Help

I do not understand why the VPN will not work.  I see that it fails IKE phase 1 because of the hash...but everything looks good. 

Configs on the ASA:

access-list outside_cryptomap extended permit ip object ASA object Router

nat (inside,outside) source static ASA ASA destination static Router Router no-proxy-arp route-lookup

crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer XXX.XXX.XXX.73
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

access-list outside_cryptomap extended permit ip object ASA object Router

group-policy GroupPolicy_XXX.XXX.XXX.73 internal
group-policy GroupPolicy_XXX.XXX.XXX.73 attributes
vpn-tunnel-protocol ikev1

tunnel-group XXX.XXX.XXX.73 type ipsec-l2l
tunnel-group XXX.XXX.XXX.73 general-attributes
default-group-policy GroupPolicy_XXX.XXX.XXX.73
tunnel-group XXX.XXX.XXX.73 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****

access-list outside_cryptomap extended permit ip object ASA object Router

object network ASA
subnet 192.168.2.0 255.255.255.0

object network Router
subnet 192.168.1.0 255.255.255.0

crypto ikev1 policy 2
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 86400

___________________________________________________

crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
crypto isakmp key ****** address XXX.XXX.XXX.11
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set IKE2 esp-aes 256 esp-sha-hmac

!

crypto map VPN 2 ipsec-isakmp
description ASA
set peer XXX.XXX.XXX.11
set transform-set IKE2
match address VPN_Traffic

ip access-list extended VPN_Traffic
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 log

interface Vlan2
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly

interface FastEthernet1
description ISP
ip address XXX.XXX.XXX.73 255.255.255.248
nat outside
crypto map VPN
!

ip nat inside source list NAT_Outside interface FastEthernet1 overload

ip access-list extended NAT_Outside
deny ip 192.168.1.0 0.255.255.255 192.168.2.0 0.0.0.255 log
permit ip 192.168.1.0 0.255.255.255 any

____________________________________________________

On Router

#debug crypto isakmp

*Oct 3 17:52:53.617: ISAKMP:(0): SA request profile is (NULL)
*Oct 3 17:52:53.617: ISAKMP: Created a peer struct for XXX.XXX.XXX.2, peer port 500
*Oct 3 17:52:53.617: ISAKMP: New peer created peer = 0x8480B114 peer_handle = 0x8000007F
*Oct 3 17:52:53.617: ISAKMP: Locking peer struct 0x8480B114, refcount 1 for isakmp_initiator
*Oct 3 17:52:53.617: ISAKMP: local port 500, remote port 500
*Oct 3 17:52:53.617: ISAKMP: set new node 0 to QM_IDLE
*Oct 3 17:52:53.617: insert sa successfully sa = 8480A9C0
*Oct 3 17:52:53.617: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Oct 3 17:52:53.617: ISAKMP:(0):found peer pre-shared key matching XXX.XXX.XXX.2
*Oct 3 17:52:53.617: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Oct 3 17:52:53.617: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Oct 3 17:52:53.617: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Oct 3 17:52:53.617: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Oct 3 17:52:53.617: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Oct 3 17:52:53.617: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1

*Oct 3 17:52:53.617: ISAKMP:(0): beginning Main Mode exchange
*Oct 3 17:52:53.617: ISAKMP:(0): sending packet to XXX.XXX.XXX.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Oct 3 17:52:53.617: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 3 17:52:53.649: ISAKMP (0:0): received packet from XXX.XXX.XXX.2 dport 500 sport 500 Global (I) MM_NO_STATE
*Oct 3 17:52:53.649: ISAKMP:(0):Notify has no hash. Rejected. /////////////////////////////////////////////////This is where I see it going wrong//////////////////
*Oct 3 17:52:53.649: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
*Oct 3 17:52:53.649: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Oct 3 17:52:53.649: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM1

*Oct 3 17:52:53 UTC: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at XXX.XXX.XXX.2
*Oct 3 17:53:23.617: ISAKMP: set new node 0 to QM_IDLE
*Oct 3 17:53:23.617: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local XXX.XXX.XXX.73, remote XXX.XXX.XXX.2)
*Oct 3 17:53:23.617: ISAKMP: Error while processing SA request: Failed to initialize SA
*Oct 3 17:53:23.617: ISAKMP: Error while processing KMI message 0, error 2.
**Oct 3 17:54:08.617: ISAKMP: quick mode timer expired.
*Oct 3 17:54:08.617: ISAKMP:(0):src XXX.XXX.XXX.73 dst XXX.XXX.XXX.2, SA is not authenticated
*Oct 3 17:54:08.617: ISAKMP:(0):peer does not do paranoid keepalives.

*Oct 3 17:54:08.617: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) MM_NO_STATE (peer XXX.XXX.XXX.2)
*Oct 3 17:54:08.617: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) MM_NO_STATE (peer XXX.XXX.XXX.2)
*Oct 3 17:54:08.617: ISAKMP: Unlocking peer struct 0x8480B114 for isadb_mark_sa_deleted(), count 0
*Oct 3 17:54:08.617: ISAKMP: Deleting peer node by peer_reap for XXX.XXX.XXX.2: 8480B114
*Oct 3 17:54:08.617: ISAKMP:(0):deleting node -763682124 error FALSE reason "IKE deleted"
*Oct 3 17:54:08.617: ISAKMP:(0):deleting node -1337740792 error FALSE reason "IKE deleted"
*Oct 3 17:54:08.617: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Oct 3 17:54:08.617: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA

*Oct 3 17:54:58.617: ISAKMP:(0):purging node -763682124
*Oct 3 17:54:58.617: ISAKMP:(0):purging node -1337740792
*Oct 3 17:55:08.617: ISAKMP:(0):purging SA., sa=8480A9C0, delme=8480A9C0