preshared
  000247: Aug  6 18:47:03.131: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
  000248: Aug  6 18:47:03.131: ISAKMP:      encryption 3DES-CBC
  000249: Aug  6 18:47:03.131: ISAKMP:      hash SHA
  000250: Aug  6 18:47:03.131: ISAKMP:      default group 2
  000251: Aug  6 18:47:03.131: ISAKMP:      auth pre-share
  000252: Aug  6 18:47:03.131: ISAKMP:      life type in seconds
  000253: Aug  6 18:47:03.131: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
  000254: Aug  6 18:47:03.135: ISAKMP:(0):atts are acceptable. Next payload is 0
  000255: Aug  6 18:47:03.135: ISAKMP:(0):Acceptable atts:actual life: 1800
  000256: Aug  6 18:47:03.135: ISAKMP:(0):Acceptable atts:life: 0
  000257: Aug  6 18:47:03.135: ISAKMP:(0):Fill atts in sa vpi_length:4
  000258: Aug  6 18:47:03.135: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
  000259: Aug  6 18:47:03.135: ISAKMP:(0):Returning Actual lifetime: 1800
  000260: Aug  6 18:47:03.135: ISAKMP:(0)::Started lifetime timer: 1800.
  000261: Aug  6 18:47:03.135: ISAKMP:(0): processing vendor id payload
  000262: Aug  6 18:47:03.135: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
  000263: Aug  6 18:47:03.135: ISAKMP (0): vendor ID is NAT-T RFC 3947
  000264: Aug  6 18:47:03.135: ISAKMP:(0): processing vendor id payload
  000265: Aug  6 18:47:03.135: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
  000266: Aug  6 18:47:03.135: ISAKMP (0): vendor ID is NAT-T v7
  000267: Aug  6 18:47:03.135: ISAKMP:(0): processing vendor id payload
  000268: Aug  6 18:47:03.135: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
  000269: Aug  6 18:47:03.135: ISAKMP:(0): vendor ID is NAT-T v3
  000270: Aug  6 18:47:03.135: ISAKMP:(0): processing vendor id payload
  000271: Aug  6 18:47:03.135: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
  000272: Aug  6 18:47:03.135: ISAKMP:(0): vendor ID is NAT-T v2
  000273: Aug  6 18:47:03.135: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  000274: Aug  6 18:47:03.135: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1
  000275: Aug  6 18:47:03.135: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
  000276: Aug  6 18:47:03.135: ISAKMP:(0): sending packet to 2.50.37.13 my_port 500 peer_port 500 (R) MM_SA_SETUP
  000277: Aug  6 18:47:03.135: ISAKMP:(0):Sending an IKE IPv4 Packet.
  000278: Aug  6 18:47:03.135: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  000279: Aug  6 18:47:03.135: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2
  000280: Aug  6 18:47:03.191: ISAKMP (0): received packet from 2.50.37.13 dport 500 sport 500 Global (R) MM_SA_SETUP
  000281: Aug  6 18:47:03.191: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  000282: Aug  6 18:47:03.191: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3
  000283: Aug  6 18:47:03.191: ISAKMP:(0): processing KE payload. message ID = 0
  000284: Aug  6 18:47:03.199: ISAKMP:(0): processing NONCE payload. message ID = 0
  000285: Aug  6 18:47:03.203: ISAKMP:(0):found peer pre-shared key matching 2.50.37.13
  000286: Aug  6 18:47:03.203: ISAKMP:(2001): processing vendor id payload
  000287: Aug  6 18:47:03.203: ISAKMP:(2001): vendor ID is DPD
  000288: Aug  6 18:47:03.203: ISAKMP:(2001): processing vendor id payload
  000289: Aug  6 18:47:03.203: ISAKMP:(2001): speaking to another IOS box!
  000290: Aug  6 18:47:03.203: ISAKMP:(2001): processing vendor id payload
  000291: Aug  6 18:47:03.203: ISAKMP:(2001): vendor ID seems Unity/DPD but major 223 mismatch
  000292: Aug  6 18:47:03.203: ISAKMP:(2001): vendor ID is XAUTH
  000293: Aug  6 18:47:03.203: ISAKMP:received payload type 20
  000294: Aug  6 18:47:03.203: ISAKMP (2001): His hash no match - this node outside NAT
  000295: Aug  6 18:47:03.203: ISAKMP:received payload type 20
  000296: Aug  6 18:47:03.203: ISAKMP (2001): No NAT Found for self or peer
  000297: Aug  6 18:47:03.203: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  000298: Aug  6 18:47:03.203: ISAKMP:(2001):Old State = IKE_R_MM3  New State = IKE_R_MM3
  000299: Aug  6 18:47:03.203: ISAKMP:(2001): sending packet to 2.50.37.13 my_port 500 peer_port 500 (R) MM_KEY_EXCH
  000300: Aug  6 18:47:03.203: ISAKMP:(2001):Sending an IKE IPv4 Packet.
  000301: Aug  6 18:47:03.203: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  000302: Aug  6 18:47:03.203: ISAKMP:(2001):Old State = IKE_R_MM3  New State = IKE_R_MM4
  000303: Aug  6 18:47:03.295: ISAKMP (2001): received packet from 2.50.37.13 dport 500 sport 500 Global (R) MM_KEY_EXCH
  000304: Aug  6 18:47:03.295: ISAKMP:(2001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  000305: Aug  6 18:47:03.295: ISAKMP:(2001):Old State = IKE_R_MM4  New State = IKE_R_MM5
  000306: Aug  6 18:47:03.295: ISAKMP:(2001): processing ID payload. message ID = 0
  000307: Aug  6 18:47:03.295: ISAKMP (2001): ID payload
          next-payload : 8
          type         : 1
          address      : 2.50.37.13
          protocol     : 17
          port         : 500
          length       : 12
  000308: Aug  6 18:47:03.295: ISAKMP:(0):: peer matches *none* of the profiles
  000309: Aug  6 18:47:03.295: ISAKMP:(2001): processing HASH payload. message ID = 0
  000310: Aug  6 18:47:03.295: ISAKMP:(2001): processing NOTIFY INITIAL_CONTACT protocol 1
          spi 0, message ID = 0, sa = 0x8B4C1924
  000311: Aug  6 18:47:03.295: ISAKMP:(2001):SA authentication status:
          authenticated
  000312: Aug  6 18:47:03.295: ISAKMP:(2001):SA has been authenticated with 2.50.37.13
  000313: Aug  6 18:47:03.295: ISAKMP:(2001):SA authentication status:
          authenticated
  000314: Aug  6 18:47:03.295: ISAKMP:(2001): Process initial contact,
  bring down existing phase 1 and 2 SA's with local 92.98.211.242 remote 2.50.37.13 remote port 500
  000315: Aug  6 18:47:03.295: ISAKMP: Trying to insert a peer 92.98.211.242/2.50.37.13/500/,  and inserted successfully 8668106C.
  000316: Aug  6 18:47:03.295: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  000317: Aug  6 18:47:03.295: ISAKMP:(2001):Old State = IKE_R_MM5  New State = IKE_R_MM5
  000318: Aug  6 18:47:03.295: ISAKMP:(2001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
  000319: Aug  6 18:47:03.295: ISAKMP (2001): ID payload
          next-payload : 8
          type         : 1
          address      : 92.98.211.242
          protocol     : 17
          port         : 500
          length       : 12
  000320: Aug  6 18:47:03.295: ISAKMP:(2001):Total payload length: 12
  000321: Aug  6 18:47:03.295: ISAKMP:(2001): sending packet to 2.50.37.13 my_port 500 peer_port 500 (R) MM_KEY_EXCH
  000322: Aug  6 18:47:03.295: ISAKMP:(2001):Sending an IKE IPv4 Packet.
  000323: Aug  6 18:47:03.295: ISAKMP:(2001):Returning Actual lifetime: 1800
  000324: Aug  6 18:47:03.299: ISAKMP: set new node -1235582904 to QM_IDLE
  000325: Aug  6 18:47:03.299: ISAKMP:(2001):Sending NOTIFY RESPONDER_LIFETIME protocol 1
          spi 2291695856, message ID = 3059384392
  000326: Aug  6 18:47:03.299: ISAKMP:(2001): sending packet to 2.50.37.13 my_port 500 peer_port 500 (R) MM_KEY_EXCH
  000327: Aug  6 18:47:03.299: ISAKMP:(2001):Sending an IKE IPv4 Packet.
  000328: Aug  6 18:47:03.299: ISAKMP:(2001):purging node -1235582904
  000329: Aug  6 18:47:03.299: ISAKMP: Sending phase 1 responder lifetime 1800
  000330: Aug  6 18:47:03.299: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  000331: Aug  6 18:47:03.299: ISAKMP:(2001):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
  000332: Aug  6 18:47:03.299: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
  000333: Aug  6 18:47:03.299: ISAKMP:(2001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
  000334: Aug  6 18:47:03.307: ISAKMP (2001): received packet from 2.50.37.13 dport 500 sport 500 Global (R) QM_IDLE
  000335: Aug  6 18:47:03.307: ISAKMP: set new node -687536412 to QM_IDLE
  000336: Aug  6 18:47:03.307: ISAKMP:(2001): processing HASH payload. message ID = 3607430884
  000337: Aug  6 18:47:03.307: ISAKMP:(2001): processing SA payload. message ID = 3607430884
  000338: Aug  6 18:47:03.307: ISAKMP:(2001):Checking IPSec proposal 1
  000339: Aug  6 18:47:03.307: ISAKMP: transform 1, ESP_3DES
  000340: Aug  6 18:47:03.307: ISAKMP:   attributes in transform:
  000341: Aug  6 18:47:03.307: ISAKMP:      encaps is 1 (Tunnel)
  000342: Aug  6 18:47:03.307: ISAKMP:      SA life type in seconds
  000343: Aug  6 18:47:03.307: ISAKMP:      SA life duration (basic) of 3600
  000344: Aug  6 18:47:03.307: ISAKMP:      SA life type in kilobytes
  000345: Aug  6 18:47:03.307: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
  000346: Aug  6 18:47:03.307: ISAKMP:      authenticator is HMAC-SHA
  000347: Aug  6 18:47:03.307: ISAKMP:(2001):atts are acceptable.
  000348: Aug  6 18:47:03.307: ISAKMP:(2001): processing NONCE payload. message ID = 3607430884
  000349: Aug  6 18:47:03.311: ISAKMP:(2001): processing ID payload. message ID = 3607430884
  000350: Aug  6 18:47:03.311: ISAKMP:(2001): processing ID payload. message ID = 3607430884
  000351: Aug  6 18:47:03.311: ISAKMP:(2001):QM Responder gets spi
  000352: Aug  6 18:47:03.311: ISAKMP:(2001):Node 3607430884, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
  000353: Aug  6 18:47:03.311: ISAKMP:(2001):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
  000354: Aug  6 18:47:03.311: ISAKMP:(2001): Creating IPSec SAs
  000355: Aug  6 18:47:03.311:         inbound SA from 2.50.37.13 to 92.98.211.242 (f/i)  0/ 0
          (proxy 192.168.10.0 to 192.168.50.0)
  000356: Aug  6 18:47:03.311:         has spi 0x4C5A127C and conn_id 0
  000357: Aug  6 18:47:03.311:         lifetime of 3600 seconds
  000358: Aug  6 18:47:03.311:         lifetime of 4608000 kilobytes
  000359: Aug  6 18:47:03.311:         outbound SA from 92.98.211.242 to 2.50.37.13 (f/i) 0/0
          (proxy 192.168.50.0 to 192.168.10.0)
  000360: Aug  6 18:47:03.311:         has spi  0x1E83EC91 and conn_id 0
  000361: Aug  6 18:47:03.311:         lifetime of 3600 seconds
  000362: Aug  6 18:47:03.311:         lifetime of 4608000 kilobytes
  000363: Aug  6 18:47:03.311: ISAKMP:(2001): sending packet to 2.50.37.13 my_port 500 peer_port 500 (R) QM_IDLE
  000364: Aug  6 18:47:03.311: ISAKMP:(2001):Sending an IKE IPv4 Packet.
  000365: Aug  6 18:47:03.311: ISAKMP:(2001):Node 3607430884, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
  000366: Aug  6 18:47:03.311: ISAKMP:(2001):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2
  000367: Aug  6 18:47:03.323: ISAKMP (2001): received packet from 2.50.37.13 dport 500 sport 500 Global (R) QM_IDLE
  000368: Aug  6 18:47:03.323: ISAKMP:(2001):deleting node -687536412 error FALSE reason "QM done (await)"
  000369: Aug  6 18:47:03.323: ISAKMP:(2001):Node 3607430884, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
  000370: Aug  6 18:47:03.323: ISAKMP:(2001):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
  000371: Aug  6 18:47:53.323: ISAKMP:(2001):purging node -687536412
  ROUTER-A# sho crypto isa sa
  IPv4 Crypto ISAKMP SA
  dst             src             state          conn-id status
  92.98.211.242   2.50.37.13      QM_IDLE           2001 ACTIVE
  RUNNING CONFIGURATION OF ROUTER-A
  Building configuration...
  Current configuration : 29089 bytes
  ! Last configuration change at 21:31:11 PST Tue Aug 7 2012 by administrator
  version 15.1
  parser config cache interface
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  service internal
  service compress-config
  service sequence-numbers
  hostname xxxxxxxxxxXX
  boot-start-marker
  boot-end-marker
  enable secret 4 LcV6aBcc/53FoCJjXQMd7rBUDEpeevrK8V5jQVoJEhU
  aaa new-model
  aaa authentication login default local
  aaa authentication login Foxtrot_sdm_easyvpn_xauth_ml_1 local
  aaa authorization network Foxtrot_sdm_easyvpn_group_ml_1 local
  aaa session-id common
  clock timezone ZP4 4 0
  clock summer-time PST recurring
  crypto pki token default removal timeout 0
  crypto pki trustpoint TP-self-signed-4070447007
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-4070447007
  revocation-check none
  rsakeypair TP-self-signed-4070447007
  crypto pki certificate chain TP-self-signed-4070447007
  certificate self-signed 01
    3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
    31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
    69666963 6174652D 34303730 34343730 3037301E 170D3132 30373331 30353139
    30375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
    4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30373034
    34373030 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
    8100BBA6 F2C9A163 B7EAB25D 6C538A5B 29832F58 6B95D2C0 1FBE0E72 BD4E9585
    6230CAD1 8DA4E337 5A11332C 36EAFF86 02D8C977 6CD2AA50 D76FB97F 52AE73AD
    E777194B 011C95EB E2A588B4 3A7D618E F1D03E3F EF1A60FB 26372B63 9395002D
    38126CC5 EA79E23C 40E0F331 76E7731E D03E2CE8 F1A0B5E9 B83AA780 D566A679
    599F0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
    551D2304 18301680 14C8BC47 90602FB0 18A8821A 85A3444F 874E2292 27301D06
    03551D0E 04160414 C8BC4790 602FB018 A8821A85 A3444F87 4E229227 300D0609
    2A864886 F70D0101 05050003 8181001B D0EA74FE 7EDD03FE 68733D87 6434D20B
    80481807 DD4A488E FFEFA631 245F396F 5CADF523 1438A70B CA113994 9798483D
    F59221EA 09EDB8FC 6D1DBBAE FE7FE4B9 E79F064F E930F347 B1CAD19B 01F5989A
    8BCFDB1D 906163A4 C467E809 E988B610 FE613177 A815DFB0 97839F92 4A682E8F
    43F08787 E08CBE70 E98DEBE7 BCD8B8
              quit
  dot11 syslog
  ip source-route
  ip cef
  ip dhcp relay information trust-all
  ip dhcp excluded-address 10.1.1.1 10.1.1.9
  ip dhcp excluded-address 10.1.1.241 10.1.1.255
  ip dhcp excluded-address 192.168.50.1 192.168.50.9
  ip dhcp excluded-address 192.168.50.241 192.168.50.255
  ip dhcp pool phone
  network 10.1.1.0 255.255.255.0
  default-router 10.1.1.1
  option 150 ip 10.1.1.1
  ip dhcp pool data
  import all
  network 192.168.50.0 255.255.255.0
  default-router 192.168.50.1
  ip inspect WAAS flush-timeout 10
  ip inspect name SDM_LOW dns
  ip inspect name SDM_LOW ftp
  ip inspect name SDM_LOW h323
  ip inspect name SDM_LOW https
  ip inspect name SDM_LOW icmp
  ip inspect name SDM_LOW imap
  ip inspect name SDM_LOW pop3
  ip inspect name SDM_LOW netshow
  ip inspect name SDM_LOW rcmd
  ip inspect name SDM_LOW realaudio
  ip inspect name SDM_LOW rtsp
  ip inspect name SDM_LOW esmtp
  ip inspect name SDM_LOW sqlnet
  ip inspect name SDM_LOW streamworks
  ip inspect name SDM_LOW tftp
  ip inspect name SDM_LOW tcp router-traffic
  ip inspect name SDM_LOW udp router-traffic
  ip inspect name SDM_LOW vdolive
  ip ddns update method sdm_ddns1
  HTTP
    add http://xxxxxxxs:[email protected]/nic/update?system=dyndns&[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
    remove http://xxxxxxx:[email protected]/nic/update?system=dyndns&[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
  interval maximum 2 0 0 0
  interval minimum 1 0 0 0
  no ipv6 cef
  multilink bundle-name authenticated
  stcapp ccm-group 1
  stcapp
  trunk group ALL_FXO
  max-retry 5
  voice-class cause-code 1
  hunt-scheme longest-idle
  voice call send-alert
  voice rtp send-recv
  voice service voip
  allow-connections h323 to h323
  allow-connections h323 to sip
  allow-connections sip to h323
  allow-connections sip to sip
  no supplementary-service h450.2
  no supplementary-service h450.3
  supplementary-service h450.12
  sip
    no update-callerid
  voice class codec 1
  codec preference 1 g711ulaw
  codec preference 2 g729r8
  voice class h323 1
    call start slow
  voice class cause-code 1
  no-circuit
  voice register global
  mode cme
  source-address 10.1.1.1 port 5060
  load 9971 sip9971.9-2-2
  load 9951 sip9951.9-2-2
  load 8961 sip8961.9-2-2
  voice translation-rule 1000
  rule 1 /.*/ //
  voice translation-rule 1112
  rule 1 /^9/ //
  voice translation-rule 1113
  rule 1 /^82\(...\)/ /\1/
  voice translation-rule 1114
  rule 1 /\(^...$\)/ /82\1/
  voice translation-rule 2002
  rule 1 /^6/ //
  voice translation-rule 2222
  rule 1 /^91900......./ //
  rule 2 /^91976......./ //
  voice translation-profile CALLER_ID_TRANSLATION_PROFILE
  translate calling 1111
  voice translation-profile CallBlocking
  translate called 2222
  voice translation-profile OUTGOING_TRANSLATION_PROFILE
  translate called 1112
  voice translation-profile XFER_TO_VM_PROFILE
  translate redirect-called 2002
  voice translation-profile multisiteInbound
  translate called 1113
  voice translation-profile multisiteOutbound
  translate calling 1114
  voice translation-profile nondialable
  translate called 1000
  voice-card 0
  dspfarm
  dsp services dspfarm
  fax interface-type fax-mail
  license udi pid UC560-FXO-K9 sn FHK1445F43M
  archive
  log config
    logging enable
    logging size 600
    hidekeys
  username administrator privilege 15 secret 4 LcV6aBcc/53FoCJjXQMd7rBUDEpeevrK8V5jQVoJEhU
  username pingerID password 7 06505D771B185F
  ip tftp source-interface Vlan90
  crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
  lifetime 1800
  crypto isakmp key xxxxxxx address 0.0.0.0 0.0.0.0
  crypto isakmp client configuration group EZVPN_GROUP_1
  key xxxxxxx
  dns 213.42.20.20
  pool SDM_POOL_1
  save-password
  max-users 20
  crypto isakmp profile sdm-ike-profile-1
     match identity group EZVPN_GROUP_1
     client authentication list Foxtrot_sdm_easyvpn_xauth_ml_1
     isakmp authorization list Foxtrot_sdm_easyvpn_group_ml_1
     client configuration address respond
     virtual-template 1
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec profile SDM_Profile1
  set transform-set ESP-3DES-SHA
  set isakmp-profile sdm-ike-profile-1
  crypto map multisite 1 ipsec-isakmp
  description XXXXXXX
  set peer xxxxxxxxxx.dyndns.biz dynamic
  set transform-set ESP-3DES-SHA
  match address 105
  qos pre-classify
  interface GigabitEthernet0/0
  description $ETH-WAN$
  no ip address
  ip virtual-reassembly in
  load-interval 30
  duplex auto
  speed auto
  pppoe enable group global
  pppoe-client dial-pool-number 1
  interface Integrated-Service-Engine0/0
  description Interface used to manage integrated application modulecue is initialized with default IMAP group
  ip unnumbered Vlan90
  ip nat inside
  ip virtual-reassembly in
  service-module ip address 10.1.10.1 255.255.255.252
  service-module ip default-gateway 10.1.10.2
  interface GigabitEthernet0/1/0
  switchport mode trunk
  switchport voice vlan 100
  no ip address
  macro description cisco-switch
  interface GigabitEthernet0/1/1
  switchport voice vlan 100
  no ip address
  macro description cisco-phone
  spanning-tree portfast
  interface GigabitEthernet0/1/2
  no ip address
  macro description cisco-desktop
  spanning-tree portfast
  interface GigabitEthernet0/1/3
  description Interface used to communicate with integrated service module
  switchport access vlan 90
  no ip address
  service-module ip address 10.1.10.1 255.255.255.252
  service-module ip default-gateway 10.1.10.2
  interface Virtual-Template1 type tunnel
  ip unnumbered Vlan1
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile SDM_Profile1
  interface Vlan1
  description $FW_INSIDE$
  ip address 192.168.50.1 255.255.255.0
  ip access-group 101 in
  ip nat inside
  ip virtual-reassembly in
  ip tcp adjust-mss 1412
  h323-gateway voip bind srcaddr 192.168.50.1
  interface Vlan90
  description $FW_INSIDE$
  ip address 10.1.10.2 255.255.255.252
  ip access-group 103 in
  ip nat inside
  ip virtual-reassembly in
  ip tcp adjust-mss 1412
  interface Vlan100
  description $FW_INSIDE$
  ip address 10.1.1.1 255.255.255.0
  ip access-group 102 in
  ip nat inside
  ip virtual-reassembly in
  ip tcp adjust-mss 1412
  interface Dialer0
  description $FW_OUTSIDE$
  mtu 1492
  ip ddns update hostname xxxxxxxxxx.dyndns.biz
  ip ddns update sdm_ddns1
  ip address negotiated
  ip access-group 104 in
  ip mtu 1452
  ip nat outside
  ip inspect SDM_LOW out
  ip virtual-reassembly in
  encapsulation ppp
  dialer pool 1
  dialer-group 1
  ppp authentication chap pap callin
  ppp chap hostname CCCCCC
  ppp chap password 7 071739545611015445
  ppp pap sent-username CCCCC password 7 122356324SDFDBDB
  ppp ipcp dns request
  ppp ipcp route default
  crypto map multisite
  ip local pool SDM_POOL_1 192.168.50.150 192.168.50.160
  ip forward-protocol nd
  ip http server
  ip http authentication local
  ip http secure-server
  ip http path flash:/gui
  ip dns server
  ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
  ip route 0.0.0.0 0.0.0.0 Dialer0
  ip route 10.1.10.1 255.255.255.255 Vlan90
  access-list 100 remark auto generated by SDM firewall configuration
  access-list 100 remark SDM_ACL Category=1
  access-list 100 permit ip 192.168.10.0 0.0.0.255 any
  access-list 100 permit ip host 255.255.255.255 any
  access-list 100 permit ip 127.0.0.0 0.255.255.255 any
  access-list 100 permit ip any any
  access-list 101 remark auto generated by SDM firewall configuration##NO_ACES_5##
  access-list 101 remark SDM_ACL Category=1
  access-list 101 permit udp any host 192.168.50.1 eq non500-isakmp
  access-list 101 permit udp any host 192.168.50.1 eq isakmp
  access-list 101 permit esp any host 192.168.50.1
  access-list 101 permit ahp any host 192.168.50.1
  access-list 101 permit ip 192.168.10.0 0.0.0.255 any
  access-list 101 permit ip any any
  access-list 101 permit ip 10.1.10.0 0.0.0.3 any
  access-list 101 permit ip 10.1.1.0 0.0.0.255 any
  access-list 101 permit ip host 255.255.255.255 any
  access-list 101 permit ip 127.0.0.0 0.255.255.255 any
  access-list 102 remark auto generated by SDM firewall configuration##NO_ACES_7##
  access-list 102 remark SDM_ACL Category=1
  access-list 102 permit udp any host 10.1.1.1 eq non500-isakmp
  access-list 102 permit udp any host 10.1.1.1 eq isakmp
  access-list 102 permit esp any host 10.1.1.1
  access-list 102 permit ahp any host 10.1.1.1
  access-list 102 permit ip any any
  access-list 102 permit tcp 10.1.10.0 0.0.0.3 any eq 2000
  access-list 102 permit udp 10.1.10.0 0.0.0.3 any eq 2000
  access-list 102 permit ip 192.168.50.0 0.0.0.255 any
  access-list 102 permit ip 10.1.10.0 0.0.0.3 any
  access-list 102 permit ip host 255.255.255.255 any
  access-list 102 permit ip 127.0.0.0 0.255.255.255 any
  access-list 103 remark auto generated by SDM firewall configuration##NO_ACES_7##
  access-list 103 remark SDM_ACL Category=1
  access-list 103 permit udp any host 10.1.10.2 eq non500-isakmp
  access-list 103 permit udp any host 10.1.10.2 eq isakmp
  access-list 103 permit esp any host 10.1.10.2
  access-list 103 permit ahp any host 10.1.10.2
  access-list 103 permit tcp 10.1.1.0 0.0.0.255 eq 2000 any
  access-list 103 permit udp 10.1.1.0 0.0.0.255 eq 2000 any
  access-list 103 permit ip 192.168.50.0 0.0.0.255 any
  access-list 103 permit ip 10.1.1.0 0.0.0.255 any
  access-list 103 permit ip host 255.255.255.255 any
  access-list 103 permit ip 127.0.0.0 0.255.255.255 any
  access-list 103 permit ip any any
  access-list 104 remark auto generated by SDM firewall configuration##NO_ACES_13##
  access-list 104 remark SDM_ACL Category=1
  access-list 104 permit ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255
  access-list 104 permit udp any any eq non500-isakmp
  access-list 104 permit udp any any eq isakmp
  access-list 104 permit esp any any
  access-list 104 permit ahp any any
  access-list 104 permit ip any any
  access-list 104 permit ip 192.168.50.0 0.0.0.255 any
  access-list 104 permit ip 10.1.10.0 0.0.0.3 any
  access-list 104 permit ip 10.1.1.0 0.0.0.255 any
  access-list 104 permit icmp any any echo-reply
  access-list 104 permit icmp any any time-exceeded
  access-list 104 permit icmp any any unreachable
  access-list 104 permit ip 10.0.0.0 0.255.255.255 any
  access-list 104 permit ip 172.16.0.0 0.15.255.255 any
  access-list 104 permit ip 192.168.0.0 0.0.255.255 any
  access-list 104 permit ip 127.0.0.0 0.255.255.255 any
  access-list 104 permit ip host 255.255.255.255 any
  access-list 104 permit ip host 0.0.0.0 any
  access-list 105 remark CryptoACL for xxxxxxxxxx
  access-list 105 remark SDM_ACL Category=4
  access-list 105 permit ip 192.168.50.0 0.0.0.255 192.168.10.0 0.0.0.255
  access-list 106 remark SDM_ACL Category=2
  access-list 106 deny   ip 192.168.50.0 0.0.0.255 192.168.10.0 0.0.0.255
  access-list 106 permit ip 10.1.10.0 0.0.0.3 any
  access-list 106 permit ip 192.168.50.0 0.0.0.255 any
  access-list 106 permit ip 10.1.1.0 0.0.0.255 any
  dialer-list 1 protocol ip permit
  route-map SDM_RMAP_1 permit 1
  match ip address 106
  snmp-server community public RO
  tftp-server flash:/phones/521_524/cp524g-8-1-17.bin alias cp524g-8-1-17.bin
  tftp-server flash:/ringtones/Analog1.raw alias Analog1.raw
  tftp-server flash:/ringtones/Analog2.raw alias Analog2.raw
  tftp-server flash:/ringtones/AreYouThere.raw alias AreYouThere.raw
  tftp-server flash:/ringtones/DistinctiveRingList.xml alias DistinctiveRingList.xml
  tftp-server flash:/ringtones/RingList.xml alias RingList.xml
  tftp-server flash:/ringtones/AreYouThereF.raw alias AreYouThereF.raw
  tftp-server flash:/ringtones/Bass.raw alias Bass.raw
  tftp-server flash:/ringtones/CallBack.raw alias CallBack.raw
  tftp-server flash:/ringtones/Chime.raw alias Chime.raw
  tftp-server flash:/ringtones/Classic1.raw alias Classic1.raw
  tftp-server flash:/ringtones/Classic2.raw alias Classic2.raw
  tftp-server flash:/ringtones/ClockShop.raw alias ClockShop.raw
  tftp-server flash:/ringtones/Drums1.raw alias Drums1.raw
  tftp-server flash:/ringtones/Drums2.raw alias Drums2.raw
  tftp-server flash:/ringtones/FilmScore.raw alias FilmScore.raw
  tftp-server flash:/ringtones/HarpSynth.raw alias HarpSynth.raw
  tftp-server flash:/ringtones/Jamaica.raw alias Jamaica.raw
  tftp-server flash:/ringtones/KotoEffect.raw alias KotoEffect.raw
  tftp-server flash:/ringtones/MusicBox.raw alias MusicBox.raw
  tftp-server flash:/ringtones/Piano1.raw alias Piano1.raw
  tftp-server flash:/ringtones/Piano2.raw alias Piano2.raw
  tftp-server flash:/ringtones/Pop.raw alias Pop.raw
  tftp-server flash:/ringtones/Pulse1.raw alias Pulse1.raw
  tftp-server flash:/ringtones/Ring1.raw alias Ring1.raw
  tftp-server flash:/ringtones/Ring2.raw alias Ring2.raw
  tftp-server flash:/ringtones/Ring3.raw alias Ring3.raw
  tftp-server flash:/ringtones/Ring4.raw alias Ring4.raw
  tftp-server flash:/ringtones/Ring5.raw alias Ring5.raw
  tftp-server flash:/ringtones/Ring6.raw alias Ring6.raw
  tftp-server flash:/ringtones/Ring7.raw alias Ring7.raw
  tftp-server flash:/ringtones/Sax1.raw alias Sax1.raw
  tftp-server flash:/ringtones/Sax2.raw alias Sax2.raw
  tftp-server flash:/ringtones/Vibe.raw alias Vibe.raw
  tftp-server flash:/Desktops/CampusNight.png
  tftp-server flash:/Desktops/TN-CampusNight.png
  tftp-server flash:/Desktops/CiscoFountain.png
  tftp-server flash:/Desktops/TN-CiscoFountain.png
  tftp-server flash:/Desktops/CiscoLogo.png
  tftp-server flash:/Desktops/TN-CiscoLogo.png
  tftp-server flash:/Desktops/Fountain.png
  tftp-server flash:/Desktops/TN-Fountain.png
  tftp-server flash:/Desktops/MorroRock.png
  tftp-server flash:/Desktops/TN-MorroRock.png
  tftp-server flash:/Desktops/NantucketFlowers.png
  tftp-server flash:/Desktops/TN-NantucketFlowers.png
  tftp-server flash:Desktops/320x212x16/List.xml
  tftp-server flash:Desktops/320x212x12/List.xml
  tftp-server flash:Desktops/320x216x16/List.xml
  tftp-server flash:/bacdprompts/en_bacd_allagentsbusy.au alias en_bacd_allagentsbusy.au
  tftp-server flash:/bacdprompts/en_bacd_disconnect.au alias en_bacd_disconnect.au
  tftp-server flash:/bacdprompts/en_bacd_enter_dest.au alias en_bacd_enter_dest.au
  tftp-server flash:/bacdprompts/en_bacd_invalidoption.au alias en_bacd_invalidoption.au
  tftp-server flash:/bacdprompts/en_bacd_music_on_hold.au alias en_bacd_music_on_hold.au
  tftp-server flash:/bacdprompts/en_bacd_options_menu.au alias en_bacd_options_menu.au
  tftp-server flash:/bacdprompts/en_bacd_welcome.au alias en_bacd_welcome.au
  tftp-server flash:/bacdprompts/en_bacd_xferto_operator.au alias en_bacd_xferto_operator.au
  radius-server attribute 31 send nas-port-detail
  control-plane
  voice-port 0/0/0
  station-id number 401
  caller-id enable
  voice-port 0/0/1
  station-id number 402
  caller-id enable
  voice-port 0/0/2
  station-id number 403
  caller-id enable
  voice-port 0/0/3
  station-id number 404
  caller-id enable
  voice-port 0/1/0
  trunk-group ALL_FXO 64
  connection plar opx 201
  description Configured by CCA 4 FXO-0/1/0-OP
  caller-id enable
  voice-port 0/1/1
  trunk-group ALL_FXO 64
  connection plar opx 201
  description Configured by CCA 4 FXO-0/1/1-OP
  caller-id enable
  voice-port 0/1/2
  trunk-group ALL_FXO 64
  connection plar opx 201
  description Configured by CCA 4 FXO-0/1/2-OP
  caller-id enable
  voice-port 0/1/3
  trunk-group ALL_FXO 64
  connection plar opx 201
  description Configured by CCA 4 FXO-0/1/3-OP
  caller-id enable
  voice-port 0/4/0
  auto-cut-through
  signal immediate
  input gain auto-control -15
  description Music On Hold Port
  sccp local Vlan90
  sccp ccm 10.1.1.1 identifier 1 version 4.0
  sccp
  sccp ccm group 1
  associate ccm 1 priority 1
  associate profile 2 register mtpd0d0fd057a40
  dspfarm profile 2 transcode 
  description CCA transcoding for SIP Trunk Multisite Only
  codec g729abr8
  codec g729ar8
  codec g711alaw
  codec g711ulaw
  maximum sessions 10
  associate application SCCP
  dial-peer cor custom
  name internal
  name local
  name local-plus
  name international
  name national
  name national-plus
  name emergency
  name toll-free
  dial-peer cor list call-internal
  member internal
  dial-peer cor list call-local
  member local
  dial-peer cor list call-local-plus
  member local-plus
  dial-peer cor list call-national
  member national
  dial-peer cor list call-national-plus
  member national-plus
  dial-peer cor list call-international
  member international
  dial-peer cor list call-emergency
  member emergency
  dial-peer cor list call-toll-free
  member toll-free
  dial-peer cor list user-internal
  member internal
  member emergency
  dial-peer cor list user-local
  member internal
  member local
  member emergency
  member toll-free
  dial-peer cor list user-local-plus
  member internal
  member local
  member local-plus
  member emergency
  member toll-free
  dial-peer cor list user-national
  member internal
  member local
  member local-plus
  member national
  member emergency
  member toll-free
  dial-peer cor list user-national-plus
  member internal
  member local
  member local-plus
  member national
  member national-plus
  member emergency
  member toll-free
  dial-peer cor list user-international
  member internal
  member local
  member local-plus
  member international
  member national
  member national-plus
  member emergency
  member toll-free
  dial-peer voice 1 pots
  destination-pattern 401
  port 0/0/0
  no sip-register
  dial-peer voice 2 pots
  destination-pattern 402
  port 0/0/1
  no sip-register
  dial-peer voice 3 pots
  destination-pattern 403
  port 0/0/2
  no sip-register
  dial-peer voice 4 pots
  destination-pattern 404
  port 0/0/3
  no sip-register
  dial-peer voice 5 pots
  description ** MOH Port **
  destination-pattern ABC
  port 0/4/0
  no sip-register
  dial-peer voice 6 pots
  description ôcatch all dial peer for BRI/PRIö
  translation-profile incoming nondialable
  incoming called-number .%
  direct-inward-dial
  dial-peer voice 50 pots
  description ** incoming dial peer **
  incoming called-number .%
  port 0/1/0
  dial-peer voice 51 pots
  description ** incoming dial peer **
  incoming called-number .%
  port 0/1/1
  dial-peer voice 52 pots
  description ** incoming dial peer **
  incoming called-number .%
  port 0/1/2
  dial-peer voice 53 pots
  description ** incoming dial peer **
  incoming called-number .%
  port 0/1/3
  dial-peer voice 54 pots
  description ** FXO pots dial-peer **
  destination-pattern A0
  port 0/1/0
  no sip-register
  dial-peer voice 55 pots
  description ** FXO pots dial-peer **
  destination-pattern A1
  port 0/1/1
  no sip-register
  dial-peer voice 56 pots
  description ** FXO pots dial-peer **
  destination-pattern A2
  port 0/1/2
  no sip-register
  dial-peer voice 57 pots
  description ** FXO pots dial-peer **
  destination-pattern A3
  port 0/1/3
  no sip-register
  dial-peer voice 2000 voip
  description ** cue voicemail pilot number **
  translation-profile outgoing XFER_TO_VM_PROFILE
  destination-pattern 399
  b2bua
  session protocol sipv2
  session target ipv4:10.1.10.1
  voice-class sip outbound-proxy ipv4:10.1.10.1 
  dtmf-relay rtp-nte
  codec g711ulaw
  no vad
  dial-peer voice 58 pots
  trunkgroup ALL_FXO
  corlist outgoing call-emergency
  description **CCA*North American-7-Digit*Emergency**
  translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
  preference 5
  destination-pattern 9911
  forward-digits all
  no sip-register
  dial-peer voice 59 pots
  trunkgroup ALL_FXO
  corlist outgoing call-emergency
  description **CCA*North American-7-Digit*Emergency**
  preference 5
  destination-pattern 911
  forward-digits all
  no sip-register
  dial-peer voice 60 pots
  trunkgroup ALL_FXO
  corlist outgoing call-local
  description **CCA*North American-7-Digit*7-Digit Local**
  translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
  preference 5
  destination-pattern 9[2-9]......
  forward-digits all
  no sip-register
  dial-peer voice 61 pots
  trunkgroup ALL_FXO
  corlist outgoing call-local
  description **CCA*North American-7-Digit*Service Numbers**
  translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
  preference 5
  destination-pattern 9[2-9]11
  forward-digits all
  no sip-register
  dial-peer voice 62 pots
  trunkgroup ALL_FXO
  corlist outgoing call-national
  description **CCA*North American-7-Digit*Long Distance**
  translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
  preference 5
  destination-pattern 91[2-9]..[2-9]......
  forward-digits all
  no sip-register
  dial-peer voice 63 pots
  trunkgroup ALL_FXO
  corlist outgoing call-international
  description **CCA*North American-7-Digit*International**
  translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
  preference 5
  destination-pattern 9011T
  forward-digits all
  no sip-register
  dial-peer voice 64 pots
  trunkgroup ALL_FXO
  corlist outgoing call-toll-free
  description **CCA*North American-7-Digit*Toll-Free**
  translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
  preference 5
  destination-pattern 91800.......
  forward-digits all
  no sip-register
  dial-peer voice 65 pots
  trunkgroup ALL_FXO
  corlist outgoing call-toll-free
  description **CCA*North American-7-Digit*Toll-Free**
  translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
  preference 5
  destination-pattern 91888.......
  forward-digits all
  no sip-register
  dial-peer voice 66 pots
  trunkgroup ALL_FXO
  corlist outgoing call-toll-free
  description **CCA*North American-7-Digit*Toll-Free**
  translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
  preference 5
  destination-pattern 91877.......
  forward-digits all
  no sip-register
  dial-peer voice 67 pots
  trunkgroup ALL_FXO
  corlist outgoing call-toll-free
  description **CCA*North American-7-Digit*Toll-Free**
  translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
  preference 5
  destination-pattern 91866.......
  forward-digits all
  no sip-register
  dial-peer voice 68 pots
  trunkgroup ALL_FXO
  corlist outgoing call-toll-free
  description **CCA*North American-7-Digit*Toll-Free**
  translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
  preference 5
  destination-pattern 91855.......
  forward-digits all
  no sip-register
  dial-peer voice 2100 voip
  corlist incoming call-internal
  description **CCA*INTERSITE inbound call to xxxxxxxxxx
  translation-profile incoming multisiteInbound
  incoming called-number 82...
  voice-class h323 1
  dtmf-relay h245-alphanumeric
  fax protocol cisco
  no vad
  dial-peer voice 2101 voip
  corlist incoming call-internal
  description **CCA*INTERSITE outbound calls to xxxxxxxxxx
  translation-profile outgoing multisiteOutbound
  destination-pattern 81...
  session target ipv4:192.168.10.1
  voice-class h323 1
  dtmf-relay h245-alphanumeric
  fax protocol cisco
  no vad
  no dial-peer outbound status-check pots
  telephony-service
  sdspfarm units 5
  sdspfarm transcode sessions 10
  sdspfarm tag 2 mtpd0d0fd057a40
  video
  fxo hook-flash
  max-ephones 138
  max-dn 600
  ip source-address 10.1.1.1 port 2000
  auto assign 1 to 1 type bri
  calling-number initiator
  service phone videoCapability 1
  service phone ehookenable 1
  service dnis overlay
  service dnis dir-lookup
  service dss
  timeouts interdigit 5
  system message Cisco Small Business
  url services http://10.1.10.1/voiceview/common/login.do
  url authentication http://10.1.10.1/voiceview/authentication/authenticate

  On 12/01/12 12:06, JebediahShapnacker wrote:
  >
  > Hello.
  >
  > I would like to setup a site to site VPN between 2 of our site. We have
  > Bordermanager .7 on one end and IPCop on the other.
  i'm not familiar with Bordermanager version but be sure you're using 3.9
  with sp2 and sp2_it1 applied.
  There are not specific documents that i'm aware that explains conf
  between ipcop and bm but if ipcop behaves as standard ipsec device, you
  can use as a guideline some of the docs that explains how to configure
  bm with third party firewalls.
  - AppNote: CISCO IOS 12.2(11) T with NBM 3.8 Server
  Novell Cool Solutions: AppNote
  By Upendra Gopu
  - BorderManager and Novell Security Manager Site-to-Site VPN
  Novell Cool Solutions: Feature
  By Jenn Bitondo
  - Setting Up an IPSec VPN Tunnel between Nortel and an NBM 3.8.4 Server
  Author Info
  8 November 2006 - 7:37pm
  Submitted by: kchendil
  - AppNote: NBM to Openswan: Site-to-site VPN Made Easy
  Novell Cool Solutions: AppNote
  By Gaurav Vaidya
  - AppNote: Interoperability of Cisco PIX 500 and NBM 3.8 VPN
  Novell Cool Solutions: AppNote
  By Sreekanth Settipalli
  Digg This - Slashdot This
  Posted: 28 Oct 2004
  etc

• Site to SIte VPN through a NAT device

  I, i am having some trouble running a site to site vpn between two 3725 routers running c3725-advsecurityk9-mz124-15T1 which i hope i can get some help with, i am probably missing something here. The VPN ran fine when both VPN routers were connected directly to the internet and had public IPs on the WAN interfaces, but i have had to move one of the firewalls inside onto a private IP. The setup is now as below
  VPN router A(192.168.248.253)---Company internal network----Fortigate FW-----internet----(217.155.113.179)VPN router B
  Now the fortigate FW is doing some address translations
  - traffic from 192.168.248.253 to 217.155.113.179 has its source translated to 37.205.62.5
  - traffic from 217.155.113.179 to 37.205.62.5 has its destination translated to 192.168.248.253
  - The firewall rules allow any traffic between the 2 devices, no port lockdown enabled.
  - The 37.205.62.5 address is used by nothing else.
  I basically have a GRE tunnel between the two routers and i am trying to encrypt it.
  Router A is showing the below
  SERVER-RTR#show crypto map
  Crypto Map "S2S_VPN" 10 ipsec-isakmp
  Peer = 217.155.113.179
  Extended IP access list 101
  access-list 101 permit gre host 192.168.248.253 host 217.155.113.179
  Current peer: 217.155.113.179
  Security association lifetime: 4608000 kilobytes/3600 seconds
  PFS (Y/N): N
  Transform sets={
  STRONG,
  Interfaces using crypto map S2S_VPN:
  FastEthernet0/1
  SERVER-RTR#show crypto sessio
  Crypto session current status
  Interface: FastEthernet0/1
  Session status: DOWN
  Peer: 217.155.113.179 port 500
  IPSEC FLOW: permit 47 host 192.168.248.253 host 217.155.113.179
  Active SAs: 0, origin: crypto map
  Interface: FastEthernet0/1
  Session status: UP-IDLE
  Peer: 217.155.113.179 port 4500
  IKE SA: local 192.168.248.253/4500 remote 217.155.113.179/4500 Active
  IKE SA: local 192.168.248.253/4500 remote 217.155.113.179/4500 Inactive
  IKE SA: local 192.168.248.253/4500 remote 217.155.113.179/4500 Inactive
  Router B is showing the below
  BSU-RTR#show crypto map
  Crypto Map "S2S_VPN" 10 ipsec-isakmp
  Peer = 37.205.62.5
  Extended IP access list 101
  access-list 101 permit gre host 217.155.113.179 host 37.205.62.5
  Current peer: 37.205.62.5
  Security association lifetime: 4608000 kilobytes/3600 seconds
  PFS (Y/N): N
  Transform sets={
  STRONG,
  Interfaces using crypto map S2S_VPN:
  FastEthernet0/1
  BSU-RTR#show crypto sess
  Crypto session current status
  Interface: FastEthernet0/1
  Session status: DOWN
  Peer: 37.205.62.5 port 500
  IPSEC FLOW: permit 47 host 217.155.113.179 host 37.205.62.5
  Active SAs: 0, origin: crypto map
  Interface: FastEthernet0/1
  Session status: UP-IDLE
  Peer: 37.205.62.5 port 4500
  IKE SA: local 217.155.113.179/4500 remote 37.205.62.5/4500 Active
  IKE SA: local 217.155.113.179/4500 remote 37.205.62.5/4500 Inactive
  IKE SA: local 217.155.113.179/4500 remote 37.205.62.5/4500 Inactive
  I can see the counters incrementing over the ACL on both routers so i know GRE traffic is interesting.
  Here are some debugs too
  Router A
  debug crypto isakmp
  *Mar 2 23:07:10.898: ISAKMP:(1024):purging node 940426884
  *Mar 2 23:07:10.898: ISAKMP:(1024):purging node 1837874301
  *Mar 2 23:07:10.898: ISAKMP:(1024):purging node -475409474
  *Mar 2 23:07:20.794: ISAKMP (0:0): received packet from 217.155.113.179 dport 500 sport 500 Global (N) NEW SA
  *Mar 2 23:07:20.794: ISAKMP: Created a peer struct for 217.155.113.179, peer port 500
  *Mar 2 23:07:20.794: ISAKMP: New peer created peer = 0x64960C04 peer_handle = 0x80000F0E
  *Mar 2 23:07:20.794: ISAKMP: Locking peer struct 0x64960C04, refcount 1 for crypto_isakmp_process_block
  *Mar 2 23:07:20.794: ISAKMP: local port 500, remote port 500
  *Mar 2 23:07:20.794: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 6464D3F0
  *Mar 2 23:07:20.794: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  *Mar 2 23:07:20.794: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
  *Mar 2 23:07:20.794: ISAKMP:(0): processing SA payload. message ID = 0
  *Mar 2 23:07:20.794: ISAKMP:(0): processing vendor id payload
  *Mar 2 23:07:20.794: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
  *Mar 2 23:07:20.798: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
  *Mar 2 23:07:20.798: ISAKMP:(0): processing vendor id payload
  *Mar 2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
  *Mar 2 23:07:20.798: ISAKMP (0:0): vendor ID is NAT-T v7
  *Mar 2 23:07:20.798: ISAKMP:(0): processing vendor id payload
  *Mar 2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
  *Mar 2 23:07:20.798: ISAKMP:(0): vendor ID is NAT-T v3
  *Mar 2 23:07:20.798: ISAKMP:(0): processing vendor id payload
  *Mar 2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
  *Mar 2 23:07:20.798: ISAKMP:(0): vendor ID is NAT-T v2
  *Mar 2 23:07:20.798: ISAKMP:(0):found peer pre-shared key matching 217.155.113.179
  *Mar 2 23:07:20.798: ISAKMP:(0): local preshared key found
  *Mar 2 23:07:20.798: ISAKMP : Scanning profiles for xauth ...
  *Mar 2 23:07:20.798: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
  *Mar 2 23:07:20.798: ISAKMP: encryption DES-CBC
  *Mar 2 23:07:20.798: ISAKMP: hash SHA
  *Mar 2 23:07:20.798: ISAKMP: default group 1
  *Mar 2 23:07:20.798: ISAKMP: auth pre-share
  *Mar 2 23:07:20.798: ISAKMP: life type in seconds
  *Mar 2 23:07:20.798: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
  *Mar 2 23:07:20.798: ISAKMP:(0):atts are acceptable. Next payload is 0
  *Mar 2 23:07:20.798: ISAKMP:(0):Acceptable atts:actual life: 0
  *Mar 2 23:07:20.798: ISAKMP:(0):Acceptable atts:life: 0
  *Mar 2 23:07:20.798: ISAKMP:(0):Fill atts in sa vpi_length:4
  *Mar 2 23:07:20.798: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
  *Mar 2 23:07:20.798: ISAKMP:(0):Returning Actual lifetime: 86400
  *Mar 2 23:07:20.798: ISAKMP:(0)::Started lifetime timer: 86400.
  *Mar 2 23:07:20.798: ISAKMP:(0): processing vendor id payload
  *Mar 2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
  *Mar 2 23:07:20.798: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
  *Mar 2 23:07:20.798: ISAKMP:(0): processing vendor id payload
  *Mar 2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
  *Mar 2 23:07:20.798: ISAKMP (0:0): vendor ID is NAT-T v7
  *Mar 2 23:07:20.798: ISAKMP:(0): processing vendor id payload
  *Mar 2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
  *Mar 2 23:07:20.798: ISAKMP:(0): vendor ID is NAT-T v3
  *Mar 2 23:07:20.798: ISAKMP:(0): processing vendor id payload
  *Mar 2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
  *Mar 2 23:07:20.798: ISAKMP:(0): vendor ID is NAT-T v2
  *Mar 2 23:07:20.798: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  *Mar 2 23:07:20.798: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
  *Mar 2 23:07:20.802: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
  *Mar 2 23:07:20.802: ISAKMP:(0): sending packet to 217.155.113.179 my_port 500 peer_port 500 (R) MM_SA_SETUP
  *Mar 2 23:07:20.802: ISAKMP:(0):Sending an IKE IPv4 Packet.
  *Mar 2 23:07:20.802: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  *Mar 2 23:07:20.802: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
  *Mar 2 23:07:20.822: ISAKMP (0:0): received packet from 217.155.113.179 dport 500 sport 500 Global (R) MM_SA_SETUP
  *Mar 2 23:07:20.822: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  *Mar 2 23:07:20.822: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
  *Mar 2 23:07:20.822: ISAKMP:(0): processing KE payload. message ID = 0
  *Mar 2 23:07:20.850: ISAKMP:(0): processing NONCE payload. message ID = 0
  *Mar 2 23:07:20.854: ISAKMP:(0):found peer pre-shared key matching 217.155.113.179
  *Mar 2 23:07:20.854: ISAKMP:(1027): processing vendor id payload
  *Mar 2 23:07:20.854: ISAKMP:(1027): vendor ID is Unity
  *Mar 2 23:07:20.854: ISAKMP:(1027): processing vendor id payload
  *Mar 2 23:07:20.854: ISAKMP:(1027): vendor ID is DPD
  *Mar 2 23:07:20.854: ISAKMP:(1027): processing vendor id payload
  *Mar 2 23:07:20.854: ISAKMP:(1027): speaking to another IOS box!
  *Mar 2 23:07:20.854: ISAKMP:received payload type 20
  *Mar 2 23:07:20.854: ISAKMP (0:1027): NAT found, the node inside NAT
  *Mar 2 23:07:20.854: ISAKMP:received payload type 20
  *Mar 2 23:07:20.854: ISAKMP:(1027):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  *Mar 2 23:07:20.854: ISAKMP:(1027):Old State = IKE_R_MM3 New State = IKE_R_MM3
  *Mar 2 23:07:20.854: ISAKMP:(1027): sending packet to 217.155.113.179 my_port 500 peer_port 500 (R) MM_KEY_EXCH
  *Mar 2 23:07:20.854: ISAKMP:(1027):Sending an IKE IPv4 Packet.
  *Mar 2 23:07:20.858: ISAKMP:(1027):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  *Mar 2 23:07:20.858: ISAKMP:(1027):Old State = IKE_R_MM3 New State = IKE_R_MM4
  *Mar 2 23:07:20.898: ISAKMP:(1024):purging SA., sa=64D5723C, delme=64D5723C
  *Mar 2 23:07:20.902: ISAKMP (0:1027): received packet from 217.155.113.179 dport 4500 sport 4500 Global (R) MM_KEY_EXCH
  *Mar 2 23:07:20.902: ISAKMP:(1027):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  *Mar 2 23:07:20.902: ISAKMP:(1027):Old State = IKE_R_MM4 New State = IKE_R_MM5
  *Mar 2 23:07:20.902: ISAKMP:(1027): processing ID payload. message ID = 0
  *Mar 2 23:07:20.902: ISAKMP (0:1027): ID payload
  next-payload : 8
  type : 1
  address : 217.155.113.179
  protocol : 17
  port : 0
  length : 12
  *Mar 2 23:07:20.902: ISAKMP:(0):: peer matches *none* of the profiles
  *Mar 2 23:07:20.906: ISAKMP:(1027): processing HASH payload. message ID = 0
  *Mar 2 23:07:20.906: ISAKMP:(1027): processing NOTIFY INITIAL_CONTACT protocol 1
  spi 0, message ID = 0, sa = 6464D3F0
  *Mar 2 23:07:20.906: ISAKMP:(1027):SA authentication status:
  authenticated
  *Mar 2 23:07:20.906: ISAKMP:(1027):SA has been authenticated with 217.155.113.179
  *Mar 2 23:07:20.906: ISAKMP:(1027):Detected port floating to port = 4500
  *Mar 2 23:07:20.906: ISAKMP: Trying to find existing peer 192.168.248.253/217.155.113.179/4500/ and found existing peer 648EAD00 to reuse, free 64960C04
  *Mar 2 23:07:20.906: ISAKMP: Unlocking peer struct 0x64960C04 Reuse existing peer, count 0
  *Mar 2 23:07:20.906: ISAKMP: Deleting peer node by peer_reap for 217.155.113.179: 64960C04
  *Mar 2 23:07:20.906: ISAKMP: Locking peer struct 0x648EAD00, refcount 2 for Reuse existing peer
  *Mar 2 23:07:20.906: ISAKMP:(1027):SA authentication status:
  authenticated
  *Mar 2 23:07:20.906: ISAKMP:(1027): Process initial contact,
  bring down existing phase 1 and 2 SA's with local 192.168.248.253 remote 217.155.113.179 remote port 4500
  *Mar 2 23:07:20.906: ISAKMP:(1026):received initial contact, deleting SA
  *Mar 2 23:07:20.906: ISAKMP:(1026):peer does not do paranoid keepalives.
  *Mar 2 23:07:20.906: ISAKMP:(1026):deleting SA reason "Receive initial contact" state (R) QM_IDLE (peer 217.155.113.179)
  *Mar 2 23:07:20.906: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.
  *Mar 2 23:07:20.906: ISAKMP:(1027):Setting UDP ENC peer struct 0x0 sa= 0x6464D3F0
  *Mar 2 23:07:20.906: ISAKMP:(1027):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  *Mar 2 23:07:20.906: ISAKMP:(1027):Old State = IKE_R_MM5 New State = IKE_R_MM5
  *Mar 2 23:07:20.910: ISAKMP: set new node -98987637 to QM_IDLE
  *Mar 2 23:07:20.910: ISAKMP:(1026): sending packet to 217.155.113.179 my_port 4500 peer_port 4500 (R) QM_IDLE
  *Mar 2 23:07:20.910: ISAKMP:(1026):Sending an IKE IPv4 Packet.
  *Mar 2 23:07:20.910: ISAKMP:(1026):purging node -98987637
  *Mar 2 23:07:20.910: ISAKMP:(1026):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
  *Mar 2 23:07:20.910: ISAKMP:(1026):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
  *Mar 2 23:07:20.910: ISAKMP:(1027):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
  *Mar 2 23:07:20.910: ISAKMP (0:1027): ID payload
  next-payload : 8
  type : 1
  address : 192.168.248.253
  protocol : 17
  port : 0
  length : 12
  *Mar 2 23:07:20.910: ISAKMP:(1027):Total payload length: 12
  *Mar 2 23:07:20.914: ISAKMP:(1027): sending packet to 217.155.113.179 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
  *Mar 2 23:07:20.914: ISAKMP:(1027):Sending an IKE IPv4 Packet.
  *Mar 2 23:07:20.914: ISAKMP:(1027):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  *Mar 2 23:07:20.914: ISAKMP:(1027):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
  *Mar 2 23:07:20.914: ISAKMP:(1026):deleting SA reason "Receive initial contact" state (R) QM_IDLE (peer 217.155.113.179)
  *Mar 2 23:07:20.914: ISAKMP: Unlocking peer struct 0x648EAD00 for isadb_mark_sa_deleted(), count 1
  *Mar 2 23:07:20.914: ISAKMP:(1026):deleting node 334747020 error FALSE reason "IKE deleted"
  *Mar 2 23:07:20.914: ISAKMP:(1026):deleting node -1580729900 error FALSE reason "IKE deleted"
  *Mar 2 23:07:20.914: ISAKMP:(1026):deleting node -893929227 error FALSE reason "IKE deleted"
  *Mar 2 23:07:20.914: ISAKMP:(1026):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  *Mar 2 23:07:20.914: ISAKMP:(1026):Old State = IKE_DEST_SA New State = IKE_DEST_SA
  *Mar 2 23:07:20.914: ISAKMP:(1027):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
  *Mar 2 23:07:20.914: ISAKMP:(1027):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
  *Mar 2 23:07:20.930: ISAKMP (0:1026): received packet from 217.155.113.179 dport 4500 sport 4500 Global (R) MM_NO_STATE
  *Mar 2 23:07:20.934: ISAKMP (0:1027): received packet from 217.155.113.179 dport 4500 sport 4500 Global (R) QM_IDLE
  *Mar 2 23:07:20.934: ISAKMP: set new node 1860263019 to QM_IDLE
  *Mar 2 23:07:20.934: ISAKMP:(1027): processing HASH payload. message ID = 1860263019
  *Mar 2 23:07:20.934: ISAKMP:(1027): processing SA payload. message ID = 1860263019
  *Mar 2 23:07:20.934: ISAKMP:(1027):Checking IPSec proposal 1
  *Mar 2 23:07:20.934: ISAKMP: transform 1, ESP_AES
  *Mar 2 23:07:20.934: ISAKMP: attributes in transform:
  *Mar 2 23:07:20.934: ISAKMP: encaps is 3 (Tunnel-UDP)
  *Mar 2 23:07:20.934: ISAKMP: SA life type in seconds
  *Mar 2 23:07:20.934: ISAKMP: SA life duration (basic) of 3600
  *Mar 2 23:07:20.934: ISAKMP: SA life type in kilobytes
  *Mar 2 23:07:20.934: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
  *Mar 2 23:07:20.934: ISAKMP: key length is 128
  *Mar 2 23:07:20.934: ISAKMP:(1027):atts are acceptable.
  *Mar 2 23:07:20.934: ISAKMP:(1027): IPSec policy invalidated proposal with error 32
  *Mar 2 23:07:20.934: ISAKMP:(1027): phase 2 SA policy not acceptable! (local 192.168.248.253 remote 217.155.113.179)
  *Mar 2 23:07:20.938: ISAKMP: set new node 1961554007 to QM_IDLE
  *Mar 2 23:07:20.938: ISAKMP:(1027):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
  spi 1688526152, message ID = 1961554007
  *Mar 2 23:07:20.938: ISAKMP:(1027): sending packet to 217.155.113.179 my_port 4500 peer_port 4500 (R) QM_IDLE
  *Mar 2 23:07:20.938: ISAKMP:(1027):Sending an IKE IPv4 Packet.
  *Mar 2 23:07:20.938: ISAKMP:(1027):purging node 1961554007
  *Mar 2 23:07:20.938: ISAKMP:(1027):deleting node 1860263019 error TRUE reason "QM rejected"
  *Mar 2 23:07:20.938: ISAKMP:(1027):Node 1860263019, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
  *Mar 2 23:07:20.938: ISAKMP:(1027):Old State = IKE_QM_READY New State = IKE_QM_READY
  *Mar 2 23:07:24.510: ISAKMP: set new node 0 to QM_IDLE
  *Mar 2 23:07:24.510: SA has outstanding requests (local 100.100.213.56 port 4500, remote 100.100.213.84 port 4500)
  *Mar 2 23:07:24.510: ISAKMP:(1027): sitting IDLE. Starting QM immediately (QM_IDLE )
  *Mar 2 23:07:24.510: ISAKMP:(1027):beginning Quick Mode exchange, M-ID of 670698820
  *Mar 2 23:07:24.510: ISAKMP:(1027):QM Initiator gets spi
  *Mar 2 23:07:24.510: ISAKMP:(1027): sending packet to 217.155.113.179 my_port 4500 peer_port 4500 (R) QM_IDLE
  *Mar 2 23:07:24.510: ISAKMP:(1027):Sending an IKE IPv4 Packet.
  *Mar 2 23:07:24.514: ISAKMP:(1027):Node 670698820, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
  *Mar 2 23:07:24.514: ISAKMP:(1027):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
  *Mar 2 23:07:24.530: ISAKMP (0:1027): received packet from 217.155.113.179 dport 4500 sport 4500 Global (R) QM_IDLE
  *Mar 2 23:07:24.534: ISAKMP: set new node 1318257670 to QM_IDLE
  *Mar 2 23:07:24.534: ISAKMP:(1027): processing HASH payload. message ID = 1318257670
  *Mar 2 23:07:24.534: ISAKMP:(1027): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
  spi 3268378219, message ID = 1318257670, sa = 6464D3F0
  *Mar 2 23:07:24.534: ISAKMP:(1027): deleting spi 3268378219 message ID = 670698820
  *Mar 2 23:07:24.534: ISAKMP:(1027):deleting node 670698820 error TRUE reason "Delete Larval"
  *Mar 2 23:07:24.534: ISAKMP:(1027):deleting node 1318257670 error FALSE reason "Informational (in) state 1"
  *Mar 2 23:07:24.534: ISAKMP:(1027):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
  *Mar 2 23:07:24.534: ISAKMP:(1027):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
  *Mar 2 23:07:40.898: ISAKMP:(1025):purging node -238086324
  *Mar 2 23:07:40.898: ISAKMP:(1025):purging node -1899972726
  *Mar 2 23:07:40.898: ISAKMP:(1025):purging node -321906720
  Router B
  debug crypto isakmp
  1d23h: ISAKMP:(0): SA request profile is (NULL)
  1d23h: ISAKMP: Created a peer struct for 37.205.62.5, peer port 500
  1d23h: ISAKMP: New peer created peer = 0x652C3B54 peer_handle = 0x80000D8C
  1d23h: ISAKMP: Locking peer struct 0x652C3B54, refcount 1 for isakmp_initiator
  1d23h: ISAKMP: local port 500, remote port 500
  1d23h: ISAKMP: set new node 0 to QM_IDLE
  1d23h: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 652CBDC4
  1d23h: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
  1d23h: ISAKMP:(0):found peer pre-shared key matching 37.205.62.5
  1d23h: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
  1d23h: ISAKMP:(0): constructed NAT-T vendor-07 ID
  1d23h: ISAKMP:(0): constructed NAT-T vendor-03 ID
  1d23h: ISAKMP:(0): constructed NAT-T vendor-02 ID
  1d23h: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
  1d23h: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
  1d23h: ISAKMP:(0): beginning Main Mode exchange
  1d23h: ISAKMP:(0): sending packet to 37.205.62.5 my_port 500 peer_port 500 (I) MM_NO_STATE
  1d23h: ISAKMP:(0):Sending an IKE IPv4 Packet.
  1d23h: ISAKMP (0:0): received packet from 37.205.62.5 dport 500 sport 500 Global (I) MM_NO_STATE
  1d23h: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  1d23h: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
  1d23h: ISAKMP:(0): processing SA payload. message ID = 0
  1d23h: ISAKMP:(0): processing vendor id payload
  1d23h: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
  1d23h: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
  1d23h: ISAKMP:(0):found peer pre-shared key matching 37.205.62.5
  1d23h: ISAKMP:(0): local preshared key found
  1d23h: ISAKMP : Scanning profiles for xauth ...
  1d23h: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
  1d23h: ISAKMP: encryption DES-CBC
  1d23h: ISAKMP: hash SHA
  1d23h: ISAKMP: default group 1
  1d23h: ISAKMP: auth pre-share
  1d23h: ISAKMP: life type in seconds
  1d23h: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
  1d23h: ISAKMP:(0):atts are acceptable. Next payload is 0
  1d23h: ISAKMP:(0):Acceptable atts:actual life: 0
  1d23h: ISAKMP:(0):Acceptable atts:life: 0
  1d23h: ISAKMP:(0):Fill atts in sa vpi_length:4
  1d23h: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
  1d23h: ISAKMP:(0):Returning Actual lifetime: 86400
  1d23h: ISAKMP:(0)::Started lifetime timer: 86400.
  1d23h: ISAKMP:(0): processing vendor id payload
  1d23h: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
  1d23h: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
  1d23h: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  1d23h: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
  1d23h: ISAKMP:(0): sending packet to 37.205.62.5 my_port 500 peer_port 500 (I) MM_SA_SETUP
  1d23h: ISAKMP:(0):Sending an IKE IPv4 Packet.
  1d23h: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  1d23h: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
  1d23h: ISAKMP (0:0): received packet from 37.205.62.5 dport 500 sport 500 Global (I) MM_SA_SETUP
  1d23h: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  1d23h: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
  1d23h: ISAKMP:(0): processing KE payload. message ID = 0
  1d23h: ISAKMP:(0): processing NONCE payload. message ID = 0
  1d23h: ISAKMP:(0):found peer pre-shared key matching 37.205.62.5
  1d23h: ISAKMP:(1034): processing vendor id payload
  1d23h: ISAKMP:(1034): vendor ID is Unity
  1d23h: ISAKMP:(1034): processing vendor id payload
  1d23h: ISAKMP:(1034): vendor ID is DPD
  1d23h: ISAKMP:(1034): processing vendor id payload
  1d23h: ISAKMP:(1034): speaking to another IOS box!
  1d23h: ISAKMP:received payload type 20
  1d23h: ISAKMP:received payload type 20
  1d23h: ISAKMP (0:1034): NAT found, the node outside NAT
  1d23h: ISAKMP:(1034):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  1d23h: ISAKMP:(1034):Old State = IKE_I_MM4 New State = IKE_I_MM4
  1d23h: ISAKMP:(1034):Send initial contact
  1d23h: ISAKMP:(1034):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
  1d23h: ISAKMP (0:1034): ID payload
  next-payload : 8
  type : 1
  address : 217.155.113.179
  protocol : 17
  port : 0
  length : 12
  1d23h: ISAKMP:(1034):Total payload length: 12
  1d23h: ISAKMP:(1034): sending packet to 37.205.62.5 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
  1d23h: ISAKMP:(1034):Sending an IKE IPv4 Packet.
  1d23h: ISAKMP:(1034):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  1d23h: ISAKMP:(1034):Old State = IKE_I_MM4 New State = IKE_I_MM5
  1d23h: ISAKMP:(1031):purging SA., sa=652D60C8, delme=652D60C8
  1d23h: ISAKMP (0:1033): received packet from 37.205.62.5 dport 4500 sport 4500 Global (I) QM_IDLE
  1d23h: ISAKMP: set new node 33481563 to QM_IDLE
  1d23h: ISAKMP:(1033): processing HASH payload. message ID = 33481563
  1d23h: ISAKMP:received payload type 18
  1d23h: ISAKMP:(1033):Processing delete with reason payload
  1d23h: ISAKMP:(1033):delete doi = 1
  1d23h: ISAKMP:(1033):delete protocol id = 1
  1d23h: ISAKMP:(1033):delete spi_size = 16
  1d23h: ISAKMP:(1033):delete num spis = 1
  1d23h: ISAKMP:(1033):delete_reason = 11
  1d23h: ISAKMP:(1033): processing DELETE_WITH_REASON payload, message ID = 33481563, reason: Unknown delete reason!
  1d23h: ISAKMP:(1033):peer does not do paranoid keepalives.
  1d23h: ISAKMP:(1033):deleting SA reason "Receive initial contact" state (I) QM_IDLE (peer 37.205.62.5)
  1d23h: ISAKMP:(1033):deleting node 33481563 error FALSE reason "Informational (in) state 1"
  1d23h: ISAKMP: set new node 1618266182 to QM_IDLE
  1d23h: ISAKMP:(1033): sending packet to 37.205.62.5 my_port 4500 peer_port 4500 (I) QM_IDLE
  1d23h: ISAKMP:(1033):Sending an IKE IPv4 Packet.
  1d23h: ISAKMP:(1033):purging node 1618266182
  1d23h: ISAKMP:(1033):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
  1d23h: ISAKMP:(1033):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
  1d23h: ISAKMP (0:1034): received packet from 37.205.62.5 dport 4500 sport 4500 Global (I) MM_KEY_EXCH
  1d23h: ISAKMP:(1034): processing ID payload. message ID = 0
  1d23h: ISAKMP (0:1034): ID payload
  next-payload : 8
  type : 1
  address : 192.168.248.253
  protocol : 17
  port : 0
  length : 12
  1d23h: ISAKMP:(0):: peer matches *none* of the profiles
  1d23h: ISAKMP:(1034): processing HASH payload. message ID = 0
  1d23h: ISAKMP:(1034):SA authentication status:
  authenticated
  1d23h: ISAKMP:(1034):SA has been authenticated with 37.205.62.5
  1d23h: ISAKMP: Trying to insert a peer 217.155.113.179/37.205.62.5/4500/, and found existing one 643BCA10 to reuse, free 652C3B54
  1d23h: ISAKMP: Unlocking peer struct 0x652C3B54 Reuse existing peer, count 0
  1d23h: ISAKMP: Deleting peer node by peer_reap for 37.205.62.5: 652C3B54
  1d23h: ISAKMP: Locking peer struct 0x643BCA10, refcount 2 for Reuse existing peer
  1d23h: ISAKMP:(1034):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  1d23h: ISAKMP:(1034):Old State = IKE_I_MM5 New State = IKE_I_MM6
  1d23h: ISAKMP:(1033):deleting SA reason "Receive initial contact" state (I) QM_IDLE (peer 37.205.62.5)
  1d23h: ISAKMP:(0):Can't decrement IKE Call Admission Control stat outgoing_active since it's already 0.
  1d23h: ISAKMP: Unlocking peer struct 0x643BCA10 for isadb_mark_sa_deleted(), count 1
  1d23h: ISAKMP:(1033):deleting node 1267924911 error FALSE reason "IKE deleted"
  1d23h: ISAKMP:(1033):deleting node 1074093103 error FALSE reason "IKE deleted"
  1d23h: ISAKMP:(1033):deleting node -183194519 error FALSE reason "IKE deleted"
  1d23h: ISAKMP:(1033):deleting node 33481563 error FALSE reason "IKE deleted"
  1d23h: ISAKMP:(1033):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  1d23h: ISAKMP:(1033):Old State = IKE_DEST_SA New State = IKE_DEST_SA
  1d23h: ISAKMP:(1034):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  1d23h: ISAKMP:(1034):Old State = IKE_I_MM6 New State = IKE_I_MM6
  1d23h: ISAKMP:(1034):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  1d23h: ISAKMP:(1034):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
  1d23h: ISAKMP:(1034):beginning Quick Mode exchange, M-ID of 1297417008
  1d23h: ISAKMP:(1034):QM Initiator gets spi
  1d23h: ISAKMP:(1034): sending packet to 37.205.62.5 my_port 4500 peer_port 4500 (I) QM_IDLE
  1d23h: ISAKMP:(1034):Sending an IKE IPv4 Packet.
  1d23h: ISAKMP:(1034):Node 1297417008, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
  1d23h: ISAKMP:(1034):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
  1d23h: ISAKMP:(1034):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
  1d23h: ISAKMP:(1034):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
  1d23h: ISAKMP (0:1034): received packet from 37.205.62.5 dport 4500 sport 4500 Global (I) QM_IDLE
  1d23h: ISAKMP: set new node -874376893 to QM_IDLE
  1d23h: ISAKMP:(1034): processing HASH payload. message ID = -874376893
  1d23h: ISAKMP:(1034): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
  spi 56853244, message ID = -874376893, sa = 652CBDC4
  1d23h: ISAKMP:(1034): deleting spi 56853244 message ID = 1297417008
  1d23h: ISAKMP:(1034):deleting node 1297417008 error TRUE reason "Delete Larval"
  1d23h: ISAKMP:(1034):deleting node -874376893 error FALSE reason "Informational (in) state 1"
  1d23h: ISAKMP:(1034):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
  1d23h: ISAKMP:(1034):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
  1d23h: ISAKMP (0:1034): received packet from 37.205.62.5 dport 4500 sport 4500 Global (I) QM_IDLE
  1d23h: ISAKMP: set new node 439453045 to QM_IDLE
  1d23h: ISAKMP:(1034): processing HASH payload. message ID = 439453045
  1d23h: ISAKMP:(1034): processing SA payload. message ID = 439453045
  1d23h: ISAKMP:(1034):Checking IPSec proposal 1
  1d23h: ISAKMP: transform 1, ESP_AES
  1d23h: ISAKMP: attributes in transform:
  1d23h: ISAKMP: encaps is 3 (Tunnel-UDP)
  1d23h: ISAKMP: SA life type in seconds
  1d23h: ISAKMP: SA life duration (basic) of 3600
  1d23h: ISAKMP: SA life type in kilobytes
  1d23h: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
  1d23h: ISAKMP: key length is 128
  1d23h: ISAKMP:(1034):atts are acceptable.
  1d23h: ISAKMP:(1034): IPSec policy invalidated proposal with error 32
  1d23h: ISAKMP:(1034): phase 2 SA policy not acceptable! (local 217.155.113.179 remote 37.205.62.5)
  1d23h: ISAKMP: set new node 1494356901 to QM_IDLE
  1d23h: ISAKMP:(1034):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
  spi 1687353736, message ID = 1494356901
  1d23h: ISAKMP:(1034): sending packet to 37.205.62.5 my_port 4500 peer_port 4500 (I) QM_IDLE
  1d23h: ISAKMP:(1034):Sending an IKE IPv4 Packet.
  1d23h: ISAKMP:(1034):purging node 1494356901
  1d23h: ISAKMP:(1034):deleting node 439453045 error TRUE reason "QM rejected"
  1d23h: ISAKMP:(1034):Node 439453045, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
  1d23h: ISAKMP:(1034):Old State = IKE_QM_READY New State = IKE_QM_READY
  1d23h: ISAKMP:(1032):purging node 1513722556
  1d23h: ISAKMP:(1032):purging node -643121396
  1d23h: ISAKMP:(1032):purging node 1350014243
  1d23h: ISAKMP:(1032):purging node 83247347

  Hi Lei , here are the 2 configs for the VPN routers. Hope it sheds some light.
  Just to add i have removed the crypto map from the fa0/1 interfaces on both routers just so i can continue my work with the GRE tunnel.
  Router A
  version 12.4
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname SERVER-RTR
  boot-start-marker
  boot-end-marker
  logging buffered 4096
  enable secret 5 $1$RihE$Po9HPkuvEHaspaD5ZC72m0
  no aaa new-model
  memory-size iomem 20
  ip cef
  no ip domain lookup
  ip multicast-routing
  multilink bundle-name authenticated
  archive
  log config
    hidekeys
  crypto isakmp policy 1
  authentication pre-share
  crypto isakmp key XXXX address 217.155.113.179
  crypto ipsec transform-set STRONG esp-aes
  crypto map S2S_VPN 10 ipsec-isakmp
  set peer 217.155.113.179
  set transform-set STRONG
  match address 101
  controller E1 1/0
  interface Tunnel0
  bandwidth 100000
  ip address 10.208.200.1 255.255.255.0
  ip mtu 1400
  ip pim dense-mode
  ip route-cache flow
  tunnel source FastEthernet0/1
  tunnel destination 217.155.113.179
  interface FastEthernet0/0
  ip address 10.208.1.10 255.255.224.0
  ip pim state-refresh origination-interval 30
  ip pim dense-mode
  ip route-cache flow
  ip igmp version 1
  duplex auto
  speed auto
  interface FastEthernet0/1
  ip address 192.168.248.253 255.255.254.0
  ip nbar protocol-discovery
  ip route-cache flow
  load-interval 60
  duplex auto
  speed auto
  router eigrp 1
  auto-summary
  router ospf 1
  log-adjacency-changes
  network 10.208.0.0 0.0.31.255 area 0
  network 10.208.200.0 0.0.0.255 area 0
  ip forward-protocol nd
  ip route 0.0.0.0 0.0.0.0 10.208.1.1
  ip route 217.155.113.179 255.255.255.255 192.168.248.1
  ip flow-export version 5
  ip flow-export destination 192.168.249.198 9996
  no ip http server
  no ip http secure-server
  access-list 101 permit gre host 192.168.248.253 host 217.155.113.179
  ROuter B
  version 12.4
  service timestamps debug uptime
  service timestamps log uptime
  no service password-encryption
  hostname BSU-RTR
  boot-start-marker
  boot-end-marker
  enable secret 5 $1$VABE$6r6dayC90o52Gb8iZZgNP/
  no aaa new-model
  memory-size iomem 25
  ip cef
  no ip domain lookup
  ip multicast-routing
  multilink bundle-name authenticated
  archive
  log config
    hidekeys
  crypto isakmp policy 1
  authentication pre-share
  crypto isakmp key XXXX address 37.205.62.5
  crypto ipsec transform-set STRONG esp-aes
  crypto map S2S_VPN 10 ipsec-isakmp
  set peer 37.205.62.5
  set transform-set STRONG
  match address 101
  controller E1 1/0
  interface Tunnel0
  bandwidth 20000
  ip address 10.208.200.2 255.255.255.0
  ip mtu 1400
  ip pim dense-mode
  tunnel source FastEthernet0/1
  tunnel destination 37.205.62.5
  interface FastEthernet0/0
  ip address 10.208.102.1 255.255.255.0
  ip helper-address 10.208.2.31
  ip pim dense-mode
  duplex auto
  speed auto
  interface FastEthernet0/1
  ip address 217.155.113.179 255.255.255.248
  ip nbar protocol-discovery
  load-interval 60
  duplex auto
  speed auto
  router ospf 1
  log-adjacency-changes
  network 10.208.102.0 0.0.0.255 area 0
  network 10.208.200.0 0.0.0.255 area 0
  ip forward-protocol nd
  ip route 0.0.0.0 0.0.0.0 10.208.200.1
  ip route 37.205.62.5 255.255.255.255 217.155.113.182
  no ip http server
  no ip http secure-server
  ip pim bidir-enable
  ip mroute 10.208.0.0 255.255.224.0 Tunnel0
  access-list 101 permit gre host 217.155.113.179 host 37.205.62.5

• Setting up site to site vpn with cisco asa 5505

  I have a cisco asa 5505 that needs to be set up for site to site vpn to a cisco asa 5500. The 5505 is the remote office and the 5500 is the main office.
  IP of remote office router is 71.37.178.142
  IP of the main office firewall is 209.117.141.82
  Can someone tell me if my config is correct, this is the first time I am setting this up and it can not be tested until I set it up at the remote office. I would rather know its correct before I go.
  ciscoasa# show run
  : Saved
  ASA Version 7.2(4)
  hostname ciscoasa
  domain-name default.domain.invalid
  enable password TMACBloMlcBsq1kp encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address dhcp setroute
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
  access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host 209.117.141.82
  access-list inside_nat0_outbound extended permit ip host 71.37.178.142 host 209.117.141.82
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-524.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set pfs group5
  crypto map outside_map 1 set peer 209.117.141.82
  crypto map outside_map 1 set transform-set ESP-AES-256-SHA
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption aes-256
  hash sha
  group 5
  lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  vpdn username [email protected] password ********* store-local
  dhcpd auto_config outside
  dhcpd address 192.168.1.2-192.168.1.129 inside
  dhcpd enable inside
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:7e338fb2bf32a9ceb89560b314a5ef6c
  : end
  ciscoasa#
  Thanks!

  Hi Mandy,
  By using following access list define Peer IP as source and destination
  access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
  you are not defining the interesting traffic / subnets from both ends.
  Make some number ACL 101 as you do not have to write the extended keyword then if you like as follows, or else NAME aCL will also work:
  access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
  access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
  access-list 101 remark CCP_ACL Category=4 access-list 101 remark IPSEC Rule
  !.1..source subnet(called local encryption domain) at your end  192.168.200.0
  !..2.and destination subnet(called remote encryption domain)at other end 192.168.100.0 !.3..I mean you have to define what subnets you need to communicate between which are behind these firewalls
  !..4...Local Subnets behind IP of the main office firewall is 209.117.141.82 say
  !...at your end  192.168.200.0
  !..5.Remote Subnets behind IP of remote office router is 71.37.178.142 say
  !...at other end 192.168.100.0
  Please use Baisc Steps as follows:
  A. Configuration in your MAIN office  having IP = 209.117.141.82  (follow step 1 to 6)
  Step 1.
  Define Crypto ACL/ mirror ACL for other end (change source to destination and destination to source in other side router or VPN device and thats why they are called mirror ACL/ or also called Proxy ID or also called Proxy ACL, your interesting traffic , that you want to encrypt / trave/enter in the tunnel)
  access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
  Step 2.
  Config ISAKMP Policy with minimum 4 parameters are to be config for
  crypto isakmp policy 10
  authentication pre-share  ---> Ist parameter of setting Authentication type ISAKMP Policy is OK
  encryption aes-256   --->2nd parameter of ISAKMP Policy is OK
  hash sha   --->  3rd parameter of ISAKMP Policy is OK
  group 5  --->  4th parameter of ISAKMP Policy is OK
  lifetime 86400  ------ >  this 5th parameter is optional , and will negotiate for the less value at either end or by default is will be taken 86400
  Step 3.
  Define Preshared key or PKI which you will use with other side Peer address 71.37.178.142, either key type 0 is Plain text anyone can see it over internet, or use key type 6 for encrypted key , say your password is CISCO123
  Here in your case in step 2 Authentication is using PSK, looks you have not defines Password
  Use following command:
  crypto isakmp key 0 CISCO123 address 71.37.178.142
  or , but not both
  crypto isakmp key 6 CISCO123 address71.37.178.142
  step 4.
  Define Transform set , which will be used for phase 2 tunnel parameters, if you use ESP it can have to sets one cor encryption and other for Authentication.
  Here is yours one:
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  this is correct but give name somthing easier to remember /distinguish it is a transform set , like TSET1 instead of ESP-AES-256-SHA ,try following (here you are using ESP so for encryption we use first set as esp-des and for authentication we use second set esp-sha-hmac)
  crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
  or
  crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
  Suppose you are using only AH then as AH does not support encryption or confidentiality hence it always use onle one set not 2 sets like ESP(remember the difference) say for example only one set for auth etc but no set for encryption hence AH have no such sets like ah-des or ah-3des or ah-aes, it has only second set for authentication like
  ah-sha-hmac or  ah-md5-hmac
  crypto ipsec transform-set TSET1 ah-sha-hmac
  or
  crypto ipsec transform-set TSET1 ah-md5-hmac
  Step 5.
  Now configure Crypto MAP as follows and only one CMPA can be applied to OUTSIDE Interface as VPN tunnel is alsways applied for traffic from inside subnets to outside subnets and only once Cryptomap can be applied to OUTSIDE Interface and hence for several VPN peers from different vendors we use seq no 10, 2 30 for different tunnels in one single CMAP:
  crypto map ipsec-isakmp
  1. Define peer -- called WHO to set tunnel with
  2. Define or call WHICH - Transform Set
  3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address
  Like in your case it is but ipsec-isakmp keyword missing in the ;ast
  crypto map outside_map 10 ipsec-isakmp
  1. set peer 209.117.141.82  -----> is correct as this is your other side peer called WHO in my step
  2. set transform-set TSET1  -----> is correct as this is WHICH, and only one transform set can be called
  !..In you case it is correct
  !...set transform-set ESP-AES-256-SHA (also correct)
  3.  match address outside_1_cryptomap  ---->Name of the extended ACL define as WHAT to pass through this tunnel
  4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)
  Step 6.
  Now apply this one crypto MAP to your OUTSIDE interface always
  interface outside
  crypto map outside_map
  Configure the same but just change ACL on other end in step one  by reversing source and destination
  and also set the peer IP of this router in other end.
  So other side config should look as follows:
  B.  Configuration in oyur Remote PEER IP having IP = 71.37.178.142 (follow step 7 to 12)
  Step 7.
  Define Crypto ACL/ mirror ACL for other end (change source to destination and destination to source in other side router or VPN device and thats why they are called mirror ACL/ or also called Proxy ID or also called Proxy ACL, your interesting traffic , that you want to encrypt / trave/enter in the tunnel)
  access-list outside_1_cryptomap extended ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
  Step 8.
  Config ISAKMP Policy with minimum 4 parameters are to be config for
  crypto isakmp policy 10
  authentication pre-share  ---> Ist parameter of setting Authentication type ISAKMP Policy is OK
  encryption aes-256   --->2nd parameter of ISAKMP Policy is OK
  hash sha   --->  3rd parameter of ISAKMP Policy is OK
  group 5  --->  4th parameter of ISAKMP Policy is OK
  lifetime 86400  ------ >  this 5th parameter is optional , and will negotiate for the less value at either end or by default is will be taken 86400
  Step 9.
  Define Preshared key or PKI which you will use with other side Peer address key type 0 is Plain text anyone can see it over internet, or use key type 6 for encrypted key , say your password is CISCO123
  Here in your case in step 8 Authentication is using PSK, looks you have not defines Password
  Use following command:
  crypto isakmp key 0 CISCO123 address 209.117.141.82
  or , but not both
  crypto isakmp key 6 CISCO123 address 209.117.141.82
  step 10.
  Define Transform set , which will be used for phase 2 tunnel parameters, if you use ESP it can have to sets one cor encryption and other for Authentication.
  Here is yours one:
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  this is correct but give name somthing easier to remember /distinguish it is a transform set , like TSET1 instead of ESP-AES-256-SHA ,try following (here you are using ESP so for encryption we use first set as esp-des and for authentication we use second set esp-sha-hmac)
  crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
  or
  crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
  Suppose you are using only AH then as AH does not support encryption or confidentiality hence it always use onle one set not 2 sets like ESP(remember the difference) say for example only one set for auth etc but no set for encryption hence AH have no such sets like ah-des or ah-3des or ah-aes, it has only second set for authentication like
  ah-sha-hmac or  ah-md5-hmac
  crypto ipsec transform-set TSET1 ah-sha-hmac
  or
  crypto ipsec transform-set TSET1 ah-md5-hmac
  Step 11.
  Now configure Crypto MAP as follows and only one CMPA can be applied to OUTSIDE Interface as VPN tunnel is alsways applied for traffic from inside subnets to outside subnets and only once Cryptomap can be applied to OUTSIDE Interface and hence for several VPN peers from different vendors we use seq no 10, 2 30 for different tunnels in one single CMAP:
  crypto map    ipsec-isakmp
  1. Define peer -- called WHO to set tunnel with
  2. Define or call WHICH - Transform Set, only one is permissible
  3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address
  Like in your case it is but ipsec-isakmp keyword missing in the ;ast
  crypto map outside_map 10 ipsec-isakmp
  1. set peer 209.117.141.82  -----> is correct as this is your other side peer called WHO in my step
  2. set transform-set TSET1  -----> is correct as this is WHICH, and only one transform set can be called
  !..In you case it is correct
  !...set transform-set ESP-AES-256-SHA (also correct)
  3.  match address outside_1_cryptomap  ---->Name of the extended ACL define as WHAT to pass through this tunnel
  4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)
  Step 12.
  Now apply this one crypto MAP to your OUTSIDE interface always
  interface outside
  crypto map outside_map
  Now initite a ping
  Here is for your summary:
  IPSec: Site to Site - Routers
  Configuration Steps
  Phase 1
  Step 1: Configure Mirrored ACL/Crypto ACL       for Interesting Traffic
  Step 2: Configure ISAKMP Policy
  Step 3: Configure ISAKMP Key
  Phase 2
  Step 4: Configure Transform Set
  Step 5: Configure Crypto Map
  Step 6: Apply Crypto Map to an Interface
  To debug for Phase 1 and Phase 2. Store it in buffer without displaying logs on terminal.
  Router#debug crpyto isakmp
  Router#debug crpyto ipsec
  Router(config)# logging buffer 7
  Router(config)# logging buffer 99999
  Router(config)# logging console 6
  Router# clear logging
  Configuration
  In R1:
  (config)# access-list 101 permit ipo host 10.1.1.1 host      10.1.2.1
  (config)# crypto isakmp policy 10
  (config-policy)# encryption 3des
  (config-policy)# authentication pre-share
  (config-policy)# group 2
  (config-policy)# hash sha1
  (config)# crypto isakmp key 0 cisco address 2.2.2.1
  (config)# crypto ipsec transform-set TSET esp-3des      sha-aes-hmac
  (config)# crypto map CMAP 10 ipsec-isakmp
  (config-crypto-map)# set peer 2.2.2.1
  (config-crypto-map)# match address 101
  (config-crypto-map)# set transform-set TSET
  (config)# int f0/0
  (config-if)# crypto map CMAP
  Similarly in R2
  Verification Commands
  #show crypto isakmp SA
  #show crypto ipsec SA
  Change to Transport Mode, add the following command in Step 4:
  (config-tranform-set)# mode transport
  Even after  doing this change, the ipsec negotiation will still be done through  tunnel mode if pinged from Loopback to Loopback. To overcome this we  make changes to ACL.
  Change to Aggressive Mode, replace the Step 3 command with these commands in R1:
  (config)# crypto isakmp peer address 2.2.2.1
  (config-peer)# set aggressive-mode password cisco
  (config-peer)# set aggressive-mode clien-endpoint       ipv4-address 2.2.2.1
  Similarly on R2.
  The below process is for the negotiation using RSA-SIG (PKI) as authentication type
  Debug Process:
  After  we debug, we can see the negotiation between the two peers. The first  packet of the interesting traffic triggers the ISAKMP (Phase1)  negotiation. Important messages are marked in BOLD and explanation in  RED
  R2(config)#do ping 10.1.1.1 so lo0 // Interesting Traffic
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
  Packet sent with a source address of 2.2.2.2
  Mar  2 16:18:42.939: ISAKMP:(0): SA request profile is (NULL) //  Router tried to find any IPSec SA matching the outgoing connection but  no valid SA has been found in Security Association Database (SADB)
  Mar  2 16:18:42.939: ISAKMP: Created a peer struct for 20.1.1.10, peer port 500
  Mar  2 16:18:42.939: ISAKMP: New peer created peer = 0x46519678 peer_handle = 0x8000000D
  Mar  2 16:18:42.939: ISAKMP: Locking peer struct 0x46519678, refcount 1 for isakmp_initiator
  Mar  2 16:18:42.939: ISAKMP: local port 500, remote port 500
  Mar  2 16:18:42.939: ISAKMP: set new node 0 to QM_IDLE    
  Mar  2 16:18:42.939: ISAKMP:(0):insert sa successfully sa = 4542B818
  Mar  2 16:18:42.939: ISAKMP:(0):Can not start Aggressive mode, trying Main mode. // Not an error. By default it is configured for Main Mode
  Mar  2 16:18:42.939: ISAKMP:(0):No pre-shared key with 20.1.1.10! // Since we are using RSA Signature, this message. If we use pre-share, this is where it would indicate so!
  Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
  Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-07 ID
  Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-03 ID
  Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-02 ID
  Mar  2 16:18:42.939: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
  Mar  2 16:18:42.939: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
  Mar  2 16:18:42.943: ISAKMP:(0): beginning Main Mode exchange
  Mar  2 16:18:42.943: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_NO_STATE // Sending ISAKMP Policy to peer
  Mar  2 16:18:42.943: ISAKMP:(0):Sending an IKE IPv4 Packet.
  Mar  2 16:18:42.943: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_NO_STATE // Sending ISAKMP Policy to peer
  Mar  2 16:18:42.947: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  Mar  2 16:18:42.947: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
  Mar  2 16:18:42.947: ISAKMP:(0): processing SA payload. message ID = 0
  Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
  Mar  2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch // Do not worry about this! Not an ERROR!
  Mar  2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
  Mar  2 16:18:42.947:.!!!!
  Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
  R2(config)# ISAKMP:(0): processing vendor id payload
  Mar  2 16:18:42.947: ISAKMP:(0): processing IKE frag vendor id payload
  Mar  2 16:18:42.947: ISAKMP:(0):Support for IKE Fragmentation not enabled
  Mar  2 16:18:42.947: ISAKMP : Scanning profiles for xauth ...
  Mar  2 16:18:42.947: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
  Mar  2 16:18:42.947: ISAKMP:      encryption 3DES-CBC
  Mar  2 16:18:42.947: ISAKMP:      hash SHA
  Mar  2 16:18:42.947: ISAKMP:      default group 2
  Mar  2 16:18:42.947: ISAKMP:      auth RSA sig
  Mar  2 16:18:42.947: ISAKMP:      life type in seconds
  Mar  2 16:18:42.947: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
  Mar  2 16:18:42.947: ISAKMP:(0):atts are acceptable. Next payload is 0
  Mar  2 16:18:42.947: ISAKMP:(0):Acceptable atts:actual life: 0
  Mar  2 16:18:42.947: ISAKMP:(0):Acceptable atts:life: 0
  Mar  2 16:18:42.947: ISAKMP:(0):Fill atts in sa vpi_length:4
  Mar  2 16:18:42.947: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
  Mar  2 16:18:42.947: ISAKMP:(0):Returning Actual lifetime: 86400
  Mar  2 16:18:42.947: ISAKMP:(0)::Started lifetime timer: 86400.
  Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
  Mar  2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
  Mar  2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
  Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
  Mar  2 16:18:42.951: ISAKMP:(0): processing IKE frag vendor id payload
  Mar  2 16:18:42.951: ISAKMP:(0):Support for IKE Fragmentation not enabled
  Mar  2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  Mar  2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
  Mar  2 16:18:42.951: ISAKMP (0): constructing CERT_REQ for issuer cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
  Mar  2 16:18:42.951: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_SA_SETUP // Sending Key Exchange Information to peer
  Mar  2 16:18:42.951: ISAKMP:(0):Sending an IKE IPv4 Packet.
  Mar  2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  Mar  2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
  Mar  2 16:18:42.955: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_SA_SETUP // Receive key exchange information from peer
  Mar  2 16:18:42.955: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  Mar  2 16:18:42.955: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
  Mar  2 16:18:42.959: ISAKMP:(0): processing KE payload. message ID = 0
  Mar  2 16:18:43.003: ISAKMP:(0): processing NONCE payload. message ID = 0
  Mar  2 16:18:43.007: ISAKMP:(1008): processing CERT_REQ payload. message ID = 0
  Mar  2 16:18:43.007: ISAKMP:(1008): peer wants a CT_X509_SIGNATURE cert
  Mar  2 16:18:43.007: ISAKMP:(1008): peer wants cert issued by cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
  Mar  2 16:18:43.007:  Choosing trustpoint CA_Server as issuer
  Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
  Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID is Unity
  Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
  Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID seems Unity/DPD but major 180 mismatch
  Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID is XAUTH
  Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
  Mar  2 16:18:43.007: ISAKMP:(1008): speaking to another IOS box!
  Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
  Mar  2 16:18:43.007: ISAKMP:(1008):vendor ID seems Unity/DPD but hash mismatch
  Mar  2 16:18:43.007: ISAKMP:received payload type 20
  Mar  2 16:18:43.007: ISAKMP (1008): His hash no match - this node outside NAT
  Mar  2 16:18:43.007: ISAKMP:received payload type 20
  Mar  2 16:18:43.007: ISAKMP (1008): No NAT Found for self or peer
  Mar  2 16:18:43.007: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  Mar  2 16:18:43.007: ISAKMP:(1008):Old State = IKE_I_MM4  New State = IKE_I_MM4
  Mar  2 16:18:43.011: ISAKMP:(1008):Send initial contact
  Mar  2 16:18:43.011: ISAKMP:(1008):My ID configured as IPv4 Addr, but Addr not in Cert!
  Mar  2 16:18:43.011: ISAKMP:(1008):Using FQDN as My ID
  Mar  2 16:18:43.011: ISAKMP:(1008):SA is doing RSA signature authentication using id type ID_FQDN
  Mar  2 16:18:43.011: ISAKMP (1008): ID payload
            next-payload : 6
            type         : 2
            FQDN name    : R2
            protocol     : 17
            port         : 500
            length       : 10
  Mar  2 16:18:43.011: ISAKMP:(1008):Total payload length: 10
  Mar  2 16:18:43.019: ISAKMP (1008): constructing CERT payload for hostname=R2+serialNumber=FHK1502F2H8
  Mar  2 16:18:43.019: ISAKMP:(1008): using the CA_Server trustpoint's keypair to sign
  Mar  2 16:18:43.035: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_KEY_EXCH
  Mar  2 16:18:43.035: ISAKMP:(1008):Sending an IKE IPv4 Packet.
  Mar  2 16:18:43.035: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  Mar  2 16:18:43.035: ISAKMP:(1008):Old State = IKE_I_MM4  New State = IKE_I_MM5
  Mar  2 16:18:43.047: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_KEY_EXCH
  // "MM_KEY_EXCH" indicates that the peers have exchanged DH Public keys and generated a shared secret!
  Mar  2 16:18:43.047: ISAKMP:(1008): processing ID payload. message ID = 0
  Mar  2 16:18:43.047: ISAKMP (1008): ID payload
            next-payload : 6
            type         : 2
            FQDN name    : ASA1
            protocol     : 0
            port         : 0
            length       : 12
  Mar  2 16:18:43.047: ISAKMP:(0):: peer matches *none* of the profiles // Normal Message! Not an error!
  Mar  2 16:18:43.047: ISAKMP:(1008): processing CERT payload. message ID = 0
  Mar  2 16:18:43.047: ISAKMP:(1008): processing a CT_X509_SIGNATURE cert
  Mar  2 16:18:43.051: ISAKMP:(1008): peer's pubkey isn't cached
  Mar  2 16:18:43.059: ISAKMP:(1008): Unable to get DN from certificate!
  Mar  2 16:18:43.059: ISAKMP:(1008): Cert presented by peer contains no OU field.
  Mar  2 16:18:43.059: ISAKMP:(0):: peer matches *none* of the profiles
  Mar  2 16:18:43.063: ISAKMP:(1008): processing SIG payload. message ID = 0
  Mar  2 16:18:43.067: ISAKMP:received payload type 17
  Mar  2 16:18:43.067: ISAKMP:(1008): processing vendor id payload
  Mar  2 16:18:43.067: ISAKMP:(1008): vendor ID is DPD
  Mar  2 16:18:43.067: ISAKMP:(1008):SA authentication status:
            authenticated
  Mar  2 16:18:43.067: ISAKMP:(1008):SA has been authenticated with 20.1.1.10
  Mar  2 16:18:43.067: ISAKMP: Trying to insert a peer 40.1.1.1/20.1.1.10/500/,  and inserted successfully 46519678. // SA inserted into SADB
  Mar  2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  Mar  2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM5  New State = IKE_I_MM6
  Mar  2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  Mar  2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM6  New State = IKE_I_MM6
  Mar  2 16:18:43.071: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  Mar  2 16:18:43.071: ISAKMP:(1008):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
  Mar  2 16:18:43.071: ISAKMP:(1008):beginning Quick Mode exchange, M-ID of -1523793378
  Mar  2 16:18:43.071: ISAKMP:(1008):QM Initiator gets spi
  Mar  2 16:18:43.075: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE    
  Mar  2 16:18:43.075: ISAKMP:(1008):Sending an IKE IPv4 Packet.
  Mar  2 16:18:43.075: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
  Mar  2 16:18:43.075: ISAKMP:(1008):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
  Mar  2 16:18:43.075: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
  Mar  2 16:18:43.075: ISAKMP:(1008):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
  Mar  2 16:18:43.079: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) QM_IDLE // IPSec Policies
  Mar  2 16:18:43.079: ISAKMP:(1008): processing HASH payload. message ID = -1523793378
  Mar  2 16:18:43.079: ISAKMP:(1008): processing SA payload. message ID = -1523793378
  Mar  2 16:18:43.079: ISAKMP:(1008):Checking IPSec proposal 1
  Mar  2 16:18:43.079: ISAKMP: transform 1, ESP_3DES
  Mar  2 16:18:43.079: ISAKMP:   attributes in transform:
  Mar  2 16:18:43.079: ISAKMP:      SA life type in seconds
  Mar  2 16:18:43.079: ISAKMP:      SA life duration (basic) of 3600
  Mar  2 16:18:43.079: ISAKMP:      SA life type in kilobytes
  Mar  2 16:18:43.079: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
  Mar  2 16:18:43.079: ISAKMP:      encaps is 1 (Tunnel)
  Mar  2 16:18:43.079: ISAKMP:      authenticator is HMAC-SHA
  Mar  2 16:18:43.079: ISAKMP:(1008):atts are acceptable. // IPSec attributes are acceptable!
  Mar  2 16:18:43.079: ISAKMP:(1008): processing NONCE payload. message ID = -1523793378
  Mar  2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
  Mar  2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
  Mar  2 16:18:43.083: ISAKMP:(1008): Creating IPSec SAs
  Mar  2 16:18:43.083:         inbound SA from 20.1.1.10 to 40.1.1.1 (f/i)  0/ 0
            (proxy 1.1.1.1 to 2.2.2.2)
  Mar  2 16:18:43.083:         has spi 0xA9A66D46 and conn_id 0
  Mar  2 16:18:43.083:         lifetime of 3600 seconds
  Mar  2 16:18:43.083:         lifetime of 4608000 kilobytes
  Mar  2 16:18:43.083:         outbound SA from 40.1.1.1 to 20.1.1.10 (f/i) 0/0
            (proxy 2.2.2.2 to 1.1.1.1)
  Mar  2 16:18:43.083:         has spi  0x2B367FB4 and conn_id 0
  Mar  2 16:18:43.083:         lifetime of 3600 seconds
  Mar  2 16:18:43.083:         lifetime of 4608000 kilobytes
  Mar  2 16:18:43.083: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE    
  Mar  2 16:18:43.083: ISAKMP:(1008):Sending an IKE IPv4 Packet.
  Mar  2 16:18:43.083: ISAKMP:(1008):deleting node -1523793378 error FALSE reason "No Error"
  Mar  2 16:18:43.083: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
  Mar  2 16:18:43.083: ISAKMP:(1008):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE // At this point tunnels are up and ready to pass traffic!
  Verification Commands
  #show crypto isakmp SA
  #show crypto ipsec SA
  Kindly rate if you find the explanation useful !!
  Best Regards
  Sachin Garg

• ASA 5505 Site to Site VPN rekey

  I have a5505 configured to support a number of site to site links. One of these has a problem with rekeying. Running debug I see the entres:
  Dec 04 10:37:58 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, Starting phase 1 rekey
  Dec 04 10:37:58 [IKEv1]: IP = AAA.AAA.AAA.AAA, IKE Initiator: Rekeying Phase 1, Intf Servers, IKE Peer XXX.XXX.XXX.XXX  local Proxy Address N/A, remote Proxy Address N/A,  Crypto map (N/A)
  The VPN is not configured on the Interface Servers but on another Interface (outside). It has been completely rebuilt recently. Is this a problem or a ghost of some sort?

  Ok, symptoms are that the Phase1 rekey ss started early (18 hours rather than full 24 specified). Rekey always fails, but VPN immediately rebuilds without error.
  Phase 1 is AES-256, Preshared keys, Hash SHA1 DH Group2 Rekey 86400 seconds.
  Logs at 100:
  Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, Starting phase 1 rekey
  Dec 14 02:09:45 [IKEv1]: IP = AAA.AAA.AAA.AAA, IKE Initiator: Rekeying Phase 1, I
  ntf Servers, IKE Peer AAA.AAA.AAA.AAA  local Proxy Address N/A, remote Proxy Addr
  ess N/A,  Crypto map (N/A)
  Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, constructing ISAKMP SA paylo
  ad
  Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, constructing NAT-Traversal V
  ID ver 02 payload
  Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, constructing NAT-Traversal V
  ID ver 03 payload
  Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, constructing NAT-Traversal V
  ID ver RFC payload
  Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, constructing Fragmentation V
  ID + extended capabilities payload
  Dec 14 02:09:45 [IKEv1]: IP = AAA.AAA.AAA.AAA, IKE_DECODE SENDING Message (msgid=
  0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VEND
  OR (13) + NONE (0) total length : 172
  Dec 14 02:09:45 [IKEv1]: IP = AAA.AAA.AAA.AAA, IKE_DECODE RECEIVED Message (msgid
  =0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VEN
  DOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) tota
  l length : 260
  Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, processing SA payload
  Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, Oakley proposal is acceptabl
  e
  Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, processing VID payload
  Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, Received DPD VID
  Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, processing VID payload
  Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, processing VID payload
  Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, processing VID payload
  Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, processing VID payload
  Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, processing VID payload
  Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, processing VID payload
  Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, Received NAT-Traversal ver 0
  2 VID
  Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, processing VID payload
  Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, Received NAT-Traversal ver 0
  3 VID
  Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, constructing ke payload
  Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, constructing nonce payload
  Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, constructing Cisco Unity VID
  payload
  Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, constructing xauth V6 VID pa
  yload
  Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, Send IOS VID
  Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, Constructing ASA spoofing IO
  S Vendor ID payload (version: 1.0.0, capabilities: 20000409)
  Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, constructing VID payload
  Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, Send Altiga/Cisco VPN3000/Ci
  sco ASA GW VID
  Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, constructing NAT-Discovery p
  ayload
  Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, computing NAT Discovery hash
  Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, constructing NAT-Discovery p
  ayload
  Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, computing NAT Discovery hash
  Dec 14 02:09:45 [IKEv1]: IP = AAA.AAA.AAA.AAA, IKE_DECODE SENDING Message (msgid=
  0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDO
  R (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
  Dec 14 02:09:45 [IKEv1]: IP = AAA.AAA.AAA.AAA, IKE_DECODE RECEIVED Message (msgid
  =a62822cf) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length
  : 80
  The VPN then rebuild normally as far as I can see.

• Remote Access VPN with existing site-to-site tunnel

  Hi there!
  I have successfully configured my Cisco router to create a VPN tunnel to Azure. This is working fine. Now I am trying to add a remote access VPN for clients. I want to use IPsec and not PPTP.
  I'm not a networking guy, but from what I've read, you basically need to add a dynamic crypto map for the remote access VPN to the crypto map on the external interface (AzureCryptoMap in this case). I've read that the dynamic crypto map should be applied after the non-dynamic maps.
  The problem is that the VPN clients do not successfully negotiate phase 1. It's almost like the router does not try the dynamic map. I have tried specifying it to come ahead of the static crypto map policy, but this doesn't change anything. Here is some output from the debugging ipsec and isakmp:
  murasaki#
  *Oct 6 08:06:43: ISAKMP (0): received packet from 1.158.149.255 dport 500 sport 500 Global (N) NEW SA
  *Oct 6 08:06:43: ISAKMP: Created a peer struct for 1.158.149.255, peer port 500
  *Oct 6 08:06:43: ISAKMP: New peer created peer = 0x87B97490 peer_handle = 0x80000082
  *Oct 6 08:06:43: ISAKMP: Locking peer struct 0x87B97490, refcount 1 for crypto_isakmp_process_block
  *Oct 6 08:06:43: ISAKMP: local port 500, remote port 500
  *Oct 6 08:06:43: ISAKMP:(0):insert sa successfully sa = 886954D0
  *Oct 6 08:06:43: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  *Oct 6 08:06:43: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
  *Oct 6 08:06:43: ISAKMP:(0): processing SA payload. message ID = 0
  *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
  *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
  *Oct 6 08:06:43: ISAKMP (0): vendor ID is NAT-T RFC 3947
  *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
  *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 198 mismatch
  *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
  *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 29 mismatch
  *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
  *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
  *Oct 6 08:06:43: ISAKMP (0): vendor ID is NAT-T v7
  *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
  *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 114 mismatch
  *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
  *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 227 mismatch
  *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
  *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 250 mismatch
  *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
  *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
  *Oct 6 08:06:43: ISAKMP:(0): vendor ID is NAT-T v3
  *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
  *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
  *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
  *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
  *Oct 6 08:06:43: ISAKMP:(0): vendor ID is NAT-T v2
  *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
  *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 242 mismatch
  *Oct 6 08:06:43: ISAKMP:(0): vendor ID is XAUTH
  *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
  *Oct 6 08:06:43: ISAKMP:(0): vendor ID is Unity
  *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
  *Oct 6 08:06:43: ISAKMP:(0): processing IKE frag vendor id payload
  *Oct 6 08:06:43: ISAKMP:(0):Support for IKE Fragmentation not enabled
  *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
  *Oct 6 08:06:43: ISAKMP:(0): vendor ID is DPD
  *Oct 6 08:06:43: ISAKMP:(0):No pre-shared key with 1.158.149.255!
  *Oct 6 08:06:43: ISAKMP : Scanning profiles for xauth ... Client-VPN
  *Oct 6 08:06:43: ISAKMP:(0): Authentication by xauth preshared
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
  *Oct 6 08:06:43: ISAKMP: keylength of 256
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash SHA
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
  *Oct 6 08:06:43: ISAKMP: keylength of 128
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash SHA
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
  *Oct 6 08:06:43: ISAKMP: keylength of 256
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash MD5
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
  *Oct 6 08:06:43: ISAKMP: keylength of 128
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash MD5
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash SHA
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash MD5
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption DES-CBC
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash SHA
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption DES-CBC
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash MD5
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 0
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 1 against priority 2 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
  *Oct 6 08:06:43: ISAKMP: keylength of 256
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash SHA
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 2 against priority 2 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
  *Oct 6 08:06:43: ISAKMP: keylength of 128
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash SHA
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 3 against priority 2 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
  *Oct 6 08:06:43: ISAKMP: keylength of 256
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash MD5
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 4 against priority 2 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
  *Oct 6 08:06:43: ISAKMP: keylength of 128
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash MD5
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 5 against priority 2 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash SHA
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 6 against priority 2 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash MD5
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 7 against priority 2 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption DES-CBC
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash SHA
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 8 against priority 2 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption DES-CBC
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash MD5
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 0
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
  *Oct 6 08:06:43: ISAKMP: keylength of 256
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash SHA
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
  *Oct 6 08:06:43: ISAKMP: keylength of 128
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash SHA
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Proposed key length does not match policy
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
  *Oct 6 08:06:43: ISAKMP: keylength of 256
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash MD5
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
  *Oct 6 08:06:43: ISAKMP: keylength of 128
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash MD5
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash SHA
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 6 against priority 10 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash MD5
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 7 against priority 10 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption DES-CBC
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash SHA
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 8 against priority 10 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption DES-CBC
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash MD5
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 0
  *Oct 6 08:06:43: ISAKMP:(0):no offers accepted!
  *Oct 6 08:06:43: ISAKMP:(0): phase 1 SA policy not acceptable! (local x.x.x.x remote 1.158.149.255)
  *Oct 6 08:06:43: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
  *Oct 6 08:06:43: ISAKMP:(0): Failed to construct AG informational message.
  *Oct 6 08:06:43: ISAKMP:(0): sending packet to 1.158.149.255 my_port 500 peer_port 500 (R) MM_NO_STATE
  *Oct 6 08:06:43: ISAKMP:(0):Sending an IKE IPv4 Packet.
  *Oct 6 08:06:43: ISAKMP:(0):peer does not do paranoid keepalives.
  *Oct 6 08:06:43: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 1.158.149.255)
  *Oct 6 08:06:43: ISAKMP (0): FSM action returned error: 2
  *Oct 6 08:06:43: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  *Oct 6 08:06:43: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
  *Oct 6 08:06:43: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 1.158.149.255)
  *Oct 6 08:06:43: ISAKMP: Unlocking peer struct 0x87B97490 for isadb_mark_sa_deleted(), count 0
  *Oct 6 08:06:43: ISAKMP: Deleting peer node by peer_reap for 1.158.149.255: 87B97490
  *Oct 6 08:06:43: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
  *Oct 6 08:06:43: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_DEST_SA
  *Oct 6 08:06:43: IPSEC(key_engine): got a queue event with 1 KMI message(s)
  *Oct 6 08:06:47: ISAKMP (0): received packet from 1.158.149.255 dport 500 sport 500 Global (R) MM_NO_STATEmurasaki#
  *Oct 6 08:06:43: ISAKMP (0): received packet from 1.158.149.255 dport 500 sport 500 Global (N) NEW SA
  *Oct 6 08:06:43: ISAKMP: Created a peer struct for 1.158.149.255, peer port 500
  *Oct 6 08:06:43: ISAKMP: New peer created peer = 0x87B97490 peer_handle = 0x80000082
  *Oct 6 08:06:43: ISAKMP: Locking peer struct 0x87B97490, refcount 1 for crypto_isakmp_process_block
  *Oct 6 08:06:43: ISAKMP: local port 500, remote port 500
  *Oct 6 08:06:43: ISAKMP:(0):insert sa successfully sa = 886954D0
  *Oct 6 08:06:43: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  *Oct 6 08:06:43: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
  If I specify my key like a site-to-site VPN key like this:
  crypto isakmp key xxx address 0.0.0.0
  Then it does complete phase 1 (and then fails to find the client configuration). This suggests to me that the dynamic map is not being tried.
  Configuration:
  ! Last configuration change at 07:55:02 AEDT Mon Oct 6 2014 by timothy
  version 15.2
  no service pad
  service timestamps debug datetime localtime
  service timestamps log datetime localtime
  service password-encryption
  no service dhcp
  hostname murasaki
  boot-start-marker
  boot-end-marker
  logging buffered 51200 warnings
  aaa new-model
  aaa authentication login client_vpn_authentication local
  aaa authorization network default local
  aaa authorization network client_vpn_authorization local
  aaa session-id common
  wan mode dsl
  clock timezone AEST 10 0
  clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
  ip inspect name normal_traffic tcp
  ip inspect name normal_traffic udp
  ip domain name router.xxx
  ip name-server xxx
  ip name-server xxx
  ip cef
  ipv6 unicast-routing
  ipv6 cef
  crypto pki trustpoint TP-self-signed-591984024
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-591984024
  revocation-check none
  rsakeypair TP-self-signed-591984024
  crypto pki trustpoint TP-self-signed-4045734018
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-4045734018
  revocation-check none
  rsakeypair TP-self-signed-4045734018
  crypto pki certificate chain TP-self-signed-591984024
  crypto pki certificate chain TP-self-signed-4045734018
  object-group network CLOUD_SUBNETS
  description Azure subnet
  172.16.0.0 255.252.0.0
  object-group network INTERNAL_LAN
  description All Internal subnets which should be allowed out to the Internet
  192.168.1.0 255.255.255.0
  192.168.20.0 255.255.255.0
  username timothy privilege 15 secret 5 xxx
  controller VDSL 0
  ip ssh version 2
  no crypto isakmp default policy
  crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
  lifetime 3600
  crypto isakmp policy 2
  encr 3des
  hash md5
  authentication pre-share
  group 2
  lifetime 3600
  crypto isakmp policy 10
  encr aes 256
  authentication pre-share
  group 2
  lifetime 28800
  crypto isakmp key xxx address xxxx no-xauth
  crypto isakmp client configuration group VPN_CLIENTS
  key xxx
  dns 192.168.1.24 192.168.1.20
  domain xxx
  pool Client-VPN-Pool
  acl CLIENT_VPN
  crypto isakmp profile Client-VPN
  description Remote Client IPSec VPN
  match identity group VPN_CLIENTS
  client authentication list client_vpn_authentication
  isakmp authorization list client_vpn_authorization
  client configuration address respond
  crypto ipsec transform-set AzureIPSec esp-aes 256 esp-sha-hmac
  mode tunnel
  crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
  mode tunnel
  crypto dynamic-map ClientVPNCryptoMap 1
  set transform-set TRANS_3DES_SHA
  set isakmp-profile Client-VPN
  reverse-route
  qos pre-classify
  crypto map AzureCryptoMap 12 ipsec-isakmp
  set peer xxxx
  set security-association lifetime kilobytes 102400000
  set transform-set AzureIPSec
  match address AzureEastUS
  crypto map AzureCryptoMap 65535 ipsec-isakmp dynamic ClientVPNCryptoMap
  bridge irb
  interface ATM0
  mtu 1492
  no ip address
  no atm ilmi-keepalive
  pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
  interface Ethernet0
  no ip address
  shutdown
  interface FastEthernet0
  switchport mode trunk
  no ip address
  interface FastEthernet1
  no ip address
  spanning-tree portfast
  interface FastEthernet2
  switchport mode trunk
  no ip address
  spanning-tree portfast
  interface FastEthernet3
  no ip address
  interface GigabitEthernet0
  switchport mode trunk
  no ip address
  interface GigabitEthernet1
  no ip address
  shutdown
  duplex auto
  speed auto
  interface Vlan1
  description Main LAN
  ip address 192.168.1.97 255.255.255.0
  ip nat inside
  ip virtual-reassembly in
  ip tcp adjust-mss 1452
  interface Dialer1
  mtu 1492
  ip address negotiated
  ip access-group PORTS_ALLOWED_IN in
  ip flow ingress
  ip inspect normal_traffic out
  ip nat outside
  ip virtual-reassembly in
  encapsulation ppp
  ip tcp adjust-mss 1350
  dialer pool 1
  dialer-group 1
  ipv6 address autoconfig
  ipv6 enable
  ppp chap hostname xxx
  ppp chap password 7 xxx
  ppp ipcp route default
  no cdp enable
  crypto map AzureCryptoMap
  ip local pool Client-VPN-Pool 192.168.20.10 192.168.20.15
  no ip forward-protocol nd
  no ip http server
  no ip http secure-server
  ip nat translation timeout 360
  ip nat inside source list SUBNETS_AND_PROTOCOLS_ALLOWED_OUT interface Dialer1 overload
  ip nat inside source static tcp 192.168.1.43 55663 interface Dialer1 55663
  ip nat inside source static tcp 192.168.1.43 22 interface Dialer1 22
  ip nat inside source static udp 192.168.1.43 55663 interface Dialer1 55663
  ip access-list extended AzureEastUS
  permit ip 192.168.20.0 0.0.0.255 172.16.0.0 0.15.255.255
  permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.15.255.255
  ip access-list extended CLIENT_VPN
  permit ip 172.16.0.0 0.0.0.255 192.168.20.0 0.0.0.255
  permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255
  ip access-list extended PORTS_ALLOWED_IN
  remark List of ports which are allowed IN
  permit gre any any
  permit esp any any
  permit udp any any eq non500-isakmp
  permit udp any any eq isakmp
  permit tcp any any eq 55663
  permit udp any any eq 55663
  permit tcp any any eq 22
  permit tcp any any eq 5723
  permit tcp any any eq 1723
  permit tcp any any eq 443
  permit icmp any any echo-reply
  permit icmp any any traceroute
  permit icmp any any port-unreachable
  permit icmp any any time-exceeded
  deny ip any any
  ip access-list extended SUBNETS_AND_PROTOCOLS_ALLOWED_OUT
  deny tcp object-group INTERNAL_LAN any eq smtp
  deny ip object-group INTERNAL_LAN object-group CLOUD_SUBNETS
  permit tcp object-group INTERNAL_LAN any
  permit udp object-group INTERNAL_LAN any
  permit icmp object-group INTERNAL_LAN any
  deny ip any any
  mac-address-table aging-time 16
  no cdp run
  ipv6 route ::/0 Dialer1
  route-map NoNAT permit 10
  match ip address AzureEastUS CLIENT_VPN
  route-map NoNAT permit 15
  banner motd Welcome to Murasaki
  line con 0
  privilege level 15
  no modem enable
  line aux 0
  line vty 0
  privilege level 15
  no activation-character
  transport preferred none
  transport input ssh
  line vty 1 4
  privilege level 15
  transport input ssh
  scheduler max-task-time 5000
  scheduler allocate 60000 1000
  ntp update-calendar
  ntp server au.pool.ntp.org
  end
  Any ideas on what I'm doing wrong?

  Hi Marius,
  I finally managed to try with the official Cisco VPN client on Windows. It still fails at phase 1, but now talks about 'aggressive mode', which didn't seem to be mentioned in the previous logs. Any ideas?
  *Oct  9 20:43:16: ISAKMP (0): received packet from 192.168.1.201 dport 500 sport 49727 Global (N) NEW SA
  *Oct  9 20:43:16: ISAKMP: Created a peer struct for 192.168.1.201, peer port 49727
  *Oct  9 20:43:16: ISAKMP: New peer created peer = 0x878329F0 peer_handle = 0x80000087
  *Oct  9 20:43:16: ISAKMP: Locking peer struct 0x878329F0, refcount 1 for crypto_isakmp_process_block
  *Oct  9 20:43:16: ISAKMP: local port 500, remote port 49727
  *Oct  9 20:43:16: ISAKMP:(0):insert sa successfully sa = 886697E0
  *Oct  9 20:43:16: ISAKMP:(0): processing SA payload. message ID = 0
  *Oct  9 20:43:16: ISAKMP:(0): processing ID payload. message ID = 0
  *Oct  9 20:43:16: ISAKMP (0): ID payload
      next-payload : 13
      type         : 11
      group id     : timothy
      protocol     : 17
      port         : 500
      length       : 15
  *Oct  9 20:43:16: ISAKMP:(0):: peer matches *none* of the profiles
  *Oct  9 20:43:16: ISAKMP:(0): processing vendor id payload
  *Oct  9 20:43:16: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
  *Oct  9 20:43:16: ISAKMP:(0): vendor ID is XAUTH
  *Oct  9 20:43:16: ISAKMP:(0): processing vendor id payload
  *Oct  9 20:43:16: ISAKMP:(0): vendor ID is DPD
  *Oct  9 20:43:16: ISAKMP:(0): processing vendor id payload
  *Oct  9 20:43:16: ISAKMP:(0): processing IKE frag vendor id payload
  *Oct  9 20:43:16: ISAKMP:(0):Support for IKE Fragmentation not enabled
  *Oct  9 20:43:16: ISAKMP:(0): processing vendor id payload
  *Oct  9 20:43:16: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
  *Oct  9 20:43:16: ISAKMP:(0): vendor ID is NAT-T v2
  *Oct  9 20:43:16: ISAKMP:(0): processing vendor id payload
  *Oct  9 20:43:16: ISAKMP:(0): vendor ID is Unity
  *Oct  9 20:43:16: ISAKMP : Scanning profiles for xauth ... Client-VPN
  *Oct  9 20:43:16: ISAKMP:(0): Authentication by xauth preshared
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 256
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 256
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 256
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 256
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 128
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 128
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 128
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 128
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 policy
  *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 10 against priority 1 policy
  *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 11 against priority 1 policy
  *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Preshared authentication offered but does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 12 against priority 1 policy
  *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 13 against priority 1 policy
  *Oct  9 20:43:16: ISAKMP:      encryption DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 14 against priority 1 policy
  *Oct  9 20:43:16: ISAKMP:      encryption DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 0
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 1 against priority 2 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 256
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 2 against priority 2 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 256
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 3 against priority 2 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 256
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 4 against priority 2 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 256
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 5 against priority 2 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 128
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 6 against priority 2 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 128
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 7 against priority 2 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 128
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 8 against priority 2 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 128
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 9 against priority 2 policy
  *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 10 against priority 2 policy
  *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 11 against priority 2 policy
  *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 12 against priority 2 policy
  *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Preshared authentication offered but does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 13 against priority 2 policy
  *Oct  9 20:43:16: ISAKMP:      encryption DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 14 against priority 2 policy
  *Oct  9 20:43:16: ISAKMP:      encryption DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 0
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 256
  *Oct  9 20:43:16: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 256
  *Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 256
  *Oct  9 20:43:16: ISAKMP:(0):Preshared authentication offered but does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 256
  *Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 128
  *Oct  9 20:43:16: ISAKMP:(0):Proposed key length does not match policy
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 6 against priority 10 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 128
  *Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 7 against priority 10 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 128
  *Oct  9 20:43:16: ISAKMP:(0):Proposed key length does not match policy
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 8 against priority 10 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 128
  *Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 9 against priority 10 policy
  *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 10 against priority 10 policy
  *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 11 against priority 10 policy
  *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 12 against priority 10 policy
  *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 13 against priority 10 policy
  *Oct  9 20:43:16: ISAKMP:      encryption DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 14 against priority 10 policy
  *Oct  9 20:43:16: ISAKMP:      encryption DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 0
  *Oct  9 20:43:16: ISAKMP:(0):no offers accepted!
  *Oct  9 20:43:16: ISAKMP:(0): phase 1 SA policy not acceptable! (local xxxx remote 192.168.1.201)
  *Oct  9 20:43:16: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
  *Oct  9 20:43:16: ISAKMP:(0): Failed to construct AG informational message.
  *Oct  9 20:43:16: ISAKMP:(0): sending packet to 192.168.1.201 my_port 500 peer_port 49727 (R) AG_NO_STATE
  *Oct  9 20:43:16: ISAKMP:(0):Sending an IKE IPv4 Packet.
  *Oct  9 20:43:16: ISAKMP:(0):peer does not do paranoid keepalives.
  *Oct  9 20:43:16: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.1.201)
  *Oct  9 20:43:16: ISAKMP:(0): processing KE payload. message ID = 0
  *Oct  9 20:43:16: ISAKMP:(0): group size changed! Should be 0, is 128
  *Oct  9 20:43:16: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: reset_retransmission
  *Oct  9 20:43:16: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH:  state = IKE_READY
  *Oct  9 20:43:16: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
  *Oct  9 20:43:16: ISAKMP:(0):Old State = IKE_READY  New State = IKE_READY
  *Oct  9 20:43:16: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 192.168.1.201
  *Oct  9 20:43:16: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.1.201)
  *Oct  9 20:43:16: ISAKMP: Unlocking peer struct 0x878329F0 for isadb_mark_sa_deleted(), count 0
  *Oct  9 20:43:16: ISAKMP: Deleting peer node by peer_reap for 192.168.1.201: 878329F0
  *Oct  9 20:43:16: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
  *Oct  9 20:43:16: ISAKMP:(0):Old State = IKE_READY  New State = IKE_DEST_SA
  *Oct  9 20:43:16: IPSEC(key_engine): got a queue event with 1 KMI message(s)
  *Oct  9 20:43:21: ISAKMP (0): received packet from 192.168.1.201 dport 500 sport 49727 Global (R) MM_NO_STATE
  *Oct  9 20:43:26: ISAKMP (0): received packet from 192.168.1.201 dport 500 sport 49727 Global (R) MM_NO_STATE

• Site-to-Site VPN btw Pix535 and Router 2811, can't get it work

  Hi, every one,  I spent couple of days trying to make  a site-to-site VPN between PIX535 and router 2811 work but come up empty handed, I followed instructions here:
  http://www.cisco.com/en/US/products/ps9422/products_configuration_example09186a0080b4ae61.shtml
  #1: PIX config:
  : Saved
  : Written by enable_15 at 18:05:33.678 EDT Sat Oct 20 2012
  PIX Version 8.0(4)
  hostname pix535
  interface GigabitEthernet0
  description to-cable-modem
  nameif outside
  security-level 0
  ip address X.X.138.132 255.255.255.0
  ospf cost 10
  interface GigabitEthernet1
  description inside  10/16
  nameif inside
  security-level 100
  ip address 10.1.1.254 255.255.0.0
  ospf cost 10
  access-list outside_access_in extended permit ip any any
  access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 10.20.0.0 255.255.0.0
  access-list inside_nat0_outbound extended permit ip any 10.1.1.192 255.255.255.248
  access-list outside_cryptomap_dyn_60 extended permit ip any 10.1.1.192 255.255.255.248
  access-list outside_1_cryptomap extended permit ip 10.1.0.0 255.255.0.0 10.20.0.0 255.255.0.0
  pager lines 24
  ip local pool cnf-8-ip 10.1.1.192-10.1.1.199 mask 255.255.0.0
  global (outside) 10 interface
  global (outside) 15 1.2.4.5
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 15 10.1.0.0 255.255.0.0
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 X.X.138.1 1
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-MD5
  crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
  crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
  crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA
  crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
  crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
  crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
  crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5 ESP-3DES-SHA ESP-DES-MD5 ESP-DES-SHA
  crypto dynamic-map outside_dyn_map 60 set security-association lifetime seconds 28800
  crypto dynamic-map outside_dyn_map 60 set security-association lifetime kilobytes 4608000
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set peer X.X.21.29
  crypto map outside_map 1 set transform-set ESP-DES-SHA
  crypto map outside_map 1 set security-association lifetime seconds 28800
  crypto map outside_map 1 set security-association lifetime kilobytes 4608000
  crypto map outside_map 65534 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map interface outside
  crypto isakmp identity hostname
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption des
  hash sha
  group 1
  lifetime 86400
  crypto isakmp policy 20
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 65535
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp nat-traversal 3600
  group-policy GroupPolicy1 internal
  group-policy cnf-vpn-cls internal
  group-policy cnf-vpn-cls attributes
  wins-server value 10.1.1.7
  dns-server value 10.1.1.7 10.1.1.205
  vpn-tunnel-protocol IPSec l2tp-ipsec
  default-domain value x.com
  username sean password U/h5bFVjXlIDx8BtqPFrQw== nt-encrypted
  tunnel-group DefaultRAGroup ipsec-attributes
  pre-shared-key secret1
  radius-sdi-xauth
  tunnel-group DefaultRAGroup ppp-attributes
  authentication ms-chap-v2
  tunnel-group cnf-vpn-cls type remote-access
  tunnel-group cnf-vpn-cls general-attributes
  address-pool cnf-8-ip
  default-group-policy cnf-vpn-cls
  tunnel-group cnf-vpn-cls ipsec-attributes
  pre-shared-key secret2
  isakmp ikev1-user-authentication none
  tunnel-group cnf-vpn-cls ppp-attributes
  authentication ms-chap-v2
  tunnel-group X.X.21.29 type ipsec-l2l
  tunnel-group X.X.21.29 ipsec-attributes
  pre-shared-key SECRET
  class-map inspection_default
  match default-inspection-traffic
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:9780edb09bc7debe147db1e7d52ec39c
  : end
  #2:  Router 2811 config:
  ! Last configuration change at 09:15:32 PST Fri Oct 19 2012 by cnfla
  ! NVRAM config last updated at 13:45:03 PST Tue Oct 16 2012
  version 12.4
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname LA-2800
  crypto pki trustpoint TP-self-signed-1411740556
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-1411740556
  revocation-check none
  rsakeypair TP-self-signed-1411740556
  crypto pki certificate chain TP-self-signed-1411740556
  certificate self-signed 01
    3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
    31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
    69666963 6174652D 31343131 37343035 3536301E 170D3132 31303136 32303435
    30335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
    4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 34313137
    34303535 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
    8100F75F F1BDAD9B DE9381FD 165B5188 7EAF9685 CF15A317 1B424825 9C66AA28
    C990B2D3 D69A2F0F D745DB0E 2BB4995D 73415AC4 F01B2019 84373199 C4BCF9E0
    E599B86C 17DBDCE6 47EBE0E3 8DBC90B2 9B4E217A 87F04BF7 A182501E 24381019
    A61D2C05 5404DE88 DA2A1ADC A81B7F65 C318B697 7ED69DF1 2769E4C8 F3449B33
    35AF0203 010001A3 67306530 0F060355 1D130101 FF040530 030101FF 30120603
    551D1104 0B300982 074C412D 32383030 301F0603 551D2304 18301680 14B56EEB
    88054CCA BB8CF8E8 F44BFE2C B77954E1 52301D06 03551D0E 04160414 B56EEB88
    054CCABB 8CF8E8F4 4BFE2CB7 7954E152 300D0609 2A864886 F70D0101 04050003
    81810056 58755C56 331294F8 BEC4FEBC 54879FF5 0FCC73D4 B964BA7A 07D20452
    E7F40F42 8B355015 77156C9F AAA45F9F 59CDD27F 89FE7560 F08D953B FC19FD2D
    310DA96E A5F3E83B 52D515F8 7B4C99CF 4CECC3F7 1A0D4909 BD08C373 50BB53CC
    659C4246 2CB7B79F 43D94D96 586F9103 9B4659B6 5C8DDE4F 7CC5FC68 C4AD197A 4EC322
              quit
  crypto isakmp policy 1
  authentication pre-share
  crypto isakmp key SECRET address X.X.138.132 no-xauth
  crypto ipsec transform-set la-2800-trans-set esp-des esp-sha-hmac
  crypto map la-2800-ipsec-policy 1 ipsec-isakmp
  description vpn ipsec policy
  set peer X.X.138.132
  set transform-set la-2800-trans-set
  match address 101
  interface FastEthernet0/0
  description WAN Side
  ip address X.X.216.29 255.255.255.248
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  no cdp enable
  no mop enabled
  crypto map la-2800-ipsec-policy
  interface FastEthernet0/1
  description LAN Side
  ip address 10.20.1.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  duplex full
  speed auto
  no mop enabled
  ip nat inside source route-map nonat interface FastEthernet0/0 overload
  access-list 10 permit X.X.138.132
  access-list 99 permit 64.236.96.53
  access-list 99 permit 98.82.1.202
  access-list 101 remark vpn tunnerl acl
  access-list 101 remark SDM_ACL Category=4
  access-list 101 remark tunnel policy
  access-list 101 permit ip 10.20.0.0 0.0.0.255 10.1.0.0 0.0.255.255
  access-list 110 deny   ip 10.20.0.0 0.0.0.255 10.1.0.0 0.0.255.255
  access-list 110 permit ip 10.20.0.0 0.0.0.255 any
  snmp-server community public RO
  route-map nonat permit 10
  match ip address 110
  webvpn gateway gateway_1
  ip address X.X.216.29 port 443
  ssl trustpoint TP-self-signed-1411740556
  inservice
  webvpn install svc flash:/webvpn/svc.pkg
  webvpn context gateway-1
  title "b"
  secondary-color white
  title-color #CCCC66
  text-color black
  ssl authenticate verify all
  policy group policy_1
     functions svc-enabled
     svc address-pool "WebVPN-Pool"
     svc keep-client-installed
     svc split include 10.20.0.0 255.255.0.0
  default-group-policy policy_1
  gateway gateway_1
  inservice
  end
  #3:  Test from Pix to router:
  Active SA:    1
      Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
  Total IKE SA: 1
  1   IKE Peer: X.X.21.29
      Type    : user            Role    : initiator
      Rekey   : no              State   : MM_WAIT_MSG2
  >>DEBUG:
  Oct 22 12:07:14 pix535:Oct 22 12:20:28 EDT: %PIX-vpn-3-713902: IP = X.X.21.29, Removing peer from peer table failed, no match!
  Oct 22 12:07:14 pix535 :Oct 22 12:20:28 EDT: %PIX-vpn-4-713903: IP = X.X.21.29, Error: Unable to remove PeerTblEntry
  #4:  test from router to pix:
  LA-2800#sh  crypto isakmp sa
  IPv4 Crypto ISAKMP SA
  dst             src             state          conn-id slot status
  X.X.138.132  X.X.216.29  MM_KEY_EXCH       1017    0 ACTIVE
  >>debug
  LA-2800#ping 10.1.1.7 source 10.20.1.1
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 10.1.1.7, timeout is 2 seconds:
  Packet sent with a source address of 10.20.1.1
  Oct 22 16:24:33.945: ISAKMP:(0): SA request profile is (NULL)
  Oct 22 16:24:33.945: ISAKMP: Created a peer struct for X.X.138.132, peer port 500
  Oct 22 16:24:33.945: ISAKMP: New peer created peer = 0x488B25C8 peer_handle = 0x80000013
  Oct 22 16:24:33.945: ISAKMP: Locking peer struct 0x488B25C8, refcount 1 for isakmp_initiator
  Oct 22 16:24:33.945: ISAKMP: local port 500, remote port 500
  Oct 22 16:24:33.945: ISAKMP: set new node 0 to QM_IDLE     
  Oct 22 16:24:33.945: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 487720A0
  Oct 22 16:24:33.945: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
  Oct 22 16:24:33.945: ISAKMP:(0):found peer pre-shared key matching 70.169.138.132
  Oct 22 16:24:33.945: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
  Oct 22 16:24:33.945: ISAKMP:(0): constructed NAT-T vendor-07 ID
  Oct 22 16:24:33.945: ISAKMP:(0): constructed NAT-T vendor-03 ID
  Oct 22 16:24:33.945: ISAKMP:(0): constructed NAT-T vendor-02 ID
  Oct 22 16:24:33.945: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
  Oct 22 16:24:33.945: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
  Oct 22 16:24:33.945: ISAKMP:(0): beginning Main Mode exchange
  Oct 22 16:24:33.945: ISAKMP:(0): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_NO_STATE
  Oct 22 16:24:33.945: ISAKMP:(0):Sending an IKE IPv4 Packet.
  Oct 22 16:24:34.049: ISAKMP (0:0): received packet from X.X.138.132 dport 500 sport 500 Global (I) MM_NO_STATE
  Oct 22 16:24:34.049: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  Oct 22 16:24:34.049: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
  Oct 22 16:24:34.049: ISAKMP:(0): processing SA payload. message ID = 0
  Oct 22 16:24:34.049: ISAKMP:(0): processing vendor id payload
  Oct 22 16:24:34.049: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
  Oct 22 16:24:34.049: ISAKMP:(0): vendor ID is NAT-T v2
  Oct 22 16:24:34.049: ISAKMP:(0): processing vendor id payload
  Oct 22 16:24:34.049: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
  Oct 22 16:24:34.053: ISAKMP:(0):found peer pre-shared key matching 70.169.138.132
  Oct 22 16:24:34.053: ISAKMP:(0): local preshared key found
  Oct 22 16:24:34.053: ISAKMP : Scanning profiles for xauth ...
  Oct 22 16:24:34.053: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
  Oct 22 16:24:34.053: ISAKMP:      encryption DES-CBC
  Oct 22 16:24:34.053: ISAKMP:      hash SHA
  Oct 22 16:24:34.053: ISAKMP:      default group 1
  Oct 22 16:24:34.053: ISAKMP:      auth pre-share
  Oct 22 16:24:34.053: ISAKMP:      life type in seconds
  Oct 22 16:24:34.053: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
  Oct 22 16:24:34.053: ISAKMP:(0):atts are acceptable. Next payload is 0
  Oct 22 16:24:34.053: ISAKMP:(0):Acceptable atts:actual life: 0
  Oct 22 16:24:34.053: ISAKMP:(0):Acceptable atts:life: 0
  Oct 22 16:24:34.053: ISAKMP:(0):Fill atts in sa vpi_length:4
  Oct 22 16:24:34.053: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
  Oct 22 16:24:34.053: ISAKMP:(0):Returning Actual lifetime: 86400
  Oct 22 16:24:34.053: ISAKMP:(0)::Started lifetime timer: 86400.
  Oct 22 16:24:34.053: ISAKMP:(0): processing vendor id payload
  Oct 22 16:24:34.053: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
  Oct 22 16:24:34.053: ISAKMP:(0): vendor ID is NAT-T v2
  Oct 22 16:24:34.053: ISAKMP:(0): processing vendor id payload
  Oct 22 16:24:34.053: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
  Oct 22 16:24:34.053: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  Oct 22 16:24:34.053: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
  Oct 22 16:24:34.057: ISAKMP:(0): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_SA_SETUP
  Oct 22 16:24:34.057: ISAKMP:(0):Sending an IKE IPv4 Packet.
  Oct 22 16:24:34.057: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  Oct 22 16:24:34.057: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
  Oct 22 16:24:34.181: ISAKMP (0:0): received packet from X.X.138.132 dport 500 sport 500 Global (I) MM_SA_SETUP
  Oct 22 16:24:34.181: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  Oct 22 16:24:34.181: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
  Oct 22 16:24:34.181: ISAKMP:(0): processing KE payload. message ID = 0
  Oct 22 16:24:34.217: ISAKMP:(0): processing NONCE payload. message ID = 0
  Oct 22 16:24:34.217: ISAKMP:(0):found peer pre-shared key matching X.X.138.132
  Oct 22 16:24:34.217: ISAKMP:(1018): processing vendor id payload
  Oct 22 16:24:34.217: ISAKMP:(1018): vendor ID is Unity
  Oct 22 16:24:34.217: ISAKMP:(1018): processing vendor id payload
  Oct 22 16:24:34.217: ISAKMP:(1018): vendor ID seems Unity/DPD but major 55 mismatch
  Oct 22 16:24:34.217: ISAKMP:(1018): vendor ID is XAUTH
  Oct 22 16:24:34.217: ISAKMP:(1018): processing vendor id payload
  Oct 22 16:24:34.217: ISAKMP:(1018): speaking to another IOS box!
  Oct 22 16:24:34.221: ISAKMP:(1018): processing vendor id payload
  Oct 22 16:24:34.221: ISAKMP:(1018):vendor ID seems Unity/DPD but hash mismatch
  Oct 22 16:24:34.221: ISAKMP:received payload type 20
  Oct 22 16:24:34.221: ISAKMP:received payload type 20
  Oct 22 16:24:34.221: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  Oct 22 16:24:34.221: ISAKMP:(1018):Old State = IKE_I_MM4  New State = IKE_I_MM4
  Oct 22 16:24:34.221: ISAKMP:(1018):Send initial contact
  Oct 22 16:24:34.221: ISAKMP:(1018):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
  Oct 22 16:24:34.221: ISAKMP (0:1018): ID payload
  next-payload : 8
  type         : 1
  address      : X.X.216.29
  protocol     : 17
  port         : 500
  length       : 12
  Oct 22 16:24:34.221: ISAKMP:(1018):Total payload length: 12
  Oct 22 16:24:34.221: ISAKMP:(1018): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_KEY_EXCH
  Oct 22 16:24:34.221: ISAKMP:(1018):Sending an IKE IPv4 Packet.
  Oct 22 16:24:34.225: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  Oct 22 16:24:34.225: ISAKMP:(1018):Old State = IKE_I_MM4  New State = IKE_I_MM5
  Oct 22 16:24:38.849: ISAKMP:(1017):purging node 198554740
  Oct 22 16:24:38.849: ISAKMP:(1017):purging node 812380002
  Oct 22 16:24:38.849: ISAKMP:(1017):purging node 773209335..
  Success rate is 0 percent (0/5)
  LA-2800#
  Oct 22 16:24:44.221: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH...
  Oct 22 16:24:44.221: ISAKMP (0:1018): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
  Oct 22 16:24:44.221: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH
  Oct 22 16:24:44.221: ISAKMP:(1018): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_KEY_EXCH
  Oct 22 16:24:44.221: ISAKMP:(1018):Sending an IKE IPv4 Packet.
  Oct 22 16:24:44.317: ISAKMP (0:1018): received packet from X.X.138.132 dport 500 sport 500 Global (I) MM_KEY_EXCH
  Oct 22 16:24:44.317: ISAKMP:(1018): phase 1 packet is a duplicate of a previous packet.
  Oct 22 16:24:44.321: ISAKMP:(1018): retransmission skipped for phase 1 (time since last transmission 96)
  Oct 22 16:24:48.849: ISAKMP:(1017):purging SA., sa=469BAD60, delme=469BAD60
  Oct 22 16:24:52.313: ISAKMP (0:1018): received packet from X.X.138.132 dport 500 sport 500 Global (I) MM_KEY_EXCH
  Oct 22 16:24:52.313: ISAKMP:(1018): phase 1 packet is a duplicate of a previous packet.
  Oct 22 16:24:52.313: ISAKMP:(1018): retransmitting due to retransmit phase 1
  Oct 22 16:24:52.813: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH...
  Oct 22 16:24:52.813: ISAKMP (0:1018): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
  Oct 22 16:24:52.813: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH
  Oct 22 16:24:52.813: ISAKMP:(1018): sending packet to X.X138.132 my_port 500 peer_port 500 (I) MM_KEY_EXCH
  Oct 22 16:24:52.813: ISAKMP:(1018):Sending an IKE IPv4 Packet.
  Oct 22 16:24:52.913: ISAKMP:(1018): phase 1 packet is a duplicate of a previous packet.
  Oct 22 16:24:52.913: ISAKMP:(1018): retransmission skipped for phase 1 (time since last transmission 100)
  Oct 22 16:25:00.905: ISAKMP (0:1018): received packet from X.X.138.132 dport 500 sport 500 Global (I) MM_KEY_EXCH
  Oct 22 16:25:00.905: ISAKMP: set new node 422447177 to QM_IDLE     
  Oct 22 16:25:03.941: ISAKMP:(1018):SA is still budding. Attached new ipsec request to it. (local 1X.X.216.29, remote X.X.138.132)
  Oct 22 16:25:03.941: ISAKMP: Error while processing SA request: Failed to initialize SA
  Oct 22 16:25:03.941: ISAKMP: Error while processing KMI message 0, error 2.
  Oct 22 16:25:12.814: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH...
  Oct 22 16:25:12.814: ISAKMP (0:1018): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
  Oct 22 16:25:12.814: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH
  Oct 22 16:25:12.814: ISAKMP:(1018): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_KEY_EXCH
  Oct 22 16:25:12.814: ISAKMP:(1018):Sending an IKE IPv4 Packet.
  Oct 22 16:25:22.814: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH...
  Oct 22 16:25:22.814: ISAKMP (0:1018): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
  Oct 22 16:25:22.814: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH
  Oct 22 16:25:22.814: ISAKMP:(1018): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_KEY_EXCH
  Oct 22 16:25:22.814: ISAKMP:(1018):Sending an IKE IPv4 Packet.
  Oct 22 16:25:32.814: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH...
  Oct 22 16:25:32.814: ISAKMP:(1018):peer does not do paranoid keepalives.
  Oct 22 16:25:32.814: ISAKMP:(1018):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 70.169.138.132)
  Oct 22 16:25:32.814: ISAKMP:(1018):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 70.169.138.132)
  Oct 22 16:25:32.814: ISAKMP: Unlocking peer struct 0x488B25C8 for isadb_mark_sa_deleted(), count 0
  Oct 22 16:25:32.814: ISAKMP: Deleting peer node by peer_reap for X.X.138.132: 488B25C8
  Oct 22 16:25:32.814: ISAKMP:(1018):deleting node 1112432180 error FALSE reason "IKE deleted"
  Oct 22 16:25:32.814: ISAKMP:(1018):deleting node 422447177 error FALSE reason "IKE deleted"
  Oct 22 16:25:32.814: ISAKMP:(1018):deleting node -278980615 error FALSE reason "IKE deleted"
  Oct 22 16:25:32.814: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
  Oct 22 16:25:32.814: ISAKMP:(1018):Old State = IKE_I_MM5  New State = IKE_DEST_SA
  Oct 22 16:26:22.816: ISAKMP:(1018):purging node 1112432180
  Oct 22 16:26:22.816: ISAKMP:(1018):purging node 422447177
  Oct 22 16:26:22.816: ISAKMP:(1018):purging node -278980615
  Oct 22 16:26:32.816: ISAKMP:(1018):purging SA., sa=487720A0, delme=487720A0
  ****** The PIX is also used    VPN client access  , such as  Cicso VPN client  5.0, working fine ; Router is  used as  SSL VPN server, working too
  I know there are lots of data here, hopefully these data may be useful for   diagnosis purpose.
  Any suggestions and advices are greatly appreciated.
  Sean

  Hi Sean,
  Current configuration:
  On the PIX:
  crypto isakmp policy 5
        authentication pre-share
        encryption 3des
        hash sha
        group 2
        lifetime 86400
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set peer X.X.21.29
  crypto map outside_map 1 set transform-set ESP-DES-SHA
  crypto map outside_map 1 set security-association lifetime seconds 28800
  crypto map outside_map 1 set security-association lifetime kilobytes 4608000
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  access-list outside_1_cryptomap extended permit ip 10.1.0.0 255.255.0.0 10.20.0.0 255.255.0.0
  tunnel-group X.X.21.29 type ipsec-l2l
  tunnel-group X.X.21.29 ipsec-attributes
       pre-shared-key SECRET
  On the Router:
  crypto isakmp policy 1
        authentication pre-share
  crypto map la-2800-ipsec-policy 1 ipsec-isakmp
        description vpn ipsec policy    
        set peer X.X.138.132
        set transform-set la-2800-trans-set
        match address 101
  access-list 101 permit ip 10.20.0.0 0.0.0.255 10.1.0.0 0.0.255.255
  crypto ipsec transform-set la-2800-trans-set esp-des esp-sha-hmac
  crypto isakmp key SECRET address X.X.138.132 no-xauth
  Portu.
  Please rate any helpful posts
  Message was edited by: Javier Portuguez

• Not able to estabislt phase1 of site-to-site VPN

  Hi Experts,
  Site-B(router)------Modem------Internet--------Site-A(router)
  I'm trying to create a Ipsec Site-to-stie VPN between cisco2900 & cisco 861 and below is the scenario. kindly find the connectivity diagram in attached files.
  The issue is there is a modem provided by ISP on Site-B and cisco 861 router is connected back to that modem and the connection is given through RJ11 and there is no ADSL port available on Site-B router.
  Based on above mentioned scenario here is config
  Site B:-
  crypto isakmp policy 1
   encr 3des
   hash md5
   authentication pre-share
   group 2
  crypto isakmp key CITDENjan2014 address 80.227.xx.xx
  crypto ipsec transform-set ETH-to-Dxb esp-3des esp-md5-hmac
   mode tunnel
  crypto map VPN 1 ipsec-isakmp
   set peer 80.227.xx.xx
   set transform-set ETH-to-Dxb
   match address 110
  interface fa 4
  ip address 192.168.1.254 255.255.255.0
  crypto map VPN
  ip route 0.0.0.0 0.0.0.0 192.168.1.1
  ip access-list ext 110
  permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
  Kindly find screenshots of ADSL modem for below information
  Configuration on LAN interface of ADSL modem with dual ip address
  i have done port forwarding on modem, though i haven't done port forwarding before so i'm not sure it's correct or not.
  Site-A router Config:-
  crypto isakmp policy 1
   encr 3des
   hash md5
   authentication pre-share
   group 2
  crypto isakmp key CITDENjan2014 address 197.156.xx.xx
  crypto ipsec transform-set Dxb-to-ETH esp-3des esp-md5-hmac
   mode tunnel
  crypto map Dxb-to-Nigeria 20 ipsec-isakmp
   set peer 197.156.xx.xx
   set transform-set Dxb-to-ETH
   match address 120
  interface GigabitEthernet0/1
  ip address 80.227.xx.xx 255.255.255.252
  crypto map Dxb-to-Nigeria
  ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
  access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
  access-list 101 deny   ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
  access-list 101 permit ip 192.168.10.0 0.0.0.255 any
  ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
  route-map SDM_RMAP_1 permit 1
   match ip address 101
  Logs on Site-B router:-
  *Apr 16 13:02:06.735: ISAKMP (0): received packet from 80.227.xx.xx dport 500 sport 1 Global (N) NEW SA
  *Apr 16 13:02:06.735: ISAKMP: Created a peer struct for 80.227.xx.xx, peer port 1
  *Apr 16 13:02:06.735: ISAKMP: New peer created peer = 0x886B0310 peer_handle = 0x8000001D
  *Apr 16 13:02:06.735: ISAKMP: Locking peer struct 0x886B0310, refcount 1 for crypto_isakmp_process_block
  *Apr 16 13:02:06.735: ISAKMP: local port 500, remote port 1
  *Apr 16 13:02:06.735: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 88776A88
  *Apr 16 13:02:06.735: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  *Apr 16 13:02:06.735: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
  *Apr 16 13:02:06.735: ISAKMP:(0): processing SA payload. message ID = 0
  *Apr 16 13:02:06.735: ISAKMP:(0): processing vendor id payload
  *Apr 16 13:02:06.735: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
  *Apr 16 13:02:06.735: ISAKMP (0): vendor ID is NAT-T RFC 3947
  *Apr 16
  ETH-CIT# 13:02:06.735: ISAKMP:(0): processing vendor id payload
  *Apr 16 13:02:06.735: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
  *Apr 16 13:02:06.739: ISAKMP (0): vendor ID is NAT-T v7
  *Apr 16 13:02:06.739: ISAKMP:(0): processing vendor id payload
  *Apr 16 13:02:06.739: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
  *Apr 16 13:02:06.739: ISAKMP:(0): vendor ID is NAT-T v3
  *Apr 16 13:02:06.739: ISAKMP:(0): processing vendor id payload
  *Apr 16 13:02:06.739: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
  *Apr 16 13:02:06.739: ISAKMP:(0): vendor ID is NAT-T v2
  *Apr 16 13:02:06.739: ISAKMP:(0):found peer pre-shared key matching 80.227.xx.xx
  *Apr 16 13:02:06.739: ISAKMP:(0): local preshared key found
  *Apr 16 13:02:06.739: ISAKMP : Scanning profiles for xauth ...
  *Apr 16 13:02:06.739: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
  *Apr 16 13:02:06.739: ISAKMP:      encryption 3DES-CBC
  *Apr 16 13:02:06.739: ISAKMP:      hash MD5
  *Apr 16 13:02:06.739: ISAKMP:      default group 2
  *Apr 16 13:02:06.739: ISAKMP:      auth pre-share
  *Apr 16 13:02:06.739: ISAKMP:      life type in seconds
  *Apr 16 13:02:06.739: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
  *Apr 16 13:02:06.739: ISAKMP:(0):atts are acceptable. Next payload is 0
  *Apr 16 13:02:06.739: ISAKMP:(0):Acceptable atts:actual life: 0
  *Apr 16 13:02:06.739: ISAKMP:(0):Acceptable atts:life: 0
  *Apr 16 13:02:06.739: ISAKMP:(0):Fill atts in sa vpi_length:4
  *Apr 16 13:02:06.739: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
  *Apr 16 13:02:06.739: ISAKMP:(0):Returning Actual lifetime: 86400
  *Apr 16 13:02:06.739: ISAKMP:(0)::Started lifetime timer: 86400.
  *Apr 16 13:02:06.739: ISAKMP:(0): processing vendor id payload
  *Apr 16 13:02:06.739: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
  *Apr 16 13:02:06.739: ISAKMP (0): vendor ID is NAT-T RFC 3947
  *Apr 16 13:02:06.739: ISAKMP:(0): processing vendor id payload
  *Apr 16 13:02:06.739: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
  *Apr 16 13:02:06.739: ISAKMP (0): vendor ID is NAT-T v7
  *Apr 16 13:02:06.739: ISAKMP:(0): processing vendor id payload
  *Apr 16 13:02:06.739: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
  *Apr 16 13:02:06.739: ISAKMP:(0): vendor ID is NAT-T v3
  *Apr 16 13:02:06.739: ISAKMP:(0): processing vendor id payload
  *Apr 16 13:02:06.739: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
  *Apr 16 13:02:06.739: ISAKMP:(0): vendor ID is NAT-T v2
  *Apr 16 13:02:06.739: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  *Apr 16 13:02:06.739: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1
  *Apr 16 13:02:06.739: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
  *Apr 16 13:02:06.739: ISAKMP:(0): sending packet to 80.227.xx.xx my_port 500 peer_port 1 (R) MM_SA_SETUP
  *Apr 16 13:02:06.739: ISAKMP:(0):Sending an IKE IPv4 Packet.
  *Apr 16 13:02:06.739: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  *Apr 16 13:02:06.739: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2
  *Apr 16 13:02:06.995: ISAKMP (0): received packet from 80.227.xx.xx dport 500 sport 1 Global (R) MM_SA_SETUP
  *Apr 16 13:02:06.995: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  *Apr 16 13:02:06.999: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3
  *Apr 16 13:02:06.999: ISAKMP:(0): processing KE payload. message ID = 0
  *Apr 16 13:02:07.027: ISAKMP:(0): processing NONCE payload. message ID = 0
  *Apr 16 13:02:07.027: ISAKMP:(0):found peer pre-shared key matching 80.227.xx.xx
  *Apr 16 13:02:07.027: ISAKMP:(2028): processing vendor id payload
  *Apr 16 13:02:07.027: ISAKMP:(2028): vendor ID is DPD
  *Apr 16 13:02:07.027: ISAKMP:(2028): processing vendor id payload
  *Apr 16 13:02:07.027: ISAKMP:(2028): speaking to another IOS box!
  *Apr 16 13:02:07.027: ISAKMP:(2028): processing vendor id payload
  *Apr 16 13:02:07.027: ISAKMP:(2028): vendor ID seems Unity/DPD but major 241 mismatch
  *Apr 16 13:02:07.027: ISAKMP:(2028): vendor ID is XAUTH
  *Apr 16 13:02:07.027: ISAKMP:received payload type 20
  *Apr 16 13:02:07.027: ISAKMP (2028): NAT found, both nodes inside NAT
  *Apr 16 13:02:07.027: ISAKMP:received payload type 20
  *Apr 16 13:02:07.027: ISAKMP (2028): NAT found, both nodes inside NAT
  *Apr 16 13:02:07.027: ISAKMP:(2028):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  *Apr 16 13:02:07.027: ISAKMP:(2028):Old State = IKE_R_MM3  New State = IKE_R_MM3
  *Apr 16 13:02:07.027: ISAKMP:(2028): sending packet to 80.227.xx.xx my_port 500 peer_port 1 (R) MM_KEY_EXCH
  *Apr 16 13:02:07.027: ISAKMP:(2028):Sending an IKE IPv4 Packet.
  *Apr 16 13:02:07.027: ISAKMP:(2028):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  *Apr 16 13:02:07.027: ISAKMP:(2028):Old State = IKE_R_MM3  New State = IKE_R_MM4
  ETH-CIT#
  ETH-CIT#
  *Apr 16 13:02:17.027: ISAKMP:(2028): retransmitting phase 1 MM_KEY_EXCH...
  *Apr 16 13:02:17.027: ISAKMP (2028): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
  *Apr 16 13:02:17.027: ISAKMP:(2028): retransmitting phase 1 MM_KEY_EXCH
  *Apr 16 13:02:17.027: ISAKMP:(2028): sending packet to 80.227.xx.xx my_port 500 peer_port 1 (R) MM_KEY_EXCH
  *Apr 16 13:02:17.027: ISAKMP:(2028):Sending an IKE IPv4 Packet.
  Logs on Site-A router:-
  *Apr 16 13:15:28.109: ISAKMP (1263): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_KEY_EXCH
  *Apr 16 13:15:28.109: ISAKMP:(1263): phase 1 packet is a duplicate of a previous packet.
  *Apr 16 13:15:28.109: ISAKMP:(1263): retransmitting due to retransmit phase 1
  *Apr 16 13:15:28.609: ISAKMP:(1263): retransmitting phase 1 MM_KEY_EXCH...
  *Apr 16 13:15:28.609: ISAKMP (1263): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
  *Apr 16 13:15:28.609: ISAKMP:(1263): retransmitting phase 1 MM_KEY_EXCH
  *Apr 16 13:15:28.609: ISAKMP:(1263): sending packet to 197.156.xx.xx my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
  *Apr 16 13:15:28.609: ISAKMP:(1263):Sending an IKE IPv4 Packet.
  DXB-CIT#
  *Apr 16 13:15:38.109: ISAKMP (1263): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_KEY_EXCH
  *Apr 16 13:15:38.109: ISAKMP:(1263): phase 1 packet is a duplicate of a previous packet.
  *Apr 16 13:15:38.109: ISAKMP:(1263): retransmitting due to retransmit phase 1
  *Apr 16 13:15:38.609: ISAKMP:(1263): retransmitting phase 1 MM_KEY_EXCH...
  *Apr 16 13:15:38.609: ISAKMP (1263): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
  *Apr 16 13:15:38.609: ISAKMP:(1263): retransmitting phase 1 MM_KEY_EXCH
  *Apr 16 13:15:38.609: ISAKMP:(1263): sending packet to 197.156.xx.xx my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
  *Apr 16 13:15:38.609: ISAKMP:(1263):Sending an IKE IPv4 Packet.
  DXB-CIT#
  *Apr 16 13:15:47.593: ISAKMP: set new node 0 to QM_IDLE      
  *Apr 16 13:15:47.593: ISAKMP:(1263):SA is still budding. Attached new ipsec request to it. (local 80.227.xx.xx, remote 197.156.xx.xx)
  *Apr 16 13:15:47.593: ISAKMP: Error while processing SA request: Failed to initialize SA
  *Apr 16 13:15:47.593: ISAKMP: Error while processing KMI message 0, error 2.
  *Apr 16 13:15:48.609: ISAKMP:(1263): retransmitting phase 1 MM_KEY_EXCH...
  *Apr 16 13:15:48.609: ISAKMP:(1263):peer does not do paranoid keepalives.
  *Apr 16 13:15:48.609: ISAKMP:(1263):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 197.156.xx.xx)
  *Apr 16 13:15:48.609: ISAKMP:(1263):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 197.156.xx.xx)
  *Apr 16 13:15:48.609: ISAKMP: Unlocking peer struct 0x23193AD4 for isadb_mark_sa_deleted(), count 0
  *Apr 16 13:15:48.609: ISAKMP: Deleting peer node by peer_reap for 197.156.xx.xx: 23193AD4
  DXB-CIT#
  DXB-CIT#
  *Apr 16 13:15:48.609: ISAKMP:(1263):deleting node 1134682361 error FALSE reason "IKE deleted"
  *Apr 16 13:15:48.609: ISAKMP:(1263):deleting node 680913363 error FALSE reason "IKE deleted"
  *Apr 16 13:15:48.609: ISAKMP:(1263):deleting node 1740991762 error FALSE reason "IKE deleted"
  *Apr 16 13:15:48.609: ISAKMP:(1263):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
  *Apr 16 13:15:48.609: ISAKMP:(1263):Old State = IKE_I_MM5  New State = IKE_DEST_SA
  DXB-CIT#
  DXB-CIT#shoc  cry
  DXB-CIT#sho cry isa sa
  IPv4 Crypto ISAKMP SA
  dst             src             state          conn-id status
  197.156.xx.xx  80.227.xx.xx   MM_NO_STATE       1263 ACTIVE (deleted)
  IPv6 Crypto ISAKMP SA
  *Apr 16 13:16:17.593: IPSEC(key_engine): request timer fired: count = 2,
    (identity) local= 80.227.xx.xx:0, remote= 197.156.xx.xx:0,
      local_proxy= 192.168.10.0/255.255.255.0/256/0,
      remote_proxy= 192.168.1.0/255.255.255.0/256/0
  *Apr 16 13:16:17.609: IPSEC(sa_request): ,
    (key eng. msg.) OUTBOUND local= 80.227.xx.xx:500, remote= 197.156.xx.xx:500,
      local_proxy= 192.168.10.0/255.255.255.0/256/0,
      remote_proxy= 192.168.1.0/255.255.255.0/256/0,
      protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
      lifedur= 3600s and 4608000kb,
      spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
  *Apr 16 13:16:17.609: ISAKMP:(0): SA request profile is (NULL)
  *Apr 16 13:16:17.609: ISAKMP: Created a peer struct for 197.156.xx.xx, peer port 500
  *Apr 16 13:16:17.609: ISAKMP: New peer created peer = 0x23193AD4 peer_handle = 0x80001862
  *Apr 16 13:16:17.609: ISAKMP: Locking peer struct 0x23193AD4, refcount 1 for isakmp_initiator
  *Apr 16 13:16:17.609: ISAKMP: local port 500, remote port 500
  *Apr 16 13:16:17.609: ISAKMP: set new node 0 to QM_IDLE      
  *Apr 16 13:16:17.609: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 270A2FD0
  *Apr 16 13:16:17.609: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
  *Apr 16 13:16:17.609: ISAKMP:(0):found peer pre-shared key matching 197.156.xx.xx
  *Apr 16 13:16:17.609: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
  *Apr 16 13:16:17.609: ISAKMP:(0): constructed NAT-T vendor-07 ID
  *Apr 16 13:16:17.609: ISAKMP:(0): constructed NAT-T vendor-03 ID
  *Apr 16 13:16:17.609: ISAKMP:(0): constructed NAT-T vendor-02 ID
  *Apr 16 13:16:17.609: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
  *Apr 16 13:16:17.609: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
  *Apr 16 13:16:17.609: ISAKMP:(0): beginning Main Mode exchange
  *Apr 16 13:16:17.609: ISAKMP:(0): sending packet to 197.156.xx.xx my_port 500 peer_port 500 (I) MM_NO_STATE
  *Apr 16 13:16:17.609: ISAKMP:(0):Sending an IKE IPv4 Packet.
  *Apr 16 13:16:17.865: ISAKMP (0): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_NO_STATE
  *Apr 16 13:16:17.865: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  *Apr 16 13:16:17.865: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
  *Apr 16 13:16:17.865: ISAKMP:(0): processing SA payload. message ID = 0
  *Apr 16 13:16:17.869: ISAKMP:(0): processing vendor id payload
  *Apr 16 13:16:17.869: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
  *Apr 16 13:16:17.869: ISAKMP (0): vendor ID is NAT-T RFC 3947
  *Apr 16 13:16:17.869: ISAKMP:(0):found peer pre-shared key matching 197.156.xx.xx
  *Apr 16 13:16:17.869: ISAKMP:(0): local preshared key found
  *Apr 16 13:16:17.869: ISAKMP : Scanning profiles for xauth ... ciscocp-ike-profile-1
  *Apr 16 13:16:17.869: ISAKMP:(0): Authentication by xauth preshared
  *Apr 16 13:16:17.869: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
  *Apr 16 13:16:17.869: ISAKMP:      encryption 3DES-CBC
  *Apr 16 13:16:17.869: ISAKMP:      hash MD5
  *Apr 16 13:16:17.869: ISAKMP:      default group 2
  *Apr 16 13:16:17.869: ISAKMP:      auth pre-share
  *Apr 16 13:16:17.869: ISAKMP:      life type in seconds
  *Apr 16 13:16:17.869: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
  *Apr 16 13:16:17.869: ISAKMP:(0):atts are acceptable. Next payload is 0
  *Apr 16 13:16:17.869: ISAKMP:(0):Acceptable atts:actual life: 0
  *Apr 16 13:16:17.869: ISAKMP:(0):Acceptable atts:life: 0
  *Apr 16 13:16:17.869: ISAKMP:(0):Fill atts in sa vpi_length:4
  *Apr 16 13:16:17.869: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
  *Apr 16 13:16:17.869: ISAKMP:(0):Returning Actual lifetime: 86400
  *Apr 16 13:16:17.869: ISAKMP:(0)::Started lifetime timer: 86400.
  *Apr 16 13:16:17.869: ISAKMP:(0): processing vendor id payload
  *Apr 16 13:16:17.869: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
  *Apr 16 13:16:17.869: ISAKMP (0): vendor ID is NAT-T RFC 3947
  *Apr 16 13:16:17.869: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  *Apr 16 13:16:17.869: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
  *Apr 16 13:16:17.869: ISAKMP:(0): sending packet to 197.156.xx.xx my_port 500 peer_port 500 (I) MM_SA_SETUP
  *Apr 16 13:16:17.869: ISAKMP:(0):Sending an IKE IPv4 Packet.
  *Apr 16 13:16:17.869: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  *Apr 16 13:16:17.869: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
  *Apr 16 13:16:18.157: ISAKMP (0): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_SA_SETUP
  *Apr 16 13:16:18.157: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  *Apr 16 13:16:18.157: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
  *Apr 16 13:16:18.157: ISAKMP:(0): processing KE payload. message ID = 0
  *Apr 16 13:16:18.181: ISAKMP:(0): processing NONCE payload. message ID = 0
  *Apr 16 13:16:18.181: ISAKMP:(0):found peer pre-shared key matching 197.156.xx.xx
  *Apr 16 13:16:18.181: ISAKMP:(1264): processing vendor id payload
  *Apr 16 13:16:18.181: ISAKMP:(1264): vendor ID is Unity
  *Apr 16 13:16:18.181: ISAKMP:(1264): processing vendor id payload
  *Apr 16 13:16:18.181: ISAKMP:(1264): vendor ID is DPD
  *Apr 16 13:16:18.181: ISAKMP:(1264): processing vendor id payload
  *Apr 16 13:16:18.185: ISAKMP:(1264): speaking to another IOS box!
  *Apr 16 13:16:18.185: ISAKMP:received payload type 20
  *Apr 16 13:16:18.185: ISAKMP (1264): NAT found, both nodes inside NAT
  *Apr 16 13:16:18.185: ISAKMP:received payload type 20
  *Apr 16 13:16:18.185: ISAKMP (1264): NAT found, both nodes inside NAT
  *Apr 16 13:16:18.185: ISAKMP:(1264):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  *Apr 16 13:16:18.185: ISAKMP:(1264):Old State = IKE_I_MM4  New State = IKE_I_MM4
  *Apr 16 13:16:18.185: ISAKMP:(1264):Send initial contact
  *Apr 16 13:16:18.185: ISAKMP:(1264):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
  *Apr 16 13:16:18.185: ISAKMP (1264): ID payload
  next-payload : 8
  type         : 1
  address      : 80.227.xx.xx
  protocol     : 17
  port         : 0
  length       : 12
  *Apr 16 13:16:18.185: ISAKMP:(1264):Total payload length: 12
  *Apr 16 13:16:18.185: ISAKMP:(1264): sending packet to 197.156.xx.xx my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
  *Apr 16 13:16:18.185: ISAKMP:(1264):Sending an IKE IPv4 Packet.
  *Apr 16 13:16:18.185: ISAKMP:(1264):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  *Apr 16 13:16:18.185: ISAKMP:(1264):Old State = IKE_I_MM4  New State = IKE_I_MM5
  DXB-CIT#
  *Apr 16 13:16:28.157: ISAKMP (1264): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_KEY_EXCH
  *Apr 16 13:16:28.157: ISAKMP:(1264): phase 1 packet is a duplicate of a previous packet.
  *Apr 16 13:16:28.157: ISAKMP:(1264): retransmitting due to retransmit phase 1
  *Apr 16 13:16:28.657: ISAKMP:(1264): retransmitting phase 1 MM_KEY_EXCH...
  *Apr 16 13:16:28.657: ISAKMP (1264): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
  *Apr 16 13:16:28.657: ISAKMP:(1264): retransmitting phase 1 MM_KEY_EXCH
  *Apr 16 13:16:28.657: ISAKMP:(1264): sending packet to 197.156.xx.xx my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
  DXB-CIT#
  *Apr 16 13:16:28.657: ISAKMP:(1264):Sending an IKE IPv4 Packet.
  DXB-CIT#
  DXB-CIT#
  DXB-CIT#
  DXB-CIT#
  DXB-CIT#
  DXB-CIT#
  DXB-CIT#u all
  All possible debugging has been turned off
  DXB-CIT#
  DXB-CIT#
  *Apr 16 13:16:38.157: ISAKMP (1264): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_KEY_EXCH
  *Apr 16 13:16:38.157: ISAKMP:(1264): phase 1 packet is a duplicate of a previous packet.
  *Apr 16 13:16:38.157: ISAKMP:(1264): retransmitting due to retransmit phase 1
  *Apr 16 13:16:38.609: ISAKMP:(1263):purging node 1134682361
  *Apr 16 13:16:38.609: ISAKMP:(1263):purging node 680913363
  *Apr 16 13:16:38.609: ISAKMP:(1263):purging node 1740991762
  *Apr 16 13:16:38.657: ISAKMP:(1264): retransmitting phase 1 MM_KEY_EXCH...
  *Apr 16 13:16:38.657: ISAKMP (1264): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
  DXB-CIT#
  DXB-CIT#
  DXB-CIT#
  DXB-CIT#
  *Apr 16 13:16:38.657: ISAKMP:(1264): retransmitting phase 1 MM_KEY_EXCH
  *Apr 16 13:16:38.657: ISAKMP:(1264): sending packet to 197.156.xx.xx my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
  *Apr 16 13:16:38.657: ISAKMP:(1264):Sending an IKE IPv4 Packet.

  Hello salman.abid,
  its hard to troubleshoot if there is some 3th party device in way. I tried your config in my lab and I established IPSec successfuly.
  So it seems that modem would do some problems during IPSec establishment.
  Basically if you are configuring L2L IPSec VPN so there is few things what have to match
  1. check cryptomap, transform sets etc. if they match on both sides. Especially preshared keys.
  2. permit protocol ESP, ISAKMP (UDP 500), and NAT-T (UDP 4500) if applicable.
  3. check default GW is configured properly
  4. check NAT configuration
  Regarding crypto ipsec nat-transparency udp-encapsulation it could help you but also enable UDP/4500 port.
  HTH
  Jan

• Cisco ASA 5505 Site to site VPN IPSEC tunnel to an Clavister Firewall

  Hi,
  I have weird problem with a Site to site VPN tunnel from a Cisco ASA 5505 to an Clavister Firewall.
  When I restart the Cisco ASA 5505 the tunnel is up and down,up, down, down, and I get all strange messages when I see if the tunnel is up or down with the syntax: show crypto isakmp sa
  After a while like 5-10 min the vpn site to site tunnel is up and here is the strange thing happening I have all accesslists and tunnel accesslists right I can only access one remote network (Main site Clavister Firewall) trought the vpn tunnel behind the Cisco ASA 5505, and I have 5 more remote networks that I want to access but only one remote network is working trought the vpn tunnel behind the Cisco ASA. I see that when I do this syntax in ASA: show crypto ipsec sa.
  They had a Clavister Firewall before on that site before and now they have a Cisco ASA 5505 and all the rules on the main site thats have the big Clavister Firewall is intact so the problems are in the Cisco ASA 5505.
  Here is some logs that ASDM give me about the tunnel issue, but like I said, the tunnel is up and only one remote network is reachable in that tunnel.....
  3
  Nov 21 2012
  07:11:09
  713902
  Group = 195.149.180.254, IP = 195.149.169.254, Removing peer from correlator table failed, no match!
  3
  Nov 21 2012
  07:11:09
  713902
  Group = 195.149.180.254, IP = 195.149.169.254, QM FSM error (P2 struct &0xc92462d0, mess id 0x1c6bf927)!
  3
  Nov 21 2012
  07:11:09
  713061
  Group = 195.149.180.254, IP = 195.149.169.254, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
  5
  Nov 21 2012
  07:11:09
  713119
  Group = 195.149.180.254, IP = 195.149.169.254, PHASE 1 COMPLETED
  Here is from the syntax: show crypto isakmp sa
  Result of the command: "show crypto isakmp sa"
     Active SA: 1
      Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
  Total IKE SA: 1
  1   IKE Peer: 195.149.180.254
      Type    : L2L             Role    : responder
      Rekey   : no              State   : MM_ACTIVE
  Result of the command: "show crypto ipsec sa"
  interface: outside
      Crypto map tag: CustomerCryptoMap, seq num: 10, local addr: 213.180.90.29
        access-list arvika_garnisonen permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
        local ident (addr/mask/prot/port): (172.22.65.0/255.255.255.0/0/0)
        remote ident (addr/mask/prot/port): (192.168.123.0/255.255.255.0/0/0)
        current_peer:195.149.180.254
        #pkts encaps: 2188, #pkts encrypt: 2188, #pkts digest: 2188
        #pkts decaps: 2082, #pkts decrypt: 2082, #pkts verify: 2082
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 2188, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: 213.180.67.29, remote crypto endpt.: 195.149.180.254
        path mtu 1500, ipsec overhead 74, media mtu 1500
        current outbound spi: E715B315
      inbound esp sas:
        spi: 0xFAC769EB (4207372779)
           transform: esp-aes-256 esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, PFS Group 5, }
           slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
           sa timing: remaining key lifetime (kB/sec): (38738/2061)
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap:
            0xFFFFFFFF 0xFFFFFFFF
      outbound esp sas:
        spi: 0xE715B315 (3876958997)
           transform: esp-aes-256 esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, PFS Group 5, }
           slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
           sa timing: remaining key lifetime (kB/sec): (38673/2061)
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000001
  And here are my Accesslists and vpn site to site config:
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption aes-256
  hash sha
  group 5
  lifetime 84600
  crypto isakmp nat-traversal 40
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map CustomerCryptoMap 10 match address VPN_Tunnel
  crypto map CustomerCryptoMap 10 set pfs group5
  crypto map CustomerCryptoMap 10 set peer 195.149.180.254
  crypto map CustomerCryptoMap 10 set transform-set ESP-AES-256-SHA
  crypto map CustomerCryptoMap interface outside
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0 -------> This is the only remote network I can reach behind the Cisco ASA and the other remote networks dont work..
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
  nat (inside) 0 access-list nonat
  All these remote networks are at the Main Site Clavister Firewall.
  Best Regards
  Michael

  Hi,
  I'd start by getting the configuration of the remote site related to Local/Remote network configurations and go through them. Even though no changes have been made.
  If they are mirror images of eachother already I'd say its probably some problem related to Cisco/Clavister setup
  Seems especially wierd to me that one of the error messages includes 0.0.0.0 lines.
  I have run into some problems with L2L VPN configurations when our Cisco device just doesnt want to work with the remote end device. In some cases we have confirmed that our networks defined for the L2L VPN are exactly the same and yet when checking debugs on the ASA side we can see the remote end device using totally wrong network masks for the VPN negotiaton and therefore it failed. That problem we corrected with changing the network masks a bit.
  Maybe you could try to change the Encryption Domain configurations a bit and test it then.
  You could also maybe take some debugs on the Phase2 and see if you get anymore  hints as to what could be the problem when only one network is working for the L2L VPN.
  - Jouni

• Site to Site VPN on Cisco ASA

  Hello,
  I'm trying to set up a site to site VPN. I've never done this before and can't get it to work. I've watched training vids online and thought it looked straight forward enough. My problem appears to be that th ASA is not trying to create a tunnel. It doesn't seem to know that this traffic should be sent over the tunnel. Both the outside interfaces can ping one another and are on the same subnet.
  I've pasted the two configs below. They're just base configs with all the VPN commands having been created by the wizard. I've not put any routes in as the two devices are on the same subnet. If you can see my mistake I'd be very grateful to you if you could point it out or even point me in the right direction.
  Cheers,
  Tormod
  ciscoasa1
  : Saved
  : Written by enable_15 at 05:11:30.489 UTC Wed Jun 19 2013
  ASA Version 8.2(5)13
  hostname ciscoasa1
  enable password 8Ry2YjIyt7RRXU24 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface GigabitEthernet0/0
  nameif outside
  security-level 0
  ip address 1.1.1.1 255.255.255.0
  interface GigabitEthernet0/1
  nameif inside
  security-level 100
  ip address 10.1.1.1 255.255.255.0
  interface GigabitEthernet0/2
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  shutdown
  no nameif
  no security-level
  no ip address
  ftp mode passive
  access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu outside 1500
  mtu inside 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat (inside) 0 access-list inside_nat0_outbound
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 0.0.0.0 0.0.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set pfs group1
  crypto map outside_map 1 set peer 1.1.1.2
  crypto map outside_map 1 set transform-set ESP-3DES-SHA
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 65535
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 0.0.0.0 0.0.0.0 inside
  ssh timeout 5
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
  tunnel-group 1.1.1.2 type ipsec-l2l
  tunnel-group 1.1.1.2 ipsec-attributes
  pre-shared-key ciscocisco
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny 
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip 
    inspect xdmcp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:29e3cdb2d704736b7fbbc477e8418d65
  : end
  ciscoasa2
  : Saved
  : Written by enable_15 at 15:40:31.509 UTC Wed Jun 19 2013
  ASA Version 8.2(5)13
  hostname ciscoasa2
  enable password 8Ry2YjIyt7RRXU24 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Ethernet0/0
  nameif outside
  security-level 0
  ip address 1.1.1.2 255.255.255.0
  interface Ethernet0/1
  nameif inside
  security-level 100
  ip address 10.1.2.1 255.255.255.0
  interface Ethernet0/2
  shutdown
  no nameif
  no security-level
  no ip address
  interface Ethernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  shutdown
  no nameif
  no security-level
  no ip address
  ftp mode passive
  access-list outside_1_cryptomap extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu outside 1500
  mtu inside 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat (inside) 0 access-list inside_nat0_outbound
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 0.0.0.0 0.0.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set pfs group1
  crypto map outside_map 1 set peer 1.1.1.1
  crypto map outside_map 1 set transform-set ESP-3DES-SHA
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 65535
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 0.0.0.0 0.0.0.0 inside
  ssh timeout 5
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
  tunnel-group 1.1.1.1 type ipsec-l2l
  tunnel-group 1.1.1.1 ipsec-attributes
  pre-shared-key ciscocisco
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny 
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip 
    inspect xdmcp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:92dca65f5c2cf16486aa7d564732b0e1
  : end

  Thanks very much for your help Jouni. I came in this morning and ran the crypto map outside_map 1 set reverse-route command and everything started to work. I'm surprised the wizard didn't include that command but maybe it's because I didn't have a default route set.
  However, I now have a new problem. We're working towards migrating from ASA8.2 to 9.1. In order to prepare for this I've created a mock of our environment and am testing that everything works prior to making the changes. I can't get this site to site VPN to work. (The one I posted yesterday was just to get a basic site to site VPN working so that I could go from there)
  I've posted the debug from the ASA to which I'm trying to connect. To my undtrained eye it looks like it completes phase one but fails to match a vpn tunnel map. I'm coming from 10.99.99.99 going to 10.1.1.57
  Hope you can help as I'm going nuts here. Although I will of course understand if you've something better to do with your time than bail me out.
  access-list 1111_cryptomap extended permit ip 10.1.1.0 255.255.255.0 Private1 255.255.255.0
  access-list 1111_cryptomap extended permit ip 10.99.99.0 255.255.255.0 10.1.1.0 255.255.255.0
  crypto map vpntunnelmap 1 match address 1111_cryptomap
  crypto map vpntunnelmap 1 set pfs
  crypto map vpntunnelmap 1 set peer 1.1.1.1
  crypto map vpntunnelmap 1 set transform-set ESP-3DES-MD5
  ciscoasa# debug crypto isakmp 255
  IKE Recv RAW packet dump
  db 86 ce 3f 3a a9 e7 0a 00 00 00 00 00 00 00 00    |  ...?:...........
  01 10 02 00 00 00 00 00 00 00 00 f4 0d 00 00 84    |  ................
  00 00 00 01 00 00 00 01 00 00 00 78 01 01 00 03    |  ...........x....
  03 00 00 24 01 01 00 00 80 04 00 02 80 01 00 05    |  ...$............
  80 02 00 02 80 03 00 01 80 0b 00 01 00 0c 00 04    |  ................
  00 00 70 80 03 00 00 28 02 01 00 00 80 04 00 02    |  ..p....(........
  80 01 00 07 80 0e 00 c0 80 02 00 02 80 03 00 01    |  ................
  80 0b 00 01 00 0c 00 04 00 00 70 80 00 00 00 24    |  ..........p....$
  03 01 00 00 80 04 00 02 80 01 00 05 80 02 00 01    |  ................
  80 03 00 01 80 0b 00 01 00 0c 00 04 00 01 51 80    |  ..............Q.
  0d 00 00 14 90 cb 80 91 3e bb 69 6e 08 63 81 b5    |  ........>.in.c..
  ec 42 7b 1f 0d 00 00 14 7d 94 19 a6 53 10 ca 6f    |  .B{.....}...S..o
  2c 17 9d 92 15 52 9d 56 0d 00 00 14 4a 13 1c 81    |  ,....R.V....J...
  07 03 58 45 5c 57 28 f2 0e 95 45 2f 00 00 00 18    |  ..XE\W(...E/....
  40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3    |  @H..n...%.....
  c0 00 00 00                                        |  ....
  RECV PACKET from 1.1.1.2
  ISAKMP Header
    Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
    Responder COOKIE: 00 00 00 00 00 00 00 00
    Next Payload: Security Association
    Version: 1.0
    Exchange Type: Identity Protection (Main Mode)
    Flags: (none)
    MessageID: 00000000
    Length: 244
    Payload Security Association
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 132
      DOI: IPsec
      Situation:(SIT_IDENTITY_ONLY)
      Payload Proposal
        Next Payload: None
        Reserved: 00
        Payload Length: 120
        Proposal #: 1
        Protocol-Id: PROTO_ISAKMP
        SPI Size: 0
        # of transforms: 3
        Payload Transform
          Next Payload: Transform
          Reserved: 00
          Payload Length: 36
          Transform #: 1
          Transform-Id: KEY_IKE
          Reserved2: 0000
          Group Description: Group 2
          Encryption Algorithm: 3DES-CBC
          Hash Algorithm: SHA1
          Authentication Method: Preshared key
          Life Type: seconds
          Life Duration (Hex): 00 00 70 80
        Payload Transform
          Next Payload: Transform
          Reserved: 00
          Payload Length: 40
          Transform #: 2
          Transform-Id: KEY_IKE
          Reserved2: 0000
          Group Description: Group 2
          Encryption Algorithm: AES-CBC
          Key Length: 192
          Hash Algorithm: SHA1
          Authentication Method: Preshared key
          Life Type: seconds
          Life Duration (Hex): 00 00 70 80
        Payload Transform
          Next Payload: None
          Reserved: 00
          Payload Length: 36
          Transform #: 3
          Transform-Id: KEY_IKE
          Reserved2: 0000
          Group Description: Group 2
          Encryption Algorithm: 3DES-CBC
          Hash Algorithm: MD5
          Authentication Method: Preshared key
          Life Type: seconds
          Life Duration (Hex): 00 01 51 80
    Payload Vendor ID
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 20
      Data (In Hex):
        90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
    Payload Vendor ID
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 20
      Data (In Hex):
        7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56
    Payload Vendor ID
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 20
      Data (In Hex):
        4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f
    Payload Vendor ID
      Next Payload: None
      Reserved: 00
      Payload Length: 24
      Data (In Hex):
        40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
        c0 00 00 00
  Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 244
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing SA payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Oakley proposal is acceptable
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing VID payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Received NAT-Traversal ver 02 VID
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing VID payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Received NAT-Traversal ver 03 VID
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing VID payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Received NAT-Traversal RFC VID
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing VID payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Received Fragmentation VID
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing IKE SA payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 1
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, constructing ISAKMP SA payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, constructing Fragmentation VID + extended capabilities payload
  Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104
  SENDING PACKET to 1.1.1.2
  ISAKMP Header
    Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
    Responder COOKIE: 6c 4d 2c ce 68 03 55 58
    Next Payload: Security Association
    Version: 1.0
    Exchange Type: Identity Protection (Main Mode)
    Flags: (none)
    MessageID: 00000000
    Length: 104
    Payload Security Association
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 52
      DOI: IPsec
      Situation:(SIT_IDENTITY_ONLY)
      Payload Proposal
        Next Payload: None
        Reserved: 00
        Payload Length: 40
        Proposal #: 1
        Protocol-Id: PROTO_ISAKMP
        SPI Size: 0
        # of transforms: 1
        Payload Transform
          Next Payload: None
          Reserved: 00
          Payload Length: 32
          Transform #: 1
          Transform-Id: KEY_IKE
          Reserved2: 0000
          Encryption Algorithm: 3DES-CBC
          Hash Algorithm: SHA1
          Group Description: Group 2
          Authentication Method: Preshared key
          Life Type: seconds
          Life Duration (Hex): 70 80
    Payload Vendor ID
      Next Payload: None
      Reserved: 00
      Payload Length: 24
      Data (In Hex):
        40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
        c0 00 00 00
  IKE Recv RAW packet dump
  db 86 ce 3f 3a a9 e7 0a 6c 4d 2c ce 68 03 55 58    |  ...?:...lM,.h.UX
  04 10 02 00 00 00 00 00 00 00 01 00 0a 00 00 84    |  ................
  00 c8 2a 4d bf 63 9f 5c d3 b6 e9 fb 1e c9 61 b3    |  ..*M.c.\......a.
  f9 09 19 75 63 23 3f 59 ef c2 57 4b 59 9f 60 53    |  ...uc#?Y..WKY.`S
  0d d2 b5 2b b5 31 e8 75 46 57 ed 5b 4c f3 96 aa    |  ...+.1.uFW.[L...
  a5 c9 4a e7 62 68 e3 55 4c 54 ac 79 73 be ba f0    |  ..J.bh.ULT.ys...
  09 fe d0 5a 3f 9c 9c 2e 90 88 4d db b0 7b 7c f4    |  ...Z?.....M..{|.
  cc b4 07 1a 11 30 5b 2f 4f bd 56 b5 07 a3 9a cb    |  .....0[/O.V.....
  b3 e3 c8 10 20 a5 41 3a f9 fe 1b ed f0 d7 fa 05    |  .... .A:........
  fa df ef 8a 03 e9 4a 1c 09 ad 05 e6 02 f1 0a fa    |  ......J.........
  0d 00 00 18 bc d2 18 cc 37 f5 cb 77 b6 e2 0a 04    |  ........7..w....
  de c9 d3 1a b0 6f ee a8 0d 00 00 14 12 f5 f2 8c    |  .....o..........
  45 71 68 a9 70 2d 9f e2 74 cc 01 00 0d 00 00 0c    |  Eqh.p-..t.......
  09 00 26 89 df d6 b7 12 0d 00 00 14 2e 41 69 22    |  ..&..........Ai"
  3a a8 e7 0a cd 38 ba 43 ed f2 db 2c 00 00 00 14    |  :....8.C...,....
  1f 07 f7 0e aa 65 14 d3 b0 fa 96 54 2a 50 01 00    |  .....e.....T*P..
  RECV PACKET from 1.1.1.2
  ISAKMP Header
    Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
    Responder COOKIE: 6c 4d 2c ce 68 03 55 58
    Next Payload: Key Exchange
    Version: 1.0
    Exchange Type: Identity Protection (Main Mode)
    Flags: (none)
    MessageID: 00000000
    Length: 256
    Payload Key Exchange
      Next Payload: Nonce
      Reserved: 00
      Payload Length: 132
      Data:
        00 c8 2a 4d bf 63 9f 5c d3 b6 e9 fb 1e c9 61 b3
        f9 09 19 75 63 23 3f 59 ef c2 57 4b 59 9f 60 53
        0d d2 b5 2b b5 31 e8 75 46 57 ed 5b 4c f3 96 aa
        a5 c9 4a e7 62 68 e3 55 4c 54 ac 79 73 be ba f0
        09 fe d0 5a 3f 9c 9c 2e 90 88 4d db b0 7b 7c f4
        cc b4 07 1a 11 30 5b 2f 4f bd 56 b5 07 a3 9a cb
        b3 e3 c8 10 20 a5 41 3a f9 fe 1b ed f0 d7 fa 05
        fa df ef 8a 03 e9 4a 1c 09 ad 05 e6 02 f1 0a fa
    Payload Nonce
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 24
      Data:
        bc d2 18 cc 37 f5 cb 77 b6 e2 0a 04 de c9 d3 1a
        b0 6f ee a8
    Payload Vendor ID
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 20
      Data (In Hex):
        12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00
    Payload Vendor ID
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 12
      Data (In Hex): 09 00 26 89 df d6 b7 12
    Payload Vendor ID
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 20
      Data (In Hex):
        2e 41 69 22 3a a8 e7 0a cd 38 ba 43 ed f2 db 2c
    Payload Vendor ID
      Next Payload: None
      Reserved: 00
      Payload Length: 20
      Data (In Hex):
        1f 07 f7 0e aa 65 14 d3 b0 fa 96 54 2a 50 01 00
  Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing ke payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing ISA_KE payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing nonce payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing VID payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Received Cisco Unity client VID
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing VID payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Received xauth V6 VID
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing VID payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing VID payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, constructing ke payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, constructing nonce payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, constructing Cisco Unity VID payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, constructing xauth V6 VID payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Send IOS VID
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, constructing VID payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
  Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, Connection landed on tunnel_group 1.1.1.2
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, Generating keys for Responder...
  Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
  SENDING PACKET to 1.1.1.2
  ISAKMP Header
    Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
    Responder COOKIE: 6c 4d 2c ce 68 03 55 58
    Next Payload: Key Exchange
    Version: 1.0
    Exchange Type: Identity Protection (Main Mode)
    Flags: (none)
    MessageID: 00000000
    Length: 256
    Payload Key Exchange
      Next Payload: Nonce
      Reserved: 00
      Payload Length: 132
      Data:
        27 62 7f 00 84 06 59 07 28 a1 05 9f 2a 13 ad ff
        47 10 99 27 68 01 2a c8 06 52 b8 55 0c 7d 82 3d
        31 94 0d 68 aa 98 5e 60 ee 2b 37 a5 0f ca 06 5c
        2a f7 83 bb 2e 8b 53 13 49 8b 4e 4c bf d1 34 67
        df ff 50 5b ab e9 f2 12 cb bd c2 0c ab 95 3a 39
        ca 60 31 7a d4 80 80 b6 0c 85 3e f5 16 fb f5 f8
        27 5d 28 b9 b1 2e b3 35 79 1a 9e f7 fd 13 8f f4
        5f 5d 53 93 74 6d d1 60 97 ca d2 bc b3 b4 e6 03
    Payload Nonce
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 24
      Data:
        a7 f8 48 c1 98 b4 cb 02 79 de ae 6e 59 3d 23 cb
        4c a1 7b 44
    Payload Vendor ID
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 20
      Data (In Hex):
        12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00
    Payload Vendor ID
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 12
      Data (In Hex): 09 00 26 89 df d6 b7 12
    Payload Vendor ID
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 20
      Data (In Hex):
        99 8a 8b d3 68 02 55 58 44 16 79 1c 51 be 23 8f
    Payload Vendor ID
      Next Payload: None
      Reserved: 00
      Payload Length: 20
      Data (In Hex):
        1f 07 f7 0e aa 65 14 d3 b0 fa 96 54 2a 50 01 00
  IKE Recv RAW packet dump
  db 86 ce 3f 3a a9 e7 0a 6c 4d 2c ce 68 03 55 58    |  ...?:...lM,.h.UX
  05 10 02 01 00 00 00 00 00 00 00 64 8f a8 6e 03    |  ...........d..n.
  81 b9 24 e5 f0 ba ca 1a 0f fa 5a a1 3c 2d 61 1a    |  ..$.......Z.<-a.
  7d 48 b0 0c 7f 09 bc 82 9b b1 25 b4 f6 04 45 a0    |  }H......%...E.
  13 12 27 ff 7a 41 9f e9 8e 96 c2 80 b9 59 b0 ec    |  ..'.zA.......Y..
  40 e3 95 4d 96 ef eb ce e2 fb d9 45 83 50 0d e7    |  @..M.......E.P..
  9c c7 70 7f                                        |  ..
  RECV PACKET from 1.1.1.2
  ISAKMP Header
    Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
    Responder COOKIE: 6c 4d 2c ce 68 03 55 58
    Next Payload: Identification
    Version: 1.0
    Exchange Type: Identity Protection (Main Mode)
    Flags: (Encryption)
    MessageID: 00000000
    Length: 100
  AFTER DECRYPTION
  ISAKMP Header
    Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
    Responder COOKIE: 6c 4d 2c ce 68 03 55 58
    Next Payload: Identification
    Version: 1.0
    Exchange Type: Identity Protection (Main Mode)
    Flags: (Encryption)
    MessageID: 00000000
    Length: 100
    Payload Identification
      Next Payload: Hash
      Reserved: 00
      Payload Length: 12
      ID Type: IPv4 Address (1)
      Protocol ID (UDP/TCP, etc...): 17
      Port: 500
      ID Data: 1.1.1.2
    Payload Hash
      Next Payload: IOS Proprietary Keepalive or CHRE
      Reserved: 00
      Payload Length: 24
      Data:
        f4 40 eb 6b 55 f0 19 cd 10 81 e6 53 cf 23 75 c5
        45 ab 7f 3d
    Payload IOS Proprietary Keepalive or CHRE
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 12
      Default Interval: 32767
      Retry Interval: 32767
    Payload Vendor ID
      Next Payload: None
      Reserved: 00
      Payload Length: 20
      Data (In Hex):
        af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
  Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing ID payload
  Jun 20 16:29:42 [IKEv1 DECODE]: Group = 1.1.1.2, IP = 1.1.1.2, ID_IPV4_ADDR ID received
  1.1.1.2
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing hash payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, Computing hash for ISAKMP
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Processing IOS keep alive payload: proposal=32767/32767 sec.
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing VID payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, Received DPD VID
  Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, Connection landed on tunnel_group 1.1.1.2
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, constructing ID payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, constructing hash payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, Computing hash for ISAKMP
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Constructing IOS keep alive payload: proposal=32767/32767 sec.
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, constructing dpd vid payload
  Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
  BEFORE ENCRYPTION
  RAW PACKET DUMP on SEND
  db 86 ce 3f 3a a9 e7 0a 6c 4d 2c ce 68 03 55 58    |  ...?:...lM,.h.UX
  05 10 02 00 00 00 00 00 1c 00 00 00 08 00 00 0c    |  ................
  01 11 01 f4 c2 9f 09 02 80 00 00 18 58 00 80 06    |  ............X...
  e9 66 ba 20 1e ba 79 c8 16 85 2d 2f a0 96 b4 e5    |  .f. ..y...-/....
  0d 00 00 0c 80 00 7f ff 80 00 7f ff 00 00 00 14    |  ............
  af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00    |  ....h...k...wW..
  ISAKMP Header
    Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
    Responder COOKIE: 6c 4d 2c ce 68 03 55 58
    Next Payload: Identification
    Version: 1.0
    Exchange Type: Identity Protection (Main Mode)
    Flags: (none)
    MessageID: 00000000
    Length: 469762048
    Payload Identification
      Next Payload: Hash
      Reserved: 00
      Payload Length: 12
      ID Type: IPv4 Address (1)
      Protocol ID (UDP/TCP, etc...): 17
      Port: 500
      ID Data: 1.1.1.1
    Payload Hash
      Next Payload: IOS Proprietary Keepalive or CHRE
      Reserved: 00
      Payload Length: 24
      Data:
        58 00 80 06 e9 66 ba 20 1e ba 79 c8 16 85 2d 2f
        a0 96 b4 e5
    Payload IOS Proprietary Keepalive or CHRE
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 12
      Default Interval: 32767
      Retry Interval: 32767
    Payload Vendor ID
      Next Payload: None
      Reserved: 00
      Payload Length: 20
      Data (In Hex):
        af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
  SENDING PACKET to 1.1.1.2
  ISAKMP Header
    Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
    Responder COOKIE: 6c 4d 2c ce 68 03 55 58
    Next Payload: Identification
    Version: 1.0
    Exchange Type: Identity Protection (Main Mode)
    Flags: (Encryption)
    MessageID: 00000000
    Length: 100
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, PHASE 1 COMPLETED
  Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, Keep-alive type for this connection: DPD
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, Starting P1 rekey timer: 27360 seconds.
  IKE Recv RAW packet dump
  db 86 ce 3f 3a a9 e7 0a 6c 4d 2c ce 68 03 55 58    |  ...?:...lM,.h.UX
  08 10 20 01 56 e5 a4 1e 00 00 01 4c d2 44 3e 24    |  .. .V......L.D>$
  87 96 a1 fe d1 a3 d3 a3 ed 59 45 2d 53 be 17 9f    |  .........YE-S...
  42 72 2b a3 5f f8 5e 41 5a 62 25 0c 5d bf 6c 2a    |  Br+._.^AZb%.].l*
  e6 e0 1f 77 d5 ed c8 1c 06 cb ef f2 58 07 1d 35    |  ...w........X..5
  a9 d5 7b 86 24 05 88 32 e7 33 6f f2 f7 9d 70 07    |  ..{.$..2.3o...p.
  18 40 51 77 7d 7e 6c 77 55 d9 18 7a 57 5d b9 88    |  .@Qw}~lwU..zW]..
  6c a6 d5 f3 60 5e 14 4f da cb 42 65 88 d6 75 0e    |  l...`^.O..Be..u.
  22 1c bb 89 1f 57 bd c2 f2 46 30 31 30 9c 63 e6    |  "....W...F010.c.
  e2 e9 5b 68 71 f2 ed 69 f1 eb a7 65 2d b2 31 85    |  ..[hq..i...e-.1.
  31 93 0a c1 21 44 57 de ad 8b 79 5e 3d 36 5c 44    |  1...!DW...y^=6\D
  88 23 a8 44 76 2c d6 c2 ed 31 2d 69 b1 50 26 9f    |  .#.Dv,...1-i.P&.
  ee 48 3e c4 dd 0d 40 8f 65 d2 fb 82 19 42 b7 0f    |  .H>[email protected]..
  a0 74 b3 e6 df dd 16 c4 fa ca bf d2 b6 33 b0 5f    |  .t...........3._
  d6 59 4f 6a 84 9e 0d 76 a4 d6 d3 94 67 bc 9c df    |  .YOj...v....g...
  33 20 48 61 d7 80 b6 97 0d a9 32 48 7d 5b 79 8b    |  3 Ha......2H}[y.
  7b bc e0 9b b4 5d ed 49 04 6b 5d 72 d7 5b 82 90    |  {....].I.k]r.[..
  47 e5 65 64 a9 25 ce 2f 3f a2 ca 98 b1 0b ff 01    |  G.ed.%./?.......
  9c 32 64 5c dd 9c 26 71 c4 59 cd 52 da 1f b9 23    |  .2d\..&q.Y.R...#
  32 dd d8 a5 d1 1c 2a d0 0f ef 2b 26 66 c0 14 48    |  2.....*...+&f..H
  52 35 3a ee 36 a6 00 df a5 d6 6b 42                |  R5:.6.....kB
  RECV PACKET from 1.1.1.2
  ISAKMP Header
    Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
    Responder COOKIE: 6c 4d 2c ce 68 03 55 58
    Next Payload: Hash
    Version: 1.0
    Exchange Type: Quick Mode
    Flags: (Encryption)
    MessageID: 56E5A41E
    Length: 332
  Jun 20 16:29:42 [IKEv1 DECODE]: IP = 1.1.1.2, IKE Responder starting QM: msg id = 56e5a41e
  AFTER DECRYPTION
  ISAKMP Header
    Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
    Responder COOKIE: 6c 4d 2c ce 68 03 55 58
    Next Payload: Hash
    Version: 1.0
    Exchange Type: Quick Mode
    Flags: (Encryption)
    MessageID: 56E5A41E
    Length: 332
    Payload Hash
      Next Payload: Security Association
      Reserved: 00
      Payload Length: 24
      Data:
        78 09 81 d2 54 22 37 a1 b0 a8 53 cf df d4 1e fb
        4a 7b 99 f7
    Payload Security Association
      Next Payload: Nonce
      Reserved: 00
      Payload Length: 64
      DOI: IPsec
      Situation:(SIT_IDENTITY_ONLY)
      Payload Proposal
        Next Payload: None
        Reserved: 00
        Payload Length: 52
        Proposal #: 1
        Protocol-Id: PROTO_IPSEC_ESP
        SPI Size: 4
        # of transforms: 1
        SPI: b2 c1 66 6e
        Payload Transform
          Next Payload: None
          Reserved: 00
          Payload Length: 40
          Transform #: 1
          Transform-Id: ESP_3DES
          Reserved2: 0000
          Life Type: Seconds
          Life Duration (Hex): 70 80
          Life Type: Kilobytes
          Life Duration (Hex): 00 46 50 00
          Encapsulation Mode: Tunnel
          Authentication Algorithm: MD5
          Group Description: Group 2
    Payload Nonce
      Next Payload: Key Exchange
      Reserved: 00
      Payload Length: 24
      Data:
        1e 43 34 fa cc 9f 77 65 45 7c b6 18 2f 18 fd a9
        86 e6 58 42
    Payload Key Exchange
      Next Payload: Identification
      Reserved: 00
      Payload Length: 132
      Data:
        3c 26 4c 94 68 33 4b 2d ce 37 4a d2 8c 62 ab 6b
        e6 d4 d2 8a df 70 bc 67 62 ca 96 8c 3b 30 cd 58
        54 55 71 0f 9e bc da 63 a9 68 86 fd ba 7a 13 f3
        e9 51 e9 a4 13 b0 b0 20 45 cf 1f 36 1e 95 95 c9
        dd 92 c9 cd 2b 33 2d 4b 7e bd ed d4 ec bf 54 b9
        6e 13 7f 17 dc 28 61 5d 46 fe 1d ba 88 e5 ca 70
        40 59 12 c1 0c 3a 51 7f ae 5f e2 95 73 bc c9 16
        67 ce 38 82 e7 b3 1b 6a 39 05 46 71 b8 da c3 57
    Payload Identification
      Next Payload: Identification
      Reserved: 00
      Payload Length: 16
      ID Type: IPv4 Subnet (4)
      Protocol ID (UDP/TCP, etc...): 0
      Port: 0
      ID Data: 10.99.99.0/255.255.255.0
    Payload Identification
      Next Payload: Notification
      Reserved: 00
      Payload Length: 16
      ID Type: IPv4 Subnet (4)
      Protocol ID (UDP/TCP, etc...): 0
      Port: 0
      ID Data: 10.1.1.0/255.255.255.0
    Payload Notification
      Next Payload: None
      Reserved: 00
      Payload Length: 28
      DOI: IPsec
      Protocol-ID: PROTO_ISAKMP
      Spi Size: 16
      Notify Type: STATUS_INITIAL_CONTACT
      SPI:
        db 86 ce 3f 3a a9 e7 0a 6c 4d 2c ce 68 03 55 58
  Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, IKE_DECODE RECEIVED Message (msgid=56e5a41e) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 332
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing hash payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing SA payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing nonce payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing ke payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing ISA_KE for PFS in phase 2
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing ID payload
  Jun 20 16:29:42 [IKEv1 DECODE]: Group = 1.1.1.2, IP = 1.1.1.2, ID_IPV4_ADDR_SUBNET ID received--10.99.99.0--255.255.255.0
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Received remote IP Proxy Subnet data in ID Payload:   Address 10.99.99.0, Mask 255.255.255.0, Protocol 0, Port 0
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing ID payload
  Jun 20 16:29:42 [IKEv1 DECODE]: Group = 1.1.1.2, IP = 1.1.1.2, ID_IPV4_ADDR_SUBNET ID received--10.1.1.0--255.255.255.0
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Received local IP Proxy Subnet data in ID Payload:   Address 10.1.1.0, Mask 255.255.255.0, Protocol 0, Port 0
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing notify payload
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, QM IsRekeyed old sa not found by addr
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, checking map = vpntunnelmap, seq = 1...
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, map = vpntunnelmap, seq = 1, ACL does not match proxy IDs src:10.99.99.0 dst:10.1.1.0
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, checking map = vpntunnelmap, seq = 2...
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, map = vpntunnelmap, seq = 2, ACL does not match proxy IDs src:10.99.99.0 dst:10.1.1.0
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, checking map = vpntunnelmap, seq = 3...
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, map = vpntunnelmap, seq = 3, ACL does not match proxy IDs src:10.99.99.0 dst:10.1.1.0
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, checking map = vpntunnelmap, seq = 35...
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, map = vpntunnelmap, seq = 35, ACL does not match proxy IDs src:10.99.99.0 dst:10.1.1.0
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, checking map = vpntunnelmap, seq = 40...
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, map = vpntunnelmap, seq = 40, ACL does not match proxy IDs src:10.99.99.0 dst:10.1.1.0
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, checking map = vpntunnelmap, seq = 41...
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, map = vpntunnelmap, seq = 41, ACL does not match proxy IDs src:10.99.99.0 dst:10.1.1.0
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.99.99.0/255.255.255.0/0/0 local proxy 10.1.1.0/255.255.255.0/0/0 on interface thus
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, sending notify message
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, constructing blank hash payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, constructing qm hash payload
  Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, IKE_DECODE SENDING Message (msgid=7ecccf15) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 384
  BEFORE ENCRYPTION
  RAW PACKET DUMP on SEND
  db 86 ce 3f 3a a9 e7 0a 6c 4d 2c ce 68 03 55
  IKE Recv RAW packet dump

• Site to Site VPN Between Two ASA 5505's Up But Not Passing Traffic

  hello,
  i am setting up a site to site vpn between two asa 5505's.  the tunnel is up but i cannot get it to pass traffic and i have run out of ideas at this point.  i am on site as i am posting this question and only have about 4 hours left to figure this out, so any help asap is greatly appreciated.  i'll post the configs below along with the output of sh crypto isakmp sa and sh ipsec sa.
  FYI the asa's are different versions, one is 9.2 the other is 8.2
  Note: 1.1.1.1 = public ip for Site A 2.2.2.2 = public ip for site B
  Site A running config:
  Result of the command: "sh run"
  : Saved
  ASA Version 8.2(2)
  hostname csol-asa
  enable password WI19w3dXj6ANP8c6 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  name 192.168.1.0 san_antonio_inside
  interface Vlan1
   nameif inside
   security-level 100
   ip address 192.168.2.1 255.255.255.0
  interface Vlan2
   nameif outside
   security-level 0
   ip address 1.1.1.1 255.255.255.248
  interface Ethernet0/0
   switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  dns domain-lookup inside
  dns server-group DefaultDNS
   name-server 24.93.41.125
   name-server 24.93.41.126
  object-group network NETWORK_OBJ_192.168.2.0_24
  access-list inside_access_out extended permit ip any any
  access-list outside_access_out extended permit ip any any
  access-list outside_access_in extended permit icmp any any
  access-list outside_access_in_1 extended permit icmp any interface outside
  access-list outside_access_in_1 extended permit tcp any interface outside eq pop3
  access-list outside_access_in_1 extended permit tcp any interface outside eq 8100
  access-list outside_access_in_1 extended permit udp any interface outside eq 8100
  access-list outside_access_in_1 extended permit udp any interface outside eq 1025
  access-list outside_access_in_1 extended permit tcp any interface outside eq 1025
  access-list outside_access_in_1 extended permit tcp any interface outside eq 5020
  access-list outside_access_in_1 extended permit tcp any interface outside eq 8080
  access-list outside_access_in_1 extended permit tcp any interface outside eq www
  access-list outside_access_in_1 extended permit ip san_antonio_inside 255.255.255.0 any
  access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 host san_antonio_inside
  access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 san_antonio_inside 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 san_antonio_inside 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat-control
  global (inside) 2 interface
  global (outside) 101 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 101 0.0.0.0 0.0.0.0
  static (inside,outside) tcp interface pop3 192.168.2.249 pop3 netmask 255.255.255.255
  static (inside,outside) tcp interface 8100 192.168.2.161 8100 netmask 255.255.255.255
  static (inside,outside) udp interface 8100 192.168.2.161 8100 netmask 255.255.255.255
  static (inside,outside) udp interface 1025 192.168.2.161 1025 netmask 255.255.255.255
  static (inside,outside) tcp interface 5020 192.168.2.8 5020 netmask 255.255.255.255
  static (inside,outside) tcp interface 8080 192.168.2.251 8080 netmask 255.255.255.255
  static (inside,inside) tcp interface www 192.168.2.8 www netmask 255.255.255.255
  static (inside,outside) tcp interface 1025 192.168.2.161 1025 netmask 255.255.255.255
  access-group inside_access_out out interface inside
  access-group outside_access_in_1 in interface outside
  route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 192.168.2.0 255.255.255.0 inside
  http 2.2.2.2 255.255.255.255 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map outside_map1 1 match address outside_1_cryptomap_1
  crypto map outside_map1 1 set peer 2.2.2.2
  crypto map outside_map1 1 set transform-set ESP-3DES-SHA
  crypto map outside_map1 interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd address 192.168.2.30-192.168.2.155 inside
  dhcpd dns 24.93.41.125 24.93.41.126 interface inside
  dhcpd domain corporatesolutionsfw.local interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
   anyconnect-essentials
  group-policy DfltGrpPolicy attributes
  tunnel-group 2.2.2.2 type ipsec-l2l
  tunnel-group 2.2.2.2 ipsec-attributes
   pre-shared-key *****
  prompt hostname context
  call-home
   profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:021cf43a4211a99232849372c380dda2
  : end
  Site A sh crypto isakmp sa:
  Active SA: 1
      Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
  Total IKE SA: 1
  1   IKE Peer: 2.2.2.2
      Type    : L2L             Role    : responder
      Rekey   : no              State   : MM_ACTIVE
  Site A sh ipsec sa:
  Result of the command: "sh ipsec sa"
  interface: outside
      Crypto map tag: outside_map1, seq num: 1, local addr: 1.1.1.1
        access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
        local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
        remote ident (addr/mask/prot/port): (san_antonio_inside/255.255.255.0/0/0)
        current_peer: 2.2.2.2
        #pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
        #pkts decaps: 239, #pkts decrypt: 239, #pkts verify: 239
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 1, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: 1.1.1.1, remote crypto endpt.: 71.40.110.179
        path mtu 1500, ipsec overhead 58, media mtu 1500
        current outbound spi: C1074C40
        current inbound spi : B21273A9
      inbound esp sas:
        spi: 0xB21273A9 (2987553705)
           transform: esp-3des esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, }
           slot: 0, conn_id: 1691648, crypto-map: outside_map1
           sa timing: remaining key lifetime (kB/sec): (3914989/27694)
           IV size: 8 bytes
           replay detection support: Y
           Anti replay bitmap:
            0xFFFFFFFF 0xFFFFFFFF
      outbound esp sas:
        spi: 0xC1074C40 (3238480960)
           transform: esp-3des esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, }
           slot: 0, conn_id: 1691648, crypto-map: outside_map1
           sa timing: remaining key lifetime (kB/sec): (3914999/27694)
           IV size: 8 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000001
  Site B running config:
  Result of the command: "sh run"
  : Saved
  : Serial Number: JMX184640WY
  : Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
  ASA Version 9.2(2)4
  hostname CSOLSAASA
  enable password WI19w3dXj6ANP8c6 encrypted
  xlate per-session deny tcp any4 any4
  xlate per-session deny tcp any4 any6
  xlate per-session deny tcp any6 any4
  xlate per-session deny tcp any6 any6
  xlate per-session deny udp any4 any4 eq domain
  xlate per-session deny udp any4 any6 eq domain
  xlate per-session deny udp any6 any4 eq domain
  xlate per-session deny udp any6 any6 eq domain
  names
  interface Ethernet0/0
   switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
   nameif inside
   security-level 100
   ip address 192.168.1.1 255.255.255.0
  interface Vlan2
   nameif outside
   security-level 0
   ip address 2.2.2.2 255.255.255.248
  ftp mode passive
  object network NETWORK_OBJ_192.168.1.0_24
   subnet 192.168.1.0 255.255.255.0
  object network mcallen_network
   subnet 192.168.2.0 255.255.255.0
  access-list outside_cryptomap extended permit ip object NETWORK_OBJ_192.168.1.0_24 object mcallen_network
  access-list outside_access_in extended permit ip object mcallen_network 192.168.1.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-731-101.bin
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static mcallen_network mcallen_network no-proxy-arp route-lookup
  nat (inside,outside) after-auto source dynamic any interface
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 2.2.2.2 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
  crypto ipsec ikev2 ipsec-proposal DES
   protocol esp encryption des
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
   protocol esp encryption 3des
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
   protocol esp encryption aes
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
   protocol esp encryption aes-192
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES256
   protocol esp encryption aes-256
   protocol esp integrity sha-1 md5
  crypto ipsec security-association pmtu-aging infinite
  crypto map outside_map3 1 match address outside_cryptomap
  crypto map outside_map3 1 set peer 1.1.1.1
  crypto map outside_map3 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map3 interface outside
  crypto ca trustpool policy
  crypto ikev2 policy 1
   encryption aes-256
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 10
   encryption aes-192
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 20
   encryption aes
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 30
   encryption 3des
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 40
   encryption des
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 enable outside
  crypto ikev1 enable outside
  crypto ikev1 policy 120
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  telnet timeout 5
  ssh stricthostkeycheck
  ssh timeout 5
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  dhcpd address 192.168.1.200-192.168.1.250 inside
  dhcpd dns 24.93.41.125 24.93.41.126 interface inside
  dhcpd domain CSOLSA.LOCAL interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
   anyconnect-essentials
  group-policy DfltGrpPolicy attributes
   vpn-tunnel-protocol ikev1
  tunnel-group 1.1.1.1 type ipsec-l2l
  tunnel-group 1.1.1.1 ipsec-attributes
   ikev1 pre-shared-key *****
  policy-map type inspect dns preset_dns_map
   parameters
    message-length maximum client auto
    message-length maximum 512
  prompt hostname context
  no call-home reporting anonymous
  call-home
   profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:4e058021a6e84ac7956dca0e5a143b8d
  : end
  Site B sh crypto isakmp sa:
  Result of the command: "sh crypto isakmp sa"
  IKEv1 SAs:
     Active SA: 1
      Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
  Total IKE SA: 1
  1   IKE Peer: 1.1.1.1
      Type    : L2L             Role    : initiator
      Rekey   : no              State   : MM_ACTIVE
  There are no IKEv2 SAs
  Site B sh ipsec sa:
  Result of the command: "sh ipsec sa"
  interface: outside
      Crypto map tag: outside_map3, seq num: 1, local addr: 71.40.110.179
        access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
        local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
        remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
        current_peer: 1.1.1.1
        #pkts encaps: 286, #pkts encrypt: 286, #pkts digest: 286
        #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 286, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #TFC rcvd: 0, #TFC sent: 0
        #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: 2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
        path mtu 1500, ipsec overhead 58(36), media mtu 1500
        PMTU time remaining (sec): 0, DF policy: copy-df
        ICMP error validation: disabled, TFC packets: disabled
        current outbound spi: B21273A9
        current inbound spi : C1074C40
      inbound esp sas:
        spi: 0xC1074C40 (3238480960)
           transform: esp-3des esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, IKEv1, }
           slot: 0, conn_id: 28672, crypto-map: outside_map3
           sa timing: remaining key lifetime (kB/sec): (4373999/27456)
           IV size: 8 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000003
      outbound esp sas:
        spi: 0xB21273A9 (2987553705)
           transform: esp-3des esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, IKEv1, }
           slot: 0, conn_id: 28672, crypto-map: outside_map3
           sa timing: remaining key lifetime (kB/sec): (4373987/27456)
           IV size: 8 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000001

  Hi Keegan,
  Your tunnel is up and encrypting traffic one way, the other end is not able to encrypt the traffic.
  I would suggest to do a 'clear xlate'?  Sometimes if you setup the nonat configuration after you've attempted other configurations, you need to 'clear xlate' before the previous NAT configuration is cleared and the new one works.
  HTH
  "Please rate useful posts"

• RV215W - Problem setting up site-to-site VPN

  Hello,
  I've taken a plane to newbie-land and need help in setting up a site-to-site VPN. I know this is very basic stuff so I apologize for asking something that's been answered a million times before. I just can't find an answer I can translate directly to my situation.
  I have two RV215W routers, and although I've found a considerable amount of information on setting up the VPN on this model, I can't find anything on setting up two of them to create a functional VPN. I think I'm probably making an error in my IP addressing.
  It appears that somehow I'm creating an endless loop on at least one end.  I can't ping specific devices on the other network, and when I type the LAN IP address of the remote router into a browser it actually goes to the local router's setup page. After running awhile the network gets so bogged down with its own traffic (I'm assuming) that it grinds nearly to a halt. I can see in the IPSec connection status that both sides are connected, but I'm not sure exactly what they think they are connected to. Tons of VPN traffic on both ends, though.
  I have been using the Basic VPN Setup page  following instructions in the RV215W Administration guide's "Configuring Basic Site-to-site IPsec VPN Settings", page 104. Basically, I'm configuring the routers as mirror images with regard to local and remote LAN and WAN settings, although I have to admit I don't know if that's how you're supposed to configure them to work together.
  Here's my environment:
  Local Network:
  WAN: XXX.XX.XX.XX
  LAN: 192.168.0.0/255.255.255.0
  Router IP Address: 192.168.0.1
  Remote Network:
  WAN: YYY.YY.YY.YY
  LAN: 192.168.1.0/255.255.255.0
  Router IP Address: 192.168.1.1
  Here are my router configurations:
  Local Network Router:
  Connection Name: Bob
  Pre-shared Key: wxyz
  Remote endpoint: 192.168.1.1
  Remote WAN IP Address: YYY.YY.YY.YY
  Redundancy Endpoint: Not enabled
  Remote LAN IP Address: 192.168.1.0
  Local LAN IP Address: 192.168.0.0
  Local LAN Subnet Mask: 255.255.255.0
  Remote Network Router:
  Connection Name: Jerry
  Pre-shared Key: wxyz
  Remote endpoint: 192.168.0.1
  Remote WAN IP Address: XXX.XX.XX.XX
  Redundancy Endpoint: Not enabled
  Remote LAN IP Address: 192.168.0.0
  Local LAN IP Address: 192.168.0.0
  Local LAN Subnet Mask: 255.255.255.0
  When I look at the advanced settings I don't see any items that need to be changed, at least according to what I've gathered in my searches for information on my problem. The IKE and VPN policy tables are enabled, and for kicks I've toggled NAT traversal and NETBIOS different ways.
  Thank you for any help!
  -John

  We are a relatively small not-for-profit so I've never had to do much in the way of anything beyond setting up stand-alone networks and no-brainer stuff like port-forwards, troubleshooting devices that don't like this or that feature in a router, etc. We are growing quickly though.
  The reason I need to do this one on-site is because there are several devices I can't reach remotely. They have specific IP addresses and you can only configure them from the front panel. Nearly everything else would work perfectly, but those devices would not be happy. :-) I'll be able to remote from there though to a computer at this location.
  Thanks again!

• Azure Site to Site VPN with Cisco ASA 5505

  I have got Cisco ASA 5505 device (version 9.0(2)). And i cannot connect S2S with azure (azure network alway in "connecting" state). In my cisco log:
  IP = 104.40.182.93, Keep-alives configured on but peer does not support keep-alives (type = None)
  Group = 104.40.182.93, IP = 104.40.182.93, QM FSM error (P2 struct &0xcaaa2a38, mess id 0x1)!
  Group = 104.40.182.93, IP = 104.40.182.93, Removing peer from correlator table failed, no match!
  Group = 104.40.182.93, IP = 104.40.182.93,Overriding Initiator's IPSec rekeying duration from 102400000 to 4608000 Kbs
  Group = 104.40.182.93, IP = 104.40.182.93, PHASE 1 COMPLETED
  I have done all cisco s2s congiguration over standard wizard cos seems your script for 8.x version of asa only?
  (Does azure support 9.x version of asa?)
  How can i fix it?

  Hi,
  As of now, we do not have any scripts for Cisco ASA 9x series.
  Thank you for your interest in Windows Azure. The Dynamic routing is not supported for the Cisco ASA family of devices.
  Unfortunately, a dynamic routing VPN gateway is required for Multi-Site VPN, VNet to VNet, and Point-to-Site.
  However, you should be able to setup a site-to-site VPN with Cisco ASA 5505 series security appliance as
  demonstrated in this blog:
  Step-By-Step: Create a Site-to-Site VPN between your network and Azure
  http://blogs.technet.com/b/canitpro/archive/2013/10/09/step-by-step-create-a-site-to-site-vpn-between-your-network-and-azure.aspx
  You can refer to this article for Cisco ASA templates for Static routing:
  http://msdn.microsoft.com/en-us/library/azure/dn133793.aspx
  Did you download the VPN configuration file from the dashboard and copy the content of the configuration
  file to the Command Line Interface of the Cisco ASDM application? It seems that there is no specified IP address in the access list part and maybe that is why the states message appeared.
  According to the
  Cisco ASA template, it should be similar to this:
  access-list <RP_AccessList>
  extended permit ip object-group
  <RP_OnPremiseNetwork> object-group <RP_AzureNetwork>
  nat (inside,outside) source static <RP_OnPremiseNetwork>
  <RP_OnPremiseNetwork> destination static <RP_AzureNetwork>
  <RP_AzureNetwork>
  Based on my experience, to establish
  IPSEC tunnel, you need to allow the ESP protocol and UDP Port 500. Please make sure that the
  VPN device cannot be located behind a NAT. Besides, since Cisco ASA templates are not
  compatible for dynamic routing, please make sure that you chose the static routing.
  Since you configure the VPN device yourself, it's important that you would be familiar with the device and its configuration settings.
  Hope this helps you.
  Girish Prajwal