I've combed through the configs on both sides of this tunnel 4x now and the policies look like they match. I followed the note http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094498.shtml
My crypto access lists are good and my NAT on the IOS side is bundled with a route map and looks good. On the ASA side, traffic from the ASA side to the remote tunnel is exempt from NAT. Each side already has a site-to-site tunnel set up, so I've added the appropriate lines to the existing crypto maps that include peer, transform set, and match address "access-list". The crypto isakmp policies on both ends are compatible. I've attached some configs and debugs (from the IOS router), but essentially the log on the ASA starts out with phase 1 completed, and then reads "received non routing notify message, no proposal chosen", and then it goes to "IKE lost connection to remote peer, deleting connection", "removing peer from correlator table failed, no match", and finally "session disconnected, reason lost service".
Connection is good, their other tunnel stays up along with the remote access vpn config.
I found a note that recommends checking any security access-list, so I removed them, but no luck, and one from Cisco related to a concentrator, but it had some sound logic to it:

"Normally appears with the corresponding Cisco VPN 3000 concentrator message: No proposal chosen(14). This is a result of the connections being host-to-host. The router configuration had the IPSec proposals ordered so that the proposal chosen for the router matched the access-list, but not the peer. The access-list had a larger network that included the host that was intersecting traffic. Make the router proposal for this first in line, so that it matches the specific host first."

However, it didn't work either.
Take a look at this:
000610: *Sep 27 10:42:15.094 PCTime: ISAKMP:(2039):Need XAUTH
000611: *Sep 27 10:42:15.094 PCTime: ISAKMP: set new node 920927400 to CONF_XAUTH
000612: *Sep 27 10:42:15.094 PCTime: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
000613: *Sep 27 10:42:15.094 PCTime: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
000614: *Sep 27 10:42:15.094 PCTime: ISAKMP:(2039): initiating peer config to 18.104.22.168. ID = 920927400
000615: *Sep 27 10:42:15.094 PCTime: ISAKMP:(2039): sending packet to 22.214.171.124 my_port 4500 peer_port 4500 (R) CONF_XAUTH
000616: *Sep 27 10:42:15.094 PCTime: ISAKMP:(2039):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
000617: *Sep 27 10:42:15.094 PCTime: ISAKMP:(2039):Old State = IKE_P1_COMPLETE New State = IKE_XAUTH_REQ_SENT
It should not be going for Extended Authentication. Since you have the client and the L2L on the same router and the clients are configured for Extended Authentication, the router will ask for XAUTH unless you configure the command "no-xauth" after the pre-shared key.
Please implement the command:
crypto isakmp key cleartext address 126.96.36.199 no-xauth
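To show where that keyword sits in a full configuration, here is an added example of an IOS router that terminates both a remote-access client group and a site-to-site tunnel on the same crypto map. It is not taken from the poster's configs or from Cisco's note; every name, address, pool and key string is a constructed placeholder, and 192.0.2.1 stands for the ASA peer.

```text
! Added example, not the thread's configuration. All names, addresses
! and key strings are constructed placeholders.

aaa new-model
aaa authentication login VPN-XAUTH local
aaa authorization network VPN-GROUP local
username vpnuser secret EXAMPLE-USER-PASSWORD

! Remote-access client group: these clients are meant to be challenged
! by XAUTH, which is why the crypto map carries an authentication list.
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp client configuration group RA-GROUP
 key EXAMPLE-GROUP-KEY
 pool RA-POOL
 acl 110
ip local pool RA-POOL 10.10.10.1 10.10.10.50

! Site-to-site peer. Because the same crypto map has a
! "client authentication list", the router also sends a CONF_XAUTH
! request to this peer after phase 1 unless the key is marked no-xauth;
! the ASA does not answer it and the SA is torn down.
!
! Wrong (phase 1 completes, then the state goes to IKE_XAUTH_REQ_SENT):
! crypto isakmp key EXAMPLE-L2L-KEY address 192.0.2.1
!
! Corrected:
crypto isakmp key EXAMPLE-L2L-KEY address 192.0.2.1 no-xauth

crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto dynamic-map RA-DYN 10
 set transform-set TS
 reverse-route

crypto map VPNMAP client authentication list VPN-XAUTH
crypto map VPNMAP isakmp authorization list VPN-GROUP
crypto map VPNMAP client configuration address respond
! Static L2L entry, selected by the crypto ACL
crypto map VPNMAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS
 match address 120
! Remote-access clients land on the dynamic entry
crypto map VPNMAP 65535 ipsec-isakmp dynamic RA-DYN

interface GigabitEthernet0/0
 crypto map VPNMAP
```

After the corrected key line is in place, a fresh "debug crypto isakmp" run should no longer show the "Old State = IKE_P1_COMPLETE New State = IKE_XAUTH_REQ_SENT" transition for the site-to-site peer; the remote-access clients, which authenticate through the group and the VPN-XAUTH list, keep being challenged as before.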