Cisco L2L VPN problem

I am having a problem with a site to site VPN setup.  I am recieving the following errors on the hub router:

000221: *Feb 26 16:38:49.341 EST: ISAKMP:(2031): IPSec policy invalidated proposal with error 256
000222: *Feb 26 16:38:49.341 EST: ISAKMP:(2031): phase 2 SA policy not acceptable! (local 216.222.165.72 remote 216.222.162.155)
000223: *Feb 26 16:38:49.341 EST: ISAKMP:(2031):deleting node -1773415254 error TRUE reason "QM rejected"

I recieve the following error on the remote router:

ISAKMP:(2002):deleting node -1382141815 error TRUE reason "Delete Larval"

Here is the config for the main site:

Building configuration...

Current configuration : 9226 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xxxxx
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 xxxxxx
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authentication login clientauth local
aaa authentication ppp default local
aaa authorization exec local_author local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
clock timezone EST -5
clock summer-time EDT recurring
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.1.201 192.168.1.254
!
ip dhcp pool POOL_LAN_DHCP
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 64.33.128.10 209.143.0.10
!
!
ip tcp synwait-time 10
ip tftp source-interface Vlan1
no ip bootp server
no ip domain lookup
ip domain name local
ip name-server 64.33.128.10
ip name-server 209.143.0.10
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name CBACinspect cuseeme
ip inspect name CBACinspect ftp
ip inspect name CBACinspect h323
ip inspect name CBACinspect icmp
ip inspect name CBACinspect netshow
ip inspect name CBACinspect rcmd
ip inspect name CBACinspect realaudio
ip inspect name CBACinspect rtsp
ip inspect name CBACinspect esmtp
ip inspect name CBACinspect sqlnet
ip inspect name CBACinspect streamworks
ip inspect name CBACinspect tftp
ip inspect name CBACinspect tcp
ip inspect name CBACinspect udp
ip inspect name CBACinspect vdolive
vpdn enable
!
!
!
!

!
!
crypto keyring L2L
  pre-shared-key address x.x.x.155 key xxxxxxx
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group RemoteAccessVPN
 key xxxxxxxxx
 pool Pool_RemoteAccessVPN
 acl ACL_VPN_RemoteAccess
!
crypto isakmp client configuration group watertower
 key xxxxxx
 pool watertower
 acl VPN_watertower
crypto isakmp profile VPNClient
   description VPN clients with access LAN
   match identity group RemoteAccessVPN
   client authentication list clientauth
   isakmp authorization list groupauthor
   client configuration address respond
crypto isakmp profile L2L
   keyring L2L
 match identity address x.x.x.155 255.255.255.255
crypto isakmp profile watertower
   match identity group watertower
   client authentication list local
   isakmp authorization list groupauthor
   client configuration address respond
!
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set newset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 5
 set transform-set ESP-AES256-SHA
 set isakmp-profile VPNClient
crypto dynamic-map dynmap 10
 set transform-set ESP-AES256-SHA
crypto dynamic-map dynmap 15
 set transform-set newset
!
!
crypto map VPNmap 30 ipsec-isakmp dynamic dynmap
crypto map VPNmap 40 ipsec-isakmp
 set peer x.x.x.155
 set transform-set newset
 match address ACL_L2L_watertower
!
!
!
!
interface Null0
 no ip unreachables
!
interface Loopback0
 description Lo0 used for outbound traffic not subject to NAT
 ip address 10.20.30.40 255.255.255.0
!
interface FastEthernet0
 description External - Internet - to DSL modem
 no ip address
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface FastEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
 switchport access vlan 12
!
interface Vlan1
 description Internal LAN
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip policy route-map RMAP_NO_STATIC_NAT
!
interface Vlan12
 no ip address
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
interface Dialer1
 ip address negotiated
 ip access-group ACL_outside_in in
 ip nat outside
 ip inspect CBACinspect out
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username xxxx password 7 xxxxx
 ppp ipcp dns request
 ppp ipcp address accept
 crypto map VPNmap
!
ip local pool Pool_RemoteAccessVPN 192.168.100.100 192.168.100.150
ip local pool watertower 192.168.9.50 192.168.9.60
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source static tcp 192.168.1.41 23 interface Dialer1 1000
ip nat inside source route-map NAT_RMAP interface Dialer1 overload
!
ip access-list extended ACL_L2L_watertower
permit ip 192.168.1.0 0.0.0.255 192.168.13.0 0.0.0.255
ip access-list extended ACL_NAT_RMAP
 deny   ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 192.168.9.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 192.168.13.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended ACL_RMAP_NO_STATIC
 permit ip 192.168.1.0 0.0.0.255 192.168.13.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 192.168.9.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 any
ip access-list extended ACL_VPN_RemoteAccess
 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
ip access-list extended ACL_outside_in
 permit udp any eq bootps any eq bootpc
 permit icmp any host x.x.x.72 echo-reply
 permit icmp any host x.x.x.72 time-exceeded
 permit icmp any host x.x.x.72 unreachable
 permit udp any host x.x.x.72 eq non500-isakmp
 permit udp any host x.x.x.72 eq isakmp
 permit esp any host x.x.x.72
 permit ahp any host x.x.x.72
 permit gre any host x.x.x.72
 permit tcp any host x.x.x.72 eq 22
 permit tcp any host x.x.x.72 eq telnet
 permit tcp any host x.x.x.72 eq 1000
 deny   tcp any host x.x.x.72 eq cmd
 deny   udp any host x.x.x.72 eq snmp
 permit ip x.x.x.x x.x.x.72 any
 permit ip x.x.x.x x.x.x.72 any
ip access-list extended ACL_vty_access_in
 remark VTY Access-class list
 permit ip 192.168.100.0 0.0.0.255 any
 permit ip 192.168.1.0 0.0.0.255 any
 remark VTY Access-class list
 deny   ip any any
ip access-list extended VPN_watertower
 permit ip 192.168.1.0 0.0.0.255 192.168.9.0 0.0.0.255
 permit ip 192.168.13.0 0.0.0.255 192.168.9.0 0.0.0.255
!
logging trap debugging
dialer-list 1 protocol ip permit
no cdp run
!
!
!
route-map NAT_RMAP permit 1
 match ip address ACL_NAT_RMAP
!

route-map RMAP_NO_STATIC_NAT permit 1
 match ip address ACL_RMAP_NO_STATIC
 set ip next-hop 10.20.30.41
!
!
!
!
control-plane
!

This is the config for the remote site:

Building configuration...

Current configuration : 3863 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption

dot11 syslog
!
!
ip cef
no ip domain lookup
!
!
!

!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp key xxxxxx address x.x.x.72
!
!
crypto ipsec transform-set newest esp-3des esp-sha-hmac
!
crypto map newmap 10 ipsec-isakmp
 set peer x.x.x.72
 set transform-set newest
 match address 110
!
archive
 log config
  hidekeys
!
!
ip tcp mss 1452
!
bridge irb
!
!
interface ATM0
 no ip address
 no ip route-cache cef
 no ip route-cache
 load-interval 30
 no atm ilmi-keepalive
 pvc 0/35
  encapsulation aal5snap
  pppoe-client dial-pool-number 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.13.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 no autostate
!
interface Dialer1
 mtu 1492
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username xxxxx password 7 xxxxxx
 ppp ipcp dns request
 ppp ipcp address accept
 crypto map newmap
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 110 permit ip 192.168.13.0 0.0.0.255 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!

Any help would be greatly appreciated.  Thanks!


LVL 1
danielc25Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

lrmooreCommented:
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2  <<<=== add this to the remote router. Your policies must be identical.

0
danielc25Author Commented:
I miss copied the config. Upon looking at the remote router group 2 is in the policy.

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
0
lrmooreCommented:
I don't see the NAT policy at the remote site config
0
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

danielc25Author Commented:
The Spoke config got chopped up for some reason.  i am going to re paste it here.  Sorry for the inconvenience.

Building configuration...

Current configuration : 4068 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
dot11 syslog
!
!
no ip cef
no ip domain lookup
ip domain name menomonie.net
!
!
!
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxx address x.x.x.72
!
!
crypto ipsec transform-set newset esp-3des esp-sha-hmac
!
crypto map newmap 10 ipsec-isakmp
 set peer x.x.x.72
 set transform-set newset
 match address 110
!
archive
 log config
  hidekeys
!
!
ip tcp mss 1452
!
bridge irb
!
!
interface Tunnel0
 no ip address
!
interface ATM0
 no ip address
 no ip route-cache
 load-interval 30
 no atm ilmi-keepalive
 pvc 0/35
  encapsulation aal5snap
  pppoe-client dial-pool-number 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.13.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 no autostate
!
interface Dialer1
 mtu 1492
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username xxxxx password 7 xxxxx
 ppp ipcp dns request
 ppp ipcp address accept
 crypto map newmap
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 102 interface Dialer1 overload
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 102 deny   ip 192.168.13.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.13.0 0.0.0.255 any
access-list 110 permit ip 192.168.13.0 0.0.0.255 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end
0
danielc25Author Commented:
The problem was the following line:

crypto map VPNmap 40 ipsec-isakmp

Upon changing the value from 40 to 1000 the problem was eliminated.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
vikrantambhoreCommented:
Hi Dear,

Can suggest, why u use 1000 instead of 40 & issue was eliminated
How was this solved ?

We have same issue ?

Please help
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
VPN

From novice to tech pro — start learning today.