cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
812
Views
5
Helpful
2
Replies

Site to site VPN not working

Portus92
Level 1
Level 1

Hello,

I would like to set up a site to site VPN between 2 Cisco 881 :

version 15.5
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RemoteLab
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 
!
aaa new-model
!
!
aaa authentication login userVPN local
aaa authorization network groupVPN local
!
aaa session-id common
ethernet lmi ce
memory-size iomem 10
clock timezone PST 2 0
!
ip dhcp excluded-address 10.0.10.1 10.0.10.10
!
ip dhcp pool VLAN100
 network 10.0.10.0 255.255.255.0
 default-router 10.0.10.1
 dns-server 1.1.1.1
 domain-name remotelab.lab
!
!
!
ip domain name remote.lab
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn 
!
!
username labo privilege 15 secret 8 
!
!
!
!
!
!
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 3600
!
crypto isakmp policy 20
 authentication pre-share
crypto isakmp key LabRemote123 address AB.CD.160.216
crypto isakmp keepalive 60
crypto isakmp xauth timeout 5

!
crypto isakmp client configuration group groupVPN
 key xxx
 pool VPNPOOL
!
!
crypto ipsec transform-set setVPN esp-aes esp-sha256-hmac
 mode tunnel
crypto ipsec transform-set P2PSET esp-aes esp-sha-hmac
 mode transport
!
!
!
crypto dynamic-map dynamicVPN 10
 set transform-set setVPN
 reverse-route
!
!
crypto map staticMap client authentication list userVPN
crypto map staticMap isakmp authorization list groupVPN
crypto map staticMap client configuration address respond
crypto map staticMap 10 ipsec-isakmp dynamic dynamicVPN
crypto map staticMap 20 ipsec-isakmp
 set peer AB.CD.160.216
 set transform-set P2PSET
 match address 150
!
!
!
!
!
interface FastEthernet0
 switchport access vlan 10
 no ip address
!
interface FastEthernet1
 switchport access vlan 20
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 no ip address
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Vlan1
 no ip address
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 no ip redirects
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Vlan20
 ip address 192.168.92.1 255.255.255.0
 no ip redirects
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Dialer1
 mtu 1492
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname xxx
 ppp chap password 0 xxx
 crypto map staticMap
!
ip local pool VPNPOOL 192.168.50.1 192.168.50.10
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 100 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip ssh version 2
!
ip access-list extended VPNACL
 permit icmp any any
 permit ip any any
!
dialer-list 1 protocol ip permit
!
access-list 100 deny   ip 10.0.10.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 100 deny   ip 10.0.10.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 100 deny   ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 100 deny   ip 192.168.92.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 100 permit ip any any
access-list 150 permit ip 10.0.10.0 0.0.0.255 192.168.30.0 0.0.0.255
!
!
!
control-plane
!
!
 vstack
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 0 0
 transport input ssh
line vty 5 15
 exec-timeout 0 0
 transport input ssh
version 15.5
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
ethernet lmi ce
memory-size iomem 10
!
!
ip dhcp excluded-address 192.168.30.1 192.168.30.10
!
ip dhcp pool VLAN30
 network 192.168.30.0 255.255.255.0
 default-router 192.168.30.1 
 dns-server 1.1.1.1 
!
!
!
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn 
! 
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key LabRemote123 address AB.CD.99.101  
crypto isakmp keepalive 60
!         
!
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac 
 mode transport
!
!
!
crypto map MYMAP 1 ipsec-isakmp 
 set peer AB.CD.99.101
 set transform-set MYSET 
 match address 150
!
!
interface FastEthernet0
 switchport access vlan 30
 no ip address
 spanning-tree portfast
!
interface FastEthernet1
 no ip address
!         
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 no ip address
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 crypto map MYMAP
!
interface Vlan1
 no ip address
!
interface Vlan30
 ip address 192.168.30.1 255.255.255.0
 no ip redirects
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Dialer1
 mtu 1492
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname xxx
 ppp chap password 0 xxx
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 100 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!         
dialer-list 1 protocol ip permit
!
access-list 100 deny   ip 192.168.30.0 0.0.0.255 10.0.10.0 0.0.0.255
access-list 100 permit ip any any
access-list 150 permit ip 192.168.30.0 0.0.0.255 10.0.10.0 0.0.0.255

When I start a ping from RemoteLab to R1 (ping 192.168.30.1 from IP 10.0.10.1) I have this result on R1 (debug crypto isakmp) : 

*Jul 24 16:26:18.171: ISAKMP-PAK: (0):received packet from AB.CD.99.101 dport 500 sport 500 Global (N) NEW SA
*Jul 24 16:26:18.171: ISAKMP: (0):Created a peer struct for AB.CD.99.101, peer port 500
*Jul 24 16:26:18.171: ISAKMP: (0):New peer created peer = 0x8A929118 peer_handle = 0x8000000E
*Jul 24 16:26:18.171: ISAKMP: (0):Locking peer struct 0x8A929118, refcount 1 for crypto_isakmp_process_block
*Jul 24 16:26:18.171: ISAKMP: (0):local port 500, remote port 500
*Jul 24 16:26:18.171: ISAKMP: (0):insert sa successfully sa = 8BE4DEF4
*Jul 24 16:26:18.171: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 24 16:26:18.171: ISAKMP: (0):Old State = IKE_READY  New State = IKE_R_MM1 

*Jul 24 16:26:18.171: ISAKMP: (0):processing SA payload. message ID = 0
*Jul 24 16:26:18.171: ISAKMP: (0):processing vendor id payload
*Jul 24 16:26:18.171: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
*Jul 24 16:26:18.171: ISAKMP: (0):vendor ID is NAT-T RFC 3947
*Jul 24 16:26:18.171: ISAKMP: (0):processing vendor id payload
*Jul 24 16:26:18.171: ISAKMP: (0):vendor ID seems Unity/DPD but major 245 mismatch
*Jul 24 16:26:18.171: ISAKMP: (0):vendor ID is NAT-T v7
*Jul 24 16:26:18.171: ISAKMP: (0):processing vendor id payload
*Jul 24 16:26:18.171: ISAKMP: (0):vendor ID seems Unity/DPD but major 157 mismatch
*Jul 24 16:26:18.171: ISAKMP: (0):vendor ID is NAT-T v3
*Jul 24 16:26:18.171: ISAKMP: (0):processing vendor id payload
*Jul 24 16:26:18.171: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
*Jul 24 16:26:18.171: ISAKMP: (0):vendor ID is NAT-T v2
*Jul 24 16:26:18.171: ISAKMP: (0):found peer pre-shared key matching AB.CD.99.101
*Jul 24 16:26:18.171: ISAKMP: (0):local preshared key found
*Jul 24 16:26:18.171: ISAKMP: (0):Scanning profiles for xauth ...
*Jul 24 16:26:18.171: ISAKMP: (0):Checking ISAKMP transform 1 against priority 1 policy
*Jul 24 16:26:18.171: ISAKMP: (0):      encryption AES-CBC
*Jul 24 16:26:18.171: ISAKMP: (0):      keylength of 256
*Jul 24 16:26:18.171: ISAKMP: (0):      hash SHA256
*Jul 24 16:26:18.171: ISAKMP: (0):      default group 14
*Jul 24 16:26:18.171: ISAKMP: (0):      auth pre-share
*Jul 24 16:26:18.171: ISAKMP: (0):      life type in seconds
*Jul 24 16:26:18.171: ISAKMP: (0):      life duration (basic) of 3600
*Jul 24 16:26:18.171: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
*Jul 24 16:26:18.171: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
*Jul 24 16:26:18.171: ISAKMP: (0):Checking ISAKMP transform 2 against priority 1 policy
*Jul 24 16:26:18.171: ISAKMP: (0):      encryption DES-CBC
*Jul 24 16:26:18.171: ISAKMP: (0):      hash SHA
*Jul 24 16:26:18.171: ISAKMP: (0):      default group 1
*Jul 24 16:26:18.171: ISAKMP: (0):      auth pre-share
*Jul 24 16:26:18.171: ISAKMP: (0):      life type in seconds
*Jul 24 16:26:18.171: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
*Jul 24 16:26:18.171: ISAKMP: (0):atts are acceptable. Next payload is 0
*Jul 24 16:26:18.171: ISAKMP: (0):Acceptable atts:actual life: 86400
*Jul 24 16:26:18.171: ISAKMP: (0):Acceptable atts:life: 0
*Jul 24 16:26:18.171: ISAKMP: (0):Fill atts in sa vpi_length:4
*Jul 24 16:26:18.171: ISAKMP: (0):Fill atts in sa life_in_seconds:86400
*Jul 24 16:26:18.171: ISAKMP: (0):Returning Actual lifetime: 86400
*Jul 24 16:26:18.171: ISAKMP: (0):Started lifetime timer: 86400.

*Jul 24 16:26:18.175: ISAKMP: (0):processing vendor id payload
*Jul 24 16:26:18.175: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
*Jul 24 16:26:18.175: ISAKMP: (0):vendor ID is NAT-T RFC 3947
*Jul 24 16:26:18.175: ISAKMP: (0):processing vendor id payload
*Jul 24 16:26:18.175: ISAKMP: (0):vendor ID seems Unity/DPD but major 245 mismatch
*Jul 24 16:26:18.175: ISAKMP: (0):vendor ID is NAT-T v7
*Jul 24 16:26:18.175: ISAKMP: (0):processing vendor id payload
*Jul 24 16:26:18.175: ISAKMP: (0):vendor ID seems Unity/DPD but major 157 mismatch
*Jul 24 16:26:18.175: ISAKMP: (0):vendor ID is NAT-T v3
*Jul 24 16:26:18.175: ISAKMP: (0):processing vendor id payload
*Jul 24 16:26:18.175: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
*Jul 24 16:26:18.175: ISAKMP: (0):vendor ID is NAT-T v2
*Jul 24 16:26:18.175: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 24 16:26:18.175: ISAKMP: (0):Old State = IKE_R_MM1  New State = IKE_R_MM1 

*Jul 24 16:26:18.175: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
*Jul 24 16:26:18.175: ISAKMP-PAK: (0):sending packet to AB.CD.99.101 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Jul 24 16:26:18.175: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Jul 24 16:26:18.175: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 24 16:26:18.175: ISAKMP: (0):Old State = IKE_R_MM1  New State = IKE_R_MM2 

*Jul 24 16:26:18.207: ISAKMP-PAK: (0):received packet from AB.CD.99.101 dport 500 sport 500 Global (R) MM_SA_SETUP
*Jul 24 16:26:18.207: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 24 16:26:18.207: ISAKMP: (0):Old State = IKE_R_MM2  New State = IKE_R_MM3 

*Jul 24 16:26:18.207: ISAKMP: (0):processing KE payload. message ID = 0
*Jul 24 16:26:18.227: ISAKMP: (0):processing NONCE payload. message ID = 0
*Jul 24 16:26:18.227: ISAKMP: (0):found peer pre-shared key matching AB.CD.99.101
*Jul 24 16:26:18.227: ISAKMP: (2011):processing vendor id payload
*Jul 24 16:26:18.227: ISAKMP: (2011):vendor ID is DPD
*Jul 24 16:26:18.227: ISAKMP: (2011):processing vendor id payload
*Jul 24 16:26:18.227: ISAKMP: (2011):speaking to another IOS box!
*Jul 24 16:26:18.227: ISAKMP: (2011):processing vendor id payload
*Jul 24 16:26:18.227: ISAKMP: (2011):vendor ID seems Unity/DPD but major 127 mismatch
*Jul 24 16:26:18.227: ISAKMP: (2011):vendor ID is XAUTH
*Jul 24 16:26:18.227: ISAKMP: (2011):received payload type 20
*Jul 24 16:26:18.227: ISAKMP: (2011):His hash no match - this node outside NAT
*Jul 24 16:26:18.227: ISAKMP: (2011):received payload type 20
*Jul 24 16:26:18.227: ISAKMP: (2011):No NAT Found for self or peer
*Jul 24 16:26:18.227: ISAKMP: (2011):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 24 16:26:18.227: ISAKMP: (2011):Old State = IKE_R_MM3  New State = IKE_R_MM3 

*Jul 24 16:26:18.231: ISAKMP-PAK: (2011):sending packet to AB.CD.99.101 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jul 24 16:26:18.231: ISAKMP: (2011):Sending an IKE IPv4 Packet.
*Jul 24 16:26:18.231: ISAKMP: (2011):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 24 16:26:18.231: ISAKMP: (2011):Old State = IKE_R_MM3  New State = IKE_R_MM4 

*Jul 24 16:26:18.283: ISAKMP-PAK: (2011):received packet from AB.CD.99.101 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Jul 24 16:26:18.283: ISAKMP: (2011):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 24 16:26:18.283: ISAKMP: (2011):Old State = IKE_R_MM4  New State = IKE_R_MM5 

*Jul 24 16:26:18.283: ISAKMP: (2011):processing ID payload. message ID = 0
*Jul 24 16:26:18.283: ISAKMP: (2011):ID payload 
        next-payload : 8
        type         : 1
*Jul 24 16:26:18.283: ISAKMP: (2011):   address      : AB.CD.99.101
*Jul 24 16:26:18.283: ISAKMP: (2011):   protocol     : 17 
        port         : 500 
        length       : 12
*Jul 24 16:26:18.283: ISAKMP: (0):peer matches *none* of the profiles
*Jul 24 16:26:18.283: ISAKMP: (2011):processing HASH payload. message ID = 0
*Jul 24 16:26:18.283: ISAKMP: (2011):received payload type 17
*Jul 24 16:26:18.283: ISAKMP: (2011):processing NOTIFY INITIAL_CONTACT protocol 1
        spi 0, message ID = 0, sa = 0x8BE4DEF4
*Jul 24 16:26:18.283: ISAKMP: (2011):SA authentication status:
        authenticated
*Jul 24 16:26:18.283: ISAKMP: (2011):SA has been authenticated with AB.CD.99.101
*Jul 24 16:26:18.283: ISAKMP: (2011):SA authentication status:
        authenticated
*Jul 24 16:26:18.283: ISAKMP: (2011):Process initial contact,
bring down existing phase 1 and 2 SA's with local AB.CD.160.216 remote AB.CD.99.101 remote port 500
*Jul 24 16:26:18.283: ISAKMP: (0):Trying to insert a peer AB.CD.160.216/AB.CD.99.101/500/, 
*Jul 24 16:26:18.283: ISAKMP: (0): and inserted successfully 8A929118.
*Jul 24 16:26:18.283: ISAKMP: (2011):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 24 16:26:18.283: ISAKMP: (2011):Old State = IKE_R_MM5  New State = IKE_R_MM5 

*Jul 24 16:26:18.283: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul 24 16:26:18.283: ISAKMP: (2011):SA is doing 
*Jul 24 16:26:18.283: ISAKMP: (2011):pre-shared key authentication using id type ID_IPV4_ADDR
*Jul 24 16:26:18.283: ISAKMP: (2011):ID payload 
        next-payload : 8
        type         : 1
*Jul 24 16:26:18.287: ISAKMP: (2011):   address      : AB.CD.160.216
*Jul 24 16:26:18.287: ISAKMP: (2011):   protocol     : 17 
        port         : 500 
        length       : 12
*Jul 24 16:26:18.287: ISAKMP: (2011):Total payload length: 12
*Jul 24 16:26:18.287: ISAKMP-PAK: (2011):sending packet to AB.CD.99.101 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jul 24 16:26:18.287: ISAKMP: (2011):Sending an IKE IPv4 Packet.
*Jul 24 16:26:18.287: ISAKMP: (2011):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 24 16:26:18.287: ISAKMP: (2011):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE 

*Jul 24 16:26:18.287: ISAKMP: (2011):IKE_DPD is enabled, initializing timers
*Jul 24 16:26:18.287: ISAKMP: (2011):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jul 24 16:26:18.287: ISAKMP: (2011):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE 

*Jul 24 16:26:18.319: ISAKMP-PAK: (2011):received packet from AB.CD.99.101 dport 500 sport 500 Global (R) QM_IDLE      
*Jul 24 16:26:18.319: ISAKMP: (2011):set new node -1494307278 to QM_IDLE      
*Jul 24 16:26:18.319: ISAKMP: (2011):processing transaction payload from AB.CD.99.101. message ID = -1494307278
*Jul 24 16:26:18.319: ISAKMP: (2011):Config payload REQUEST
*Jul 24 16:26:18.319: ISAKMP: (2011):No provision for the request
*Jul 24 16:26:18.319: ISAKMP-ERROR: (2011):Invalid config REQUEST
*Jul 24 16:26:18.319: ISAKMP-ERROR: (2011):(2011): FSM action returned error: 2
*Jul 24 16:26:18.319: ISAKMP: (2011):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
*Jul 24 16:26:18.319: ISAKMP: (2011):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE 

*Jul 24 16:26:18.319: ISAKMP: (2011):peer does not do paranoid keepalives.
*Jul 24 16:26:18.319: ISAKMP-ERROR: (2011):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) QM_IDLE       (peer AB.CD.99.101)
*Jul 24 16:26:18.319: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul 24 16:26:18.319: IPSec: Key engine got a KEY_MGR_CHECK_MORE_SAS message
*Jul 24 16:26:18.319: ISAKMP (2011): IPSec has no more SA's with this peer.  Won't keepalive phase 1.
*Jul 24 16:26:18.323: ISAKMP: (2011):set new node 978968774 to QM_IDLE      
*Jul 24 16:26:18.323: ISAKMP-PAK: (2011):sending packet to AB.CD.99.101 my_port 500 peer_port 500 (R) QM_IDLE      
*Jul 24 16:26:18.323: ISAKMP: (2011):Sending an IKE IPv4 Packet.
*Jul 24 16:26:18.323: ISAKMP: (2011):purging node 978968774
*Jul 24 16:26:18.323: ISAKMP: (2011):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Jul 24 16:26:18.323: ISAKMP: (2011):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA 

*Jul 24 16:26:18.327: ISAKMP-ERROR: (2011):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) QM_IDLE       (peer AB.CD.99.101) 
*Jul 24 16:26:18.327: ISAKMP: (0):Unlocking peer struct 0x8A929118 for isadb_mark_sa_deleted(), count 0
*Jul 24 16:26:18.327: ISAKMP: (0):Deleting peer node by peer_reap for AB.CD.99.101: 8A929118
*Jul 24 16:26:18.327: ISAKMP: (2011):deleting node -1494307278 error FALSE reason "IKE deleted"
*Jul 24 16:26:18.327: ISAKMP: (2011):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 24 16:26:18.327: ISAKMP: (2011):Old State = IKE_DEST_SA  New State = IKE_DEST_SA 

*Jul 24 16:26:18.327: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul 24 16:26:18.355: ISAKMP-PAK: (2011):received packet from AB.CD.99.101 dport 500 sport 500 Global (R) MM_NO_STATE

The remote access VPN works fine.

I already tried a lot of things but nothing work for the site to site.

Thanks.

2 Replies 2

There are two things that directly catch my attention:

The crypto map sequence that references the dynamic crypto map always has to be the last line in the crypto-map:

crypto map staticMap 65000 ipsec-isakmp dynamic dynamicVPN

And the site-to-site VPN will establish a tunnel-mode SA. You should directly configure the transform-set that way.

 

Thank you !

The config on RemoteLab is now : 

crypto map staticMap 5 ipsec-isakmp
 set peer AB.CD.160.216
 set transform-set P2PSET
 match address 150
crypto map staticMap 10 ipsec-isakmp dynamic dynamicVPN

An I changed the tunnel mode on both : 

crypto ipsec transform-set MYSET esp-aes esp-sha-hmac 
 mode tunnel

But I have the same output error with debug crypto isakmp.

Edit : 

I finally found the problem, the no-xauth attribute was missing : 

crypto isakmp key xxx address xxx  no-xauth

I also applied the crypto map to dialer 1 instead of Fa4 on R1.

Thanks for your help.