Hello,

I have an 887 DSL router that I'm trying to set up a VPN to an ASA.  I seem to have a possible hash mismatch in phase 1, am I correct as the debug is huge, however it seems phase 1 completes, but the SA loooks ok to me for phase 2.:

ping 10.100.1.66 rep 1 sou vlan 10

Type escape sequence to abort.

Sending 1, 100-byte ICMP Echos to 10.100.1.66, timeout is 2 seconds:

Packet sent with a source address of 10.105.10.49

*Jan  6 20:01:39.966: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= 81.149.110.113:500, remote= 91.171.156.66:500,

    local_proxy= 10.105.10.48/255.255.255.240/256/0,

    remote_proxy= 0.0.0.0/0.0.0.0/256/0,

    protocol= ESP, transform= esp-aes 256 esp-sha-hmac  (Tunnel),

    lifedur= 3600s and 4608000kb,

    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0

*Jan  6 20:01:39.970: ISAKMP:(0): SA request profile is (NULL)

*Jan  6 20:01:39.970: ISAKMP: Created a peer struct for 91.171.156.66, peer port 500

*Jan  6 20:01:39.970: ISAKMP: New peer created peer = 0x862DF5A4 peer_handle = 0x8000000B

*Jan  6 20:01:39.970: ISAKMP: Locking peer struct 0x862DF5A4, refcount 1 for isakmp_initiator

*Jan  6 20:01:39.970: ISAKMP: local port 500, remote port 500

*Jan  6 20:01:39.970: ISAKMP: set new node 0 to QM_IDLE

*Jan  6 20:01:39.970: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 87A14F48

*Jan  6 20:01:39.970: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.

*Jan  6 20:01:39.970: ISAKMP:(0):found peer pre-shared key matching 91.171.156.66

*Jan  6 20:01:39.970: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

*Jan  6 20:01:39.970: ISAKMP:(0): constructed NAT-T vendor-07 ID

*Jan  6 20:01:39.970: ISAKMP:(0): constructed NAT-T vendor-03 ID

*Jan  6 20:01:39.970: ISAKMP:(0): constructed NAT-T vendor-02 ID

*Jan  6 20:01:39.970: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

*Jan  6 20:01:39.970: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

*Jan  6 20:01:39.970: ISAKMP:(0): beginning Main Mode exchange

*Jan  6 20:01:39.970: ISAKMP:(0): sending packet to 91.171.156.66 my_port 500 peer_port 500 (I) MM_NO_STATE

*Jan  6 20:01:39.970: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Jan  6 20:01:39.998: ISAKMP (0): received packet from 91.171.156.66 dport 500 sport 500 Global (I) MM.

Success rate is 0 percent (0/1)

CBSO-Aston-DSL#_NO_STATE

*Jan  6 20:01:39.998: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Jan  6 20:01:39.998: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

*Jan  6 20:01:39.998: ISAKMP:(0): processing SA payload. message ID = 0

*Jan  6 20:01:39.998: ISAKMP:(0): processing vendor id payload

*Jan  6 20:01:39.998: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

*Jan  6 20:01:39.998: ISAKMP (0): vendor ID is NAT-T RFC 3947

*Jan  6 20:01:39.998: ISAKMP:(0): processing vendor id payload

*Jan  6 20:01:39.998: ISAKMP:(0): processing IKE frag vendor id payload

*Jan  6 20:01:39.998: ISAKMP:(0):Support for IKE Fragmentation not enabled

*Jan  6 20:01:39.998: ISAKMP:(0):found peer pre-shared key matching 91.171.156.66

*Jan  6 20:01:39.998: ISAKMP:(0): local preshared key found

*Jan  6 20:01:39.998: ISAKMP : Scanning profiles for xauth ...

*Jan  6 20:01:39.998: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy

*Jan  6 20:01:39.998: ISAKMP:      encryption AES-CBC

*Jan  6 20:01:39.998: ISAKMP:      keylength of 256

*Jan  6 20:01:39.998: ISAKMP:      hash SHA

*Jan  6 20:01:39.998: ISAKMP:      default group 5

*Jan  6 20:01:39.998: ISAKMP:      auth pre-share

*Jan  6 20:01:39.998: ISAKMP:      life type in seconds

*Jan  6 20:01:39.998: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80

*Jan  6 20:01:39.998: ISAKMP:(0):atts are acceptable. Next payload is 0

*Jan  6 20:01:39.998: ISAKMP:(0):Acceptable atts:actual life: 0

*Jan  6 20:01:39.998: ISAKMP:(0):Acceptable atts:life: 0

*Jan  6 20:01:39.998: ISAKMP:(0):Fill atts in sa vpi_length:4

*Jan  6 20:01:39.998: ISAKMP:(0):Fill atts in sa life_in_seconds:86400

*Jan  6 20:01:39.998: ISAKMP:(0):Returning Actual lifetime: 86400

*Jan  6 20:01:39.998: ISAKMP:(0)::Started lifetime timer: 86400.

*Jan  6 20:01:39.998: ISAKMP:(0): processing vendor id payload

*Jan  6 20:01:39.998: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

*Jan  6 20:01:39.998: ISAKMP (0): vendor ID is NAT-T RFC 3947

*Jan  6 20:01:39.998: ISAKMP:(0): processing vendor id payload

*Jan  6 20:01:39.998: ISAKMP:(0): processing IKE frag vendor id payload

*Jan  6 20:01:39.998: ISAKMP:(0):Support for IKE Fragmentation not enabled

*Jan  6 20:01:39.998: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Jan  6 20:01:39.998: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

*Jan  6 20:01:39.998: ISAKMP:(0): sending packet to 91.171.156.66 my_port 500 peer_port 500 (I) MM_SA_SETUP

*Jan  6 20:01:39.998: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Jan  6 20:01:40.002: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Jan  6 20:01:40.002: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

*Jan  6 20:01:40.062: ISAKMP (0): received packet from 91.171.156.66 dport 500 sport 500 Global (I) MM_SA_SETUP

*Jan  6 20:01:40.066: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Jan  6 20:01:40.066: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

*Jan  6 20:01:40.066: ISAKMP:(0): processing KE payload. message ID = 0

*Jan  6 20:01:40.158: ISAKMP:(0): processing NONCE payload. message ID = 0

*Jan  6 20:01:40.158: ISAKMP:(0):found peer pre-shared key matching 91.171.156.66

*Jan  6 20:01:40.162: ISAKMP:(2009): processing vendor id payload

*Jan  6 20:01:40.162: ISAKMP:(2009): vendor ID is Unity

*Jan  6 20:01:40.162: ISAKMP:(2009): processing vendor id payload

*Jan  6 20:01:40.162: ISAKMP:(2009): vendor ID seems Unity/DPD but major 242 mismatch

*Jan  6 20:01:40.162: ISAKMP:(2009): vendor ID is XAUTH

*Jan  6 20:01:40.162: ISAKMP:(2009): processing vendor id payload

*Jan  6 20:01:40.162: ISAKMP:(2009): speaking to another IOS box!

*Jan  6 20:01:40.162: ISAKMP:(2009): processing vendor id payload

*Jan  6 20:01:40.162: ISAKMP:(2009):vendor ID seems Unity/DPD but hash mismatch

*Jan  6 20:01:40.162: ISAKMP:received payload type 20

*Jan  6 20:01:40.162: ISAKMP (2009): His hash no match - this node outside NAT

*Jan  6 20:01:40.162: ISAKMP:received payload type 20

*Jan  6 20:01:40.162: ISAKMP (2009): No NAT Found for self or peer

*Jan  6 20:01:40.162: ISAKMP:(2009):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Jan  6 20:01:40.162: ISAKMP:(2009):Old State = IKE_I_MM4  New State = IKE_I_MM4

*Jan  6 20:01:40.162: ISAKMP:(2009):Send initial contact

*Jan  6 20:01:40.162: ISAKMP:(2009):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

*Jan  6 20:01:40.162: ISAKMP (2009): ID payload

        next-payload : 8

        type         : 1

        address      : 81.149.110.113

        protocol     : 17

        port         : 500

        length       : 12

*Jan  6 20:01:40.162: ISAKMP:(2009):Total payload length: 12

*Jan  6 20:01:40.162: ISAKMP:(2009): sending packet to 91.171.156.66 my_port 500 peer_port 500 (I) MM_KEY_EXCH

*Jan  6 20:01:40.162: ISAKMP:(2009):Sending an IKE IPv4 Packet.

*Jan  6 20:01:40.162: ISAKMP:(2009):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Jan  6 20:01:40.162: ISAKMP:(2009):Old State = IKE_I_MM4  New State = IKE_I_MM5

*Jan  6 20:01:40.190: ISAKMP (2009): received packet from 91.171.156.66 dport 500 sport 500 Global (I) MM_KEY_EXCH

*Jan  6 20:01:40.190: ISAKMP:(2009): processing ID payload. message ID = 0

*Jan  6 20:01:40.190: ISAKMP (2009): ID payload

        next-payload : 8

        type         : 1

        address      : 91.171.156.66

        protocol     : 17

        port         : 0

        length       : 12

*Jan  6 20:01:40.190: ISAKMP:(0):: peer matches *none* of the profiles

*Jan  6 20:01:40.190: ISAKMP:(2009): processing HASH payload. message ID = 0

*Jan  6 20:01:40.190: ISAKMP:received payload type 17

*Jan  6 20:01:40.190: ISAKMP:(2009): processing vendor id payload

*Jan  6 20:01:40.190: ISAKMP:(2009): vendor ID is DPD

*Jan  6 20:01:40.190: ISAKMP:(2009):SA authentication status:

        authenticated

*Jan  6 20:01:40.190: ISAKMP:(2009):SA has been authenticated with 91.171.156.66

*Jan  6 20:01:40.190: ISAKMP: Trying to insert a peer 81.149.110.113/91.171.156.66/500/,  and inserted successfully 862DF5A4.

*Jan  6 20:01:40.190: ISAKMP:(2009):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Jan  6 20:01:40.190: ISAKMP:(2009):Old State = IKE_I_MM5  New State = IKE_I_MM6

*Jan  6 20:01:40.190: ISAKMP:(2009):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Jan  6 20:01:40.190: ISAKMP:(2009):Old State = IKE_I_MM6  New State = IKE_I_MM6

*Jan  6 20:01:40.194: ISAKMP:(2009):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Jan  6 20:01:40.194: ISAKMP:(2009):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

*Jan  6 20:01:40.194: ISAKMP:(2009):beginning Quick Mode exchange, M-ID of 826305285

*Jan  6 20:01:40.194: ISAKMP:(2009):QM Initiator gets spi

*Jan  6 20:01:40.194: ISAKMP:(2009): sending packet to 91.171.156.66 my_port 500 peer_port 500 (I) QM_IDLE

*Jan  6 20:01:40.194: ISAKMP:(2009):Sending an IKE IPv4 Packet.

*Jan  6 20:01:40.194: ISAKMP:(2009):Node 826305285, Input = IKE_MESG_INTERNAL, IKE_INIT_QM

*Jan  6 20:01:40.194: ISAKMP:(2009):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1

*Jan  6 20:01:40.194: ISAKMP:(2009):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

*Jan  6 20:01:40.194: ISAKMP:(2009):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Jan  6 20:01:40.234: ISAKMP (2009): received packet from 91.171.156.66 dport 500 sport 500 Global (I) QM_IDLE

*Jan  6 20:01:40.234: ISAKMP: set new node -1068276346 to QM_IDLE

*Jan  6 20:01:40.234: ISAKMP:(2009): processing HASH payload. message ID = 3226690950

*Jan  6 20:01:40.234: ISAKMP:(2009): processing NOTIFY INVALID_ID_INFO protocol 1

        spi 0, message ID = 3226690950, sa = 0x87A14F48

*Jan  6 20:01:40.234: ISAKMP:(2009):peer does not do paranoid keepalives.

*Jan  6 20:01:40.234: ISAKMP:(2009):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE       (peer 91.171.156.66)

*Jan  6 20:01:40.234: ISAKMP:(2009):deleting node -1068276346 error FALSE reason "Informational (in) state 1"

*Jan  6 20:01:40.234: ISAKMP:(2009):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

*Jan  6 20:01:40.234: ISAKMP:(2009):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Jan  6 20:01:40.234: ISAKMP (2009): received packet from 91.171.156.66 dport 500 sport 500 Global (I) QM_IDLE

*Jan  6 20:01:40.238: ISAKMP: set new node -351243224 to QM_IDLE

*Jan  6 20:01:40.238: ISAKMP:(2009): sending packet to 91.171.156.66 my_port 500 peer_port 500 (I) QM_IDLE

*Jan  6 20:01:40.238: ISAKMP:(2009):Sending an IKE IPv4 Packet.

*Jan  6 20:01:40.238: ISAKMP:(2009):purging node -351243224

*Jan  6 20:01:40.238: ISAKMP:(2009):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

*Jan  6 20:01:40.238: ISAKMP:(2009):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

*Jan  6 20:01:40.238: ISAKMP:(2009):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE       (peer 91.171.156.66)

*Jan  6 20:01:40.238: ISAKMP: Unlocking peer struct 0x862DF5A4 for isadb_mark_sa_deleted(), count 0

*Jan  6 20:01:40.238: ISAKMP: Deleting peer node by peer_reap for 91.171.156.66: 862DF5A4

*Jan  6 20:01:40.238: ISAKMP:(2009):deleting node 826305285 error FALSE reason "IKE deleted"

*Jan  6 20:01:40.238: ISAKMP:(2009):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Jan  6 20:01:40.238: ISAKMP:(2009):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

*Jan  6 20:01:40.238: IPSEC(key_engine): got a queue event with 1 KMI message(s)

*Jan  6 20:01:43.118: ISAKMP:(2008):purging node -1331402024

*Jan  6 20:01:43.122: ISAKMP:(2008):purging node -1977171047

Let me know what else you need.

Thanks