
Tunnel VPN Cisco 1841 vs WatchGuard Firebox X750e

Hi fellas, I've been having trouble for a year trying to set up site-to-site VPN tunnels between Cisco 1841 routers with security features and a WatchGuard Firebox X750e firewall.

I have point-to-point leased lines or Frame Relay links between my main site and the branch offices, and I really need to maintain operations when these services are down. I thought of having some kind of VPN tunnels as backup links, but I've tried hard to connect the 1841 and my WatchGuard with no success. I hope you can give me some ideas, commands or anything helpful to accomplish this very important task for my business.

I am attaching the network topology.


Hi Luis,

Can you be more specific as to what kind of problems you had experienced with this setup?

IPsec is an industry standard and should work fine between different vendors.

Sometimes keepalives and timers need to be disabled or tuned for IPsec to work between different vendors also.

Please provide more information so we can help you out.

Federico.

Hi Federico, I'm sending you the debug message:


*Sep  8 11:22:37.095: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 192.168.0.14, remote= 200.75.141.94,
    local_proxy= 192.168.100.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.10.8.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0xCD95F4F5(3449156853), conn_id= 0, keysize= 0, flags= 0x400A
*Sep  8 11:22:37.099: ISAKMP: local port 500, remote port 500
*Sep  8 11:22:37.099: ISAKMP: set new node 0 to QM_IDLE     
*Sep  8 11:22:37.099: insert sa successfully sa = 4552FFE0
*Sep  8 11:22:37.099: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
*Sep  8 11:22:37.099: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 200.75.141.94
*Sep  8 11:22:37.099: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
*Sep  8 11:22:37.099: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
*Sep  8 11:22:37.099: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
*Sep  8 11:22:37.099: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Sep  8 11:22:37.099: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1

*Sep  8 11:22:37.099: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
*Sep  8 11:22:37.099: ISAKMP:(0:0:N/A:0): sending packet to 200.75.141.94 my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep  8 11:22:37.519: ISAKMP (0:0): received packet from 200.75.141.94 dport 500 sport 500 Global (I) MM_NO_STATE
*Sep  8 11:22:37.519: ISAKMP:(0:0:N/A:0):Notify has no hash. Rejected.
*Sep  8 11:22:37.519: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1
*Sep  8 11:22:37.519: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Sep  8 11:22:37.519: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM1

*Sep  8 11:22:37.519: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 200.75.141.94 
*Sep  8 11:23:07.095: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 192.168.0.14, remote= 200.75.141.94,
    local_proxy= 192.168.100.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.10.8.0/255.255.255.0/0/0 (type=4)
*Sep  8 11:23:07.095: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 192.168.0.14, remote= 200.75.141.94,
    local_proxy= 192.168.100.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.10.8.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x98BC5FC1(2562482113), conn_id= 0, keysize= 0, flags= 0x400A
*Sep  8 11:23:07.095: ISAKMP: set new node 0 to QM_IDLE     
*Sep  8 11:23:07.095: ISAKMP:(0:0:N/A:0):SA is still budding. Attached new ipsec request to it. (local 192.168.0.14, remote 200.75.141.94)
*Sep  8 11:23:37.095: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 192.168.0.14, remote= 200.75.141.94,
    local_proxy= 192.168.100.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.10.8.0/255.255.255.0/0/0 (type=4)
*Sep  8 11:23:37.095: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.

*Sep  8 11:23:37.095: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peer 200.75.141.94)
*Sep  8 11:23:37.095: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peer 200.75.141.94)
*Sep  8 11:23:37.095: ISAKMP:(0:0:N/A:0):deleting node -514074880 error FALSE reason "IKE deleted"
*Sep  8 11:23:37.095: ISAKMP:(0:0:N/A:0):deleting node -106686846 error FALSE reason "IKE deleted"
*Sep  8 11:23:37.095: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Sep  8 11:23:37.095: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_DEST_SA

*Sep  8 11:23:37.095: IPSEC(key_engine): got a queue event with 1 kei messages
Router#

What exactly happens with the VPN client?

According to the logs, phase 1 establishes and phase 2 initiates (does not show if it completes or not)...

Can you provide more information, for example:

Are you getting prompted for user/password? (should you get prompted)?

What error do you receive on the client?

The problem could be something on phase 2, try to see if you get more errors when connecting.

Federico.

Hi Federico, we are looking exactly for documentation about this topic. If anyone has it, please send it to my mail.

Hi,

It looks like there is some configuration mismatch. Do you see any logs on the WatchGuard?

P.S.: I noticed in your topology that you have another router at the remote end. Why not try terminating the VPN tunnel on that 2821?

Cheers,

Prapanch

Hi fellas, to give you some more information: yesterday I tried again to set up the VPN tunnel. I think I'm getting closer, but it doesn't connect yet. The devices involved are a Cisco 2811 (Advanced Security K9 IOS) and a WatchGuard Firebox X750e. As you may notice, I swapped the 1841 for a 2811, looking for some light at the end of the tunnel, but with no success. On the Cisco side I'm configuring it with SDM.

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

This log was taken on the 2811 router just after sending the commands through SDM... The WatchGuard is in aggressive mode.

Router(config)#
*Feb  3 15:42:00.927: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Feb  3 15:46:42.903: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 190.39.111.96:500, remote= 200.75.141.94:500,
    local_proxy= 192.168.150.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.10.8.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Feb  3 15:46:42.907: ISAKMP: local port 500, remote port 500
*Feb  3 15:46:42.907: ISAKMP: set new node 0 to QM_IDLE
*Feb  3 15:46:42.907: ISAKMP:(0):insert sa successfully sa = 46D2D1F4
*Feb  3 15:46:42.907: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Feb  3 15:46:42.907: ISAKMP:(0):found peer pre-shared key matching 200.75.141.94
*Feb  3 15:46:42.907: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Feb  3 15:46:42.907: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Feb  3 15:46:42.907: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Feb  3 15:46:42.907: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Feb  3 15:46:42.907: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Feb  3 15:46:42.907: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

*Feb  3 15:46:42.911: ISAKMP:(0): beginning Main Mode exchange
*Feb  3 15:46:42.911: ISAKMP:(0): sending packet to 200.75.141.94 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb  3 15:46:42.911: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Feb  3 15:46:43.327: ISAKMP (0): received packet from 200.75.141.94 dport 500 sport 500 Global (I) MM_NO_STATE
*Feb  3 15:46:43.327: ISAKMP:(0):Notify has no hash. Rejected.
*Feb  3 15:46:43.327: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1
*Feb  3 15:46:43.327: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Feb  3 15:46:43.327: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1

*Feb  3 15:46:43.331: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 200.75.141.94
*Feb  3 15:46:52.911: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Feb  3 15:46:52.911: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Feb  3 15:46:52.911: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Feb  3 15:46:52.911: ISAKMP:(0): sending packet to 200.75.141.94 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb  3 15:46:52.911: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Feb  3 15:46:53.443: ISAKMP (0): received packet from 200.75.141.94 dport 500 sport 500 Global (I) MM_NO_STATE
*Feb  3 15:46:53.443: ISAKMP:(0):Notify has no hash. Rejected.
*Feb  3 15:46:53.443: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1
*Feb  3 15:46:53.443: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Feb  3 15:46:53.443: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1

*Feb  3 15:47:02.911: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Feb  3 15:47:02.911: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Feb  3 15:47:02.911: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Feb  3 15:47:02.911: ISAKMP:(0): sending packet to 200.75.141.94 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb  3 15:47:02.911: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Feb  3 15:47:03.575: ISAKMP (0): received packet from 200.75.141.94 dport 500 sport 500 Global (I) MM_NO_STATE
*Feb  3 15:47:03.575: ISAKMP:(0):Notify has no hash. Rejected.
*Feb  3 15:47:03.575: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1
*Feb  3 15:47:03.575: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Feb  3 15:47:03.575: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1

*Feb  3 15:47:12.903: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 190.39.111.96:0, remote= 200.75.141.94:0,
    local_proxy= 192.168.150.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.10.8.0/255.255.255.0/0/0 (type=4)
*Feb  3 15:47:12.903: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 190.39.111.96:500, remote= 200.75.141.94:500,
    local_proxy= 192.168.150.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.10.8.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Feb  3 15:47:12.903: ISAKMP: set new node 0 to QM_IDLE
*Feb  3 15:47:12.903: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 190.39.111.96, remote 200.75.141.94)
*Feb  3 15:47:12.911: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Feb  3 15:47:12.911: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Feb  3 15:47:12.911: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Feb  3 15:47:12.911: ISAKMP:(0): sending packet to 200.75.141.94 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb  3 15:47:12.911: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Feb  3 15:47:13.463: ISAKMP (0): received packet from 200.75.141.94 dport 500 sport 500 Global (I) MM_NO_STATE
*Feb  3 15:47:13.463: ISAKMP:(0):Notify has no hash. Rejected.
*Feb  3 15:47:13.463: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1
*Feb  3 15:47:13.463: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Feb  3 15:47:13.463: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1

*Feb  3 15:47:22.911: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Feb  3 15:47:22.911: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Feb  3 15:47:22.911: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Feb  3 15:47:22.911: ISAKMP:(0): sending packet to 200.75.141.94 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb  3 15:47:22.911: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Feb  3 15:47:23.707: ISAKMP (0): received packet from 200.75.141.94 dport 500 sport 500 Global (I) MM_NO_STATE
*Feb  3 15:47:23.707: ISAKMP:(0):Notify has no hash. Rejected.
*Feb  3 15:47:23.707: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1
*Feb  3 15:47:23.707: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Feb  3 15:47:23.707: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1

*Feb  3 15:47:32.911: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Feb  3 15:47:32.911: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Feb  3 15:47:32.911: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Feb  3 15:47:32.911: ISAKMP:(0): sending packet to 200.75.141.94 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb  3 15:47:32.911: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Feb  3 15:47:33.215: ISAKMP (0): received packet from 200.75.141.94 dport 500 sport 500 Global (I) MM_NO_STATE
*Feb  3 15:47:33.219: ISAKMP:(0):Notify has no hash. Rejected.
*Feb  3 15:47:33.219: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1
*Feb  3 15:47:33.219: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Feb  3 15:47:33.219: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1

*Feb  3 15:47:42.903: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 190.39.111.96:0, remote= 200.75.141.94:0,
    local_proxy= 192.168.150.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.10.8.0/255.255.255.0/0/0 (type=4)
*Feb  3 15:47:42.911: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Feb  3 15:47:42.911: ISAKMP:(0):peer does not do paranoid keepalives.

*Feb  3 15:47:42.911: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 200.75.141.94)
*Feb  3 15:47:42.911: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 200.75.141.94)
*Feb  3 15:47:42.911: ISAKMP:(0):deleting node 38751264 error FALSE reason "IKE deleted"
*Feb  3 15:47:42.911: ISAKMP:(0):deleting node 1861148795 error FALSE reason "IKE deleted"
*Feb  3 15:47:42.915: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Feb  3 15:47:42.915: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

This log was taken after typing debug crypto isakmp... The WatchGuard is in aggressive mode.


*Feb  3 15:52:55.303: No peer struct to get peer description
*Feb  3 15:53:32.663: No peer struct to get peer description
*Feb  3 15:53:34.303: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 190.39.111.96:500, remote= 200.75.141.94:500,
    local_proxy= 192.168.150.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.10.8.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Feb  3 15:53:34.307: ISAKMP: local port 500, remote port 500
*Feb  3 15:53:34.307: ISAKMP: set new node 0 to QM_IDLE     
*Feb  3 15:53:34.307: ISAKMP:(0):insert sa successfully sa = 47EDE4D8
*Feb  3 15:53:34.307: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Feb  3 15:53:34.307: ISAKMP:(0):found peer pre-shared key matching 200.75.141.94
*Feb  3 15:53:34.307: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Feb  3 15:53:34.307: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Feb  3 15:53:34.307: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Feb  3 15:53:34.307: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Feb  3 15:53:34.307: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Feb  3 15:53:34.307: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

*Feb  3 15:53:34.307: ISAKMP:(0): beginning Main Mode exchange
*Feb  3 15:53:34.307: ISAKMP:(0): sending packet to 200.75.141.94 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb  3 15:53:34.307: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Feb  3 15:53:34.691: ISAKMP (0): received packet from 200.75.141.94 dport 500 sport 500 Global (I) MM_NO_STATE
*Feb  3 15:53:34.691: ISAKMP:(0):Notify has no hash. Rejected.
*Feb  3 15:53:34.691: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1
*Feb  3 15:53:34.691: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Feb  3 15:53:34.691: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1

*Feb  3 15:53:34.691: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 200.75.141.94
*Feb  3 15:53:44.307: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Feb  3 15:53:44.307: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Feb  3 15:53:44.307: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Feb  3 15:53:44.307: ISAKMP:(0): sending packet to 200.75.141.94 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb  3 15:53:44.307: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Feb  3 15:53:45.043: ISAKMP (0): received packet from 200.75.141.94 dport 500 sport 500 Global (I) MM_NO_STATE
*Feb  3 15:53:45.043: ISAKMP:(0):Notify has no hash. Rejected.
*Feb  3 15:53:45.043: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1
*Feb  3 15:53:45.043: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Feb  3 15:53:45.043: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1

*Feb  3 15:53:54.307: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Feb  3 15:53:54.307: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Feb  3 15:53:54.307: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Feb  3 15:53:54.307: ISAKMP:(0): sending packet to 200.75.141.94 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb  3 15:53:54.307: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Feb  3 15:53:54.907: ISAKMP (0): received packet from 200.75.141.94 dport 500 sport 500 Global (I) MM_NO_STATE
*Feb  3 15:53:54.907: ISAKMP:(0):Notify has no hash. Rejected.
*Feb  3 15:53:54.907: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1
*Feb  3 15:53:54.907: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Feb  3 15:53:54.907: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1

*Feb  3 15:54:04.303: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 190.39.111.96:0, remote= 200.75.141.94:0,
    local_proxy= 192.168.150.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.10.8.0/255.255.255.0/0/0 (type=4)
*Feb  3 15:54:04.303: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 190.39.111.96:500, remote= 200.75.141.94:500,
    local_proxy= 192.168.150.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.10.8.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Feb  3 15:54:04.303: ISAKMP: set new node 0 to QM_IDLE     
*Feb  3 15:54:04.303: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 190.39.111.96, remote 200.75.141.94)
*Feb  3 15:54:04.307: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Feb  3 15:54:04.307: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Feb  3 15:54:04.307: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Feb  3 15:54:04.307: ISAKMP:(0): sending packet to 200.75.141.94 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb  3 15:54:04.307: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Feb  3 15:54:04.767: ISAKMP (0): received packet from 200.75.141.94 dport 500 sport 500 Global (I) MM_NO_STATE
*Feb  3 15:54:04.771: ISAKMP:(0):Notify has no hash. Rejected.
*Feb  3 15:54:04.771: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1
*Feb  3 15:54:04.771: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Feb  3 15:54:04.771: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1

*Feb  3 15:54:14.307: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Feb  3 15:54:14.307: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Feb  3 15:54:14.307: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Feb  3 15:54:14.307: ISAKMP:(0): sending packet to 200.75.141.94 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb  3 15:54:14.307: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Feb  3 15:54:14.615: ISAKMP (0): received packet from 200.75.141.94 dport 500 sport 500 Global (I) MM_NO_STATE
*Feb  3 15:54:14.615: ISAKMP:(0):Notify has no hash. Rejected.
*Feb  3 15:54:14.615: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1
*Feb  3 15:54:14.615: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Feb  3 15:54:14.615: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1

*Feb  3 15:54:24.307: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Feb  3 15:54:24.307: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Feb  3 15:54:24.307: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Feb  3 15:54:24.307: ISAKMP:(0): sending packet to 200.75.141.94 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb  3 15:54:24.307: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Feb  3 15:54:24.707: ISAKMP (0): received packet from 200.75.141.94 dport 500 sport 500 Global (I) MM_NO_STATE
*Feb  3 15:54:24.707: ISAKMP:(0):Notify has no hash. Rejected.
*Feb  3 15:54:24.707: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1
*Feb  3 15:54:24.707: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Feb  3 15:54:24.707: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1

*Feb  3 15:54:34.303: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 190.39.111.96:0, remote= 200.75.141.94:0,
    local_proxy= 192.168.150.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.10.8.0/255.255.255.0/0/0 (type=4)
*Feb  3 15:54:34.307: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Feb  3 15:54:34.307: ISAKMP:(0):peer does not do paranoid keepalives.

*Feb  3 15:54:34.307: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 200.75.141.94)
*Feb  3 15:54:34.307: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 200.75.141.94)
*Feb  3 15:54:34.307: ISAKMP:(0):deleting node 1497803509 error FALSE reason "IKE deleted"
*Feb  3 15:54:34.307: ISAKMP:(0):deleting node 1326321502 error FALSE reason "IKE deleted"
*Feb  3 15:54:34.307: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Feb  3 15:54:34.307: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Looking at the SDM troubleshooting, I realized there was no peer connectivity, so I created a rule in the WatchGuard that allows ICMP traffic between the 2811 and the Firebox. After that, the peer connectivity test was successful.

ping 200.75.141.94                                                           200.75.141.94             ping 200.44.32.12                 sh ip int brie                    debug crypto isakmp
Crypto ISAKMP debugging is on
Router#
*Feb  3 16:02:16.363: No peer struct to get peer description
*Feb  3 16:02:39.323: No peer struct to get peer description
*Feb  3 16:02:39.851: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 190.39.111.96:500, remote= 200.75.141.94:500,
    local_proxy= 192.168.150.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.10.8.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Feb  3 16:02:39.851: ISAKMP: local port 500, remote port 500
*Feb  3 16:02:39.851: ISAKMP: set new node 0 to QM_IDLE     
*Feb  3 16:02:39.851: ISAKMP:(0):insert sa successfully sa = 47ED940C
*Feb  3 16:02:39.851: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Feb  3 16:02:39.851: ISAKMP:(0):found peer pre-shared key matching 200.75.141.94
*Feb  3 16:02:39.851: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Feb  3 16:02:39.851: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Feb  3 16:02:39.855: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Feb  3 16:02:39.855: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Feb  3 16:02:39.855: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Feb  3 16:02:39.855: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

*Feb  3 16:02:39.855: ISAKMP:(0): beginning Main Mode exchange
*Feb  3 16:02:39.855: ISAKMP:(0): sending packet to 200.75.141.94 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb  3 16:02:39.855: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Feb  3 16:02:40.215: ISAKMP (0): received packet from 200.75.141.94 dport 500 sport 500 Global (I) MM_NO_STATE
*Feb  3 16:02:40.215: ISAKMP:(0):Notify has no hash. Rejected.
*Feb  3 16:02:40.215: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1
*Feb  3 16:02:40.215: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Feb  3 16:02:40.215: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1

*Feb  3 16:02:40.215: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 200.75.141.94
*Feb  3 16:02:49.855: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Feb  3 16:02:49.855: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Feb  3 16:02:49.855: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Feb  3 16:02:49.855: ISAKMP:(0): sending packet to 200.75.141.94 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb  3 16:02:49.855: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Feb  3 16:02:50.371: ISAKMP (0): received packet from 200.75.141.94 dport 500 sport 500 Global (I) MM_NO_STATE
*Feb  3 16:02:50.371: ISAKMP:(0):Notify has no hash. Rejected.
*Feb  3 16:02:50.371: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1
*Feb  3 16:02:50.371: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Feb  3 16:02:50.371: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1

*Feb  3 16:02:59.855: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Feb  3 16:02:59.855: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Feb  3 16:02:59.855: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Feb  3 16:02:59.855: ISAKMP:(0): sending packet to 200.75.141.94 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb  3 16:02:59.855: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Feb  3 16:03:00.503: ISAKMP (0): received packet from 200.75.141.94 dport 500 sport 500 Global (I) MM_NO_STATE
*Feb  3 16:03:00.503: ISAKMP:(0):Notify has no hash. Rejected.
*Feb  3 16:03:00.503: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1
*Feb  3 16:03:00.503: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Feb  3 16:03:00.503: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1

*Feb  3 16:03:09.851: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 190.39.111.96:0, remote= 200.75.141.94:0,
    local_proxy= 192.168.150.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.10.8.0/255.255.255.0/0/0 (type=4)
*Feb  3 16:03:09.851: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 190.39.111.96:500, remote= 200.75.141.94:500,
    local_proxy= 192.168.150.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.10.8.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Feb  3 16:03:09.851: ISAKMP: set new node 0 to QM_IDLE     
*Feb  3 16:03:09.851: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 190.39.111.96, remote 200.75.141.94)
*Feb  3 16:03:09.855: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Feb  3 16:03:09.855: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Feb  3 16:03:09.855: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Feb  3 16:03:09.855: ISAKMP:(0): sending packet to 200.75.141.94 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb  3 16:03:09.855: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Feb  3 16:03:10.039: ISAKMP (0): received packet from 200.75.141.94 dport 500 sport 500 Global (I) MM_NO_STATE
*Feb  3 16:03:10.039: ISAKMP:(0):Notify has no hash. Rejected.
*Feb  3 16:03:10.039: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1
*Feb  3 16:03:10.039: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Feb  3 16:03:10.039: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1

*Feb  3 16:03:19.855: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Feb  3 16:03:19.855: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Feb  3 16:03:19.855: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Feb  3 16:03:19.855: ISAKMP:(0): sending packet to 200.75.141.94 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb  3 16:03:19.855: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Feb  3 16:03:20.683: ISAKMP (0): received packet from 200.75.141.94 dport 500 sport 500 Global (I) MM_NO_STATE
*Feb  3 16:03:20.683: ISAKMP:(0):Notify has no hash. Rejected.
*Feb  3 16:03:20.683: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1
*Feb  3 16:03:20.683: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Feb  3 16:03:20.683: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1

*Feb  3 16:03:29.855: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Feb  3 16:03:29.855: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Feb  3 16:03:29.855: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Feb  3 16:03:29.855: ISAKMP:(0): sending packet to 200.75.141.94 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb  3 16:03:29.855: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Feb  3 16:03:30.403: ISAKMP (0): received packet from 200.75.141.94 dport 500 sport 500 Global (I) MM_NO_STATE
*Feb  3 16:03:30.403: ISAKMP:(0):Notify has no hash. Rejected.
*Feb  3 16:03:30.403: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1
*Feb  3 16:03:30.403: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Feb  3 16:03:30.403: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1

*Feb  3 16:03:39.851: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 190.39.111.96:0, remote= 200.75.141.94:0,
    local_proxy= 192.168.150.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.10.8.0/255.255.255.0/0/0 (type=4)
*Feb  3 16:03:39.855: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Feb  3 16:03:39.855: ISAKMP:(0):peer does not do paranoid keepalives.

*Feb  3 16:03:39.855: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 200.75.141.94)
*Feb  3 16:03:39.855: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 200.75.141.94)
*Feb  3 16:03:39.855: ISAKMP:(0):deleting node -574549606 error FALSE reason "IKE deleted"
*Feb  3 16:03:39.855: ISAKMP:(0):deleting node -1236183812 error FALSE reason "IKE deleted"
*Feb  3 16:03:39.855: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Feb  3 16:03:39.855: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Then I tried with the WatchGuard in main mode. Here's the debug crypto isakmp log


*Feb  3 16:14:10.903: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 190.39.111.96:500, remote= 200.75.141.94:500,
    local_proxy= 192.168.150.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.10.8.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Feb  3 16:14:10.907: ISAKMP: local port 500, remote port 500
*Feb  3 16:14:10.907: ISAKMP: set new node 0 to QM_IDLE     
*Feb  3 16:14:10.907: ISAKMP:(0):insert sa successfully sa = 46046728
*Feb  3 16:14:10.907: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Feb  3 16:14:10.907: ISAKMP:(0):found peer pre-shared key matching 200.75.141.94
*Feb  3 16:14:10.907: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Feb  3 16:14:10.907: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Feb  3 16:14:10.907: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Feb  3 16:14:10.907: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Feb  3 16:14:10.907: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Feb  3 16:14:10.907: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

*Feb  3 16:14:10.907: ISAKMP:(0): beginning Main Mode exchange
*Feb  3 16:14:10.907: ISAKMP:(0): sending packet to 200.75.141.94 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb  3 16:14:10.907: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Feb  3 16:14:11.195: ISAKMP (0): received packet from 200.75.141.94 dport 500 sport 500 Global (I) MM_NO_STATE
*Feb  3 16:14:11.195: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Feb  3 16:14:11.195: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

*Feb  3 16:14:11.199: ISAKMP:(0): processing SA payload. message ID = 0
*Feb  3 16:14:11.199: ISAKMP:(0): processing vendor id payload
*Feb  3 16:14:11.199: ISAKMP:(0): vendor ID seems Unity/DPD but major 128 mismatch
*Feb  3 16:14:11.199: ISAKMP:(0): vendor ID is XAUTH
*Feb  3 16:14:11.199: ISAKMP:(0): processing vendor id payload
*Feb  3 16:14:11.199: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Feb  3 16:14:11.199: ISAKMP:(0): vendor ID is NAT-T v2
*Feb  3 16:14:11.199: ISAKMP:(0):found peer pre-shared key matching 200.75.141.94
*Feb  3 16:14:11.199: ISAKMP:(0): local preshared key found
*Feb  3 16:14:11.199: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
*Feb  3 16:14:11.199: ISAKMP:      encryption AES-CBC
*Feb  3 16:14:11.199: ISAKMP:      keylength of 128
*Feb  3 16:14:11.199: ISAKMP:      hash MD5
*Feb  3 16:14:11.199: ISAKMP:      default group 2
*Feb  3 16:14:11.199: ISAKMP:      auth pre-share
*Feb  3 16:14:11.199: ISAKMP:      life type in seconds
*Feb  3 16:14:11.199: ISAKMP:      life duration (basic) of 28800
*Feb  3 16:14:11.199: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Feb  3 16:14:11.199: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Feb  3 16:14:11.199: ISAKMP:(0):Checking ISAKMP transform 2 against priority 2 policy
*Feb  3 16:14:11.199: ISAKMP:      encryption AES-CBC
*Feb  3 16:14:11.199: ISAKMP:      keylength of 128
*Feb  3 16:14:11.199: ISAKMP:      hash MD5
*Feb  3 16:14:11.199: ISAKMP:      default group 2
*Feb  3 16:14:11.199: ISAKMP:      auth pre-share
*Feb  3 16:14:11.199: ISAKMP:      life type in seconds
*Feb  3 16:14:11.199: ISAKMP:      life duration (basic) of 28800
*Feb  3 16:14:11.203: ISAKMP:(0):atts are acceptable. Next payload is 0
*Feb  3 16:14:11.203: ISAKMP:(0):Acceptable atts:actual life: 0
*Feb  3 16:14:11.203: ISAKMP:(0):Acceptable atts:life: 0
*Feb  3 16:14:11.203: ISAKMP:(0):Basic life_in_seconds:28800
*Feb  3 16:14:11.203: ISAKMP:(0):Returning Actual lifetime: 28800
*Feb  3 16:14:11.203: ISAKMP:(0)::Started lifetime timer: 28800.

*Feb  3 16:14:11.243: ISAKMP:(0): processing vendor id payload
*Feb  3 16:14:11.243: ISAKMP:(0): vendor ID seems Unity/DPD but major 128 mismatch
*Feb  3 16:14:11.243: ISAKMP:(0): vendor ID is XAUTH
*Feb  3 16:14:11.243: ISAKMP:(0): processing vendor id payload
*Feb  3 16:14:11.243: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Feb  3 16:14:11.243: ISAKMP:(0): vendor ID is NAT-T v2
*Feb  3 16:14:11.243: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Feb  3 16:14:11.243: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

*Feb  3 16:14:11.243: ISAKMP:(0): sending packet to 200.75.141.94 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Feb  3 16:14:11.247: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Feb  3 16:14:11.247: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Feb  3 16:14:11.247: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

*Feb  3 16:14:11.447: ISAKMP (0): received packet from 200.75.141.94 dport 500 sport 500 Global (I) MM_SA_SETUP
*Feb  3 16:14:11.451: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Feb  3 16:14:11.451: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

*Feb  3 16:14:11.451: ISAKMP:(0): processing KE payload. message ID = 0
*Feb  3 16:14:11.503: ISAKMP:(0): processing NONCE payload. message ID = 0
*Feb  3 16:14:11.503: ISAKMP:(0):found peer pre-shared key matching 200.75.141.94
*Feb  3 16:14:11.503: ISAKMP:received payload type 20
*Feb  3 16:14:11.503: ISAKMP (1001): His hash no match - this node outside NAT
*Feb  3 16:14:11.503: ISAKMP:received payload type 20
*Feb  3 16:14:11.503: ISAKMP (1001): No NAT Found for self or peer
*Feb  3 16:14:11.503: ISAKMP:(1001): processing vendor id payload
*Feb  3 16:14:11.503: ISAKMP:(1001): vendor ID is DPD
*Feb  3 16:14:11.507: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Feb  3 16:14:11.507: ISAKMP:(1001):Old State = IKE_I_MM4  New State = IKE_I_MM4

*Feb  3 16:14:11.507: ISAKMP:(1001):Send initial contact
*Feb  3 16:14:11.507: ISAKMP:(1001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Feb  3 16:14:11.507: ISAKMP (1001): ID payload
    next-payload : 8
    type         : 1
    address      : 190.39.111.96
    protocol     : 17
    port         : 500
    length       : 12
*Feb  3 16:14:11.507: ISAKMP:(1001):Total payload length: 12
*Feb  3 16:14:11.507: ISAKMP:(1001): sending packet to 200.75.141.94 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Feb  3 16:14:11.507: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Feb  3 16:14:11.511: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Feb  3 16:14:11.511: ISAKMP:(1001):Old State = IKE_I_MM4  New State = IKE_I_MM5

*Feb  3 16:14:11.803: ISAKMP (1001): received packet from 200.75.141.94 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Feb  3 16:14:11.803: ISAKMP:(1001): processing ID payload. message ID = 0
*Feb  3 16:14:11.803: ISAKMP (1001): ID payload
    next-payload : 8
    type         : 1
    address      : 200.75.141.94
    protocol     : 0
    port         : 0
    length       : 12
*Feb  3 16:14:11.803: ISAKMP:(1001): processing HASH payload. message ID = 0
*Feb  3 16:14:11.803: ISAKMP:(1001):SA authentication status:
    authenticated
*Feb  3 16:14:11.803: ISAKMP:(1001):SA has been authenticated with 200.75.141.94
*Feb  3 16:14:11.803: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Feb  3 16:14:11.803: ISAKMP:(1001):Old State = IKE_I_MM5  New State = IKE_I_MM6

*Feb  3 16:14:11.803: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Feb  3 16:14:11.807: ISAKMP:(1001):Old State = IKE_I_MM6  New State = IKE_I_MM6

*Feb  3 16:14:11.807: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Feb  3 16:14:11.807: ISAKMP:(1001):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

*Feb  3 16:14:11.807: ISAKMP:(1001):beginning Quick Mode exchange, M-ID of 1139346354
*Feb  3 16:14:11.807: ISAKMP:(1001):QM Initiator gets spi
*Feb  3 16:14:11.811: ISAKMP:(1001): sending packet to 200.75.141.94 my_port 500 peer_port 500 (I) QM_IDLE     
*Feb  3 16:14:11.811: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Feb  3 16:14:11.811: ISAKMP:(1001):Node 1139346354, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Feb  3 16:14:11.811: ISAKMP:(1001):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Feb  3 16:14:11.811: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Feb  3 16:14:11.811: ISAKMP:(1001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Feb  3 16:14:11.971: ISAKMP (1001): received packet from 200.75.141.94 dport 500 sport 500 Global (I) QM_IDLE     
*Feb  3 16:14:11.971: ISAKMP: set new node -270146460 to QM_IDLE     
*Feb  3 16:14:11.975: ISAKMP:(1001): processing HASH payload. message ID = -270146460
*Feb  3 16:14:11.975: ISAKMP:(1001): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
    spi 1601635130, message ID = -270146460, sa = 0x46046728
*Feb  3 16:14:11.975: ISAKMP:(1001): deleting spi 1601635130 message ID = 1139346354
*Feb  3 16:14:11.975: ISAKMP:(1001):deleting node 1139346354 error TRUE reason "Delete Larval"
*Feb  3 16:14:11.975: ISAKMP:(1001):deleting node -270146460 error FALSE reason "Informational (in) state 1"
*Feb  3 16:14:11.975: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Feb  3 16:14:11.975: ISAKMP:(1001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Feb  3 16:14:40.903: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 190.39.111.96:0, remote= 200.75.141.94:0,
    local_proxy= 192.168.150.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.10.8.0/255.255.255.0/0/0 (type=4)
*Feb  3 16:14:40.903: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 190.39.111.96:500, remote= 200.75.141.94:500,
    local_proxy= 192.168.150.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.10.8.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Feb  3 16:14:40.903: ISAKMP: set new node 0 to QM_IDLE     
*Feb  3 16:14:40.903: SA has outstanding requests  (local 70.4.104.172 port 500, remote 70.4.104.144 port 500)
*Feb  3 16:14:40.903: ISAKMP:(1001): sitting IDLE. Starting QM immediately (QM_IDLE      )
*Feb  3 16:14:40.903: ISAKMP:(1001):beginning Quick Mode exchange, M-ID of 380898039
*Feb  3 16:14:40.903: ISAKMP:(1001):QM Initiator gets spi
*Feb  3 16:14:40.907: ISAKMP:(1001): sending packet to 200.75.141.94 my_port 500 peer_port 500 (I) QM_IDLE     
*Feb  3 16:14:40.907: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Feb  3 16:14:40.907: ISAKMP:(1001):Node 380898039, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Feb  3 16:14:40.907: ISAKMP:(1001):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Feb  3 16:14:41.071: ISAKMP (1001): received packet from 200.75.141.94 dport 500 sport 500 Global (I) QM_IDLE     
*Feb  3 16:14:41.071: ISAKMP: set new node -1926816704 to QM_IDLE     
*Feb  3 16:14:41.075: ISAKMP:(1001): processing HASH payload. message ID = -1926816704
*Feb  3 16:14:41.075: ISAKMP:(1001): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
    spi 405937281, message ID = -1926816704, sa = 0x46046728
*Feb  3 16:14:41.075: ISAKMP:(1001): deleting spi 405937281 message ID = 380898039
*Feb  3 16:14:41.075: ISAKMP:(1001):deleting node 380898039 error TRUE reason "Delete Larval"
*Feb  3 16:14:41.075: ISAKMP:(1001):deleting node -1926816704 error FALSE reason "Informational (in) state 1"
*Feb  3 16:14:41.075: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Feb  3 16:14:41.075: ISAKMP:(1001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Feb  3 16:15:01.975: ISAKMP:(1001):purging node 1139346354
*Feb  3 16:15:01.975: ISAKMP:(1001):purging node -270146460
*Feb  3 16:15:10.903: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 190.39.111.96:0, remote= 200.75.141.94:0,
    local_proxy= 192.168.150.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.10.8.0/255.255.255.0/0/0 (type=4)

Router#
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

In addition to "main mode" and "aggressive mode", the Firebox has another option, "main fallback to aggressive". Of course I tried that too. Here's the debug crypto isakmp log


*Feb  3 16:23:26.171: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 190.39.111.96:500, remote= 200.75.141.94:500,
    local_proxy= 192.168.150.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.10.8.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Feb  3 16:23:26.175: ISAKMP: set new node 0 to QM_IDLE     
*Feb  3 16:23:26.175: SA has outstanding requests  (local 70.4.104.172 port 500, remote 70.4.104.144 port 500)
*Feb  3 16:23:26.175: ISAKMP:(1001): sitting IDLE. Starting QM immediately (QM_IDLE      )
*Feb  3 16:23:26.175: ISAKMP:(1001):beginning Quick Mode exchange, M-ID of -997366561
*Feb  3 16:23:26.175: ISAKMP:(1001):QM Initiator gets spi
*Feb  3 16:23:26.175: ISAKMP:(1001): sending packet to 200.75.141.94 my_port 500 peer_port 500 (I) QM_IDLE     
*Feb  3 16:23:26.175: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Feb  3 16:23:26.179: ISAKMP:(1001):Node -997366561, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Feb  3 16:23:26.179: ISAKMP:(1001):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Feb  3 16:23:36.175: ISAKMP:(1001): retransmitting phase 2 QM_IDLE       -997366561 ...
*Feb  3 16:23:36.175: ISAKMP (1001): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
*Feb  3 16:23:36.175: ISAKMP (1001): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
*Feb  3 16:23:36.175: ISAKMP:(1001): retransmitting phase 2 -997366561 QM_IDLE     
*Feb  3 16:23:36.175: ISAKMP:(1001): sending packet to 200.75.141.94 my_port 500 peer_port 500 (I) QM_IDLE     
*Feb  3 16:23:36.175: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Feb  3 16:23:46.175: ISAKMP:(1001): retransmitting phase 2 QM_IDLE       -997366561 ...
*Feb  3 16:23:46.175: ISAKMP (1001): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
*Feb  3 16:23:46.175: ISAKMP (1001): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
*Feb  3 16:23:46.175: ISAKMP:(1001): retransmitting phase 2 -997366561 QM_IDLE     
*Feb  3 16:23:46.175: ISAKMP:(1001): sending packet to 200.75.141.94 my_port 500 peer_port 500 (I) QM_IDLE     
*Feb  3 16:23:46.175: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Feb  3 16:23:56.171: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 190.39.111.96:0, remote= 200.75.141.94:0,
    local_proxy= 192.168.150.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.10.8.0/255.255.255.0/0/0 (type=4)
*Feb  3 16:23:56.171: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 190.39.111.96:500, remote= 200.75.141.94:500,
    local_proxy= 192.168.150.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.10.8.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Feb  3 16:23:56.171: ISAKMP: set new node 0 to QM_IDLE     
*Feb  3 16:23:56.171: SA has outstanding requests  (local 70.4.104.172 port 500, remote 70.4.104.144 port 500)
*Feb  3 16:23:56.171: ISAKMP:(1001): sitting IDLE. Starting QM immediately (QM_IDLE      )
*Feb  3 16:23:56.171: ISAKMP:(1001):beginning Quick Mode exchange, M-ID of 413714750
*Feb  3 16:23:56.171: ISAKMP:(1001):QM Initiator gets spi
*Feb  3 16:23:56.175: ISAKMP:(1001): sending packet to 200.75.141.94 my_port 500 peer_port 500 (I) QM_IDLE     
*Feb  3 16:23:56.175: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Feb  3 16:23:56.175: ISAKMP:(1001):Node 413714750, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Feb  3 16:23:56.175: ISAKMP:(1001):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Feb  3 16:23:56.175: ISAKMP:(1001): retransmitting phase 2 QM_IDLE       -997366561 ...
*Feb  3 16:23:56.175: ISAKMP (1001): incrementing error counter on node, attempt 3 of 5: retransmit phase 2
*Feb  3 16:23:56.175: ISAKMP (1001): incrementing error counter on sa, attempt 3 of 5: retransmit phase 2
*Feb  3 16:23:56.175: ISAKMP:(1001): retransmitting phase 2 -997366561 QM_IDLE     
*Feb  3 16:23:56.175: ISAKMP:(1001): sending packet to 200.75.141.94 my_port 500 peer_port 500 (I) QM_IDLE     
*Feb  3 16:23:56.175: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Feb  3 16:24:06.175: ISAKMP:(1001): retransmitting phase 2 QM_IDLE       413714750 ...
*Feb  3 16:24:06.175: ISAKMP (1001): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
*Feb  3 16:24:06.175: ISAKMP (1001): incrementing error counter on sa, attempt 4 of 5: retransmit phase 2
*Feb  3 16:24:06.175: ISAKMP:(1001): retransmitting phase 2 413714750 QM_IDLE     
*Feb  3 16:24:06.175: ISAKMP:(1001): sending packet to 200.75.141.94 my_port 500 peer_port 500 (I) QM_IDLE     
*Feb  3 16:24:06.175: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Feb  3 16:24:06.175: ISAKMP:(1001): retransmitting phase 2 QM_IDLE       -997366561 ...
*Feb  3 16:24:06.175: ISAKMP (1001): incrementing error counter on node, attempt 4 of 5: retransmit phase 2
*Feb  3 16:24:06.175: ISAKMP (1001): incrementing error counter on sa, attempt 5 of 5: retransmit phase 2
*Feb  3 16:24:06.175: ISAKMP:(1001): retransmitting phase 2 -997366561 QM_IDLE     
*Feb  3 16:24:06.175: ISAKMP:(1001): sending packet to 200.75.141.94 my_port 500 peer_port 500 (I) QM_IDLE     
*Feb  3 16:24:06.175: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Feb  3 16:24:16.175: ISAKMP:(1001): retransmitting phase 2 QM_IDLE       413714750 ...
*Feb  3 16:24:16.175: ISAKMP:(1001):peer does not do paranoid keepalives.

*Feb  3 16:24:16.175: ISAKMP:(1001):deleting SA reason "Death by retransmission P2" state (I) QM_IDLE       (peer 200.75.141.94)
*Feb  3 16:24:16.175: ISAKMP:(1001): retransmitting phase 2 QM_IDLE       -997366561 ...
*Feb  3 16:24:16.175: ISAKMP:(1001):peer does not do paranoid keepalives.

*Feb  3 16:24:16.175: ISAKMP: set new node 1773349946 to QM_IDLE     
*Feb  3 16:24:16.175: ISAKMP:(1001): sending packet to 200.75.141.94 my_port 500 peer_port 500 (I) QM_IDLE     
*Feb  3 16:24:16.175: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Feb  3 16:24:16.175: ISAKMP:(1001):purging node 1773349946
*Feb  3 16:24:16.175: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Feb  3 16:24:16.179: ISAKMP:(1001):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

*Feb  3 16:24:16.179: ISAKMP:(1001):deleting SA reason "Death by retransmission P2" state (I) QM_IDLE       (peer 200.75.141.94)
*Feb  3 16:24:16.183: ISAKMP:(1001):deleting node -997366561 error FALSE reason "IKE deleted"
*Feb  3 16:24:16.183: ISAKMP:(1001):deleting node 413714750 error FALSE reason "IKE deleted"
*Feb  3 16:24:16.183: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Feb  3 16:24:16.183: ISAKMP:(1001):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

*Feb  3 16:24:26.171: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 190.39.111.96:0, remote= 200.75.141.94:0,
    local_proxy= 192.168.150.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.10.8.0/255.255.255.0/0/0 (type=4)
Router#

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Then, in the transform set in SDM, I changed a parameter from "encrypt ip header and data" to "encrypt data only". Here's the debug crypto isakmp log


*Feb  3 16:29:14.791: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 190.39.111.96:500, remote= 200.75.141.94:500,
    local_proxy= 192.168.150.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.10.8.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Feb  3 16:29:14.791: ISAKMP: local port 500, remote port 500
*Feb  3 16:29:14.791: ISAKMP: set new node 0 to QM_IDLE     
*Feb  3 16:29:14.791: ISAKMP:(0):insert sa successfully sa = 4604B270
*Feb  3 16:29:14.791: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Feb  3 16:29:14.791: ISAKMP:(0):found peer pre-shared key matching 200.75.141.94
*Feb  3 16:29:14.791: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Feb  3 16:29:14.795: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Feb  3 16:29:14.795: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Feb  3 16:29:14.795: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Feb  3 16:29:14.795: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Feb  3 16:29:14.795: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

*Feb  3 16:29:14.795: ISAKMP:(0): beginning Main Mode exchange
*Feb  3 16:29:14.795: ISAKMP:(0): sending packet to 200.75.141.94 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb  3 16:29:14.795: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Feb  3 16:29:16.059: ISAKMP (0): received packet from 200.75.141.94 dport 500 sport 500 Global (I) MM_NO_STATE
*Feb  3 16:29:16.059: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Feb  3 16:29:16.059: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

*Feb  3 16:29:16.059: ISAKMP:(0): processing SA payload. message ID = 0
*Feb  3 16:29:16.059: ISAKMP:(0): processing vendor id payload
*Feb  3 16:29:16.059: ISAKMP:(0): vendor ID seems Unity/DPD but major 128 mismatch
*Feb  3 16:29:16.059: ISAKMP:(0): vendor ID is XAUTH
*Feb  3 16:29:16.059: ISAKMP:(0): processing vendor id payload
*Feb  3 16:29:16.059: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Feb  3 16:29:16.059: ISAKMP:(0): vendor ID is NAT-T v2
*Feb  3 16:29:16.059: ISAKMP:(0):found peer pre-shared key matching 200.75.141.94
*Feb  3 16:29:16.059: ISAKMP:(0): local preshared key found
*Feb  3 16:29:16.059: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
*Feb  3 16:29:16.059: ISAKMP:      encryption AES-CBC
*Feb  3 16:29:16.059: ISAKMP:      keylength of 128
*Feb  3 16:29:16.059: ISAKMP:      hash MD5
*Feb  3 16:29:16.059: ISAKMP:      default group 2
*Feb  3 16:29:16.059: ISAKMP:      auth pre-share
*Feb  3 16:29:16.059: ISAKMP:      life type in seconds
*Feb  3 16:29:16.063: ISAKMP:      life duration (basic) of 28800
*Feb  3 16:29:16.063: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Feb  3 16:29:16.063: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Feb  3 16:29:16.063: ISAKMP:(0):Checking ISAKMP transform 2 against priority 2 policy
*Feb  3 16:29:16.063: ISAKMP:      encryption AES-CBC
*Feb  3 16:29:16.063: ISAKMP:      keylength of 128
*Feb  3 16:29:16.063: ISAKMP:      hash MD5
*Feb  3 16:29:16.063: ISAKMP:      default group 2
*Feb  3 16:29:16.063: ISAKMP:      auth pre-share
*Feb  3 16:29:16.063: ISAKMP:      life type in seconds
*Feb  3 16:29:16.063: ISAKMP:      life duration (basic) of 28800
*Feb  3 16:29:16.063: ISAKMP:(0):atts are acceptable. Next payload is 0
*Feb  3 16:29:16.063: ISAKMP:(0):Acceptable atts:actual life: 0
*Feb  3 16:29:16.063: ISAKMP:(0):Acceptable atts:life: 0
*Feb  3 16:29:16.063: ISAKMP:(0):Basic life_in_seconds:28800
*Feb  3 16:29:16.063: ISAKMP:(0):Returning Actual lifetime: 28800
*Feb  3 16:29:16.063: ISAKMP:(0)::Started lifetime timer: 28800.

*Feb  3 16:29:16.063: ISAKMP:(0): processing vendor id payload
*Feb  3 16:29:16.063: ISAKMP:(0): vendor ID seems Unity/DPD but major 128 mismatch
*Feb  3 16:29:16.063: ISAKMP:(0): vendor ID is XAUTH
*Feb  3 16:29:16.063: ISAKMP:(0): processing vendor id payload
*Feb  3 16:29:16.063: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Feb  3 16:29:16.063: ISAKMP:(0): vendor ID is NAT-T v2
*Feb  3 16:29:16.063: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Feb  3 16:29:16.063: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

*Feb  3 16:29:16.067: ISAKMP:(0): sending packet to 200.75.141.94 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Feb  3 16:29:16.067: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Feb  3 16:29:16.067: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Feb  3 16:29:16.067: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

*Feb  3 16:29:17.331: ISAKMP (0): received packet from 200.75.141.94 dport 500 sport 500 Global (I) MM_SA_SETUP
*Feb  3 16:29:17.331: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Feb  3 16:29:17.331: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

*Feb  3 16:29:17.331: ISAKMP:(0): processing KE payload. message ID = 0
*Feb  3 16:29:17.383: ISAKMP:(0): processing NONCE payload. message ID = 0
*Feb  3 16:29:17.383: ISAKMP:(0):found peer pre-shared key matching 200.75.141.94
*Feb  3 16:29:17.383: ISAKMP:received payload type 20
*Feb  3 16:29:17.383: ISAKMP (1002): His hash no match - this node outside NAT
*Feb  3 16:29:17.383: ISAKMP:received payload type 20
*Feb  3 16:29:17.383: ISAKMP (1002): No NAT Found for self or peer
*Feb  3 16:29:17.383: ISAKMP:(1002): processing vendor id payload
*Feb  3 16:29:17.387: ISAKMP:(1002): vendor ID is DPD
*Feb  3 16:29:17.387: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Feb  3 16:29:17.387: ISAKMP:(1002):Old State = IKE_I_MM4  New State = IKE_I_MM4

*Feb  3 16:29:17.387: ISAKMP:(1002):Send initial contact
*Feb  3 16:29:17.387: ISAKMP:(1002):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Feb  3 16:29:17.387: ISAKMP (1002): ID payload
    next-payload : 8
    type         : 1
    address      : 190.39.111.96
    protocol     : 17
    port         : 500
    length       : 12
*Feb  3 16:29:17.387: ISAKMP:(1002):Total payload length: 12
*Feb  3 16:29:17.387: ISAKMP:(1002): sending packet to 200.75.141.94 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Feb  3 16:29:17.387: ISAKMP:(1002):Sending an IKE IPv4 Packet.
*Feb  3 16:29:17.391: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Feb  3 16:29:17.391: ISAKMP:(1002):Old State = IKE_I_MM4  New State = IKE_I_MM5

*Feb  3 16:29:18.323: ISAKMP (1002): received packet from 200.75.141.94 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Feb  3 16:29:18.323: ISAKMP:(1002): processing ID payload. message ID = 0
*Feb  3 16:29:18.323: ISAKMP (1002): ID payload
    next-payload : 8
    type         : 1
    address      : 200.75.141.94
    protocol     : 0
    port         : 0
    length       : 12
*Feb  3 16:29:18.327: ISAKMP:(1002): processing HASH payload. message ID = 0
*Feb  3 16:29:18.327: ISAKMP:(1002):SA authentication status:
    authenticated
*Feb  3 16:29:18.327: ISAKMP:(1002):SA has been authenticated with 200.75.141.94
*Feb  3 16:29:18.327: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Feb  3 16:29:18.327: ISAKMP:(1002):Old State = IKE_I_MM5  New State = IKE_I_MM6

*Feb  3 16:29:18.327: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Feb  3 16:29:18.327: ISAKMP:(1002):Old State = IKE_I_MM6  New State = IKE_I_MM6

*Feb  3 16:29:18.327: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Feb  3 16:29:18.327: ISAKMP:(1002):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

*Feb  3 16:29:18.331: ISAKMP:(1002):beginning Quick Mode exchange, M-ID of -1157468569
*Feb  3 16:29:18.331: ISAKMP:(1002):QM Initiator gets spi
*Feb  3 16:29:18.331: ISAKMP:(1002): sending packet to 200.75.141.94 my_port 500 peer_port 500 (I) QM_IDLE     
*Feb  3 16:29:18.331: ISAKMP:(1002):Sending an IKE IPv4 Packet.
*Feb  3 16:29:18.331: ISAKMP:(1002):Node -1157468569, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Feb  3 16:29:18.331: ISAKMP:(1002):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Feb  3 16:29:18.335: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Feb  3 16:29:18.335: ISAKMP:(1002):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Feb  3 16:29:18.671: ISAKMP (1002): received packet from 200.75.141.94 dport 500 sport 500 Global (I) QM_IDLE     
*Feb  3 16:29:18.671: ISAKMP: set new node -780745246 to QM_IDLE     
*Feb  3 16:29:18.675: ISAKMP:(1002): processing HASH payload. message ID = -780745246
*Feb  3 16:29:18.675: ISAKMP:(1002): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
    spi 3961037450, message ID = -780745246, sa = 0x4604B270
*Feb  3 16:29:18.675: ISAKMP:(1002): deleting spi 3961037450 message ID = -1157468569
*Feb  3 16:29:18.675: ISAKMP:(1002):deleting node -1157468569 error TRUE reason "Delete Larval"
*Feb  3 16:29:18.675: ISAKMP:(1002):deleting node -780745246 error FALSE reason "Informational (in) state 1"
*Feb  3 16:29:18.675: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Feb  3 16:29:18.675: ISAKMP:(1002):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Feb  3 16:29:44.791: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 190.39.111.96:0, remote= 200.75.141.94:0,
    local_proxy= 192.168.150.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.10.8.0/255.255.255.0/0/0 (type=4)
*Feb  3 16:29:44.791: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 190.39.111.96:500, remote= 200.75.141.94:500,
    local_proxy= 192.168.150.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.10.8.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Feb  3 16:29:44.791: ISAKMP: set new node 0 to QM_IDLE     
*Feb  3 16:29:44.791: SA has outstanding requests  (local 70.4.179.244 port 500, remote 70.4.179.216 port 500)
*Feb  3 16:29:44.791: ISAKMP:(1002): sitting IDLE. Starting QM immediately (QM_IDLE      )
*Feb  3 16:29:44.791: ISAKMP:(1002):beginning Quick Mode exchange, M-ID of 611381614
*Feb  3 16:29:44.791: ISAKMP:(1002):QM Initiator gets spi
*Feb  3 16:29:44.795: ISAKMP:(1002): sending packet to 200.75.141.94 my_port 500 peer_port 500 (I) QM_IDLE     
*Feb  3 16:29:44.795: ISAKMP:(1002):Sending an IKE IPv4 Packet.
*Feb  3 16:29:44.795: ISAKMP:(1002):Node 611381614, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Feb  3 16:29:44.795: ISAKMP:(1002):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Feb  3 16:29:45.167: ISAKMP (1002): received packet from 200.75.141.94 dport 500 sport 500 Global (I) QM_IDLE     
*Feb  3 16:29:45.167: ISAKMP: set new node -976052095 to QM_IDLE     
*Feb  3 16:29:45.167: ISAKMP:(1002): processing HASH payload. message ID = -976052095
*Feb  3 16:29:45.167: ISAKMP:(1002): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
    spi 2873715219, message ID = -976052095, sa = 0x4604B270
*Feb  3 16:29:45.167: ISAKMP:(1002): deleting spi 2873715219 message ID = 611381614
*Feb  3 16:29:45.167: ISAKMP:(1002):deleting node 611381614 error TRUE reason "Delete Larval"
*Feb  3 16:29:45.167: ISAKMP:(1002):deleting node -976052095 error FALSE reason "Informational (in) state 1"
*Feb  3 16:29:45.167: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Feb  3 16:29:45.167: ISAKMP:(1002):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Feb  3 16:30:08.675: ISAKMP:(1002):purging node -1157468569
*Feb  3 16:30:08.675: ISAKMP:(1002):purging node -780745246
*Feb  3 16:30:14.791: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 190.39.111.96:0, remote= 200.75.141.94:0,
    local_proxy= 192.168.150.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.10.8.0/255.255.255.0/0/0 (type=4)
Router#

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Because the logs always show some kind of information about port 500, I created a rule on the WatchGuard which allows the traffic between both peers on port 500 TCP/UDP... The Firebox was in aggressive mode


*Feb  3 16:45:38.795: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 190.39.111.96:500, remote= 200.75.141.94:500,
    local_proxy= 192.168.150.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.10.8.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Feb  3 16:45:38.795: ISAKMP: set new node 0 to QM_IDLE     
*Feb  3 16:45:38.795: SA has outstanding requests  (local 70.4.179.244 port 500, remote 70.4.179.216 port 500)
*Feb  3 16:45:38.795: ISAKMP:(1002): sitting IDLE. Starting QM immediately (QM_IDLE      )
*Feb  3 16:45:38.795: ISAKMP:(1002):beginning Quick Mode exchange, M-ID of -546313401
*Feb  3 16:45:38.799: ISAKMP:(1002):QM Initiator gets spi
*Feb  3 16:45:38.799: ISAKMP:(1002): sending packet to 200.75.141.94 my_port 500 peer_port 500 (I) QM_IDLE     
*Feb  3 16:45:38.799: ISAKMP:(1002):Sending an IKE IPv4 Packet.
*Feb  3 16:45:38.799: ISAKMP:(1002):Node -546313401, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Feb  3 16:45:38.799: ISAKMP:(1002):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Feb  3 16:45:48.799: ISAKMP:(1002): retransmitting phase 2 QM_IDLE       -546313401 ...
*Feb  3 16:45:48.799: ISAKMP (1002): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
*Feb  3 16:45:48.799: ISAKMP (1002): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
*Feb  3 16:45:48.799: ISAKMP:(1002): retransmitting phase 2 -546313401 QM_IDLE     
*Feb  3 16:45:48.799: ISAKMP:(1002): sending packet to 200.75.141.94 my_port 500 peer_port 500 (I) QM_IDLE     
*Feb  3 16:45:48.799: ISAKMP:(1002):Sending an IKE IPv4 Packet.
*Feb  3 16:45:58.799: ISAKMP:(1002): retransmitting phase 2 QM_IDLE       -546313401 ...
*Feb  3 16:45:58.799: ISAKMP (1002): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
*Feb  3 16:45:58.799: ISAKMP (1002): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
*Feb  3 16:45:58.799: ISAKMP:(1002): retransmitting phase 2 -546313401 QM_IDLE     
*Feb  3 16:45:58.799: ISAKMP:(1002): sending packet to 200.75.141.94 my_port 500 peer_port 500 (I) QM_IDLE     
*Feb  3 16:45:58.799: ISAKMP:(1002):Sending an IKE IPv4 Packet.
*Feb  3 16:46:08.795: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 190.39.111.96:0, remote= 200.75.141.94:0,
    local_proxy= 192.168.150.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.10.8.0/255.255.255.0/0/0 (type=4)
*Feb  3 16:46:08.795: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 190.39.111.96:500, remote= 200.75.141.94:500,
    local_proxy= 192.168.150.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.10.8.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Feb  3 16:46:08.795: ISAKMP: set new node 0 to QM_IDLE     
*Feb  3 16:46:08.795: SA has outstanding requests  (local 70.4.179.244 port 500, remote 70.4.179.216 port 500)
*Feb  3 16:46:08.795: ISAKMP:(1002): sitting IDLE. Starting QM immediately (QM_IDLE      )
*Feb  3 16:46:08.795: ISAKMP:(1002):beginning Quick Mode exchange, M-ID of -413703856
*Feb  3 16:46:08.795: ISAKMP:(1002):QM Initiator gets spi
*Feb  3 16:46:08.799: ISAKMP:(1002): sending packet to 200.75.141.94 my_port 500 peer_port 500 (I) QM_IDLE     
*Feb  3 16:46:08.799: ISAKMP:(1002):Sending an IKE IPv4 Packet.
*Feb  3 16:46:08.799: ISAKMP:(1002):Node -413703856, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Feb  3 16:46:08.799: ISAKMP:(1002):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Feb  3 16:46:08.799: ISAKMP:(1002): retransmitting phase 2 QM_IDLE       -546313401 ...
*Feb  3 16:46:08.799: ISAKMP (1002): incrementing error counter on node, attempt 3 of 5: retransmit phase 2
*Feb  3 16:46:08.799: ISAKMP (1002): incrementing error counter on sa, attempt 3 of 5: retransmit phase 2
*Feb  3 16:46:08.799: ISAKMP:(1002): retransmitting phase 2 -546313401 QM_IDLE     
*Feb  3 16:46:08.799: ISAKMP:(1002): sending packet to 200.75.141.94 my_port 500 peer_port 500 (I) QM_IDLE     
*Feb  3 16:46:08.799: ISAKMP:(1002):Sending an IKE IPv4 Packet.
*Feb  3 16:46:18.799: ISAKMP:(1002): retransmitting phase 2 QM_IDLE       -413703856 ...
*Feb  3 16:46:18.799: ISAKMP (1002): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
*Feb  3 16:46:18.799: ISAKMP (1002): incrementing error counter on sa, attempt 4 of 5: retransmit phase 2
*Feb  3 16:46:18.799: ISAKMP:(1002): retransmitting phase 2 -413703856 QM_IDLE     
*Feb  3 16:46:18.799: ISAKMP:(1002): sending packet to 200.75.141.94 my_port 500 peer_port 500 (I) QM_IDLE     
*Feb  3 16:46:18.799: ISAKMP:(1002):Sending an IKE IPv4 Packet.
*Feb  3 16:46:18.799: ISAKMP:(1002): retransmitting phase 2 QM_IDLE       -546313401 ...
*Feb  3 16:46:18.799: ISAKMP (1002): incrementing error counter on node, attempt 4 of 5: retransmit phase 2
*Feb  3 16:46:18.799: ISAKMP (1002): incrementing error counter on sa, attempt 5 of 5: retransmit phase 2
*Feb  3 16:46:18.799: ISAKMP:(1002): retransmitting phase 2 -546313401 QM_IDLE     
*Feb  3 16:46:18.799: ISAKMP:(1002): sending packet to 200.75.141.94 my_port 500 peer_port 500 (I) QM_IDLE     
*Feb  3 16:46:18.799: ISAKMP:(1002):Sending an IKE IPv4 Packet.
*Feb  3 16:46:28.799: ISAKMP:(1002): retransmitting phase 2 QM_IDLE       -413703856 ...
*Feb  3 16:46:28.799: ISAKMP:(1002):peer does not do paranoid keepalives.

*Feb  3 16:46:28.799: ISAKMP:(1002):deleting SA reason "Death by retransmission P2" state (I) QM_IDLE       (peer 200.75.141.94)
*Feb  3 16:46:28.799: ISAKMP:(1002): retransmitting phase 2 QM_IDLE       -546313401 ...
*Feb  3 16:46:28.799: ISAKMP:(1002):peer does not do paranoid keepalives.

*Feb  3 16:46:28.799: ISAKMP: set new node 108764145 to QM_IDLE     
*Feb  3 16:46:28.799: ISAKMP:(1002): sending packet to 200.75.141.94 my_port 500 peer_port 500 (I) QM_IDLE     
*Feb  3 16:46:28.799: ISAKMP:(1002):Sending an IKE IPv4 Packet.
*Feb  3 16:46:28.799: ISAKMP:(1002):purging node 108764145
*Feb  3 16:46:28.803: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Feb  3 16:46:28.803: ISAKMP:(1002):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

*Feb  3 16:46:28.803: ISAKMP:(1002):deleting SA reason "Death by retransmission P2" state (I) QM_IDLE       (peer 200.75.141.94)
*Feb  3 16:46:28.803: ISAKMP:(1002):deleting node -546313401 error FALSE reason "IKE deleted"
*Feb  3 16:46:28.803: ISAKMP:(1002):deleting node -413703856 error FALSE reason "IKE deleted"
*Feb  3 16:46:28.803: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Feb  3 16:46:28.803: ISAKMP:(1002):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

*Feb  3 16:46:38.795: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 190.39.111.96:0, remote= 200.75.141.94:0,
    local_proxy= 192.168.150.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.10.8.0/255.255.255.0/0/0 (type=4)
Router#

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

I tried it again in main mode


*Feb  3 16:39:01.287: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 190.39.111.96:500, remote= 200.75.141.94:500,
    local_proxy= 192.168.150.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.10.8.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Feb  3 16:39:01.287: ISAKMP: set new node 0 to QM_IDLE     
*Feb  3 16:39:01.287: SA has outstanding requests  (local 70.4.179.244 port 500, remote 70.4.179.216 port 500)
*Feb  3 16:39:01.287: ISAKMP:(1002): sitting IDLE. Starting QM immediately (QM_IDLE      )
*Feb  3 16:39:01.287: ISAKMP:(1002):beginning Quick Mode exchange, M-ID of -1926067407
*Feb  3 16:39:01.291: ISAKMP:(1002):QM Initiator gets spi
*Feb  3 16:39:01.291: ISAKMP:(1002): sending packet to 200.75.141.94 my_port 500 peer_port 500 (I) QM_IDLE     
*Feb  3 16:39:01.291: ISAKMP:(1002):Sending an IKE IPv4 Packet.
*Feb  3 16:39:01.291: ISAKMP:(1002):Node -1926067407, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Feb  3 16:39:01.291: ISAKMP:(1002):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Feb  3 16:39:01.563: ISAKMP (1002): received packet from 200.75.141.94 dport 500 sport 500 Global (I) QM_IDLE     
*Feb  3 16:39:01.563: ISAKMP: set new node -192692349 to QM_IDLE     
*Feb  3 16:39:01.563: ISAKMP:(1002): processing HASH payload. message ID = -192692349
*Feb  3 16:39:01.563: ISAKMP:(1002): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
    spi 113663412, message ID = -192692349, sa = 0x4604B270
*Feb  3 16:39:01.563: ISAKMP:(1002): deleting spi 113663412 message ID = -1926067407
*Feb  3 16:39:01.563: ISAKMP:(1002):deleting node -1926067407 error TRUE reason "Delete Larval"
*Feb  3 16:39:01.563: ISAKMP:(1002):deleting node -192692349 error FALSE reason "Informational (in) state 1"
*Feb  3 16:39:01.563: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Feb  3 16:39:01.567: ISAKMP:(1002):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Router#
*Feb  3 16:39:31.287: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 190.39.111.96:0, remote= 200.75.141.94:0,
    local_proxy= 192.168.150.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.10.8.0/255.255.255.0/0/0 (type=4)
*Feb  3 16:39:31.287: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 190.39.111.96:500, remote= 200.75.141.94:500,
    local_proxy= 192.168.150.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.10.8.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Feb  3 16:39:31.287: ISAKMP: set new node 0 to QM_IDLE     
*Feb  3 16:39:31.287: SA has outstanding requests  (local 70.4.179.244 port 500, remote 70.4.179.216 port 500)
*Feb  3 16:39:31.287: ISAKMP:(1002): sitting IDLE. Starting QM immediately (QM_IDLE      )
*Feb  3 16:39:31.287: ISAKMP:(1002):beginning Quick Mode exchange, M-ID of 1932344004
*Feb  3 16:39:31.287: ISAKMP:(1002):QM Initiator gets spi
*Feb  3 16:39:31.291: ISAKMP:(1002): sending packet to 200.75.141.94 my_port 500 peer_port 500 (I) QM_IDLE     
*Feb  3 16:39:31.291: ISAKMP:(1002):Sending an IKE IPv4 Packet.
*Feb  3 16:39:31.291: ISAKMP:(1002):Node 1932344004, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Feb  3 16:39:31.291: ISAKMP:(1002):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Feb  3 16:39:31.455: ISAKMP (1002): received packet from 200.75.141.94 dport 500 sport 500 Global (I) QM_IDLE     
*Feb  3 16:39:31.455: ISAKMP: set new node -1825141925 to QM_IDLE     
*Feb  3 16:39:31.455: ISAKMP:(1002): processing HASH payload. message ID = -1825141925
*Feb  3 16:39:31.455: ISAKMP:(1002): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
    spi 807016726, message ID = -1825141925, sa = 0x4604B270
*Feb  3 16:39:31.455: ISAKMP:(1002): deleting spi 807016726 message ID = 1932344004
*Feb  3 16:39:31.455: ISAKMP:(1002):deleting node 1932344004 error TRUE reason "Delete Larval"
*Feb  3 16:39:31.459: ISAKMP:(1002):deleting node -1825141925 error FALSE reason "Informational (in) state 1"
*Feb  3 16:39:31.459: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Feb  3 16:39:31.459: ISAKMP:(1002):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Feb  3 16:39:51.563: ISAKMP:(1002):purging node -1926067407
*Feb  3 16:39:51.563: ISAKMP:(1002):purging node -192692349
*Feb  3 16:40:01.287: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 190.39.111.96:0, remote= 200.75.141.94:0,
    local_proxy= 192.168.150.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.10.8.0/255.255.255.0/0/0 (type=4)
Router#

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Well fellas, I really hope this information can help you help me find the solution.

Thanks a lot.
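For the debug output in the post above, an added example (not part of the original post) that pairs each Quick Mode attempt with the Phase 2 proposal the router offered and with how the attempt ended: refused by the peer with PROPOSAL_NOT_CHOSEN, or never answered. The function name and outcome labels are assumptions of this example; the sample lines are excerpted, abridged, from the log above.

```python
import re

# Lines excerpted from the debug output posted above (abridged).
SAMPLE = '''\
*Feb  3 16:39:01.287: IPSEC(sa_request): ,
    local_proxy= 192.168.150.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.10.8.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Feb  3 16:39:01.287: ISAKMP:(1002):beginning Quick Mode exchange, M-ID of -1926067407
*Feb  3 16:39:01.563: ISAKMP:(1002): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
*Feb  3 16:39:01.563: ISAKMP:(1002):deleting node -1926067407 error TRUE reason "Delete Larval"
*Feb  3 16:45:38.799: ISAKMP:(1002):beginning Quick Mode exchange, M-ID of -546313401
*Feb  3 16:46:28.799: ISAKMP:(1002):deleting SA reason "Death by retransmission P2" state (I) QM_IDLE       (peer 200.75.141.94)
'''

FIELDS = {  # Phase 2 parameters the router offers, as printed by IPSEC(sa_request)
    "local_proxy": r"local_proxy= (\S+)",
    "remote_proxy": r"remote_proxy= (\S+)",
    "transform": r"transform= (.+?)\s+\(",
    "lifedur": r"lifedur= (.+?),",
    "keysize": r"keysize= (\d+)",
}
QM_START = re.compile(r"beginning Quick Mode exchange, M-ID of (-?\d+)")
LARVAL = re.compile(r'deleting node (-?\d+) error TRUE reason "Delete Larval"')

def quick_mode_attempts(log):
    """Return one record per Quick Mode attempt: M-ID, offered proposal, outcome."""
    offer, attempts, notified = {}, {}, False
    for line in log.splitlines():
        if "IPSEC(sa_request)" in line:
            offer = {}  # each sa_request prints a fresh proposal
        for name, pattern in FIELDS.items():
            m = re.search(pattern, line)
            if m:
                offer[name] = m.group(1)
        if (m := QM_START.search(line)):
            attempts[m.group(1)] = {"offer": dict(offer), "outcome": "pending"}
        if "NOTIFY PROPOSAL_NOT_CHOSEN" in line:
            notified = True  # peer refused the offered Phase 2 proposal
        if (m := LARVAL.search(line)) and m.group(1) in attempts:
            attempts[m.group(1)]["outcome"] = "rejected" if notified else "deleted"
            notified = False
        if "Death by retransmission P2" in line:  # peer never answered
            for a in attempts.values():
                if a["outcome"] == "pending":
                    a["outcome"] = "no_reply"
    return attempts
```

The `offer` recorded for a rejected attempt (proxy identities, transform, key size, lifetimes) is the set of values to compare against the peer's Phase 2 settings.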

Hi Luis,

Did you get it working?

At the moment I have a similar problem.

VPN between Cisco IOS and a WatchGuard Firebox with the following error output:

deleting node  error TRUE reason "Delete Larval"

cheers

daniel

Hi Daniel, it was really hard but we did it. I actually have around 10 tunnels working this way. I'll post the solution here eventually, just give me a moment because I'm really busy at work. I'll be contacting you this way as soon as I can.

Regards,

Hi Luis,

Could you please send me the solution?

Thanks in advance

daniel

Hey, it's been 2 years. How long does it take to post something?

Where is the solution, man.....
