VPN TUNNEL FAILURE

Charlie Mayes
Level 1

Hello Guys,

I have an ASA 5505 firewall and am trying to create a site-to-site VPN tunnel with a 2621 router running Advanced IP Services. The tunnel keeps failing and I don't know why. The config is below.

!
hostname SeCuReWaLL
domain-name default.domain.invalid
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.2.0 Outside
name 192.168.3.0 inside
!
interface Vlan1
description Outside Wan Link
nameif outside
security-level 0
ip address 192.168.2.101 255.255.255.0
!
interface Vlan2
description Inside Private Network
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface Ethernet0/0
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list inside_access_in extended permit ip inside 255.255.255.0 Outside 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply
access-list site_router extended permit ip inside 255.255.255.0 192.168.5.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list site_router
nat (inside) 1 inside 255.255.255.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
route outside 192.168.5.0 255.255.255.0 192.168.2.107 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set secure_set esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map ipsec_map 10 set peer 192.168.2.107
crypto map ipsec_map 10 set transform-set secure_set
crypto map ipsec_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 5
lifetime 28800
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 192.168.2.1
!
dhcpd address 192.168.3.10-192.168.3.40 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password f3UhLvUj1QsXsuK7 encrypted privilege 15
tunnel-group 192.168.2.107 type ipsec-l2l
tunnel-group 192.168.2.107 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:a6ffc4e9572dbee8e526c3013a96a510
: end

!
hostname InternetRouter
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 5
lifetime 28800
crypto isakmp key cisco address 192.168.2.101 no-xauth
!
!
crypto ipsec transform-set secure_set esp-3des
!
crypto map ipsec_map 10 ipsec-isakmp
set peer 192.168.2.101
set transform-set secure_set
match address router_site
!
!
!
!
interface Loopback0
ip address 192.168.5.1 255.255.255.0
!
interface FastEthernet0/0
ip address 192.168.2.107 255.255.255.0
duplex auto
speed auto
crypto map ipsec_map
!
interface Serial0/0
no ip address
shutdown
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
!
ip route 192.168.3.0 255.255.255.0 192.168.2.101
!
!
ip http server
no ip http secure-server
!
ip access-list extended router_site
permit ip 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255
!
!
!
!
control-plane
!
!
!
voice-port 1/0/0
!
voice-port 1/0/1
!
voice-port 1/1/0
!
voice-port 1/1/1
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login
!
!
end

InternetRouter#debug crypto isakmp
Crypto ISAKMP debugging is on
InternetRouter#ping
Protocol [ip]:
Target IP address: 192.168.3.10
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.5.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.10, timeout is 2 seconds:
Packet sent with a source address of 192.168.5.1

*Mar  1 01:49:47.699: ISAKMP: received ke message (1/1)
*Mar  1 01:49:47.699: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
*Mar  1 01:49:47.699: ISAKMP: Created a peer struct for 192.168.2.101, peer port 500
*Mar  1 01:49:47.699: ISAKMP: New peer created peer = 0x8553C778 peer_handle = 0x80000013
*Mar  1 01:49:47.699: ISAKMP: Locking peer struct 0x8553C778, IKE refcount 1 for isakmp_initiator
*Mar  1 01:49:47.699: ISAKMP: local port 500, remote port 500
*Mar  1 01:49:47.699: ISAKMP: set new node 0 to QM_IDLE
*Mar  1 01:49:47.703: insert sa successfully sa = 84074CC8
*Mar  1 01:49:47.703: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
*Mar  1 01:49:47.703: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 192.168.2.101
*Mar  1 01:49:47.703: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
*Mar  1 01:49:47.703: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
*Mar  1 01:49:47.703: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
*Mar  1 01:49:47.703: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar  1 01:49:47.707: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1

*Mar  1 01:49:47.707: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
*Mar  1 01:49:47.707: ISAKMP:(0:0:N/A:0): sending packet to 192.168.2.101 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  1 01:49:47.711: ISAKMP (0:0): received packet from 192.168.2.101 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar  1 01:49:47.711: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 01:49:47.711: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM2

*Mar  1 01:49:47.715: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
*Mar  1 01:49:47.715: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar  1 01:49:47.715: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar  1 01:49:47.715: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
*Mar  1 01:49:47.719: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar  1 01:49:47.719: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 194 mismatch
*Mar  1 01:49:47.719: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 192.168.2.101
*Mar  1 01:49:47.719: ISAKMP:(0:0:N/A:0): local preshared key found
*Mar  1 01:49:47.719: ISAKMP : Scanning profiles for xauth ...
*Mar  1 01:49:47.719: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy
*Mar  1 01:49:47.719: ISAKMP:      encryption 3DES-CBC
*Mar  1 01:49:47.719: ISAKMP:      hash MD5
*Mar  1 01:49:47.719: ISAKMP:      default group 5
*Mar  1 01:49:47.719: ISAKMP:      auth pre-share
*Mar  1 01:49:47.723: ISAKMP:      life type in seconds
*Mar  1 01:49:47.723: ISAKMP:      life duration (basic) of 28800
*Mar  1 01:49:47.723: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
*Mar  1 01:49:48.119: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 01:49:48.119: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 123 mismatch
*Mar  1 01:49:48.123: ISAKMP:(0:1:SW:1): vendor ID is NAT-T v2
*Mar  1 01:49:48.123: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 01:49:48.123: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 194 mismatch
*Mar  1 01:49:48.123: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 01:49:48.123: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM2

*Mar  1 01:49:48.127: ISAKMP:(0:1:SW:1): sending packet to 192.168.2.101 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Mar  1 01:49:48.127: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 01:49:48.131: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM3

*Mar  1 01:49:48.383: ISAKMP (0:134217729): received packet from 192.168.2.101 dport 500 sport 500 Global (I) MM_SA_SETUP
*Mar  1 01:49:48.383: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 01:49:48.383: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM3  New State = IKE_I_MM4

*Mar  1 01:49:48.387: ISAKMP:(0:1:SW:1): processing KE payload. message ID = 0
*Mar  1 01:49:48.887: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = 0
*Mar  1 01:49:48.887: ISAKMP:(0:1:SW:1):found peer pre-shared key matching 192.168.2.101
*Mar  1 01:49:48.891: ISAKMP:(0:1:SW:1):SKEYID state generated
*Mar  1 01:49:48.891: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 01:49:48.891: ISAKMP:(0:1:SW:1): vendor ID is Unity
*Mar  1 01:49:48.891: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 01:49:48.891: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 145 mismatch
*Mar  1 01:49:48.891: ISAKMP:(0:1:SW:1): vendor ID is XAUTH
*Mar  1 01:49:48.895: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 01:49:48.895: ISAKMP:(0:1:SW:1): speaking to another IOS box!
*Mar  1 01:49:48.895: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 01:49:48.895: ISAKMP:(0:1:SW:1):vendor ID seems Unity/DPD but hash mismatch
*Mar  1 01:49:48.895: ISAKMP:received payload type 20
*Mar  1 01:49:48.895: ISAKMP:received payload type 20
*Mar  1 01:49:48.895: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 01:49:48.899: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM4

*Mar  1 01:49:48.899: ISAKMP:(0:1:SW:1):Send initial contact
*Mar  1 01:49:48.899: ISAKMP:(0:1:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar  1 01:49:48.899: ISAKMP (0:134217729): ID payload
        next-payload : 8
        type         : 1
        address      : 192.168.2.107
        protocol     : 17
        port         : 500
        length       : 12
*Mar  1 01:49:48.903: ISAKMP:(0:1:SW:1):Total payload length: 12
*Mar  1 01:49:48.903: ISAKMP:(0:1:SW:1): sending packet to 192.168.2.101 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar  1 01:49:48.907: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 01:49:48.907: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM5

*Mar  1 01:49:48.907: ISAKMP (0:134217729): received packet from 192.168.2.101 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar  1 01:49:48.911: ISAKMP:(0:1:SW:1): processing ID payload. message ID = 0
*Mar  1 01:49:48.911: ISAKMP (0:134217729): ID payload
        next-payload : 8
        type         : 1
        address      : 192.168.2.101
        protocol     : 17
        port         : 0
        length       : 12
*Mar  1 01:49:48.911: ISAKMP:(0:1:SW:1):: peer matches *none* of the profiles
*Mar  1 01:49:48.911: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 0
*Mar  1 01:49:48.915: ISAKMP:received payload type 17
*Mar  1 01:49:48.915: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 01:49:48.915: ISAKMP:(0:1:SW:1): vendor ID is DPD
*Mar  1 01:49:48.915: ISAKMP:(0:1:SW:1):SA authentication status:
        authenticated
*Mar  1 01:49:48.915: ISAKMP:(0:1:SW:1):SA has been authenticated with 192.168.2.101
*Mar  1 01:49:48.915: ISAKMP: Trying to insert a peer 192.168.2.107/192.168.2.101/500/,  and inserted successfully 8553C778.
*Mar  1 01:49:48.919: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 01:49:48.919: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM5  New State = IKE_I_MM6

*Mar  1 01:49:48.919: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 01:49:48.919: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM6  New State = IKE_I_MM6

*Mar  1 01:49:48.923: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 01:49:48.923: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

*Mar  1 01:49:48.927: ISAKMP:(0:1:SW:1):beginning Quick Mode exchange, M-ID of -590019425
*Mar  1 01:49:48.931: ISAKMP:(0:1:SW:1): sending packet to 192.168.2.101 my_port 500 peer_port 500 (I) QM_IDLE
*Mar  1 01:49:48.931: ISAKMP:(0:1:SW:1):Node -590019425, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar  1 01:49:48.931: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Mar  1 01:49:48.931: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar  1 01:49:48.935: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Mar  1 01:49:48.939: ISAKMP (0:134217729): received packet from 192.168.2.101 dport 500 sport 500 Global (I) QM_IDLE
*Mar  1 01:49:48.939: ISAKMP: set new node 330122531 to QM_IDLE
*Mar  1 01:49:48.943: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 330122531
*Mar  1 01:49:48.943: ISAKMP:(0:1:SW:1): processing NOTIFY INVALID_ID_INFO protocol 1
        spi 0, message ID = 330122531, sa = 84074CC8
*Mar  1 01:49:48.943: ISAKMP:(0:1:SW:1):peer does not do paranoid keepalives.

*Mar  1 01:49:48.943: ISAKMP:(0:1:SW:1):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE       (peer 192.168.2.101)
*Mar  1 01:49:48.943: ISAKMP:(0:1:SW:1):deleting node 330122531 error FALSE reason "Informational (in) st.
Success rate is 0 percent (0/5)
InternetRouter#ate 1"
*Mar  1 01:49:48.943: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar  1 01:49:48.947: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Mar  1 01:49:48.947: ISAKMP (0:134217729): received packet from 192.168.2.101 dport 500 sport 500 Global (I) QM_IDLE
*Mar  1 01:49:48.951: ISAKMP: set new node -412204705 to QM_IDLE
*Mar  1 01:49:48.951: ISAKMP:(0:1:SW:1): sending packet to 192.168.2.101 my_port 500 peer_port 500 (I) QM_IDLE
*Mar  1 01:49:48.951: ISAKMP:(0:1:SW:1):purging node -412204705
*Mar  1 01:49:48.955: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar  1 01:49:48.955: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

*Mar  1 01:49:48.955: ISAKMP:(0:1:SW:1):deleting SA reason "No reason" state (I) QM_IDLE       (peer 192.168.2.101)
*Mar  1 01:49:48.955: ISAKMP: Unlocking IKE struct 0x8553C778 for isadb_mark_sa_deleted(), count 0
*Mar  1 01:49:48.959: ISAKMP: Deleting peer node by peer_reap for 192.168.2.101: 8553C778
*Mar  1 01:49:48.959: ISAKMP:(0:1:SW:1):deleting node -590019425 error FALSE reason "IKE deleted"
*Mar  1 01:49:48.959: ISAKMP:(0:1:SW:1):deleting node 330122531 error FALSE reason "IKE deleted"
*Mar  1 01:49:48.959: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 01:49:48.959: ISAKMP:(0:1:SW:1):Old State = IKE_DEST_SA  New State = IKE_DEST_SA
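An added example, not part of the original post: a small Python script that reads IOS "debug crypto isakmp" output like the above and reports how far the negotiation got before the SA was torn down. It keys on the Old State/New State transition lines, the NOTIFY lines and the "deleting SA reason" lines. The hint table for INVALID_ID_INFO and NO_PROPOSAL_CHOSEN is my own summary of the usual causes on a LAN-to-LAN tunnel, not a Cisco mapping. The first embedded sample is a trimmed copy of the debug above; the second is a constructed Phase 1 failure for contrast.

```python
import re

# Trimmed copy of the router-side "debug crypto isakmp" output from the post
# (only state transitions, notifies and SA deletions kept; the rest is noise here).
SAMPLE_DEBUG = """\
*Mar  1 01:49:47.707: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1
*Mar  1 01:49:47.711: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM2
*Mar  1 01:49:48.123: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM2
*Mar  1 01:49:48.131: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM3
*Mar  1 01:49:48.383: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM3  New State = IKE_I_MM4
*Mar  1 01:49:48.907: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM5
*Mar  1 01:49:48.919: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM5  New State = IKE_I_MM6
*Mar  1 01:49:48.923: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Mar  1 01:49:48.927: ISAKMP:(0:1:SW:1):beginning Quick Mode exchange, M-ID of -590019425
*Mar  1 01:49:48.931: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Mar  1 01:49:48.943: ISAKMP:(0:1:SW:1): processing NOTIFY INVALID_ID_INFO protocol 1
*Mar  1 01:49:48.943: ISAKMP:(0:1:SW:1):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE       (peer 192.168.2.101)
*Mar  1 01:49:48.955: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
"""

# Constructed counter-example: the peer rejects the Phase 1 proposal itself.
PHASE1_FAILURE = """\
*Mar  1 02:00:00.000: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1
*Mar  1 02:00:00.010: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM2
*Mar  1 02:00:00.020: ISAKMP:(0:0:N/A:0): processing NOTIFY NO_PROPOSAL_CHOSEN protocol 1
*Mar  1 02:00:00.030: ISAKMP:(0:0:N/A:0):deleting SA reason "Recevied fatal informational" state (I) MM_NO_STATE (peer 192.168.2.101)
*Mar  1 02:00:00.040: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM2  New State = IKE_DEST_SA
"""

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
NOTIFY_RE = re.compile(r"processing NOTIFY (\S+) protocol (\d+)")
DELETE_RE = re.compile(r'deleting SA reason "([^"]+)"')

# My own summary of what these fatal notifies usually mean on a Cisco LAN-to-LAN tunnel.
NOTIFY_HINTS = {
    "INVALID_ID_INFO": "peer rejected the Phase 2 proxy identities: compare the crypto ACL "
                       "referenced by 'match address' on both ends (or add it if it is missing)",
    "NO_PROPOSAL_CHOSEN": "no acceptable proposal: compare ISAKMP policies (Phase 1) "
                          "or transform sets (Phase 2)",
}


def analyze_isakmp_debug(text):
    """Return how far the IKE exchange got and why it was torn down."""
    states, notifies, reasons = [], [], []
    for line in text.splitlines():
        if (m := STATE_RE.search(line)) and m.group(1) != m.group(2):
            states.append(m.group(2))  # skip self-transitions such as IKE_I_MM2 -> IKE_I_MM2
        if m := NOTIFY_RE.search(line):
            notifies.append(m.group(1))
        if m := DELETE_RE.search(line):
            reasons.append(m.group(1))
    phase1_complete = "IKE_P1_COMPLETE" in states
    quick_mode_started = any(s.startswith("IKE_QM_") for s in states)
    sa_deleted = "IKE_DEST_SA" in states
    if sa_deleted and not phase1_complete:
        verdict = "failed in Phase 1 (main mode)"
    elif sa_deleted and quick_mode_started:
        verdict = "Phase 1 succeeded; failed in Phase 2 (quick mode)"
    elif phase1_complete and not sa_deleted:
        verdict = "Phase 1 complete and SA still up"
    else:
        verdict = "incomplete debug output"
    return {
        "last_state": states[-1] if states else None,
        "phase1_complete": phase1_complete,
        "quick_mode_started": quick_mode_started,
        "sa_deleted": sa_deleted,
        "notifies": notifies,
        "delete_reasons": reasons,
        "verdict": verdict,
        "hints": [NOTIFY_HINTS.get(n, "unrecognised notify " + n) for n in notifies],
    }


if __name__ == "__main__":
    for name, log in (("router debug from the post", SAMPLE_DEBUG),
                      ("constructed Phase 1 failure", PHASE1_FAILURE)):
        report = analyze_isakmp_debug(log)
        print(f"{name}: {report['verdict']}")
        for hint in report["hints"]:
            print("  -", hint)
```

On the debug above this reports that Phase 1 completed (the peer authenticated with the pre-shared key) and the tunnel died in quick mode on an INVALID_ID_INFO notify, which is exactly the symptom of one side proposing proxy identities the other side has no crypto ACL for.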

11 Replies

mopaul
Cisco Employee

Hi,

I gave a quick scan of the configuration on both devices and found a couple of commands are missing from the ASA configuration.

ASA
---

crypto map ipsec_map 10 match address site_router

access-list outside_access_in extended permit udp any any eq 500
access-list outside_access_in extended permit udp any any eq 4500
access-list outside_access_in extended permit esp any any

I am assuming pre-shared key defined on ASA is cisco same as on router

On Router
---------

Try running the following commands:

no crypto ipsec transform-set secure_set esp-3des
crypto ipsec transform-set secure_set esp-3des esp-sha-hmac


At the time of initiating the tunnel, please gather the output of debug crypto isa 127 and debug crypto ipsec 127 from the ASA.


You can also refer to the configuration document linked below.


http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805e8c80.shtml


*Ignore the route map configuration on router given in the above document*


HTH...


Regards,
Mohit

Mohit Paul CCIE-Security 35496 P.S Please do rate this post if you find it helpful to make it easier for others seeking answers to similar queries
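The two gaps named in this reply (the ASA crypto map entry with no match address, and the transform sets that no longer agree) are the kind of thing that is quicker to check mechanically than by eye. Below is an added example, my own code and not Cisco's or the poster's: a Python script that parses the relevant parts of both an ASA and an IOS configuration and cross-checks them. It embeds constructed excerpts of the two configs posted in the thread (with the ASA object name "inside" written out as 192.168.3.0) and then the same excerpts with this reply's fixes applied. It only understands the command forms that appear in this thread (netmask-style ASA ACEs, wildcard-style IOS ACEs, one crypto map entry per side).

```python
import ipaddress

# Constructed excerpts of the two configurations posted above, as they were posted
# (the ASA's "inside" object name is written out as 192.168.3.0 so no name table is needed).
ASA_CONFIG = """\
access-list site_router extended permit ip 192.168.3.0 255.255.255.0 192.168.5.0 255.255.255.0
crypto ipsec transform-set secure_set esp-3des esp-sha-hmac
crypto map ipsec_map 10 set peer 192.168.2.107
crypto map ipsec_map 10 set transform-set secure_set
crypto map ipsec_map interface outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 5
lifetime 28800
"""
IOS_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
 lifetime 28800
crypto ipsec transform-set secure_set esp-3des
crypto map ipsec_map 10 ipsec-isakmp
 set peer 192.168.2.101
 set transform-set secure_set
 match address router_site
ip access-list extended router_site
 permit ip 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255
"""
# The same two configs with the fixes from the reply applied.
ASA_FIXED = ASA_CONFIG + "crypto map ipsec_map 10 match address site_router\n"
IOS_FIXED = IOS_CONFIG.replace("secure_set esp-3des\n", "secure_set esp-3des esp-sha-hmac\n")

POLICY_KEYS = {"encr": "encryption", "encryption": "encryption", "hash": "hash",
               "group": "group", "authentication": "authentication"}


def _net(addr, mask):
    # ipaddress accepts both a netmask (ASA) and a wildcard/hostmask (IOS) after the slash
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Collect crypto maps, transform sets, crypto ACLs and ISAKMP policies from either dialect."""
    cfg = {"maps": {}, "tsets": {}, "acls": {}, "policies": {}}
    ctx = None  # current block: ("map", key) / ("acl", name) / ("policy", number)
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["tsets"][t[3]] = frozenset(t[4:])
        elif t[:3] == ["crypto", "isakmp", "policy"]:
            ctx = ("policy", t[3])
            cfg["policies"][t[3]] = {}
        elif t[:2] == ["crypto", "map"] and len(t) > 3 and t[3].isdigit():
            ctx = ("map", (t[2], int(t[3])))
            entry = cfg["maps"].setdefault(ctx[1], {})
            if t[4:5] == ["set"]:      # ASA keeps the sub-command on the same line
                entry[t[5]] = t[6]
            elif t[4:5] == ["match"]:
                entry["match"] = t[6]
        elif t[:3] == ["ip", "access-list", "extended"]:
            ctx = ("acl", t[3])
            cfg["acls"].setdefault(t[3], [])
        elif t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"]:  # ASA ACE
            cfg["acls"].setdefault(t[1], []).append((_net(t[5], t[6]), _net(t[7], t[8])))
        elif ctx and ctx[0] == "map" and t[0] == "set":              # IOS sub-commands
            cfg["maps"][ctx[1]][t[1]] = t[2]
        elif ctx and ctx[0] == "map" and t[0] == "match":
            cfg["maps"][ctx[1]]["match"] = t[2]
        elif ctx and ctx[0] == "acl" and t[:2] == ["permit", "ip"]:  # IOS ACE with wildcards
            cfg["acls"][ctx[1]].append((_net(t[2], t[3]), _net(t[4], t[5])))
        elif ctx and ctx[0] == "policy" and t[0] in POLICY_KEYS:
            cfg["policies"][ctx[1]][POLICY_KEYS[t[0]]] = t[1]
    return cfg


def cross_check(a_name, a_cfg, b_name, b_cfg):
    """Compare one crypto map entry per side and return a list of human-readable findings."""
    findings = []
    for name, cfg in ((a_name, a_cfg), (b_name, b_cfg)):
        for (mname, seq), entry in cfg["maps"].items():
            label = f"{name}: crypto map {mname} {seq}"
            if "match" not in entry:
                findings.append(f"{label} has no 'match address', so no traffic is ever protected")
            elif entry["match"] not in cfg["acls"]:
                findings.append(f"{label} references undefined ACL {entry['match']}")
            if entry.get("transform-set") not in cfg["tsets"]:
                findings.append(f"{label} references undefined transform-set {entry.get('transform-set')}")
    a_map, b_map = next(iter(a_cfg["maps"].values())), next(iter(b_cfg["maps"].values()))
    # Phase 2: both ends must propose the same ESP transforms
    a_ts = a_cfg["tsets"].get(a_map.get("transform-set"))
    b_ts = b_cfg["tsets"].get(b_map.get("transform-set"))
    if a_ts and b_ts and a_ts != b_ts:
        findings.append(f"transform sets differ: {a_name} {sorted(a_ts)} vs {b_name} {sorted(b_ts)}")
    # Phase 1: at least one ISAKMP policy pair must agree on encryption, hash, group and authentication
    if not any(p == q for p in a_cfg["policies"].values() for q in b_cfg["policies"].values()):
        findings.append("no ISAKMP policy matches between the peers")
    # Crypto ACLs must be mirror images: every (src, dst) on one side is (dst, src) on the other
    a_acl, b_acl = a_cfg["acls"].get(a_map.get("match")), b_cfg["acls"].get(b_map.get("match"))
    if a_acl is not None and b_acl is not None and {(s, d) for s, d in a_acl} != {(d, s) for s, d in b_acl}:
        findings.append("crypto ACLs are not mirror images of each other")
    return findings


if __name__ == "__main__":
    for label, asa, ios in (("as posted", ASA_CONFIG, IOS_CONFIG), ("after the fixes", ASA_FIXED, IOS_FIXED)):
        print(label + ":", cross_check("ASA", parse_config(asa), "router", parse_config(ios)) or ["no findings"])
```

Run as posted, it reports exactly the two findings from this reply (no match address on the ASA entry; ESP transform sets that differ); with the fixes applied it finds nothing, and the mirror-image check on the two crypto ACLs passes.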

Hello Mopaul,

I don't know how my statement below got removed from the ASA but I will replace it.

crypto map ipsec_map 10 match address site_router

As far as these access-list statements go, I thought these were used for Easy VPN setups or the client-to-site VPN model.

access-list outside_access_in extended permit udp any any eq 500
access-list outside_access_in extended permit udp any any eq 4500
access-list outside_access_in extended permit esp any any

The statement below is what I had before but I thought it was causing a problem so I removed it.

crypto ipsec transform-set secure_set esp-3des     Portion removed=(esp-sha-hmac)

Thanks Mopaul,

I changed this statement back to crypto ipsec transform-set secure_set esp-3des esp-sha-hmac and that may have been part of the problem too, but I was missing a map statement for the ACL on the firewall for sure. Thanks again, man.

mopaul
Cisco Employee

Hi,

Those access rules are not restricted to any particular type of VPN setup. They allow the UDP traffic on 500 and 4500, which are used in IKE negotiations.

I would suggest you put the removed portion of the transform set back in the router's configuration as recommended and let me know how it goes.

Regards
Mohit


JeremyAult_2
Level 1

I think, however, if I remember correctly, the same ACL can't be used for both a NAT exemption and a VPN interesting-traffic ACL, so I would suggest making the following changes...

"access-list nonat extended permit ip inside 255.255.255.0 192.168.5.0 255.255.255.0"
"nat (inside) 0 access-list nonat"

As for the outside interface ACL, this should not be an issue because ESP and IKE are permitted in to the ASA by default without the need to modify the ACL, because of the default command "sysopt connection permit-vpn". You should be OK there.

To verify, just run the command "show run all | i sysopt" and look for the line that says "sysopt connection permit-vpn". If it's there, you're good to go. If not, just add the line "sysopt connection permit-vpn" at config t and you're done.

And yes, in your transform set you need to specify both the encryption and the authentication type. Thus 3DES is the encryption and SHA is the authentication type.

crypto ipsec transform-set myset esp-3des esp-sha-hmac

Hope this helps.

Jeremy Ault

Just to add to what Jeremy said, I did notice that the same ACL is used for nat 0 and crypto but didn't point it out, as his configuration appears to be from a lab setup and it should not make any difference in bringing the tunnel up unless we keep adding more tunnels to the ASA. We can use the same ACL for now; however, it's not the best practice to follow.

As far as sysopt connection is concerned, I would beg to differ a bit with what you said. The command "sysopt connection permit-ipsec" does bypass the IPsec traffic, which means once the tunnel is ESTABLISHED there would not be any ACL check for the traffic coming through the tunnel. In other words, "sysopt connection permit-vpn" ONLY relates to decrypted traffic from the tunnel. But initially, when the IKE negotiation is taking place, we need to be sure that UDP/ESP are open.


In fact, I would like to believe that the ACE for UDP is not required here because it is for TO-the-firewall traffic, and the access-group that we use is for THROUGH-the-firewall traffic. But I still recommend going with it, because I have seen myself that adding the UDP/ESP ACE on the outside fixes such issues, so I would configure them to be on the safer side.


Configuring IPSec to Bypass ACLs

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/vpnsysop.html#wp1042105



One more interesting thing you might like to know is that the command "crypto isakmp enable" does the trick to allow the ISAKMP traffic to/from the ASA by turning it on for a specific interface. In other words, that takes care of the UDP part.


Regards
Mohit


Hello Mohit.

Not to argue, but I don't agree with your statement about "sysopt connection permit-vpn" not applying to the actual IPsec (IKE and ESP) traffic going to the ASA. Not to cause confusion, but I think this is a point worth discussing.

According to Cisco - http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

"sysopt connection permit-vpn allow packets from an IPsec tunnel and their payloads to bypass interface ACLs on the security appliance. IPsec tunnels that are terminated on the security appliance are likely to fail if one of these commands is not enabled."

It then goes on to say...

"Note: If you do not wish to use the sysopt connection command, then you must explicitly permit the required traffic, which is interesting traffic from source to destination, for example, from LAN of remote device to LAN of local device and "UDP port 500" for outside interface of remote device to outside interface of local device, in outside ACL."

I have personally deployed dozens of LAN-to-LAN IPsec VPNs on dozens of ASAs without having to create an ACL to permit UDP 500, UDP 4500, or ESP inbound. So I know first hand this works without having to add an ACL to the outside interface.

However, as you mentioned, this applies only to IPsec traffic that terminates on the ASA. If you want to pass the traffic THROUGH the ASA to a device behind the ASA then yes, an ACL would be necessary to pass the traffic.

Now that being said, if you want the highest level of security then I support creating ACLs to permit the VPN traffic from only the remote peers with which you want to establish tunnels. This will prevent unwanted peers from attempting to negotiate IKE.
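The last paragraph above recommends permitting IKE and ESP only from the known peers rather than from any source. The following is an added example (my own code, not from the thread or from Cisco) that makes the difference concrete: it parses ASA-style ACEs of the forms used in this thread (any / host / network-mask, with an optional eq port) and evaluates constructed packets against the broad rules suggested earlier versus a peer-restricted version using the two outside addresses from the posted configs. It models only first-match ACE evaluation with the implicit deny; the question the two replies disagree on, whether the ASA consults the interface ACL at all for traffic to the box itself or when sysopt connection permit-vpn is set, is deliberately outside its scope. The address 198.51.100.9 is a constructed unknown source.

```python
import ipaddress

LOCAL_OUTSIDE = "192.168.2.101"   # ASA outside address from the thread
PEER = "192.168.2.107"            # router's outside address from the thread
UNKNOWN_HOST = "198.51.100.9"     # constructed address of a host that is not a peer

# The broad rules suggested earlier in the thread versus a peer-restricted version.
BROAD_ACL = [
    "access-list outside_access_in extended permit udp any any eq 500",
    "access-list outside_access_in extended permit udp any any eq 4500",
    "access-list outside_access_in extended permit esp any any",
]
RESTRICTED_ACL = [
    f"access-list outside_access_in extended permit udp host {PEER} host {LOCAL_OUTSIDE} eq 500",
    f"access-list outside_access_in extended permit udp host {PEER} host {LOCAL_OUTSIDE} eq 4500",
    f"access-list outside_access_in extended permit esp host {PEER} host {LOCAL_OUTSIDE}",
]


def _parse_addr(tokens, i):
    """Consume one ASA address spec (any | host A | A MASK) and return (network, next_index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Turn 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]' into a dict."""
    t = line.split()
    action, proto = t[3], t[4]
    src, i = _parse_addr(t, 5)
    dst, i = _parse_addr(t, i)
    dport = int(t[i + 1]) if t[i:i + 1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def evaluate(acl_lines, proto, src, dst, dport=None):
    """First-match evaluation of an inbound packet, with the ASA's implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in (proto, "ip"):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"] == "permit"
    return False


if __name__ == "__main__":
    cases = (("IKE from the real peer", "udp", PEER, 500),
             ("NAT-T from the real peer", "udp", PEER, 4500),
             ("ESP from the real peer", "esp", PEER, None),
             ("IKE from an unknown host", "udp", UNKNOWN_HOST, 500))
    for label, proto, src, port in cases:
        print(f"{label:26s} broad={evaluate(BROAD_ACL, proto, src, LOCAL_OUTSIDE, port)!s:5s} "
              f"restricted={evaluate(RESTRICTED_ACL, proto, src, LOCAL_OUTSIDE, port)}")
```

Both ACLs let the real peer negotiate and carry ESP; only the restricted one refuses an IKE attempt from an address that is not a configured peer, which is the point being made above.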

Hello Jeremy,

I got up early this morning at 2:00am. I did not see your posting until after I repaired the problem. Yes, you were right, I was missing the crypto map ipsec_map 10 match address site_router statement. I can't believe I did that. Thanks guys.


Glad I could help :-)


Regards

Mohit


I think you're done with this conversation, but I noticed that the ASA won't display the sysopt commands in the configuration.

Even if you explicitly issue a "sysopt connection permit-vpn" and you enter "sh run sysopt", it will not display the command.

The only way to see it is if you negate the command with "no sysopt connection permit-vpn" and then "sh run sysopt".

I was just wondering why it is this way (because normally the default commands show in the configuration file, unless I'm wrong).

Federico.

I'm not saying I agree or disagree, but I believe the thinking is to make the sysopts a bit more hidden, so you don't accidentally play with them (curiosity killed the cat). However, they will show up in a "show run all" or "show run all sysopt".
