
Help with client VPN access to cisco router via NAT

Hi All, 

I hope someone can help. I am trying to configure Cisco VPN client access to our Cisco 887VA-W; it doesn't use the dialer interface, and for its public IP access it uses 1-to-1 NAT from our WatchGuard router. The VPN client seems to be able to contact the VPN server but then doesn't get any replies. Here's the configuration and the error messages:


version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VOIPVPNRouter
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpn_xauth_ml_1 local
aaa authentication login sslvpn local
aaa authorization network vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
!
ip cef
!
!
!
!
!
!
ip domain name m3c.local
no ipv6 cef
!
!
license udi pid C887VA-W-E-K9 sn FCZ1743C1X7
!
!
vtp domain M3C
vtp mode transparent
username ADMINISTRATOR privilege 15 secret 4 f7v04/RWgoxtjQpDbT0twLleUsFI2Tcfs4o4nDbveZA
username USERNAME password 0 PASSWORD
!
!
!
!
!
controller VDSL 0
!
vlan 10
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group oracle
key PRE-SHARED-KEY
dns 172.16.1.18
pool VPN-Pool
acl vpn_resources
max-users 10
crypto isakmp profile vpn_ike_profile
match identity group oracle
client authentication list vpn_xauth_ml_1
isakmp authorization list vpn_group_m1_1
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set vpn_transform esp-3des esp-sha-hmac
mode tunnel
no crypto ipsec nat-transparency udp-encapsulation
!
!
crypto ipsec profile vpn_profile
set transform-set vpn_transform
!
!
!
!
!
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
switchport mode trunk
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
shutdown
!
interface FastEthernet3
no ip address
shutdown
!
interface Virtual-Template2 type tunnel
ip unnumbered Vlan1
tunnel mode ipsec ipv4
tunnel protection ipsec profile vpn_profile
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
no ip address
!
interface wlan-ap0
description Embedded Service module interface to manage the embedded AP
no ip address
!
interface Vlan1
ip address 172.16.1.33 255.255.255.0
ip helper-address 172.16.1.100
ip flow ingress
!
ip local pool VPN-Pool 172.16.1.80
ip default-gateway 172.16.1.100
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip default-network 172.16.1.0
ip route 0.0.0.0 0.0.0.0 172.16.1.100
ip route 10.1.2.0 255.255.255.0 172.16.1.100
!
ip access-list extended vpn_resources
permit ip 172.16.1.0 0.0.0.255 any
permit ip 10.3.3.0 0.0.0.255 any
!
!
snmp-server community private RW
snmp-server community public RO
snmp-server ifindex persist
!
!
!
!
line con 0
logging synchronous
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line vty 0 4
password PASSWORD
logging synchronous
transport input ssh
!
scheduler allocate 20000 1000
!
end

When I try to connect using the VPN client application, the client says "The VPN server did not respond." and the Cisco router outputs the following:

*Nov 24 10:03:27.889: ISAKMP: life type in seconds
*Nov 24 10:03:27.889: ISAKMP: life duration (basic) of 3600
*Nov 24 10:03:27.889: ISAKMP: encryption 3DES-CBC
*Nov 24 10:03:27.889: ISAKMP: auth XAUTHInitPreShared
*Nov 24 10:03:27.889: ISAKMP: hash SHA
*Nov 24 10:03:27.889: ISAKMP: default group 2
*Nov 24 10:03:27.889: ISAKMP:(0):atts are acceptable. Next payload is 3
*Nov 24 10:03:27.889: ISAKMP:(0):Acceptable atts:actual life: 86400
*Nov 24 10:03:27.889: ISAKMP:(0):Acceptable atts:life: 0
*Nov 24 10:03:27.889: ISAKMP:(0):Basic life_in_seconds:3600
*Nov 24 10:03:27.889: ISAKMP:(0):Returning Actual lifetime: 3600
*Nov 24 10:03:27.889: ISAKMP:(0)::Started lifetime timer: 3600.

*Nov 24 10:03:27.889: ISAKMP:(0): processing KE payload. message ID = 0
*Nov 24 10:03:27.889: crypto_engine: Create DH shared secret
*Nov 24 10:03:27.889: ISAKMP:(0): processing NONCE payload. message ID = 0
*Nov 24 10:03:27.893: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Nov 24 10:03:27.893: ISAKMP (0): vendor ID is NAT-T v7
*Nov 24 10:03:27.893: ISAKMP:(0): vendor ID is NAT-T v3
*Nov 24 10:03:27.893: ISAKMP:(0): vendor ID is NAT-T v2
*Nov 24 10:03:27.893: ISAKMP:(0):peer does not do paranoid keepalives.

*Nov 24 10:03:27.893: ISAKMP:(0):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) AG_NO_STATE (peer EXTERNALIP )
*Nov 24 10:03:27.893: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH: state = IKE_READY
*Nov 24 10:03:27.893: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Nov 24 10:03:27.893: ISAKMP:(0):Old State = IKE_READY New State = IKE_READY

*Nov 24 10:03:27.893: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at EXTERNALIP 
*Nov 24 10:03:27.893: ISAKMP:(0):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) AG_NO_STATE (peer EXTERNALIP )
*Nov 24 10:03:27.893: ISAKMP: Unlocking peer struct 0x2A5684C for isadb_mark_sa_ deleted(), count 0
*Nov 24 10:03:27.893: ISAKMP: Deleting peer node by peer_reap for EXTERNALIP : 2A5684C
*Nov 24 10:03:27.893: crypto engine: deleting DH phase 2 SW:41
*Nov 24 10:03:27.893: crypto_engine: Delete DH shared secret
*Nov 24 10:03:27.893: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Nov 24 10:03:27.893: ISAKMP:(0):Old State = IKE_READY New State = IKE_DEST_SA

*Nov 24 10:03:27.893: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Nov 24 10:03:31.081: ISAKMP (0): received packet from EXTERNALIP dport 500 sport 500 Global (R) MM_NO_STATE
*Nov 24 10:03:34.321: ISAKMP (0): received packet from EXTERNALIP dport 500 sport 500 Global (R) MM_NO_STATE
*Nov 24 10:03:37.517: ISAKMP (0): received packet from EXTERNALIP dport 500 sport 500 Global (R) MM_NO_STATE
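
Added example (not from the original post and not a Cisco tool): a Python consistency check over an excerpt of the configuration above. It flags names the ISAKMP profile references that are defined nowhere in the config, and warns when `no crypto ipsec nat-transparency udp-encapsulation` is present although the debug output shows the peer advertising NAT-T vendor IDs. The excerpt and the sample debug line are copied from the post; the function names are my own.

```python
import re
# Excerpt copied from the configuration in the post (constructed test input).
CONFIG = """\
aaa authentication login vpn_xauth_ml_1 local
aaa authorization network vpn_group_ml_1 local
crypto isakmp client configuration group oracle
 pool VPN-Pool
 acl vpn_resources
crypto isakmp profile vpn_ike_profile
 match identity group oracle
 client authentication list vpn_xauth_ml_1
 isakmp authorization list vpn_group_m1_1
 virtual-template 2
no crypto ipsec nat-transparency udp-encapsulation
interface Virtual-Template2 type tunnel
ip local pool VPN-Pool 172.16.1.80
ip access-list extended vpn_resources
"""

# Reference pattern -> pattern of the line that must define the captured name.
REFERENCES = {
    r"^\s*client authentication list (\S+)": r"^aaa authentication login {name} ",
    r"^\s*isakmp authorization list (\S+)": r"^aaa authorization network {name} ",
    r"^\s*match identity group (\S+)": r"^crypto isakmp client configuration group {name}$",
    r"^\s*pool (\S+)": r"^ip local pool {name} ",
    r"^\s*acl (\S+)": r"^ip access-list (?:extended|standard) {name}$",
    r"^\s*virtual-template (\d+)": r"^interface Virtual-Template{name} ",
}

def dangling_references(config):
    """Return (referencing line, name) pairs whose defining line is absent."""
    missing = []
    for ref_re, def_tmpl in REFERENCES.items():
        for m in re.finditer(ref_re, config, re.M):
            name = m.group(1)
            if not re.search(def_tmpl.format(name=re.escape(name)), config, re.M):
                missing.append((m.group(0).strip(), name))
    return missing

def nat_t_disabled(config):
    """True when NAT traversal (UDP encapsulation of ESP) is explicitly turned off."""
    return re.search(r"^no crypto ipsec nat-transparency udp-encapsulation$", config, re.M) is not None

def review(config, debug_lines):
    """Findings as strings; debug_lines is 'debug crypto isakmp' output."""
    findings = [f"undefined reference: {line}" for line, _ in dangling_references(config)]
    if nat_t_disabled(config) and any("vendor ID is NAT-T" in ln for ln in debug_lines):
        findings.append("peer advertises NAT-T but udp-encapsulation is disabled")
    return findings
```

Run `review(CONFIG, debug_lines)` with the router's debug output as a list of lines; each finding points at a line of the config to re-check before looking further at the NAT device.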
