datapalvelut

VPN site-to-site

I'm having a problem creating a VPN tunnel between these two devices.

I changed the Firebox's IP address to 1.1.1.1
and the Cisco's to 2.2.2.2.

Here is some debug output from Cisco 878:

*Apr 12 17:10:57.325: ISAKMP (0:2181): received packet from 1.1.1.1 dport 4500 sport 23294 Global (R) QM_IDLE
*Apr 12 17:10:57.325: ISAKMP: set new node 22914874 to QM_IDLE
*Apr 12 17:10:57.325: ISAKMP:(2181): processing HASH payload. message ID = 22914874
*Apr 12 17:10:57.329: ISAKMP:(2181): processing NOTIFY DPD/R_U_THERE protocol 1
        spi 0, message ID = 22914874, sa = 83F42324
*Apr 12 17:10:57.329: ISAKMP:(2181):deleting node 22914874 error FALSE reason "Informational (in) state 1"
*Apr 12 17:10:57.329: ISAKMP:(2181):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Apr 12 17:10:57.329: ISAKMP:(2181):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Apr 12 17:10:57.329: ISAKMP:(2181):DPD/R_U_THERE received from peer 1.1.1.1, sequence 0x4794DE66
*Apr 12 17:10:57.329: ISAKMP: set new node 1691270778 to QM_IDLE
*Apr 12 17:10:57.329: ISAKMP:(2181):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
        spi 2208842384, message ID = 1691270778
*Apr 12 17:10:57.329: ISAKMP:(2181): seq. no 0x4794DE66
*Apr 12 17:10:57.329: ISAKMP:(2181): sending packet to 1.1.1.1 my_port 4500 peer_port 23294 (R) QM_IDLE
*Apr 12 17:10:57.329: ISAKMP:(2181):Sending an IKE IPv4 Packet.
*Apr 12 17:10:57.333: ISAKMP:(2181):purging node 1691270778
*Apr 12 17:10:57.333: ISAKMP:(2181):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Apr 12 17:10:57.333: ISAKMP:(2181):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Apr 12 17:11:07.557: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 2.2.2.2, remote= 1.1.1.1,
    local_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4)
*Apr 12 17:11:08.185: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 2.2.2.2, remote= 1.1.1.1,
    local_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 28800s and 128000kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Apr 12 17:11:08.185: ISAKMP: set new node 0 to CONF_XAUTH
*Apr 12 17:11:08.185: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 2.2.2.2, remote 1.1.1.1)
*Apr 12 17:11:08.185: ISAKMP: Error while processing SA request: Failed to initialize SA
*Apr 12 17:11:08.185: ISAKMP: Error while processing KMI message 0, error 2.
*Apr 12 17:11:22.561: ISAKMP: quick mode timer expired.
*Apr 12 17:11:22.561: ISAKMP:(0):src 2.2.2.2 dst 1.1.1.1, SA is not authenticated
*Apr 12 17:11:22.561: ISAKMP:(0):peer does not do paranoid keepalives.

*Apr 12 17:11:22.561: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) MM_NO_STATE (peer 1.1.1.1)
*Apr 12 17:11:22.561: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) MM_NO_STATE (peer 1.1.1.1)
*Apr 12 17:11:22.561: ISAKMP: Unlocking peer struct 0x8358D698 for isadb_mark_sa_deleted(), count 0
*Apr 12 17:11:22.561: ISAKMP: Deleting peer node by peer_reap for 1.1.1.1: 8358D698
*Apr 12 17:11:22.561: ISAKMP:(0):deleting node -1531374776 error FALSE reason "IKE deleted"
*Apr 12 17:11:22.561: ISAKMP:(0):deleting node -1783709907 error FALSE reason "IKE deleted"
*Apr 12 17:11:22.561: ISAKMP:(0):deleting node 930963450 error FALSE reason "IKE deleted"
*Apr 12 17:11:22.561: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Apr 12 17:11:22.561: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA

*Apr 12 17:11:22.565: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Apr 12 17:11:38.185: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 2.2.2.2, remote= 1.1.1.1,
    local_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4)
*Apr 12 17:11:38.185: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 2.2.2.2, remote= 1.1.1.1,
    local_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 28800s and 128000kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Apr 12 17:11:38.185: ISAKMP:(0): SA request profile is (NULL)
*Apr 12 17:11:38.185: ISAKMP: Created a peer struct for 1.1.1.1, peer port 500
*Apr 12 17:11:38.185: ISAKMP: New peer created peer = 0x83EC688C peer_handle = 0x80000581
*Apr 12 17:11:38.185: ISAKMP: Locking peer struct 0x83EC688C, refcount 1 for isakmp_initiator
*Apr 12 17:11:38.185: ISAKMP:(0):Setting client config settings 842BEBAC
*Apr 12 17:11:38.185: ISAKMP:(0):(Re)Setting client xauth list  and state
*Apr 12 17:11:38.185: ISAKMP/xauth: initializing AAA request
*Apr 12 17:11:38.189: ISAKMP: local port 500, remote port 500
*Apr 12 17:11:38.189: ISAKMP: set new node 0 to CONF_XAUTH
*Apr 12 17:11:38.189: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 83E3A7E4
*Apr 12 17:11:38.189: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Apr 12 17:11:38.189: ISAKMP:(0):found peer pre-shared key matching 1.1.1.1
*Apr 12 17:11:38.189: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Apr 12 17:11:38.189: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Apr 12 17:11:38.189: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Apr 12 17:11:38.189: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Apr 12 17:11:38.189: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

*Apr 12 17:11:38.189: ISAKMP:(0): beginning Main Mode exchange
*Apr 12 17:11:38.189: ISAKMP:(0): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Apr 12 17:11:38.189: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Apr 12 17:11:38.205: ISAKMP (0:0): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Apr 12 17:11:38.209: ISAKMP:(0):Notify has no hash. Rejected.
*Apr 12 17:11:38.209: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1
*Apr 12 17:11:38.209: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Apr 12 17:11:38.209: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1

*Apr 12 17:11:38.209: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 1.1.1.1
*Apr 12 17:11:47.329: ISAKMP:(2181):purging node 22914874
*Apr 12 17:12:08.185: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 2.2.2.2, remote= 1.1.1.1,
    local_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4)
*Apr 12 17:12:12.849: ISAKMP (0:2181): received packet from 1.1.1.1 dport 4500 sport 23294 Global (R) QM_IDLE
*Apr 12 17:12:12.849: ISAKMP: set new node 1353152698 to QM_IDLE
*Apr 12 17:12:12.849: ISAKMP:(2181): processing HASH payload. message ID = 1353152698
*Apr 12 17:12:12.849: ISAKMP:(2181): processing NOTIFY DPD/R_U_THERE protocol 1
        spi 0, message ID = 1353152698, sa = 83F42324
*Apr 12 17:12:12.849: ISAKMP:(2181):deleting node 1353152698 error FALSE reason "Informational (in) state 1"
*Apr 12 17:12:12.849: ISAKMP:(2181):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Apr 12 17:12:12.849: ISAKMP:(2181):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Apr 12 17:12:12.853: ISAKMP:(2181):DPD/R_U_THERE received from peer 1.1.1.1, sequence 0x4794DE67
*Apr 12 17:12:12.853: ISAKMP: set new node -859419958 to QM_IDLE
*Apr 12 17:12:12.853: ISAKMP:(2181):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
        spi 2208842384, message ID = -859419958
*Apr 12 17:12:12.853: ISAKMP:(2181): seq. no 0x4794DE67
*Apr 12 17:12:12.853: ISAKMP:(2181): sending packet to 1.1.1.1 my_port 4500 peer_port 23294 (R) QM_IDLE
*Apr 12 17:12:12.853: ISAKMP:(2181):Sending an IKE IPv4 Packet.
*Apr 12 17:12:12.853: ISAKMP:(2181):purging node -859419958
*Apr 12 17:12:12.853: ISAKMP:(2181):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Apr 12 17:12:12.853: ISAKMP:(2181):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Apr 12 17:12:22.561: ISAKMP:(0):purging SA., sa=83041BE0, delme=83041BE0
*Apr 12 17:12:22.561: ISAKMP:(0):purging node -1531374776
*Apr 12 17:12:22.561: ISAKMP:(0):purging node -1783709907
*Apr 12 17:12:22.561: ISAKMP:(0):purging node 930963450
*Apr 12 17:12:53.189: ISAKMP: quick mode timer expired.
*Apr 12 17:12:53.189: ISAKMP:(0):src 2.2.2.2 dst 1.1.1.1, SA is not authenticated
*Apr 12 17:12:53.189: ISAKMP:(0):peer does not do paranoid keepalives.

*Apr 12 17:12:53.189: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) MM_NO_STATE (peer 1.1.1.1)
*Apr 12 17:12:53.189: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) MM_NO_STATE (peer 1.1.1.1)
*Apr 12 17:12:53.189: ISAKMP: Unlocking peer struct 0x83EC688C for isadb_mark_sa_deleted(), count 0
*Apr 12 17:12:53.189: ISAKMP: Deleting peer node by peer_reap for 1.1.1.1: 83EC688C
*Apr 12 17:12:53.189: ISAKMP:(0):deleting node -408327990 error FALSE reason "IKE deleted"
*Apr 12 17:12:53.189: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Apr 12 17:12:53.189: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA

*Apr 12 17:12:53.193: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Apr 12 17:13:02.849: ISAKMP:(2181):purging node 1353152698
*Apr 12 17:13:23.369: ISAKMP (0:2181): received packet from 1.1.1.1 dport 4500 sport 23294 Global (R) QM_IDLE
*Apr 12 17:13:23.369: ISAKMP: set new node 1338599672 to QM_IDLE
*Apr 12 17:13:23.369: ISAKMP:(2181): processing HASH payload. message ID = 1338599672
*Apr 12 17:13:23.369: ISAKMP:(2181): processing NOTIFY DPD/R_U_THERE protocol 1
        spi 0, message ID = 1338599672, sa = 83F42324
*Apr 12 17:13:23.369: ISAKMP:(2181):deleting node 1338599672 error FALSE reason "Informational (in) state 1"
*Apr 12 17:13:23.369: ISAKMP:(2181):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Apr 12 17:13:23.369: ISAKMP:(2181):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Apr 12 17:13:23.369: ISAKMP:(2181):DPD/R_U_THERE received from peer 1.1.1.1, sequence 0x4794DE68
*Apr 12 17:13:23.369: ISAKMP: set new node -1492865989 to QM_IDLE
*Apr 12 17:13:23.373: ISAKMP:(2181):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
        spi 2208842384, message ID = -1492865989
*Apr 12 17:13:23.373: ISAKMP:(2181): seq. no 0x4794DE68
*Apr 12 17:13:23.373: ISAKMP:(2181): sending packet to 1.1.1.1 my_port 4500 peer_port 23294 (R) QM_IDLE
*Apr 12 17:13:23.373: ISAKMP:(2181):Sending an IKE IPv4 Packet.
*Apr 12 17:13:23.373: ISAKMP:(2181):purging node -1492865989
*Apr 12 17:13:23.373: ISAKMP:(2181):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Apr 12 17:13:23.373: ISAKMP:(2181):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Apr 12 17:13:53.189: ISAKMP:(0):purging SA., sa=83E3A7E4, delme=83E3A7E4
*Apr 12 17:13:53.189: ISAKMP:(0):purging node -408327990
*Apr 12 17:14:13.369: ISAKMP:(2181):purging node 1338599672
*Apr 12 17:14:34.645: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 2.2.2.2, remote= 1.1.1.1,
    local_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 28800s and 128000kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Apr 12 17:14:34.645: ISAKMP:(0): SA request profile is (NULL)
*Apr 12 17:14:34.645: ISAKMP: Created a peer struct for 1.1.1.1, peer port 500
*Apr 12 17:14:34.649: ISAKMP: New peer created peer = 0x82EBEE28 peer_handle = 0x8000056A
*Apr 12 17:14:34.649: ISAKMP: Locking peer struct 0x82EBEE28, refcount 1 for isakmp_initiator
*Apr 12 17:14:34.649: ISAKMP:(0):Setting client config settings 842BEBAC
*Apr 12 17:14:34.649: ISAKMP:(0):(Re)Setting client xauth list  and state
*Apr 12 17:14:34.649: ISAKMP/xauth: initializing AAA request
*Apr 12 17:14:34.649: ISAKMP: local port 500, remote port 500
*Apr 12 17:14:34.649: ISAKMP: set new node 0 to CONF_XAUTH
*Apr 12 17:14:34.649: insert sa successfully sa = 8358A314
*Apr 12 17:14:34.649: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Apr 12 17:14:34.649: ISAKMP:(0):found peer pre-shared key matching 1.1.1.1
*Apr 12 17:14:34.649: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Apr 12 17:14:34.649: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Apr 12 17:14:34.649: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Apr 12 17:14:34.649: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Apr 12 17:14:34.649: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

*Apr 12 17:14:34.653: ISAKMP:(0): beginning Main Mode exchange
*Apr 12 17:14:34.653: ISAKMP:(0): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Apr 12 17:14:34.653: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Apr 12 17:14:34.669: ISAKMP (0:0): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Apr 12 17:14:34.669: ISAKMP:(0):Notify has no hash. Rejected.
*Apr 12 17:14:34.669: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1
*Apr 12 17:14:34.669: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Apr 12 17:14:34.669: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1

*Apr 12 17:14:34.669: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 1.1.1.1
*Apr 12 17:14:44.397: ISAKMP (0:2181): received packet from 1.1.1.1 dport 4500 sport 23294 Global (R) QM_IDLE
*Apr 12 17:14:44.397: ISAKMP: set new node -1973294896 to QM_IDLE
*Apr 12 17:14:44.397: ISAKMP:(2181): processing HASH payload. message ID = -1973294896
*Apr 12 17:14:44.397: ISAKMP:(2181): processing NOTIFY DPD/R_U_THERE protocol 1
        spi 0, message ID = -1973294896, sa = 83F42324
*Apr 12 17:14:44.397: ISAKMP:(2181):deleting node -1973294896 error FALSE reason "Informational (in) state 1"
*Apr 12 17:14:44.397: ISAKMP:(2181):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Apr 12 17:14:44.397: ISAKMP:(2181):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Apr 12 17:14:44.401: ISAKMP:(2181):DPD/R_U_THERE received from peer 1.1.1.1, sequence 0x4794DE69
*Apr 12 17:14:44.401: ISAKMP: set new node -1527469735 to QM_IDLE
*Apr 12 17:14:44.401: ISAKMP:(2181):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
        spi 2208842384, message ID = -1527469735
*Apr 12 17:14:44.401: ISAKMP:(2181): seq. no 0x4794DE69
*Apr 12 17:14:44.401: ISAKMP:(2181): sending packet to 1.1.1.1 my_port 4500 peer_port 23294 (R) QM_IDLE
*Apr 12 17:14:44.401: ISAKMP:(2181):Sending an IKE IPv4 Packet.
*Apr 12 17:14:44.401: ISAKMP:(2181):purging node -1527469735
*Apr 12 17:14:44.401: ISAKMP:(2181):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Apr 12 17:14:44.401: ISAKMP:(2181):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Apr 12 17:15:04.645: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 2.2.2.2, remote= 1.1.1.1,
    local_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4)
*Apr 12 17:15:04.645: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 2.2.2.2, remote= 1.1.1.1,
    local_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 28800s and 128000kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Apr 12 17:15:04.645: ISAKMP: set new node 0 to CONF_XAUTH
*Apr 12 17:15:04.645: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 2.2.2.2, remote 1.1.1.1)
*Apr 12 17:15:04.645: ISAKMP: Error while processing SA request: Failed to initialize SA
*Apr 12 17:15:04.645: ISAKMP: Error while processing KMI message 0, error 2.
Cisco878#
Cisco878#undebug all
All possible debugging has been turned off


Cisco878#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
1.1.1.1  2.2.2.2  MM_NO_STATE          0    0 ACTIVE (deleted)
2.2.2.2  1.1.1.1  QM_IDLE           2181    0 ACTIVE
Jody Lemoine

According to the log you've posted, the 878 is attempting to authenticate the connection with extended authentication (XAUTH) which is not normally something you see in a LAN-to-LAN VPN configuration.  If you *want* to do extended authentication with this connection, we're going to need to look at the configuration in more detail.  If you don't (which I expect is the case) then you should remove the current "crypto isakmp key" statement associated with the Firebox connection and re-add it with "no-xauth" at the end of the statement.
As stated above, we need to see the configuration to be of any use. Otherwise, you can make sure that the dynamic crypto map (if you have one) is numbered higher than the static crypto map.
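The two checks suggested in the answers above, written as a small config audit; this is an added example, not part of the original thread. It flags a site-to-site peer whose "crypto isakmp key" lacks "no-xauth" while its crypto map has a client authentication list, and a dynamic crypto map entry numbered below a static one. The function name, the sample configurations and the EXAMPLE-PSK key are constructed for illustration.

```python
import re
from collections import defaultdict

# Patterns for the IOS statements discussed in this thread.
KEY_RE = re.compile(r"^crypto isakmp key (?:[06] )?\S+ address (\S+)(.*)$")
XAUTH_RE = re.compile(r"^crypto map (\S+) client authentication list \S+")
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?\s*$")
PEER_RE = re.compile(r"^\s+set peer (\S+)")

# Constructed "before" config: key without no-xauth, dynamic entry numbered low.
BEFORE = """\
crypto isakmp key EXAMPLE-PSK address 1.1.1.1
!
crypto map VPN client authentication list ravpn
crypto map VPN isakmp authorization list ravpn
crypto map VPN client configuration address respond
crypto map VPN 5 ipsec-isakmp dynamic RAVPN
crypto map VPN 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set VPN
 match address 123
"""

# Constructed "after" config: same layout as the running-config posted in the thread.
AFTER = """\
crypto isakmp key EXAMPLE-PSK address 1.1.1.1 no-xauth
!
crypto map VPN client authentication list ravpn
crypto map VPN isakmp authorization list ravpn
crypto map VPN client configuration address respond
crypto map VPN 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set VPN
 match address 123
crypto map VPN 9999 ipsec-isakmp dynamic RAVPN
"""


def audit_crypto_config(config):
    """Return a list of (finding, map_name, sequence, detail) tuples."""
    keys = {}                    # peer address -> True if its key carries no-xauth
    xauth_maps = set()           # crypto maps with a client authentication list
    entries = defaultdict(list)  # map name -> entries in order of appearance
    current = None               # static entry whose sub-commands are being read

    for raw in config.splitlines():
        line = raw.rstrip()
        if m := KEY_RE.match(line):
            keys[m.group(1)] = "no-xauth" in m.group(2).split()
            current = None
        elif m := XAUTH_RE.match(line):
            xauth_maps.add(m.group(1))
            current = None
        elif m := ENTRY_RE.match(line):
            current = {"seq": int(m.group(2)), "dynamic": m.group(3), "peers": []}
            entries[m.group(1)].append(current)
        elif (m := PEER_RE.match(line)) and current is not None:
            current["peers"].append(m.group(1))
        elif not line.startswith(" "):
            current = None       # any other top-level line ends the entry

    findings = []
    for name, ents in entries.items():
        static = [e for e in ents if e["dynamic"] is None]
        dynamic = [e for e in ents if e["dynamic"] is not None]

        # XAUTH is enabled on the whole map, so a LAN-to-LAN peer is exempt
        # only when its pre-shared key statement ends with no-xauth.
        if name in xauth_maps:
            for e in static:
                for peer in e["peers"]:
                    if keys.get(peer) is False:
                        findings.append(("xauth-on-l2l-peer", name, e["seq"], peer))

        # Entries are evaluated in ascending sequence order, so a dynamic
        # entry numbered below a static one is tried first.
        if static and dynamic:
            highest_static = max(e["seq"] for e in static)
            for d in dynamic:
                if d["seq"] < highest_static:
                    findings.append(
                        ("dynamic-before-static", name, d["seq"], d["dynamic"]))
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_crypto_config(cfg))
```
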
datapalvelut

ASKER

Here is the running config:
Cisco878#show running-config
Building configuration... 
Current configuration : 8157 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cisco878
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login ravpn local
aaa authorization network ravpn local
!
!
aaa session-id common
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.3.1 192.168.3.99
!
ip dhcp pool d-pool
   import all
   network 192.168.3.0 255.255.255.0
   default-router 192.168.3.1
   netbios-name-server 192.168.3.2
   dns-server 192.168.3.2 217.30.180.230
   lease 0 18
!
!
no ip domain lookup
ip ssh time-out 60
ip ssh version 2
ip inspect name inspect-out cuseeme
ip inspect name inspect-out dns
ip inspect name inspect-out ftp
ip inspect name inspect-out h323
ip inspect name inspect-out https
ip inspect name inspect-out icmp
ip inspect name inspect-out imap
ip inspect name inspect-out pop3
ip inspect name inspect-out netshow
ip inspect name inspect-out rcmd
ip inspect name inspect-out realaudio
ip inspect name inspect-out rtsp
ip inspect name inspect-out esmtp
ip inspect name inspect-out sqlnet
ip inspect name inspect-out streamworks
ip inspect name inspect-out tftp
ip inspect name inspect-out tcp
ip inspect name inspect-out udp
ip inspect name inspect-out vdolive
ip inspect name inspect-out pptp
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-2640886786
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2640886786
 revocation-check none
 rsakeypair TP-self-signed-2640886786
!
!
crypto pki certificate chain TP-self-signed-2640886786
 certificate self-signed 01
  quit
!
!
username jdadmin privilege 15 secret 5 $1$Uf8k$O9evbD38egisyyOR2L3QU1
username myynti secret 5 $1$IVq7$ENeQ12p/A0BoFtRmXqvRr0
username etayhteys privilege 15 secret 5 $1$VlhR$QRAqgCZFAtxK8IcGzt/qj0
!
!
controller DSL 0
 mode atm
 line-term cpe
 line-mode 4-wire enhanced
 dsl-mode shdsl symmetric annex B
 line-rate 4608
!
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key 334GGHHyty112 address 1.1.1.1 no-xauth
!
crypto isakmp client configuration group remotevpn
 key Dgjr88_Mnz
 dns 192.168.3.2 217.30.180.230
 domain iokustantajapalvelut.fi
 pool ravpnpool
 acl 199
 netmask 255.255.255.0
!
!
crypto ipsec transform-set VPN esp-aes 256 esp-sha-hmac
!
crypto dynamic-map RAVPN 1
 set transform-set VPN
 reverse-route
!
!
crypto map VPN client authentication list ravpn
crypto map VPN isakmp authorization list ravpn
crypto map VPN client configuration address respond
crypto map VPN 10 ipsec-isakmp
 set peer 1.1.1.1
 set security-association lifetime kilobytes 128000
 set security-association lifetime seconds 28800
 set transform-set VPN
 match address 123
crypto map VPN 9999 ipsec-isakmp dynamic RAVPN
!
bridge irb
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/100
  encapsulation aal5snap
 !
 bridge-group 1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
 switchport access vlan 2
!
interface Vlan1
 description inside
 ip address 192.168.3.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip inspect inspect-out in
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan2
 description DMZ
 ip address 10.100.100.1 255.255.255.0
 ip nat inside
 ip inspect inspect-out in
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface BVI1
 mtu 1500
 ip address 2.2.2.2 255.255.255.0
 ip access-group 101 in
 ip verify unicast reverse-path
 ip nat outside
 ip inspect inspect-out out
 ip virtual-reassembly
 crypto map VPN
!
ip local pool ravpnpool 192.168.3.50 192.168.3.70
ip route 0.0.0.0 0.0.0.0 2.2.2.1
!
!
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source route-map NATROUTEMAP interface BVI1 overload
ip nat inside source static tcp 10.100.100.11 22 x.x.x.x 22 extendable
ip nat inside source static tcp 10.100.100.11 80 x.x.x.x 80 extendable
ip nat inside source static tcp 10.100.100.11 443 x.x.x.x 443 extendable
ip nat inside source static tcp 10.100.100.10 22 x.x.x.x 22 extendable
ip nat inside source static tcp 10.100.100.10 80 x.x.x.x 80 extendable
ip nat inside source static tcp 10.100.100.10 443 x.x.x.x 443 extendable
ip nat inside source static tcp 192.168.3.2 25 2.2.2.2 25 extendable
ip nat inside source static tcp 192.168.3.2 443 2.2.2.2 443 extendable
!
access-list 23 permit x.x.x.x
access-list 23 permit x.x.x.x
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 permit ip any any
access-list 101 permit esp any any
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit tcp any host x.x.x.x eq www
access-list 101 permit tcp any host x.x.x.x eq 443
access-list 101 permit tcp any host x.x.x.x eq 22
access-list 101 permit tcp any host x.x.x.x eq www
access-list 101 permit tcp any host x.x.x.x eq 443
access-list 101 permit tcp any host x.x.x.x eq 22
access-list 101 permit tcp any host 2.2.2.2 eq smtp
access-list 101 permit tcp any host 2.2.2.2 eq 443
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit tcp any host 2.2.2.2 eq 22
access-list 103 deny   ip 10.100.100.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 103 deny   ip 192.168.3.0 0.0.0.255 x.x.x.x 0.0.0.15
access-list 103 deny   ip 192.168.3.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 103 deny   ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 permit ip 192.168.3.0 0.0.0.255 any
access-list 123 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 124 permit ip 192.168.3.0 0.0.0.255 1.1.1.1 0.0.0.0
access-list 199 permit ip 192.168.3.0 0.0.0.255 any
access-list 199 permit ip 10.100.100.0 0.0.0.255 any
access-list 199 permit ip x.x.x.x x.x.x.x any
access-list 199 permit ip 1.1.1.1 0.0.0.0 any
no cdp run
!
!
!
route-map NATROUTEMAP permit 1
 match ip address 103
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
end 
Cisco878#

Did you have the "no-xauth" on the key before?  If not, can you post new debugs for ISAKMP and IPsec now that it's on there?
Yes. I added no-xauth after your comment.
*Apr 14 14:18:44.678: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 83.145.207.227, remote= 217.119.42.194,
    local_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4)
*Apr 14 14:18:44.678: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 83.145.207.227, remote= 217.119.42.194,
    local_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 28800s and 128000kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Apr 14 14:18:44.678: ISAKMP:(0): SA request profile is (NULL)
*Apr 14 14:18:44.678: ISAKMP: Created a peer struct for 217.119.42.194, peer port 500
*Apr 14 14:18:44.678: ISAKMP: New peer created peer = 0x8357E2A0 peer_handle = 0x80000879
*Apr 14 14:18:44.678: ISAKMP: Locking peer struct 0x8357E2A0, refcount 1 for isakmp_initiator
*Apr 14 14:18:44.678: ISAKMP:(0):Setting client config settings 83FD1ECC
*Apr 14 14:18:44.678: ISAKMP: local port 500, remote port 500
*Apr 14 14:18:44.678: ISAKMP: set new node 0 to QM_IDLE
*Apr 14 14:18:44.678: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 83046284
*Apr 14 14:18:44.678: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Apr 14 14:18:44.682: ISAKMP:(0):found peer pre-shared key matching 217.119.42.194
*Apr 14 14:18:44.682: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Apr 14 14:18:44.682: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Apr 14 14:18:44.682: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Apr 14 14:18:44.682: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Apr 14 14:18:44.682: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1 
*Apr 14 14:18:44.682: ISAKMP:(0): beginning Main Mode exchange
*Apr 14 14:18:44.682: ISAKMP:(0): sending packet to 217.119.42.194 my_port 500 peer_port 500 (I) MM_NO_STATE
*Apr 14 14:18:44.682: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Apr 14 14:18:44.698: ISAKMP (0:0): received packet from 217.119.42.194 dport 500 sport 500 Global (I) MM_NO_STATE
*Apr 14 14:18:44.698: ISAKMP:(0):Notify has no hash. Rejected.
*Apr 14 14:18:44.698: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1
*Apr 14 14:18:44.698: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Apr 14 14:18:44.698: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1 
*Apr 14 14:18:44.698: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 217.119.42.194
*Apr 14 14:19:06.978: ISAKMP:(0):purging node 1597546372
*Apr 14 14:19:06.978: ISAKMP:(0):purging node -1441216997
*Apr 14 14:19:06.978: ISAKMP:(0):purging node 1168114313
*Apr 14 14:19:14.678: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 83.145.207.227, remote= 217.119.42.194,
    local_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4)
*Apr 14 14:19:16.978: ISAKMP:(0):purging SA., sa=83580208, delme=83580208
*Apr 14 14:19:59.678: ISAKMP: quick mode timer expired.
*Apr 14 14:19:59.678: ISAKMP:(0):src 83.145.207.227 dst 217.119.42.194, SA is not authenticated
*Apr 14 14:19:59.678: ISAKMP:(0):peer does not do paranoid keepalives. 
*Apr 14 14:19:59.678: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) MM_NO_STATE (peer 217.119.42.194)
*Apr 14 14:19:59.678: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) MM_NO_STATE (peer 217.119.42.194)
*Apr 14 14:19:59.678: ISAKMP: Unlocking peer struct 0x8357E2A0 for isadb_mark_sa_deleted(), count 0
*Apr 14 14:19:59.678: ISAKMP: Deleting peer node by peer_reap for 217.119.42.194: 8357E2A0
*Apr 14 14:19:59.678: ISAKMP:(0):deleting node -1092086919 error FALSE reason "IKE deleted"
*Apr 14 14:19:59.678: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Apr 14 14:19:59.678: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA 
*Apr 14 14:19:59.678: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Apr 14 14:20:49.678: ISAKMP:(0):purging node -1092086919
*Apr 14 14:20:59.678: ISAKMP:(0):purging SA., sa=83046284, delme=83046284
*Apr 14 14:22:23.086: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 83.145.207.227, remote= 217.119.42.194,
    local_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 28800s and 128000kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Apr 14 14:22:23.090: ISAKMP:(0): SA request profile is (NULL)
*Apr 14 14:22:23.090: ISAKMP: Created a peer struct for 217.119.42.194, peer port 500
*Apr 14 14:22:23.090: ISAKMP: New peer created peer = 0x8357E2A0 peer_handle = 0x80000803
*Apr 14 14:22:23.090: ISAKMP: Locking peer struct 0x8357E2A0, refcount 1 for isakmp_initiator
*Apr 14 14:22:23.090: ISAKMP:(0):Setting client config settings 83FD1ECC
*Apr 14 14:22:23.090: ISAKMP: local port 500, remote port 500
*Apr 14 14:22:23.090: ISAKMP: set new node 0 to QM_IDLE
*Apr 14 14:22:23.090: insert sa successfully sa = 83046284
*Apr 14 14:22:23.090: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Apr 14 14:22:23.090: ISAKMP:(0):found peer pre-shared key matching 217.119.42.194
*Apr 14 14:22:23.090: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Apr 14 14:22:23.090: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Apr 14 14:22:23.090: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Apr 14 14:22:23.090: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Apr 14 14:22:23.090: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1 
*Apr 14 14:22:23.094: ISAKMP:(0): beginning Main Mode exchange
*Apr 14 14:22:23.094: ISAKMP:(0): sending packet to 217.119.42.194 my_port 500 peer_port 500 (I) MM_NO_STATE
*Apr 14 14:22:23.094: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Apr 14 14:22:23.138: ISAKMP (0:0): received packet from 217.119.42.194 dport 500 sport 500 Global (I) MM_NO_STATE
*Apr 14 14:22:23.138: ISAKMP:(0):Notify has no hash. Rejected.
*Apr 14 14:22:23.138: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1
*Apr 14 14:22:23.138: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Apr 14 14:22:23.138: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1 
*Apr 14 14:22:23.138: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 217.119.42.194
*Apr 14 14:22:53.086: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 83.145.207.227, remote= 217.119.42.194,
    local_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4)
*Apr 14 14:22:53.086: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 83.145.207.227, remote= 217.119.42.194,
    local_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 28800s and 128000kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Apr 14 14:22:53.086: ISAKMP: set new node 0 to QM_IDLE
*Apr 14 14:22:53.086: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 83.145.207.227, remote 217.119.42.194)
*Apr 14 14:22:53.086: ISAKMP: Error while processing SA request: Failed to initialize SA
*Apr 14 14:22:53.086: ISAKMP: Error while processing KMI message 0, error 2.
*Apr 14 14:23:23.086: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 83.145.207.227, remote= 217.119.42.194,
    local_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4)
*Apr 14 14:23:38.090: ISAKMP: quick mode timer expired.
*Apr 14 14:23:38.090: ISAKMP:(0):src 83.145.207.227 dst 217.119.42.194, SA is not authenticated
*Apr 14 14:23:38.090: ISAKMP:(0):peer does not do paranoid keepalives. 
*Apr 14 14:23:38.090: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) MM_NO_STATE (peer 217.119.42.194)
*Apr 14 14:23:38.090: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) MM_NO_STATE (peer 217.119.42.194)
*Apr 14 14:23:38.090: ISAKMP: Unlocking peer struct 0x8357E2A0 for isadb_mark_sa_deleted(), count 0
*Apr 14 14:23:38.090: ISAKMP: Deleting peer node by peer_reap for 217.119.42.194: 8357E2A0
*Apr 14 14:23:38.090: ISAKMP:(0):deleting node 753651642 error FALSE reason "IKE deleted"
*Apr 14 14:23:38.090: ISAKMP:(0):deleting node 1861705316 error FALSE reason "IKE deleted"
*Apr 14 14:23:38.090: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Apr 14 14:23:38.090: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA 
*Apr 14 14:23:38.090: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Apr 14 14:24:28.090: ISAKMP:(0):purging node 753651642
*Apr 14 14:24:28.090: ISAKMP:(0):purging node 1861705316
*Apr 14 14:24:38.090: ISAKMP:(0):purging SA., sa=83046284, delme=83046284
*Apr 14 14:24:52.994: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 83.145.207.227, remote= 217.119.42.194,
    local_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 28800s and 128000kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Apr 14 14:24:52.994: ISAKMP:(0): SA request profile is (NULL)
*Apr 14 14:24:52.994: ISAKMP: Created a peer struct for 217.119.42.194, peer port 500
*Apr 14 14:24:52.994: ISAKMP: New peer created peer = 0x83FD1ECC peer_handle = 0x80000728
*Apr 14 14:24:52.994: ISAKMP: Locking peer struct 0x83FD1ECC, refcount 1 for isakmp_initiator
*Apr 14 14:24:52.994: ISAKMP:(0):Setting client config settings 82EBEDC8
*Apr 14 14:24:52.994: ISAKMP: local port 500, remote port 500
*Apr 14 14:24:52.998: ISAKMP: set new node 0 to QM_IDLE
*Apr 14 14:24:52.998: insert sa successfully sa = 83046284
*Apr 14 14:24:52.998: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Apr 14 14:24:52.998: ISAKMP:(0):found peer pre-shared key matching 217.119.42.194
*Apr 14 14:24:52.998: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Apr 14 14:24:52.998: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Apr 14 14:24:52.998: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Apr 14 14:24:52.998: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Apr 14 14:24:52.998: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1 
*Apr 14 14:24:52.998: ISAKMP:(0): beginning Main Mode exchange
*Apr 14 14:24:52.998: ISAKMP:(0): sending packet to 217.119.42.194 my_port 500 peer_port 500 (I) MM_NO_STATE
*Apr 14 14:24:52.998: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Apr 14 14:24:53.014: ISAKMP (0:0): received packet from 217.119.42.194 dport 500 sport 500 Global (I) MM_NO_STATE
*Apr 14 14:24:53.014: ISAKMP:(0):Notify has no hash. Rejected.
*Apr 14 14:24:53.014: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1
*Apr 14 14:24:53.018: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Apr 14 14:24:53.018: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1 
*Apr 14 14:24:53.018: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 217.119.42.194


Your ISAKMP (phase 1) negotiation is breaking down because the Firebox is either not using a hash algorithm or is using a different one. If you configure the Firebox's ISAKMP (phase 1) to use SHA for its hash algorithm, we should be a step ahead.
Phase 1 is configured to use SHA.
ee-photo.png
Hmmm.  This makes me wonder why the Cisco is claiming that there is no hash on the remote's transmissions.  Just for reference's sake, what are the phase 2 parameters set to on the Firebox?
Here is phase 2:
ee-photo2.png
I think I see it.  The 878 doesn't support SHA-256 as a hash algorithm.  Try adjusting your IPsec proposals to match the Cisco.  ESP-AES 256 and ESP-SHA-1.
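Added example, not part of the original thread: a small Python triage of `debug crypto isakmp` output like the log in the question, showing how far each phase 1 attempt got and why the SA was torn down. The function names and the reading encoded in `diagnose()` are assumptions of this example; the sample lines are an excerpt of the log quoted above.

```python
import re

# Excerpt of the debug output quoted in the question (one failed attempt).
SAMPLE = """\
*Apr 14 14:22:23.090: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1 
*Apr 14 14:22:23.094: ISAKMP:(0): sending packet to 217.119.42.194 my_port 500 peer_port 500 (I) MM_NO_STATE
*Apr 14 14:22:23.138: ISAKMP (0:0): received packet from 217.119.42.194 dport 500 sport 500 Global (I) MM_NO_STATE
*Apr 14 14:22:23.138: ISAKMP:(0):Notify has no hash. Rejected.
*Apr 14 14:22:23.138: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1 
*Apr 14 14:22:23.138: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 217.119.42.194
*Apr 14 14:23:38.090: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) MM_NO_STATE (peer 217.119.42.194)
*Apr 14 14:23:38.090: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA 
"""

STATE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
SENT = re.compile(r"sending packet to (\S+) my_port")
DELETED = re.compile(r'deleting SA reason "([^"]+)"')

def triage(log):
    """Split a debug log into phase 1 attempts and record how far each got."""
    attempts, cur = [], None
    for line in log.splitlines():
        m = STATE.search(line)
        if m:
            old, new = m.groups()
            if old == "IKE_READY":  # initiator starts a fresh exchange
                cur = {"peer": None, "furthest": new,
                       "unauth_notify": False, "deleted": None}
                attempts.append(cur)
            elif cur and new not in (old, "IKE_DEST_SA"):
                cur["furthest"] = new
        elif cur is None:
            continue
        elif (m := SENT.search(line)) and cur["peer"] is None:
            cur["peer"] = m.group(1)
        elif "Notify has no hash" in line:
            cur["unauth_notify"] = True
        elif (m := DELETED.search(line)):
            cur["deleted"] = m.group(1)
    return attempts

def diagnose(a):
    # Assumption of this example: a notify rejected for lacking a hash while
    # still in MM1 means the peer refused the first offer before any keys existed.
    if a["furthest"] == "IKE_I_MM1" and a["unauth_notify"]:
        return "peer rejected MM1 offer: compare phase 1 proposals on both ends"
    if a["furthest"] == "IKE_I_MM1":
        return "no usable reply to MM1: check reachability and UDP 500 filtering"
    return "phase 1 progressed past MM1"
```

Calling `triage()` on a full capture returns one record per attempt, so repeated retries like the two in the question's log show up as separate entries with the same stall point.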
ASKER CERTIFIED SOLUTION
Jody Lemoine