Trouble Establishing VPN Connection with Cisco VPN Client

I would like to configure a Cisco 2611 router to accept IPSec VPN client connections.  However it is not working.  Below is my router config and the log from the VPN Client.  Any reason why it's not working?
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xecurouter
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$r7o5$P2TD.HEX99BEld3CB262M/
enable password 7 011D09110948260A225E41
!
clock timezone EST -5
no aaa new-model
ip subnet-zero
ip flow-cache timeout active 1
ip cef
!
!
!
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
!
! 
!
crypto isakmp policy 5
 hash md5
 authentication pre-share
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxx address xxx.xxx.xxx.41
crypto isakmp key xxxxxxxxx address xxx.xxx.xxx.129
crypto isakmp key xxxxxxxxx address xxx.xxx.xxx.34
crypto isakmp key xxxxxxxxx address xxx.xxx.xxx.194
crypto isakmp key xxxxxxxxx address xxx.xxx.xxx.230
crypto isakmp key xxxxxxxxx address xxx.xxx.xxx.50
crypto isakmp key xxxxxxxxx address xxx.xxx.xxx.164
crypto isakmp key xxxxxxxxx address xxx.xxx.xxx.146
crypto isakmp key xxxxxxxxx address xxx.xxx.xxx.82
crypto isakmp key xxxxxxxxx address xxx.xxx.xxx.232
crypto isakmp key xxxxxxxxx address xxx.xxx.xxx.58
crypto isakmp key xxxxxxxxxx address 0.0.0.0 0.0.0.0
crypto isakmp client configuration address-pool local IEI_Inside
!
crypto isakmp client configuration group IEI_Corp
 key xxxxxxxxxxxxx
 dns 10.1.0.2 10.1.0.100
 domain <domain>.com
 pool IEI_Inside
!
!
crypto ipsec transform-set 3des-set esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set trans1 esp-des esp-md5-hmac 
!
crypto dynamic-map dynmap 1
 set transform-set 3des-set 
!
!
crypto map xecu-map local-address Ethernet0/0
crypto map xecu-map isakmp authorization list IEI_Corp
crypto map xecu-map client configuration address initiate
crypto map xecu-map client configuration address respond
crypto map xecu-map 1 ipsec-isakmp 
 set peer xxx.xxx.xxx.41
 set transform-set 3des-set 
 match address 101
crypto map xecu-map 2 ipsec-isakmp 
 set peer xxx.xxx.xxx.146
 set transform-set ESP-DES-MD5 
 match address 102
crypto map xecu-map 4 ipsec-isakmp 
 set peer xxx.xxx.xxx.194
 set transform-set 3des-set 
 match address 104
crypto map xecu-map 5 ipsec-isakmp 
 set peer xxx.xxx.xxx.41
 set transform-set 3des-set 
 match address 105
crypto map xecu-map 6 ipsec-isakmp 
 set peer xxx.xxx.xxx.34
 set transform-set 3des-set 
 match address 106
crypto map xecu-map 7 ipsec-isakmp 
 set peer xxx.xxx.xxx.164
 set transform-set 3des-set 
 match address 107
crypto map xecu-map 8 ipsec-isakmp 
 set peer xxx.xxx.xxx.129
 set transform-set 3des-set 
 match address 108
crypto map xecu-map 9 ipsec-isakmp 
 set peer xxx.xxx.xxx.230
 set transform-set 3des-set 
 match address 110
crypto map xecu-map 10 ipsec-isakmp 
 set peer xxx.xxx.xxx.232
 set transform-set 3des-set 
 match address 109
crypto map xecu-map 11 ipsec-isakmp 
 set peer xxx.xxx.xxx.50
 set transform-set 3des-set 
 match address 111
crypto map xecu-map 12 ipsec-isakmp 
 set peer xxx.xxx.xxx.58
 set transform-set 3des-set 
 match address 112
!
!
!
!
crypto map dynmap 1 ipsec-isakmp dynamic dynmap 
!
!
!
!
interface Ethernet0/0
 ip address 172.16.0.2 255.255.255.0
 ip route-cache flow
 full-duplex
 crypto map xecu-map
!
interface Ethernet0/1
 ip address 172.16.1.254 255.255.255.0
 ip route-cache flow
 full-duplex
!
interface Ethernet0/1.1
 encapsulation dot1Q 2
 ip address 10.1.0.254 255.255.255.0
 no snmp trap link-status
!
interface Ethernet0/1.2
 encapsulation dot1Q 3
 ip address 10.10.7.1 255.255.255.0
 no snmp trap link-status
!
interface Ethernet0/1.3
 encapsulation dot1Q 4
 ip address 10.100.2.254 255.255.255.0
 rate-limit input 1024000 1024000 1024000 conform-action transmit exceed-action drop
 rate-limit output 1024000 1024000 1024000 conform-action transmit exceed-action drop
 no snmp trap link-status
!
interface Ethernet0/1.4
 encapsulation dot1Q 5
 ip address 10.100.1.254 255.255.255.0
 no snmp trap link-status
!
ip local pool IEI_Inside 10.1.0.150 10.1.0.200
ip http server
no ip http secure-server
ip flow-export version 5 peer-as
ip flow-export destination 10.1.0.1 9996
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.0.1
!
!
!
access-list 101 permit ip 10.1.0.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 102 permit ip 10.10.7.0 0.0.0.255 10.4.0.0 0.0.0.255
access-list 102 permit ip 10.1.0.0 0.0.0.255 10.4.0.0 0.0.0.255
access-list 104 permit ip 10.10.7.0 0.0.0.255 10.10.0.0 0.0.0.255
access-list 105 permit ip 10.10.7.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 106 permit ip 10.10.7.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 107 permit ip 10.1.0.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 108 permit ip 10.1.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 109 permit ip 10.100.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 10.100.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 111 permit ip 10.100.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 112 permit ip 10.10.7.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 113 permit ip 10.1.0.0 0.0.0.255 10.0.0.0 0.0.0.255
!
snmp-server community public RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps xgcp
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps hsrp
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps config-copy
snmp-server enable traps envmon
snmp-server enable traps bgp
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps rsvp
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps rtr
snmp-server enable traps syslog
snmp-server enable traps stun
snmp-server enable traps dlsw
snmp-server enable traps bstun
snmp-server enable traps dial
snmp-server enable traps dsp card-status
snmp-server enable traps atm subif
snmp-server enable traps pppoe
snmp-server enable traps ipmobile
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps voice poor-qov
snmp-server enable traps dnis
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password 7 030A541E544C01494D1B16
 login
!
ntp clock-period 17181277
ntp server 71.40.128.148
!
end




Cisco Systems VPN Client Version 5.0.04.0300
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7600 

401    11:53:41.461  04/13/10  Sev=Info/4	CM/0x63100002
Begin connection process

402    11:53:41.481  04/13/10  Sev=Info/4	CM/0x63100004
Establish secure connection

403    11:53:41.481  04/13/10  Sev=Info/4	CM/0x63100024
Attempt connection with server "xxx.xxx.xxx.98"

404    11:53:41.486  04/13/10  Sev=Info/6	IKE/0x6300003B
Attempting to establish a connection with xxx.xxx.xxx.98.

405    11:53:41.495  04/13/10  Sev=Info/4	IKE/0x63000001
Starting IKE Phase 1 Negotiation

406    11:53:41.501  04/13/10  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to xxx.xxx.xxx.98

407    11:53:41.753  04/13/10  Sev=Info/4	IPSEC/0x63700008
IPSec driver successfully started

408    11:53:41.753  04/13/10  Sev=Info/4	IPSEC/0x63700014
Deleted all keys

409    11:53:44.858  04/13/10  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.98

410    11:53:44.859  04/13/10  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from xxx.xxx.xxx.98

411    11:53:44.859  04/13/10  Sev=Info/5	IKE/0x63000001
Peer is a Cisco-Unity compliant peer

412    11:53:44.859  04/13/10  Sev=Info/5	IKE/0x63000001
Peer supports DPD

413    11:53:44.859  04/13/10  Sev=Info/5	IKE/0x63000001
Peer supports DWR Code and DWR Text

414    11:53:44.859  04/13/10  Sev=Info/5	IKE/0x63000001
Peer supports XAUTH

415    11:53:44.859  04/13/10  Sev=Info/5	IKE/0x63000001
Peer supports NAT-T

416    11:53:44.866  04/13/10  Sev=Info/6	IKE/0x63000001
IOS Vendor ID Contruction successful

417    11:53:44.866  04/13/10  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to xxx.xxx.xxx.98

418    11:53:44.867  04/13/10  Sev=Info/6	IKE/0x63000055
Sent a keepalive on the IPSec SA

419    11:53:44.867  04/13/10  Sev=Info/4	IKE/0x63000083
IKE Port in use - Local Port =  0xE25F, Remote Port = 0x1194

420    11:53:44.867  04/13/10  Sev=Info/5	IKE/0x63000072
Automatic NAT Detection Status:
   Remote end IS behind a NAT device
   This   end IS behind a NAT device

421    11:53:44.867  04/13/10  Sev=Info/4	CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

422    11:53:44.867  04/13/10  Sev=Info/4	CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

423    11:53:44.876  04/13/10  Sev=Info/5	IKE/0x6300005E
Client sending a firewall request to concentrator

424    11:53:44.876  04/13/10  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to xxx.xxx.xxx.98

425    11:53:45.322  04/13/10  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.98

426    11:53:45.322  04/13/10  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from xxx.xxx.xxx.98

427    11:53:45.323  04/13/10  Sev=Info/5	IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds

428    11:53:45.323  04/13/10  Sev=Info/5	IKE/0x63000047
This SA has already been alive for 4 seconds, setting expiry to 86396 seconds from now

429    11:53:45.402  04/13/10  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.98

430    11:53:45.403  04/13/10  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from xxx.xxx.xxx.98

431    11:53:45.403  04/13/10  Sev=Info/5	IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 10.1.0.158

432    11:53:45.403  04/13/10  Sev=Warning/3	IKE/0xE3000085
The length, 0, of the Mode Config option, INTERNAL_IPV4_NETMASK, is invalid

433    11:53:45.403  04/13/10  Sev=Info/5	IKE/0xA3000016
MODE_CFG_REPLY: The received (32767) attribute and value (2) is not supported

434    11:53:45.403  04/13/10  Sev=Info/5	IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 10.1.0.2

435    11:53:45.403  04/13/10  Sev=Info/5	IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 10.1.0.100

436    11:53:45.403  04/13/10  Sev=Info/5	IKE/0xA3000017
MODE_CFG_REPLY: The received (INTERNAL_ADDRESS_EXPIRY) attribute and value (167837796) is not supported

437    11:53:45.403  04/13/10  Sev=Info/5	IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = <domain>.com

438    11:53:45.403  04/13/10  Sev=Info/5	IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Internetwork Operating System Software 
IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.3(12e), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Wed 24-Aug-05 07:51 by ssearch

439    11:53:45.403  04/13/10  Sev=Info/5	IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194

440    11:53:45.407  04/13/10  Sev=Info/4	CM/0x63100019
Mode Config data received

441    11:53:45.440  04/13/10  Sev=Info/4	IKE/0x63000056
Received a key request from Driver: Local IP = 10.1.0.158, GW IP = xxx.xxx.xxx.98, Remote IP = 0.0.0.0

442    11:53:45.441  04/13/10  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to xxx.xxx.xxx.98

443    11:53:45.567  04/13/10  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.98

444    11:53:45.567  04/13/10  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from xxx.xxx.xxx.98

445    11:53:45.567  04/13/10  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to xxx.xxx.xxx.98

446    11:53:45.568  04/13/10  Sev=Info/4	IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=7963A365

447    11:53:45.568  04/13/10  Sev=Info/4	IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=695273BFE0986B70 R_Cookie=96AF43EF0078CD30) reason = DEL_REASON_IKE_NEG_FAILED

448    11:53:46.323  04/13/10  Sev=Info/4	IPSEC/0x63700014
Deleted all keys

449    11:53:48.851  04/13/10  Sev=Info/4	IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=695273BFE0986B70 R_Cookie=96AF43EF0078CD30) reason = DEL_REASON_IKE_NEG_FAILED

450    11:53:48.851  04/13/10  Sev=Info/4	CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

451    11:53:48.851  04/13/10  Sev=Info/5	CM/0x63100025
Initializing CVPNDrv

452    11:53:48.873  04/13/10  Sev=Info/6	CM/0x63100046
Set tunnel established flag in registry to 0.

453    11:53:48.873  04/13/10  Sev=Info/4	IKE/0x63000001
IKE received signal to terminate VPN connection

454    11:53:48.877  04/13/10  Sev=Info/4	IPSEC/0x63700014
Deleted all keys

455    11:53:48.877  04/13/10  Sev=Info/4	IPSEC/0x63700014
Deleted all keys

456    11:53:48.877  04/13/10  Sev=Info/4	IPSEC/0x63700014
Deleted all keys

457    11:53:48.877  04/13/10  Sev=Info/4	IPSEC/0x6370000A
IPSec driver successfully stopped

Open in new window

LVL 5
innotionentAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

ptchubaCommented:
You have created another crypto map - dynmap but this is not applied to an interface. What i suggest you do is add the dynamic map statement to the xecu-map crypto map. ie

crypto map xecu-map 5000 ipsec-isakmp dynamic dynmap

I used 5000 because with the ASA, QM FMS errors can occur if the dynamic crypto map comes before the static crypto maps in the sequence.

You might have to remove the crypto map from the interface and apply  it again.

Regards
Peter
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
innotionentAuthor Commented:
Right on point ptchuba!! I didn't catch that before.  Thanks.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Routers

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.