Thanks Rob. I will make the changes and test after-hours tonight and let you know how it goes.

Rob, I made the changes on both routers but the problem remains. Of course, the subnet IPs in the access-list are reversed on the opposite router. Both locations have internet access but no VPN.

That section of the config now looks like this:

!
interface GigabitEthernet0/0/1
description Spectrum Internet Connection
ip address 10.10.10.2 255.255.255.248
ip nat outside
zone-member security OUTSIDE
negotiation auto
crypto map mymap
!
interface GigabitEthernet0/1/0
zone-member security INSIDE
!
interface GigabitEthernet0/1/1
zone-member security INSIDE
!
interface GigabitEthernet0/1/2
zone-member security INSIDE
!
interface GigabitEthernet0/1/3
zone-member security INSIDE
!
interface Vlan1
ip address 192.168.0.1 255.255.255.0
ip nat inside
zone-member security INSIDE
!
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0/1
ip forward-protocol nd
ip nat inside source list NAT interface GigabitEthernet0/0/1 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 10.10.10.1
ip route 0.0.0.0 0.0.0.0 10.10.10.1
!
!
ip access-list extended NAT
10 deny ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
20 permit ip any any
ip access-list extended VTA-INTERNET-IN
10 permit esp object-group IPSEC-PEERS host 10.10.10.2
20 permit udp object-group IPSEC-PEERS host 10.10.10.2 eq isakmp
30 permit icmp object-group IPSEC-PEERS host 10.10.10.2 echo
40 permit udp object-group IPSEC-PEERS host 10.10.10.2 eq isakmp non500-isakmp
ip access-list extended Web_acl
10 permit ip any any
ip access-list extended brvpn
10 permit ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
ip access-list extended vpn-port_acl
10 permit object-group vpn-port_svc any any
!
ip access-list standard 1
10 permit 192.168.0.0 0.0.0.255
!

@BrianVentura have you generated interesting traffic in order to establish the tunnel? Interesting traffic must match src and dst as per the crypto ACL in order to attempt to establish a tunnel.

Have the ISAKMP and IPSec SAs been established? Run show crypto isakmp sa and show crypto ipsec sa - provide the output for review (if any).

If the SAs are not established, enable debugs debug crypto isakmp. You will need to generate interesting traffic, at which point there will be some debug output - provide the output for review.

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html
https://community.cisco.com/t5/security-blogs/ipsec-important-debugging-and-logging/ba-p/3100883

Your WAN interface (Gi0/0/1) appears to have a private IP address, is there a static NAT on the device in front of your router? Is NAT-T configured on the routers?

You could also run a packet capture on the outside interface, to confirm you receive traffic (udp/500, esp and possibly udp/4500) from the peer.

Rob,

When I run the "debug crypto isakmp" it simply says "Crypto ISAKMP debugging is on" and when I run the various "show" commands all the results show zero activity.

----------------------

VTARouter#
VTARouter#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
20.20.20.2 10.10.10.2 MM_NO_STATE 0 ACTIVE

IPv6 Crypto ISAKMP SA

VTARouter#debug crypto isakmp
Crypto ISAKMP debugging is on
VTARouter#
VTARouter#
VTARouter#show crypto map
Crypto Map IPv4 "mymap" 10 ipsec-isakmp
Peer = 20.20.20.2
Extended IP access list brvpn
access-list brvpn permit ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
Current peer: 20.20.20.2
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
myset: { esp-aes esp-sha256-hmac } ,
}
Interfaces using crypto map mymap:
GigabitEthernet0/0/1

VTARouter#show crypto ipsec sa

interface: GigabitEthernet0/0/1
Crypto map tag: mymap, local addr 10.10.10.2

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer 20.20.20.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 48, #recv errors 0

local crypto endpt.: 10.10.10.2, remote crypto endpt.: 20.20.20.2
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:
VTARouter#

@BrianVentura there are no "inbound esp sas" or "outbound esp sas" so the VPN is not established. Did you generate interesting traffic from 192.168.0.x to 192.168.3.x? Or generate traffic traffic from the remote side? Only when traffic is generated will the SAs be established (if everything is working) and then you would see debug output.

What about the other questions I asked? Gi0/0/1 interface IP address and NAT?

I read your previous instructions to indicate that enabling debugging would itself generate interesting traffic.

Would one subnet attempting to address the other directly via ip address be sufficient to generate interesting traffic? For example, a desktop computer at 192.168.0.14 using a web browser and entering 192.168.3.45 in the address bar?

@BrianVentura yes, any IP address in the local network (192.168.0.14) communicating with the remote network (192.168.3.45) would be classed as interesting traffic (match the crypto ACL) and therefore attempt to establish the tunnel, if debugs are enabled output would be generated.

I can confirm that both sides of the VPN have attempted to generate interesting traffic.

I am not to sure about the outside NAT situation but I can see on our old Cisco RV325 routers which we are currently using that NAT Traversal is not enabled on the VPN.

Friend remove the zone pair outside to self and self to outside, 

Then ping from VPN local lan to VPN remote LAN and check 

Your service group use in ACL of class of policy of this zone is not correct I guess 

MHM

@MHM Cisco World  @Rob Ingram 

I removed the zone pair as MHM suggested but the results were the same.

I was able to get some debugging data from the console.

I am unable to paste the debug log here so I attached a txt file.

I am concerned because it appears to be actively trying to communicate with a vpn tunnel that I deleted (30.30.30.2)

Aug 21 23:23:18.105: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Aug 21 23:23:18.105: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Aug 21 23:23:18.105: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Aug 21 23:23:18.106: ISAKMP-PAK:

Thanks for debug 

First you have interface up/down check it 

Second do you see retransimt this occur when 

1-use wrong peer IP

2- peer use ACL drop Isakmp traffic

3- there is no route for remote peer 

Check these two points 

MHM

@BrianVentura this router is receiving traffic from 30.30.30.2, so the other end is still configured with a VPN to your router.

*Aug 21 23:26:20.799: ISAKMP-PAK: (0):received packet from 30.30.30.2 dport 500 sport 500 Global (N) NEW SA

It looks like your router is retransmitting and failing to get a response, check the remote router receives the traffic and is configured correctly and nothing is blocking communication.

*Aug 21 23:27:04.251: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Aug 21 23:27:04.251: ISAKMP: (0):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Aug 21 23:27:04.251: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Aug 21 23:27:04.251: ISAKMP-PAK: (0):sending packet to 20.20.20.2 my_port 500 peer_port 500 (I) MM_NO_STATE

 Take a packet capture on both sides.

That makes sense Rob. That other vpn is for a 3rd party business partner and I am trying to just focus on our primary business vpn between our two offices for now. I was concerned that I hadn't deleted it properly.