Now you are failing on your Phase 2 proposals:

*Nov 25 12:31:17.243: IPSEC(validate_transform_proposal): transform

proposal not

supported for identity:

{esp-des esp-sha-hmac }

*Nov 25 12:31:17.243: ISAKMP:(0:1:SW:1): IPSec policy invalidated proposal

It seems the Vigor device does not have 3des as a proposal and is using

ESP-DES ESP-SHA-HMAC or ESP-SHA-MD5 as the hash.

You do not have ESP-DES configured as a one of the proposals (rightfully so).

crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs

crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs

However, just for the heck of it lets try configuring a ESP-DES proposal and see if we are successful.

Please try this:

1. Create a new transform set with esp-des and esp-sha-hmac

crypto ipsec trans this_should_work esp-des esp-sha-hmac

2. Remove the crypto map from the interface, otherwise we may block our access, (normally the crypto just say !incomplete, but be safe than sorry)

Interface dialer0

no crypto map VPN-Map-1

3. remove the 3des transform and attach des transform

crypto map VPN-Map-1 10 ipsec-isakmp

no set transform-set 3DES-SHA

set trans this_should_work

4. Attach the crypto map to the dialer0 interface again.

interface dialer0

crypto map VPN-Map-1

One more observation; sorry to have missed it before;

Your nat access-list is not bypassing the nat for the remote network 192.168.6.0 so

Ip access-li exten 100

5 deny ip 192.168.78.0 0.0.0.255 192.168.6.0 0.0.0.255

Done that but still got problem with phase 2....

################### CONFIG ####################

crypto isakmp policy 1
hash md5
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp policy 5
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key burtonst1 address 78.xx.xxx.48
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
crypto ipsec transform-set cm-transformset-1 esp-des esp-sha-hmac
crypto ipsec transform-set this_should_work esp-des esp-sha-hmac
!
crypto map VPN-Map-1 10 ipsec-isakmp
set peer 78.xx.xxx.48
set transform-set this_should_work
set pfs group2
match address Crypto-list
!
!
!
interface FastEthernet0/0
description $ETH-LAN$
ip address 192.168.78.40 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface ATM0/1/0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp reliable-link
ppp authentication chap callin
ppp chap hostname xxxxxxxxxxxxxxxxxxxxxxxxx
ppp chap password 0 xxxxxxxx
ppp ipcp dns request
ppp link reorders
ppp multilink
ppp multilink slippage mru 16
ppp multilink fragment delay 10
ppp multilink interleave
ppp multilink multiclass
crypto map VPN-Map-1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http secure-server
ip nat inside source list 100 interface Dialer0 overload
!
ip access-list extended Crypto-list
permit ip 192.168.78.0 0.0.0.255 192.168.6.0 0.0.0.255
ip access-list extended Internet-inbound-ACL
permit udp host 78.xx.xxx.48 any eq isakmp
permit esp host 78.xx.xxx.48 any
!
access-list 100 deny   ip 192.168.78.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 100 permit ip 192.168.78.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community public RO

################################################

*Nov 25 13:11:40.619: ISAKMP (0:134217729): received packet from 78.xx.xxx.48 dp
ort 500 sport 500 Global (R) QM_IDLE
*Nov 25 13:11:40.619: ISAKMP: set new node -1395233995 to QM_IDLE
*Nov 25 13:11:40.619: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = -
1395233995
*Nov 25 13:11:40.619: ISAKMP:(0:1:SW:1): processing SA payload. message ID = -13
95233995
*Nov 25 13:11:40.619: ISAKMP:(0:1:SW:1):Checking IPSec proposal 0
*Nov 25 13:11:40.619: ISAKMP: transform 0, ESP_DES
*Nov 25 13:11:40.619: ISAKMP:   attributes in transform:
*Nov 25 13:11:40.619: ISAKMP:      encaps is 1 (Tunnel)
*Nov 25 13:11:40.619: ISAKMP:      SA life type in seconds
*Nov 25 13:11:40.619: ISAKMP:      SA life duration (basic) of 3600
*Nov 25 13:11:40.619: ISAKMP:      authenticator is HMAC-SHA
*Nov 25 13:11:40.619: ISAKMP:(0:1:SW:1):atts are acceptable.
*Nov 25 13:11:40.623: ISAKMP:(0:1:SW:1):Checking IPSec proposal 0
*Nov 25 13:11:40.623: ISAKMP: transform 1, ESP_DES
*Nov 25 13:11:40.623: ISAKMP:   attributes in transform:
*Nov 25 13:11:40.623: ISAKMP:      encaps is 1 (Tunnel)
*Nov 25 13:11:40.623: ISAKMP:      SA life type in seconds
*Nov 25 13:11:40.623: ISAKMP:      SA life duration (basic) of 3600
*Nov 25 13:11:40.623: ISAKMP:      authenticator is HMAC-MD5
*Nov 25 13:11:40.623: ISAKMP:(0:1:SW:1):atts are acceptable.
*Nov 25 13:11:40.623: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 77.xxx.xxx.176, remote= 78.xx.xxx.48,
    local_proxy= 192.168.78.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.6.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-sha-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
*Nov 25 13:11:40.623: Crypto mapdb : proxy_match
        src addr     : 192.168.78.0
        dst addr     : 192.168.6.0
        protocol     : 0
        src port     : 0
        dst port     : 0
*Nov 25 13:11:40.623: IPSEC(validate_transform_proposal): invalid transform prop
osal flags -- 0x2
*Nov 25 13:11:40.623: ISAKMP:(0:1:SW:1): IPSec policy invalidated proposal
*Nov 25 13:11:40.623: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 77.xxx.xxx.176, remote= 78.xx.xxx.48,
    local_proxy= 192.168.78.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.6.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
*Nov 25 13:11:40.623: Crypto mapdb : proxy_match
        src addr     : 192.168.78.0
        dst addr     : 192.168.6.0
        protocol     : 0
        src port     : 0
        dst port     : 0
*Nov 25 13:11:40.623: IPSEC(validate_transform_proposal): transform proposal not
supported for identity:
    {esp-des esp-md5-hmac }
*Nov 25 13:11:40.623: ISAKMP:(0:1:SW:1): IPSec policy invalidated proposal
*Nov 25 13:11:40.623: ISAKMP:(0:1:SW:1): phase 2 SA policy not acceptable! (loca
l 77.107.173.176 remote 78.xx.xxx.48)
*Nov 25 13:11:40.623: ISAKMP: set new node -542923407 to QM_IDLE
*Nov 25 13:11:40.623: ISAKMP:(0:1:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN proto
col 3
        spi 1664467464, message ID = -542923407
*Nov 25 13:11:40.627: ISAKMP:(0:1:SW:1): sending packet to 78.xx.xxx.48 my_port
500 peer_port 500 (R) QM_IDLE
*Nov 25 13:11:40.627: ISAKMP:(0:1:SW:1):purging node -542923407
*Nov 25 13:11:40.627: ISAKMP:(0:1:SW:1):deleting node -1395233995 error TRUE rea
son "QM rejected"
*Nov 25 13:11:40.627: ISAKMP (0:134217729): Unknown Input IKE_MESG_FROM_PEER, IK
E_QM_EXCH:  for node -1395233995: state = IKE_QM_READY
*Nov 25 13:11:40.627: ISAKMP:(0:1:SW:1):Node -1395233995, Input = IKE_MESG_FROM_
PEER, IKE_QM_EXCH
*Nov 25 13:11:40.627: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY  New State = IK
E_QM_READY
*Nov 25 13:11:40.627: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode fail
ed with peer at 78.xx.xxx.48
*Nov 25 13:11:43.647: ISAKMP (0:134217729): received packet from 78.xx.xxx.48 dp
ort 500 sport 500 Global (R) QM_IDLE
*Nov 25 13:11:43.651: ISAKMP:(0:1:SW:1): phase 2 packet is a duplicate of a prev
ious packet.

I think it's validating phase 1 against transform set 3 and policy 5

Checking ISAKMP transform 3 against pri
ority 5 policy
*Nov 25 13:11:39.427: ISAKMP:      life type in seconds
*Nov 25 13:11:39.427: ISAKMP:      life duration (basic) of 28800
*Nov 25 13:11:39.427: ISAKMP:      encryption 3DES-CBC
*Nov 25 13:11:39.427: ISAKMP:      hash MD5
*Nov 25 13:11:39.427: ISAKMP:      auth pre-share
*Nov 25 13:11:39.427: ISAKMP:      default group 2
*Nov 25 13:11:39.427: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
*Nov 25 13:11:39.483: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_M
AIN_MODE
*Nov 25 13:11:39.483: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM1  New State = IKE_R
_MM1

Hello,

*Nov 25 13:11:40.623: ISAKMP:(0:1:SW:1): IPSec policy invalidated proposal

*Nov 25 13:11:40.623: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) INBOUND local= 77.xxx.xxx.176, remote= 78.xx.xxx.48,

local_proxy= 192.168.78.0/255.255.255.0/0/0 (type=4),

remote_proxy= 192.168.6.0/255.255.255.0/0/0 (type=4),

protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel),

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2

*Nov 25 13:11:40.623: Crypto mapdb : proxy_match

src addr : 192.168.78.0

dst addr : 192.168.6.0

protocol : 0

src port : 0

dst port : 0

*Nov 25 13:11:40.623: IPSEC(validate_transform_proposal): transform

proposal not

supported for identity:

{esp-des esp-md5-hmac }

*Nov 25 13:11:40.623: ISAKMP:(0:1:SW:1): IPSec policy invalidated proposal

*Nov 25 13:11:40.623: ISAKMP:(0:1:SW:1): phase 2 SA policy not acceptable!

(loca

l 77.107.173.176 remote 78.xx.xxx.48)

It is the Phase 2 which is being dropped.

Which side is trying to initiate the tunnel?

Can you please collect the debugs from the cisco router when you initiate the tunnel from behind the cisco router and also when you try to initiate the tunnel from behind vigor?

Got some progress now, i need a quick search on google about invalid transform proposal flags -- 0x2 and it said to remove PFS Group2.

Once this was removed it connected fine. However im still getting these errors?

The other remaining issue i have is we port forward 80 and 443 to a local mailserver, if i access the mailserver outside the LAN using the public ip it works perfect but if i try and access the mailserver inside the lan i get page cannot be displayed?

I would also like to say thank you, you have been a great help. I now understand these cisco routers far more than i did 2 days ago.

BURTON#show crypto isakmp sa
dst             src             state          conn-id slot status
77.xxx.xxx.176  78.xx.xxx.48    QM_IDLE              1    0 ACTIVE

BURTON#
*Nov 25 14:15:44.210: IPSEC(epa_des_crypt): decrypted packet failed SA identity
check
*Nov 25 14:16:21.342: IPSEC(epa_des_crypt): decrypted packet failed SA identity
check
*Nov 25 14:16:58.474: IPSEC(epa_des_crypt): decrypted packet failed SA identity
check

*Nov 25 14:15:44.210: IPSEC(epa_des_crypt): decrypted packet failed SA

identity

check

*Nov 25 14:16:21.342: IPSEC(epa_des_crypt): decrypted packet failed SA

identity

check

*Nov 25 14:16:58.474: IPSEC(epa_des_crypt): decrypted packet failed SA

identity

check

Looks like crypto ACL mis match. One side is using fine grained ACL if I am not mistaken.

Can you post the screen shot of Vigor? Or the ACL which you are using in it.

Or try initiating the tunnel from router.

The vigor is a very basic router which just has a GUI, i've telnet into it and under accesslist nothing is listed.

Connected to this vigor is another 7 vpn's though, which i cannot route to from the cisco. The vigor is basically the hub with the cisco being a spoke node, ultimately in the coming days i'm going to replace the vigor with the cisco.

The network id's of our LAN's

192.168.23.0

192.168.18.0

192.168.28.0

192.168.48.0

192.168.88.0

192.168.108.0

10.0.0.0

Results from sh crypto ipsec sa

It's not causing any problems that i can see anyway, I can ping 192.168.78.2 which is a pc on that subnet and also ping 192.168.6.30 the server on that subnet.

interface: Dialer0

    Crypto map tag: VPN-Map-1, local addr 77.xxx.xxx.176

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (192.168.78.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (192.168.6.0/255.255.255.0/0/0)

   current_peer 78.xx.xxx.48 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 4406, #pkts encrypt: 4406, #pkts digest: 4406

    #pkts decaps: 6206, #pkts decrypt: 6206, #pkts verify: 6206

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 1, #recv errors 175

     local crypto endpt.: 77.xxx.xxx.176, remote crypto endpt.: 78.xx.xxx.48

     path mtu 1500, ip mtu 1500, ip mtu idb Dialer0

     current outbound spi: 0x60C18423(1623295011)

     inbound esp sas:

      spi: 0x6AE509AC(1793395116)

        transform: esp-des esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 3003, flow_id: FPGA:3, crypto map: VPN-Map-1

        sa timing: remaining key lifetime (k/sec): (4586467/2908)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0x60C18423(1623295011)

        transform: esp-des esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 3004, flow_id: FPGA:4, crypto map: VPN-Map-1

        sa timing: remaining key lifetime (k/sec): (4586472/2907)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access2

    Crypto map tag: VPN-Map-1, local addr 77.xxx.xxx.176

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (192.168.78.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (192.168.6.0/255.255.255.0/0/0)

   current_peer 78.xx.xxx.48 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 4406, #pkts encrypt: 4406, #pkts digest: 4406

    #pkts decaps: 6206, #pkts decrypt: 6206, #pkts verify: 6206

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 1, #recv errors 175

     local crypto endpt.: 77.xxx.xxx.176, remote crypto endpt.: 78.xx.xxx.48

     path mtu 1500, ip mtu 1500, ip mtu idb Dialer0

     current outbound spi: 0x60C18423(1623295011)

     inbound esp sas:

      spi: 0x6AE509AC(1793395116)

        transform: esp-des esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 3003, flow_id: FPGA:3, crypto map: VPN-Map-1

        sa timing: remaining key lifetime (k/sec): (4586467/2907)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0x60C18423(1623295011)

        transform: esp-des esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 3004, flow_id: FPGA:4, crypto map: VPN-Map-1

        sa timing: remaining key lifetime (k/sec): (4586472/2906)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Hi Vikas,

When i reload the router the crypto map assigned to dialer0 is not retained? I checked the basics made sure the settings have been written to memory still does not retain the crypto map on the dialer.

Any ideas?

Thanks

Mark

Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(25), REL
EASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Tue 21-Apr-09 10:00 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)T9, RELEASE SOFTWARE (fc1)

BURTON uptime is 12 minutes
System returned to ROM by reload at 11:06:24 UTC Fri Nov 26 2010
System image file is "flash:c1841-advsecurityk9-mz.124-25.bin"

Hi Vikas,

I upgraded to 25(d) all working fine now, the IPSEC sa's were causing me a problem but that's also been sorted to a certain extent. I dont think the Vigor routers are fully compatible with the cisco.

https://supportforums.cisco.com/message/3237644

thanks gain for your help though.

Mark

Hi Vikas,

I was wondering if you can help me please.

I've just replaced one of the vigor routers with a cisco 1841 as a spoke to the main hub.

Im getting this though...

*Jan 18 14:58:46.147: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode fail
ed with peer at 78.xx.xxx.48

This is my spoke config..

#############################################################################

Current configuration : 6571 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname DALBY
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$iFwB$xxxxxxxxxxxxxxxx.
enable password xxxxxxxxxx

!
no aaa new-model
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
ip name-server 62.121.0.2
ip name-server 195.54.225.10
!
!
crypto pki trustpoint TP-self-signed-692553461
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-692553461
revocation-check none
rsakeypair TP-self-signed-692553461
!
!
crypto pki certificate chain TP-self-signed-692553461
certificate self-signed 01
  3082023B 308201A4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 36393235 35333436 31301E17 0D313130 31313831 34313134
  305A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3639 32353533
  34363130 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  BA51CDF7 D418D270 7DCE516E 1ADE6DF5 82FE4507 CD1EBE0A 4B6E4B15 9A3C20ED
  B1D19FC9 63D0B925 0A4611FF CE8D935C 264FC3FE DF8BFAC2 76EC38ED 68115F43
  20A68D85 C04A564E 8BDE86FE 127F79B4 8E123D9C 8430940C BCD5CDA4 ADAAE387
  FA1E14A6 ECF92197 0CF54E89 B33915E7 A4E01EC7 CE45DDF6 AA60D168 38C92E67
  02030100 01A36530 63300F06 03551D13 0101FF04 05300301 01FF3010 0603551D
  11040930 07820544 414C4259 301F0603 551D2304 18301680 14645E3F DE4E90A8
  77358081 EE4217F4 82123899 3A301D06 03551D0E 04160414 645E3FDE 4E90A877
  358081EE 4217F482 1238993A 300D0609 2A864886 F70D0101 04050003 8181006C
  774C8BB8 2E5A70BA 4E38068F C4B8CC70 3318C04D 1EF45489 D3FD6E13 A49AB6B7
  8A40E698 09FA2417 A61C574A 8668E3F4 67532654 C33034DC 1B0B0962 EB5F05F6
  C83B7AA8 D132208C 1CFC10A4 94D5741C 83967D65 642886A9 2FC53C0F 4C21303E
  A90FDF8F 4742460B 4DFB3E2C ECE1E328 4642C1F3 2E687B94 A44082E7 2E56A6
  quit
!
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp policy 5
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key Dalby%19 address 78.xx.xxx.48
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
crypto ipsec transform-set cm-transformset-1 esp-des esp-sha-hmac
crypto ipsec transform-set this_should_work esp-des esp-sha-hmac
crypto ipsec transform-set cm-transformset-2 esp-des esp-md5-hmac
!
crypto map VPN-Map-1 11 ipsec-isakmp
set peer 78.xx.xxx.48
set transform-set this_should_work
set pfs group2
match address burton
!
!
!
interface FastEthernet0/0
description $ETH-LAN$
ip address 192.168.88.40 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
no cdp enable
!
interface ATM0/0/0
no ip address
no ip route-cache cef
no ip route-cache
no ip mroute-cache
atm restart timer 300
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface ATM0/1/0
no ip address
no ip route-cache cef
no ip route-cache
no ip mroute-cache
atm restart timer 300
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip route-cache cef
no ip route-cache
dialer pool 1
dialer-group 1
ppp reliable-link
ppp authentication chap callin
ppp chap hostname xxxxxxxxxxxxxxxxxxxxxx

ppp chap password 0 xxxxxxxxxx
ppp ipcp dns request
ppp link reorders
ppp multilink
ppp multilink slippage mru 16
ppp multilink fragment delay 10
ppp multilink interleave
ppp multilink multiclass
crypto map VPN-Map-1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http secure-server
ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static tcp 192.168.88.30 25 78.xx.xxx.245 25 extendable
ip nat inside source static tcp 192.168.88.30 80 78.xx.xxx.245 80 extendable
ip nat inside source static tcp 192.168.88.30 443 78.xx.xxx.245 443 extendable
ip nat inside source static tcp 192.168.88.45 443 78.xx.xxx.246 443 extendable
!
ip access-list extended Internet-inbound-ACL
permit udp host 78.xx.xx.48 any eq isakmp
permit esp host 78.xx.xx.48 any
permit udp host 78.xx.xx.188 any eq isakmp
permit esp host 78.xx.xx.188 any
ip access-list extended braintree
permit ip any 10.0.0.0 0.0.0.255
ip access-list extended burton
permit ip any 192.168.6.0 0.0.0.255
ip access-list extended burtonstores
permit ip any 192.168.78.0 0.0.0.255
ip access-list extended corby
permit ip any 192.168.18.0 0.0.0.255
ip access-list extended dalby
permit ip any 192.168.88.0 0.0.0.255
ip access-list extended glasgow
permit ip any 192.168.108.0 0.0.0.255
ip access-list extended hadleigh
permit ip any 192.168.48.0 0.0.0.255
ip access-list extended northwich
permit ip any 192.168.23.0 0.0.0.255
ip access-list extended wycombe
permit ip any 192.168.28.0 0.0.0.255
!
access-list 100 deny   ip 192.168.88.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 100 deny   ip 192.168.88.0 0.0.0.255 192.168.78.0 0.0.0.255
access-list 100 deny   ip 192.168.88.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 100 deny   ip 192.168.88.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 deny   ip 192.168.88.0 0.0.0.255 192.168.48.0 0.0.0.255
access-list 100 deny   ip 192.168.88.0 0.0.0.255 192.168.23.0 0.0.0.255
access-list 100 deny   ip 192.168.88.0 0.0.0.255 192.168.28.0 0.0.0.255
access-list 100 deny   ip 192.168.88.0 0.0.0.255 192.168.108.0 0.0.0.255
access-list 100 permit ip 192.168.88.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community public RO
!
!
control-plane
!
banner motd ^CCC
******************************************
* Welcome to xxxxxxxxxxxxxxxxx

* Dalby Router
* Unauthorized access prohibited
******************************************
^C
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
password xxxxxxxxxx%18
login
!
scheduler allocate 20000 1000
no process cpu extended
no process cpu autoprofile hog
end

My hub config.....

####################################################################

Current configuration : 8449 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BURTON
!
boot-start-marker
boot-end-marker
!
enable secret 5 $xxxxxxxxxxxxxxxxxxxxxxxx.
enable password xxxxxxxxxx

!
no aaa new-model
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
ip name-server 62.121.0.2
ip name-server 195.54.225.10
!
!
crypto pki trustpoint TP-self-signed-561592686
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-561592686
revocation-check none
rsakeypair TP-self-signed-561592686
!
!
crypto pki certificate chain TP-self-signed-561592686
certificate self-signed 01
  3082023C 308201A5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 35363135 39323638 36301E17 0D313130 31313831 33303433
  335A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3536 31353932
  36383630 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  E4DBC9F8 8DE09F73 32A36E04 09799F97 29720B78 4C02543D EA4EC2F1 71A3C126
  C93BE7BD 0D76F720 A0617593 6CABD849 771E52A7 27832E26 4D8B51E8 3F18CCE0
  B809D177 8820615D 7EDB42AE EB1AC1B6 D1333F93 AF284E97 2E254CE9 905C54EE
  B52F5E66 6D653B3C F490B042 AEBF2962 3BEF40EC FFB79ECC C21FC162 B85E83D9
  02030100 01A36630 64300F06 03551D13 0101FF04 05300301 01FF3011 0603551D
  11040A30 08820642 5552544F 4E301F06 03551D23 04183016 80148AC9 92D2CAA8
  C71BB6E5 D8AF5B07 B0E876B8 3837301D 0603551D 0E041604 148AC992 D2CAA8C7
  1BB6E5D8 AF5B07B0 E876B838 37300D06 092A8648 86F70D01 01040500 03818100
  0164D61E 00DA2699 FCEC5883 9673596F 6BAF1602 ED1CDDF9 EC94F994 01452D19
  FEFD02BB 592E1C44 7EE37A45 8861C6FC 0D6CE485 CDE5AFEE C4D9B629 1F6EFDB8
  F4C122B6 2DD9FABE 0BE55EBD 2F38F37A 5305F79C A798B50C 1FFD8355 80539A2E
  9C4277E8 7762A368 5CCE6916 8949A1A9 4588E7B9 822C3C5A D8F30C1F 2744EB55
  quit
!
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp policy 5
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key Braxxxe%20 address 85.xxx.xxx.9
crypto isakmp key Nordddd%24x address 85.xx.xxx.10
crypto isakmp key Burxxxst%18 address 78.xx.xxx.82
crypto isakmp key Corxxxx%21 address 78.xx.xxx.179
crypto isakmp key Glaxsxxx%22 address 78.xx.xxx.181
crypto isakmp key Haxxxxh%23 address 78.xx.xxx.180
crypto isakmp key Wyxxxe%25 address 78.xx.xxx.178
crypto isakmp key Daxxxx%19 address 78.xx.xxx.188
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
crypto ipsec transform-set cm-transformset-1 esp-des esp-sha-hmac
crypto ipsec transform-set this_should_work esp-des esp-sha-hmac
crypto ipsec transform-set cm-transformset-2 esp-des esp-md5-hmac
!
crypto map VPN-Map-1 10 ipsec-isakmp
set peer 78.xx.xxx.82
set transform-set cm-transformset-2
match address burtonstores
crypto map VPN-Map-1 11 ipsec-isakmp
set peer 78.xx.xxx.188
set transform-set this_should_work
set pfs group2
match address dalby
crypto map VPN-Map-1 12 ipsec-isakmp
set peer 85.xxx.xxx.9
set transform-set this_should_work
match address braintree
crypto map VPN-Map-1 13 ipsec-isakmp
set peer 78.xx.xxx.179
set transform-set this_should_work
match address corby
crypto map VPN-Map-1 14 ipsec-isakmp
set peer 78.xx.xxx.181
set transform-set cm-transformset-2
match address glasgow
crypto map VPN-Map-1 15 ipsec-isakmp
set peer 78.xx.xxx.180
set transform-set this_should_work
match address hadleigh
crypto map VPN-Map-1 16 ipsec-isakmp
set peer 85.xxx.xxx.10
set transform-set this_should_work
match address northwich
crypto map VPN-Map-1 17 ipsec-isakmp
set peer 78.xx.xxx.178
set transform-set this_should_work
match address wycombe
!
!
!
interface FastEthernet0/0
description $ETH-LAN$
ip address 192.168.6.40 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
no cdp enable
!
interface ATM0/0/0
no ip address
no ip route-cache cef
no ip route-cache
no ip mroute-cache
atm restart timer 300
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface ATM0/1/0
no ip address
no ip route-cache cef
no ip route-cache
no ip mroute-cache
atm restart timer 300
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip route-cache cef
no ip route-cache
dialer pool 1
dialer-group 1
ppp reliable-link
ppp authentication chap callin
ppp chap hostname xxxxxxxxxxxxxxxx

ppp chap password 0 xxxxxxxxxxxxxx
ppp ipcp dns request
ppp link reorders
ppp multilink
ppp multilink slippage mru 16
ppp multilink fragment delay 10
ppp multilink interleave
ppp multilink multiclass
crypto map VPN-Map-1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http secure-server
ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static tcp 192.168.6.45 1723 interface Dialer0 1723
ip nat inside source static tcp 192.168.6.65 25 78.xx.xxx.48 25 extendable
ip nat inside source static tcp 192.168.6.65 80 78.xx.xxx.48 80 extendable
ip nat inside source static tcp 192.168.6.65 443 78.xx.xxx.48 443 extendable
ip nat inside source static tcp 192.168.6.30 80 78.xx.xxx.62 80 extendable
ip nat inside source static tcp 192.168.6.30 443 78.xx.xxx.62 443 extendable
!
ip access-list extended Internet-inbound-ACL
permit udp host 85.xxx.xxx.85 any eq isakmp
permit esp host 85.xxx.xxx.85 any
permit udp host 85.xxx.xxx.9 any eq isakmp
permit esp host 85.xxx.xxx.9 any
permit udp host 85.xxx.xxx.10 any eq isakmp
permit esp host 85.xxx.xxx.10 any
permit udp host 78.xx.xxx.82 any eq isakmp
permit esp host 78.xx.xxx.82 any
permit udp host 78.xx.xxx.178 any eq isakmp
permit esp host 78.xx.xxx.178 any
permit udp host 78.xx.xxx.179 any eq isakmp
permit esp host 78.xx.xxx.179 any
permit udp host 78.xx.xxx.180 any eq isakmp
permit esp host 78.xx.xxx.180 any
permit udp host 78.xx.xxx.181 any eq isakmp
permit esp host 78.xx.xxx.181 any
permit udp host 78.xx.xxx.188 any eq isakmp
permit esp host 78.xx.xxx.188 any
ip access-list extended braintree
permit ip any 10.0.0.0 0.0.0.255
ip access-list extended burtonstores
permit ip any 192.168.78.0 0.0.0.255
ip access-list extended corby
permit ip any 192.168.18.0 0.0.0.255
ip access-list extended dalby
permit ip any 192.168.88.0 0.0.0.255
ip access-list extended glasgow
permit ip any 192.168.108.0 0.0.0.255
ip access-list extended hadleigh
permit ip any 192.168.48.0 0.0.0.255
ip access-list extended northwich
permit ip any 192.168.23.0 0.0.0.255
ip access-list extended wycombe
permit ip any 192.168.28.0 0.0.0.255
!
access-list 100 deny   ip 192.168.6.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 100 deny   ip 192.168.6.0 0.0.0.255 192.168.78.0 0.0.0.255
access-list 100 deny   ip 192.168.6.0 0.0.0.255 192.168.88.0 0.0.0.255
access-list 100 deny   ip 192.168.6.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 deny   ip 192.168.6.0 0.0.0.255 192.168.48.0 0.0.0.255
access-list 100 deny   ip 192.168.6.0 0.0.0.255 192.168.23.0 0.0.0.255
access-list 100 deny   ip 192.168.6.0 0.0.0.255 192.168.28.0 0.0.0.255
access-list 100 deny   ip 192.168.6.0 0.0.0.255 192.168.108.0 0.0.0.255
access-list 100 permit ip 192.168.6.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community public RO
snmp-server community private RW
!
!
control-plane
!
banner motd ^CC
******************************************
* Welcome to xxxxxxxxxxxx

* Burton Router
* Unauthorized access prohibited
******************************************
^C
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
password xxxxxxxxxxxxx%18
login
!
scheduler allocate 20000 1000
no process cpu extended
no process cpu autoprofile hog
end

###############################################

This is shown on the spoke

DALBY#show crypto isakmp sa
dst             src             state          conn-id slot status
78.xx.xxx.48    78.xx.xxx.188   QM_IDLE             69    0 ACTIVE
78.xx.xxx.48    78.xx.xxx.188   MM_NO_STATE         68    0 ACTIVE (deleted)

It looks like it's failing on phase 2 (this is on the spoke)

*Jan 18 15:27:38.431: map_db_find_best did not find matching map
*Jan 18 15:27:38.431: IPSEC(validate_transform_proposal): no IPSEC cryptomap exi
sts for local address 78.xx.xxx.188
*Jan 18 15:27:38.431: ISAKMP:(0:72:SW:1): IPSec policy invalidated proposal
*Jan 18 15:27:38.431: ISAKMP:(0:72:SW:1): phase 2 SA policy not acceptable! (loc
al 78.xx.xxx.188 remote 78.xx.xxx.48)

If you could help I would be extremely greatfull.

Thanks

A cisco ios novice!