Using a Cisco VPN Client 5.0 on an ASA5505, I cannot connect with IPsec. I get the following log on the ASA:
....QM FSM error(P2 struct....etc
....All IPSec sa Proposals found unacceptable!
....Mismatch: Overriding phase2 DH Group(DH group!) with phase 1 group (DH group 2)
....PHASE 1 COMPLETED
As I understand, authentication is okay, but the client and ASA cannot find an IKE policy to agree on? I've tried to set up several IKEs (that are listed as supported with the Cisco client) but with the same result. Am I looking in the wrong direction here? Help!
PS: if this message is posted more than 1 time - well, the Cisco apache/tomcat system has been sick for the last hours..
The logging capabilities on the VPN client are very good. I would set all the facilities to High, try to connect, and review the logs. They are usually pretty straightforward in reporting what is not working.
Occasionally I've had configurations all of a sudden require an AES IKE policy. I found this out by enabling debugging on the firewall and determining exactly which IKE policies were being sent from the VPN Client, and then matched the first one.