Hey

I'm trying to set up a site-to-site vpn between a cisco 871 router(IOS 12.4) and asa 5550  8.4

The router conf:

crypto isakmp policy 1

authentication pre-share

encr 3des

hash sha

group 2

lifetime 86400

exit

crypto isakmp key secretkey address router_external_ip

crypto ipsec transform-set ASA-IPSEC esp-sha-hmac esp-des

mode tunnel

exit

ip access-list extended SDM_2

permit ip remote_lan 0.0.0.255 local_lan 0.0.0.255

exit

crypto map SDM_CMAP_1 2 ipsec-isakmp

set transform-set ASA-IPSEC

set peer router_external_ip

match address SDM_2

and ASA conf:

object network local_lan

subnet local_lan 255.255.255.0

object network remote_lan

subnet remote_lan 255.255.255.0

access-list outside_cryptomap extended permit ip local_lan object remote_lan

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer 213.226.133.162

crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA

crypto map outside_map 1 set security-association lifetime seconds 86400

crypto map outside_map interface outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

group-policy GroupPolicy_remote_ip internal

group-policy GroupPolicy_remote_ip attributes

ipv6-vpn-filter none

vpn-tunnel-protocol ikev1

tunnel-group remote_ip type ipsec-l2l

tunnel-group remote_ip general-attributes

default-group-policy GroupPolicy_remote_ip

tunnel-group remote_ip ipsec-attributes

ikev1 pre-shared-key *****

ASA:

sh crypto isakmp sa

There are no IKEv1 SAs

There are no IKEv2 SAs

gw# sh crypto ipsec sa

There are no ipsec sas

If i try to test the tunnel from the routers end, i get entries in the ASA log:

5|Jun 30 2011|11:24:25|713904|||||IP = remote_ip, Received encrypted packet with no matching SA, dropping

4|Jun 30 2011|11:24:25|113019|||||Group = remote_ip, Username = remote_ip, IP =remote_ip, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch

7|Jun 30 2011|11:24:25|746013|||||user-identity: Delete IP-User mapping remote_ip- LOCAL\remote_ip Failed - VPN user logout

5|Jun 30 2011|11:24:25|713259|||||Group = remote_ip, IP = remote_ip, Session is being torn down. Reason: Phase 2 Mismatch

7|Jun 30 2011|11:24:25|713236|||||IP = remote_ip, IKE_DECODE SENDING Message (msgid=92b5d2f9) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80

7|Jun 30 2011|11:24:25|715046|||||Group = remote_ip, IP = remote_ip, constructing qm hash payload

7|Jun 30 2011|11:24:25|715046|||||Group = remote_ip, IP = remote_ip, constructing IKE delete payload

7|Jun 30 2011|11:24:25|715046|||||Group = remote_ip, IP = remote_ip, constructing blank hash payload

7|Jun 30 2011|11:24:25|713906|||||Group = remote_ip, IP = remote_ip, sending delete/delete with reason message

7|Jun 30 2011|11:24:25|713906|||||Group = remote_ip, IP = remote_ip, IKE SA MM:3bba15da terminating:  flags 0x01018002, refcnt 0, tuncnt 0

7|Jun 30 2011|11:24:25|713906|||||Group = remote_ip, IP = remote_ip, IKE SA MM:3bba15da rcv'd Terminate: state MM_ACTIVE  flags 0x00018042, refcnt 1, tuncnt 0

3|Jun 30 2011|11:24:25|713902|||||Group = remote_ip, IP = 213.226.133.162, Removing peer from correlator table failed, no match!

7|Jun 30 2011|11:24:25|713906|||||Group = remote_ip, IP = 213.226.133.162, sending delete/delete with reason message

7|Jun 30 2011|11:24:25|715065|||||Group = remote_ip, IP = 213.226.133.162, IKE QM Responder FSM error history (struct &0x2446d720)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH

3|Jun 30 2011|11:24:25|713902|||||Group = remote_ip, IP = remote_ip, QM FSM error (P2 struct &0x2446d720, mess id 0xc8d5ef77)!

7|Jun 30 2011|11:24:25|713236|||||IP = remote_ip, IKE_DECODE SENDING Message (msgid=37621ef6) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

7|Jun 30 2011|11:24:25|715046|||||Group = remote_ip, IP = remote_ip, constructing qm hash payload

7|Jun 30 2011|11:24:25|713906|||||Group = remote_ip, IP = remote_ip, constructing ipsec notify payload for msg id c8d5ef77

7|Jun 30 2011|11:24:20|715046|||||Group = remote_ip, IP = remote_ip, constructing blank hash payload

7|Jun 30 2011|11:24:20|713906|||||Group = remote_ip, IP = remote_ip, sending notify message

5|Jun 30 2011|11:24:20|713904|||||Group = remote_ip, IP = remote_ip, All IPSec SA proposals found unacceptable!

7|Jun 30 2011|11:24:20|715047|||||Group = remote_ip, IP = remote_ip, processing IPSec SA payload

7|Jun 30 2011|11:24:20|713066|||||Group = remote_ip, IP = remote_ip, IKE Remote Peer configured for crypto map: outside_map

7|Jun 30 2011|11:24:20|713225|||||Group = remote_ip, IP = remote_ip, Static Crypto Map check, map outside_map, seq = 1 is a successful match

7|Jun 30 2011|11:24:20|713221|||||Group = remote_ip, IP = remote_ip, Static Crypto Map check, checking map = outside_map, seq = 1...

7|Jun 30 2011|11:24:20|713906|||||Group = remote_ip, IP = remote_ip, QM IsRekeyed old sa not found by addr

7|Jun 30 2011|11:24:20|713034|||||Group = remote_ip, IP = remote_ip, Received local IP Proxy Subnet data in ID Payload:   Address local_lan, Mask 255.255.255.0, Protocol 0, Port 0

7|Jun 30 2011|11:24:20|714011|||||Group = remote_ip, IP = remote_ip, ID_IPV4_ADDR_SUBNET ID received--local_lan--255.255.255.0

7|Jun 30 2011|11:24:20|715047|||||Group = remote_ip, IP = remote_ip, processing ID payload

7|Jun 30 2011|11:24:20|713035|||||Group = remote_ip, IP = remote_ip, Received remote IP Proxy Subnet data in ID Payload:   Address remote_lan, Mask 255.255.255.0, Protocol 0, Port 0

7|Jun 30 2011|11:24:20|714011|||||Group = remote_ip, IP = remote_ip, ID_IPV4_ADDR_SUBNET ID received--remote_lan--255.255.255.0

7|Jun 30 2011|11:24:20|715047|||||Group = remote_ip, IP = remote_ip, processing ID payload

7|Jun 30 2011|11:24:20|715047|||||Group = remote_ip, IP = remote_ip, processing nonce payload

7|Jun 30 2011|11:24:20|715047|||||Group = remote_ip, IP = remote_ip, processing SA payload

7|Jun 30 2011|11:24:20|715047|||||Group = remote_ip, IP = remote_ip, processing hash payload

7|Jun 30 2011|11:24:20|713236|||||IP = remote_ip, IKE_DECODE RECEIVED Message (msgid=c8d5ef77) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 168

7|Jun 30 2011|11:24:20|714003|||||IP = remote_ip, IKE Responder starting QM: msg id = c8d5ef77

7|Jun 30 2011|11:24:20|746012|||||user-identity: Add IP-User mapping remote_ip - LOCAL\remote_ip Succeeded - VPN user

7|Jun 30 2011|11:24:20|715080|||||Group = remote_ip, IP = remote_ip, Starting P1 rekey timer: 64800 seconds.

7|Jun 30 2011|11:24:20|713121|||||IP = remote_ip, Keep-alive type for this connection: DPD

5|Jun 30 2011|11:24:20|713119|||||Group = remote_ip, IP = remote_ip, PHASE 1 COMPLETED

Any ideas?