02-05-2004 10:44 AM
I am trying to connect a 3002 in network extension mode to a 2651XM VPN-k9. I am following the directions at:
http://www.cisco.com/warp/public/471/vpn-3k2-ios-nem-lea.html
My debug shows an apparent problem with the ISAKMP negotiation ... I notice that the problem may be with the NAT on the 3002 ... this is not something addressed in the Cisco example config.
Here is the IOS debug ... I can provide the 3002 end as well, but it doesn't have the same level of detail.
x.603: ISAKMP: Locking peer struct 0x830F8F30, IKE refcount 1 for crypto_ikmp_config_initialize_sa
x.603: ISAKMP (0:0): Setting client config settings 830DA758
x.603: ISAKMP (0:0): (Re)Setting client xauth list and state
x.603: ISAKMP: local port 500, remote port 500
x.603: ISAKMP (0:7): processing SA payload. message ID = 0
x.607: ISAKMP (0:7): processing ID payload. message ID = 0
x.607: ISAKMP (0:7): processing vendor id payload
x.607: ISAKMP (0:7): vendor ID seems Unity/DPD but bad major
x.607: ISAKMP (0:7): vendor ID is XAUTH
x.607: ISAKMP (0:7): processing vendor id payload
x.607: ISAKMP (0:7): vendor ID seems Unity/DPD but bad major
x.607: ISAKMP (0:7): vendor ID is NAT-T
x.607: ISAKMP (0:7): processing vendor id payload
x.607: ISAKMP (0:7): vendor ID seems Unity/DPD but bad major
x.607: ISAKMP (0:7): vendor ID is NAT-T
x.607: ISAKMP (0:7): processing vendor id payload
x.607: ISAKMP (0:7): vendor ID seems Unity/DPD but bad major
x.607: ISAKMP (0:7) Authentication by xauth preshared
x.607: ISAKMP (0:7): Checking ISAKMP transform 1 against priority 3 policy
x.607: ISAKMP: default group 2
x.607: ISAKMP: encryption 3DES-CBC
x.607: ISAKMP: hash SHA
x.607: ISAKMP: auth XAUTHInitPreShared
x.611: ISAKMP: life type in seconds
x.611: ISAKMP: life duration (VPI) of 0x7F 0xFF 0xFF 0xFF
x.611: ISAKMP (0:7): atts are acceptable. Next payload is 3
x.647: ISAKMP (0:7): processing KE payload. message ID = 0
x.687: ISAKMP (0:7): processing NONCE payload. message ID = 0
x.687: ISAKMP (0:7): processing vendor id payload
x.687: ISAKMP (0:7): vendor ID seems Unity/DPD but bad major
x.687: ISAKMP (0:7): vendor ID is XAUTH
x.687: ISAKMP (0:7): processing vendor id payload
x.687: ISAKMP (0:7): vendor ID seems Unity/DPD but bad major
x.691: ISAKMP (0:7): vendor ID is NAT-T
x.691: ISAKMP (0:7): processing vendor id payload
x.691: ISAKMP (0:7): vendor ID seems Unity/DPD but bad major
x.691: ISAKMP (0:7): vendor ID is NAT-T
x.691: ISAKMP (0:7): processing vendor id payload
x.691: ISAKMP (0:7): vendor ID seems Unity/DPD but bad major
x.691: ISAKMP (0:7): Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
x.691: ISAKMP (0:7): Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT
x.695: ISAKMP: got callback 1
x.727: ISAKMP (0:7): SKEYID state generated
x.727: ISAKMP (0:7): constructed NAT-T vendor-03 ID
x.727: ISAKMP (0:7): SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR
x.727: ISAKMP (7): ID payload
next-payload : 10
type : 1
addr : 63.207.169.194
protocol : 17
port : 0
length : 8
x.727: ISAKMP (7): Total payload length: 12
x.735: ISAKMP (0:7): constructed HIS NAT-D
x.735: ISAKMP (0:7): constructed MINE NAT-D
x.735: ISAKMP (0:7): sending packet to 200.67.53.192 my_port 500 peer_port 500 (R) AG_INIT_EXCH
x.739: ISAKMP (0:7): Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
x.739: ISAKMP (0:7): Old State = IKE_R_AM_AAA_AWAIT New State =IKE_R_AM2
x.204: ISAKMP (0:6): retransmitting phase 1 AG_INIT_EXCH...
x.204: ISAKMP (0:6): incrementing error counter on sa: retransmit phase 1
x.204: ISAKMP (0:6): retransmitting phase 1 AG_INIT_EXCH
x.204: ISAKMP (0:6): sending packet to 200.67.53.192 my_port 500 peer_port 500 (R) AG_INIT_EXCH
x.568: ISAKMP (0:5): retransmitting phase 1 AG_INIT_EXCH...
x.568: ISAKMP (0:5): incrementing error counter on sa: retransmit phase 1
x.568: ISAKMP (0:5): retransmitting phase 1 AG_INIT_EXCH
x.568: ISAKMP (0:5): sending packet to 200.67.53.192 my_port 500 peer_port 500 (R) AG_INIT_EXCH
x.981: ISAKMP (0:4): retransmitting phase 1 AG_INIT_EXCH...
x.981: ISAKMP (0:4): peer does not do paranoid keepalives.
x.981: ISAKMP (0:4): deleting SA reason "death by retransmission P1" state (R) AG_INIT_EXCH (peer 200.67.53.192) input queue 0
x.981: ISAKMP (0:4): deleting SA reason "death by retransmission P1" state (R) AG_INIT_EXCH (peer 200.67.53.192) input queue 0
x.981: ISAKMP (0:4): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
x.981: ISAKMP (0:4): Old State = IKE_R_AM2 New State = IKE_DEST_SA
ISAKMP (0:1): purging SA., sa=830F187C, delme=830F187C
ISAKMP: Unlocking IKE struct 0x830E8324 for declare_sa_dead(), count 0
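The pattern in this debug (the router answers the 3002's aggressive-mode packet, then retransmits AG_INIT_EXCH until the SA dies with "death by retransmission P1", with NAT-T vendor IDs and NAT-D payloads in play) can be pulled out mechanically. The script below is an added example written for this thread, not code from the original post or from Cisco: it groups `debug crypto isakmp` lines by SA index, records vendor IDs, state transitions, ports, retransmits and the deletion reason, and turns them into findings. The embedded log excerpts are copied from the debugs in this thread, trimmed to the lines the parser uses; the regexes match the exact line shapes of this IOS release and may need adjusting for others, and the diagnosis rules are the example's own reading of the IKEv1 aggressive-mode / NAT-T flow.

```python
"""Triage helper for IOS 'debug crypto isakmp' output (added example, not Cisco code)."""
import re
from dataclasses import dataclass, field

# Excerpts copied from the debugs in this thread, trimmed to lines the parser uses.
FAILING_DEBUG = """\
x.607: ISAKMP (0:7): vendor ID is XAUTH
x.607: ISAKMP (0:7): vendor ID is NAT-T
x.691: ISAKMP (0:7): Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT
x.735: ISAKMP (0:7): constructed HIS NAT-D
x.735: ISAKMP (0:7): constructed MINE NAT-D
x.735: ISAKMP (0:7): sending packet to 200.67.53.192 my_port 500 peer_port 500 (R) AG_INIT_EXCH
x.739: ISAKMP (0:7): Old State = IKE_R_AM_AAA_AWAIT New State =IKE_R_AM2
x.204: ISAKMP (0:6): incrementing error counter on sa: retransmit phase 1
x.204: ISAKMP (0:6): sending packet to 200.67.53.192 my_port 500 peer_port 500 (R) AG_INIT_EXCH
x.981: ISAKMP (0:4): deleting SA reason "death by retransmission P1" state (R) AG_INIT_EXCH (peer 200.67.53.192) input queue 0
x.981: ISAKMP (0:4): Old State = IKE_R_AM2 New State = IKE_DEST_SA
"""
WORKING_DEBUG = """\
*Mar 6 21:55:00.776: ISAKMP (0:1): received packet from 200.67.53.192 dport 4500 sport 60291 (R) QM_IDLE
*Mar 6 21:55:00.788: ISAKMP (0:1): processing NOTIFY R_U_THERE protocol 1
*Mar 6 21:55:00.800: ISAKMP (0:1): sending packet to 200.67.53.192 my_port 4500 peer_port 60291 (R) QM_IDLE
"""

SA_RE = re.compile(r"ISAKMP \(0:(\d+)\):?\s*(.*)$")
VENDOR_RE = re.compile(r"vendor ID is (\S+)")
STATE_RE = re.compile(r"Old State = (\S+) New State =\s*(\S+)")  # IOS sometimes drops the space
SEND_RE = re.compile(r"sending packet to (\S+) my_port (\d+) peer_port (\d+) \(\w\) (\S+)")
RECV_RE = re.compile(r"received packet from (\S+) dport (\d+) sport (\d+) \(\w\) (\S+)")
RETX_RE = re.compile(r"incrementing error counter on sa: retransmit phase 1")
DEL_RE = re.compile(r'deleting SA reason "([^"]+)" state \(\w\) (\S+) \(peer (\S+)\)')
NATD_RE = re.compile(r"constructed (HIS|MINE) NAT-D")
NOTIFY_RE = re.compile(r"processing NOTIFY (\S+)")


@dataclass
class SAInfo:
    sa_id: int
    vendor_ids: set = field(default_factory=set)
    transitions: list = field(default_factory=list)  # (old_state, new_state)
    sends: list = field(default_factory=list)        # (peer, my_port, peer_port, exchange)
    receives: list = field(default_factory=list)     # (peer, dport, sport, exchange)
    natd: set = field(default_factory=set)           # {"HIS", "MINE"} once both hashes are built
    notifies: list = field(default_factory=list)
    retransmits: int = 0
    deleted: tuple = None                            # (reason, exchange, peer)


def parse_isakmp_debug(text):
    """Return {sa_index: SAInfo}; lines without an '(0:N)' SA index are skipped."""
    sas = {}
    for line in text.splitlines():
        m = SA_RE.search(line)
        if not m:
            continue
        sa = sas.setdefault(int(m.group(1)), SAInfo(int(m.group(1))))
        body = m.group(2)
        if (v := VENDOR_RE.search(body)):
            sa.vendor_ids.add(v.group(1))
        elif (s := STATE_RE.search(body)):
            sa.transitions.append(s.groups())
        elif (p := SEND_RE.search(body)):
            sa.sends.append((p.group(1), int(p.group(2)), int(p.group(3)), p.group(4)))
        elif (r := RECV_RE.search(body)):
            sa.receives.append((r.group(1), int(r.group(2)), int(r.group(3)), r.group(4)))
        elif RETX_RE.search(body):
            sa.retransmits += 1  # 'retransmitting' is printed twice per event; count the counter line
        elif (d := DEL_RE.search(body)):
            sa.deleted = d.groups()
        elif (n := NATD_RE.search(body)):
            sa.natd.add(n.group(1))
        elif (t := NOTIFY_RE.search(body)):
            sa.notifies.append(t.group(1))
    return sas


def diagnose(sa):
    """Turn one SA's record into findings (rules are this example's own reading of the flow)."""
    out = []
    if "NAT-T" in sa.vendor_ids:
        out.append("peer advertises NAT-T, so NAT detection runs inside this phase 1")
    if sa.natd == {"HIS", "MINE"}:
        out.append("responder built both NAT-D hashes for its aggressive-mode reply")
    if sa.transitions and sa.transitions[-1][1] == "IKE_R_AM2" and sa.deleted is None:
        out.append("reply (AM message 2) sent; waiting for the initiator's message 3")
    if sa.deleted and sa.deleted[0].startswith("death by retransmission P1"):
        _reason, exch, peer = sa.deleted
        before = next((o for o, n in sa.transitions if n == "IKE_DEST_SA"), "unknown")
        out.append(f"phase 1 with {peer} died retransmitting {exch} from state {before}: "
                   "the initiator's message 3 never arrived (reply lost, rejected, or message 3 dropped)")
    if "NAT-T" in sa.vendor_ids and any(mp == 500 and ex == "AG_INIT_EXCH" for _, mp, _, ex in sa.sends):
        out.append("still on UDP 500: the float to 4500 happens only after NAT is detected")
    for peer, dport, sport, _ in sa.receives:
        if dport == 4500:
            msg = f"IKE from {peer} arrives on UDP 4500 (NAT-T encapsulation active)"
            if sport != 4500:
                msg += f"; source port {sport} was rewritten, so a NAT/PAT sits between the peers"
            out.append(msg)
    if "R_U_THERE" in sa.notifies:
        out.append("peer sends DPD R_U_THERE over the established SA; the router answers")
    return out
```

Running `diagnose` over every SA from `parse_isakmp_debug(FAILING_DEBUG)` shows SA 7 stopping at IKE_R_AM2 and SA 4 dying from that same state, i.e. the router's reply went out on UDP 500 and the 3002's third aggressive-mode packet (the one carrying its hash and its own NAT-D) never came back; the debug alone cannot say whether the reply was dropped on the way out or message 3 on the way in.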
02-11-2004 12:12 PM
Maybe you can try to set up the NAT inside statement to point to a route-map.
02-11-2004 03:02 PM
Strangely, I left the problem alone for the weekend and when I tried it again yesterday it worked. I don't know why, but now it is working.
Here's the debug:
*Mar 6 21:55:00.776: ISAKMP (0:1): received packet from 200.67.53.192 dport 4500 sport 60291 (R) QM_IDLE
*Mar 6 21:55:00.776: ISAKMP: set new node -1803135908 to QM_IDLE
*Mar 6 21:55:00.784: ISAKMP (0:1): processing HASH payload. message ID = -1803135908
*Mar 6 21:55:00.788: ISAKMP (0:1): processing NOTIFY R_U_THERE protocol 1
spi 0, message ID = -1803135908, sa = 830FDF7C
*Mar 6 21:55:00.788: ISAKMP (0:1): deleting node -1803135908 error FALSE reason "informational (in) state 1"
*Mar 6 21:55:00.788: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar 6 21:55:00.788: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Mar 6 21:55:00.788: ISAKMP (0:1): DPD/R_U_THERE received from peer 200.67.53.192, sequence 0x51597854
*Mar 6 21:55:00.788: ISAKMP: set new node -1778019418 to QM_IDLE
*Mar 6 21:55:00.800: ISAKMP (0:1): sending packet to 200.67.53.192 my_port 4500 peer_port 60291 (R) QM_IDLE
*Mar 6 21:55:00.800: ISAKMP (0:1): purging node -1778019418
*Mar 6 21:55:00.800: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Mar 6 21:55:00.800: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
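What changed between the two debugs is visible in the ports: the 3002 now reaches the router on UDP 4500 from source port 60291 instead of 500/500. That is NAT traversal doing its job. During aggressive mode both ends exchange NAT-D hashes (the "constructed HIS NAT-D" / "constructed MINE NAT-D" lines in the first debug), and a mismatch between what the peer hashed and what actually arrived tells the responder that an address or port was rewritten on the way, after which IKE and ESP are moved to UDP 4500. The block below is an added example, not from the post or from Cisco, that computes RFC 3947 NAT-D payloads with the negotiated phase 1 hash (SHA-1, per `hash SHA` in the first debug) and runs the responder-side comparison. The router address 63.207.169.194 and the 3002's public address 200.67.53.192 come from the debug; the 3002's private address 10.0.0.2 and the ISAKMP cookies are constructed for the example.

```python
"""RFC 3947 NAT-D construction and NAT detection (added example, not Cisco code)."""
import hashlib
import socket
import struct


def nat_d(hash_name, cky_i, cky_r, ip, port):
    """NAT-D payload: HASH(CKY-I | CKY-R | IP | Port), IP and port in network byte order."""
    h = hashlib.new(hash_name)
    h.update(cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port))
    return h.digest()


def build_nat_d_payloads(hash_name, cky_i, cky_r, dst, local_addrs):
    """What a sender puts in its message: first the hash of the address it is sending to,
    then one hash per local address it might be using (RFC 3947 section 3.2)."""
    return [nat_d(hash_name, cky_i, cky_r, *dst)] + [
        nat_d(hash_name, cky_i, cky_r, *addr) for addr in local_addrs]


def detect_nat(hash_name, cky_i, cky_r, received, observed_src, my_addr):
    """Receiver-side check.  received: NAT-D payloads as they came off the wire;
    observed_src: (ip, port) the UDP packet actually came from; my_addr: (ip, port) it
    was received on.  Peer is behind NAT if none of its 'local' hashes matches the
    observed source; we are behind NAT if its hash of us does not match our own address."""
    remote_hash, local_hashes = received[0], received[1:]
    peer_behind_nat = nat_d(hash_name, cky_i, cky_r, *observed_src) not in local_hashes
    local_behind_nat = nat_d(hash_name, cky_i, cky_r, *my_addr) != remote_hash
    return {"peer_behind_nat": peer_behind_nat, "local_behind_nat": local_behind_nat}


# Constructed scenario: the 3002 sits on 10.0.0.2 behind a NAT that presents it as 200.67.53.192.
CKY_I = bytes.fromhex("1122334455667788")   # constructed initiator cookie
CKY_R = bytes.fromhex("99aabbccddeeff00")   # constructed responder cookie
ROUTER = ("63.207.169.194", 500)            # 2651XM address, from the debug's ID payload
PEER_PUBLIC = ("200.67.53.192", 500)        # the 3002 as the router sees it, from the debug
PEER_PRIVATE = ("10.0.0.2", 500)            # assumed private address of the 3002


def thread_scenario(hash_name="sha1"):
    """The 3002 hashes its private address; the router sees the translated one."""
    sent_by_3002 = build_nat_d_payloads(hash_name, CKY_I, CKY_R, ROUTER, [PEER_PRIVATE])
    return detect_nat(hash_name, CKY_I, CKY_R, sent_by_3002, PEER_PUBLIC, ROUTER)


def no_nat_scenario(hash_name="sha1"):
    """Control case: the 3002 hashes the same address the router observes."""
    sent_by_3002 = build_nat_d_payloads(hash_name, CKY_I, CKY_R, ROUTER, [PEER_PUBLIC])
    return detect_nat(hash_name, CKY_I, CKY_R, sent_by_3002, PEER_PUBLIC, ROUTER)


if __name__ == "__main__":
    print("thread:", thread_scenario())  # peer behind NAT -> float to UDP 4500, as in the working debug
    print("no NAT:", no_nat_scenario())
```

In the first debug the router built its own NAT-D pair and sent it, but the 3002's message 3 (which carries the 3002's NAT-D hashes) never arrived, so as far as that debug shows the comparison above never ran and the SA died on UDP 500. In the working run the exchange completed, the peer was found to be behind NAT, and the 3002 now shows up on UDP 4500 from PAT-rewritten port 60291, with DPD keepalives riding the same encapsulation.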