Asa 5520 L2TP IPSEC and Cisco 837:Challenge 1

[jaramos]

Dear team.
I waste at least a week, trying to solve this trouble. I'm going crazy...
Road Warriors using l2tp ipse windows can't connect.
Schema:
Inside Network (VLAN5)---ASA--Cisco 837(PAT)---Internet Cloud---DSLRouter---L2tp ipsec Windows Client
Cisco 837 is connected directly to ASA Internet Interface. Cisco 837 is working with PAT. Config:
Current configuration : 4252 bytes
!
version 12.4
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname Router_ADSL_CQM
!
boot-start-marker
boot-end-marker
!
logging buffered 32000 warnings
enable secret 5 xxxxxxxxxxxx
!
no aaa new-model
clock timezone ESP 1
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.32
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.10
!
ip dhcp pool CLIENT
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 80.58.61.250 80.58.61.254
lease 0 2
!
!
ip cef
ip name-server 80.58.61.250
ip name-server 80.58.61.254
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip inspect name myfw esmtp timeout 3600
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no cdp enable
hold-queue 32 in
hold-queue 100 out
!
interface Ethernet2
ip address 192.168.2.1 255.255.255.0
ip virtual-reassembly
no cdp enable
hold-queue 32 in
hold-queue 100 out
!
interface ATM0
no ip address
no ip route-cache cef
no ip route-cache
no ip mroute-cache
no atm auto-configuration
no atm ilmi-keepalive
no atm address-registration
no atm ilmi-enable
bundle-enable
dsl operating-mode auto
hold-queue 208 in
pvc 0/16 ilmi
!
!
interface ATM0.1 point-to-point
ip address X.X.X.X X.X.X.X
ip nat outside
ip virtual-reassembly
no ip route-cache
no ip mroute-cache
pvc 8/32
encapsulation aal5snap
!
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 ATM0.1
!
ip http server
no ip http secure-server
!
ip nat inside source list 102 interface ATM0.1 overload
ip nat inside source static 192.168.1.10 interface ATM0.1
!
logging history size 250
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 permit icmp host 192.168.1.38 any
access-list 105 permit ip host 192.168.1.38 any
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq domain any
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 permit tcp any any eq 5000
access-list 111 permit tcp any any eq 5010
access-list 111 permit tcp any any eq 5020
access-list 111 permit udp any eq isakmp any eq isakmp
access-list 111 permit esp any any
access-list 111 permit udp any any eq 1701
access-list 111 permit esp any any log
access-list 111 permit udp any any eq non500-isakmp
access-list 111 permit tcp any any eq 51
access-list 122 permit ip any any
no cdp run
!
!
!
control-plane
!
!
line con 0
no modem enable
transport output all
line aux 0
transport output all
line vty 0 4
exec-timeout 120 0
login local
length 0
transport input all
transport output all
!
scheduler max-task-time 5000
end

##########ASA main config#############
interface GigabitEthernet0/0
description VLAN5
speed 1000
duplex full
nameif VLAN5
security-level 100
ip address 57.236.92.69 255.255.255.240 standby 57.236.92.70
ospf cost 10
!
interface GigabitEthernet0/1.123
description ES-Internet-VLAN123
vlan 123
nameif INTERNET
security-level 0
ip address 192.168.1.10 255.255.255.0 standby 192.168.1.11
ospf cost 10

access-list DefaultRAGroup_splitTunnelAcl standard permit 57.236.92.0 255.255.255.0
access-list VLAN5_nat0_outbound extended permit ip 57.236.92.0 255.255.255.0 209.165.201.0 255.255.255.0
nat (VLAN5) 0 access-list VLAN5_nat0_outbound
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set l2tp-ipsec esp-3des esp-md5-hmac
crypto ipsec transform-set l2tp-ipsec mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map cisco 20 set transform-set l2tp-ipsec
crypto dynamic-map cisco 20 set security-association lifetime seconds 28800
crypto dynamic-map cisco 20 set security-association lifetime kilobytes 4608000
crypto map mymap 60000 ipsec-isakmp dynamic cisco
crypto map mymap interface INTERNET
crypto isakmp enable INTERNET
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 30
route INTERNET 212.122.120.186 255.255.255.255 192.168.1.1 1
(212.122.120.186 Ip address of road warrior, Interface Internet doesn't have 0.0.0.0 0.0.0.0 route)
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
username uservpn1 password xxxxxxxxxxx nt-encrypted privilege 0
username uservpn1 attributes
vpn-group-policy DfltGrpPolicy
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
tunnel-group DefaultRAGroup general-attributes
address-pool IP_Pool_VPN
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
isakmp keepalive disable
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
sysopt connection permit-vpn

If I connect my laptop to cisco 837 router, vpn is created sucesfully, but if I try to connect from Internet, doesn't connect, NAT-T issue?. LOG output:

CQM1-CASA5520-01# debug crypto isakmp 5
CQM1-CASA5520-01# terminal monitor
CQM1-CASA5520-01# May 19 11:37:34 [IKEv1 DEBUG]: IP = 212.122.120.186, Oakley proposal is acceptable
May 19 11:37:34 [IKEv1 DEBUG]: IP = 212.122.120.186, IKE SA Proposal # 1, Transform # 3 acceptable Matches global IKE entry # 2
May 19 11:37:34 [IKEv1]: IP = 212.122.120.186, Connection landed on tunnel_group DefaultRAGroup
May 19 11:37:34 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Automatic NAT Detection Status: Remote end IS behind a NAT device This end IS behind a NAT device
May 19 11:37:34 [IKEv1]: IP = 212.122.120.186, Connection landed on tunnel_group DefaultRAGroup
May 19 11:37:34 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Freeing previously allocated memory for authorization-dn-attributes
May 19 11:37:34 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, PHASE 1 COMPLETED
May 19 11:37:34 [IKEv1]: IP = 212.122.120.186, Keep-alive type for this connection: None
May 19 11:37:34 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 212.122.120.186, Starting P1 rekey timer: 21600 seconds.
May 19 11:37:34 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Received remote Proxy Host FQDN in ID Payload: Host Name: nany Address 212.122.120.186, Protocol 17, Port 1701
May 19 11:37:34 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Received local Proxy Host data in ID Payload: Address 79.148.252.117, Protocol 17, Port 1701
May 19 11:37:34 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, L2TP/IPSec session detected.
May 19 11:37:34 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, QM IsRekeyed old sa not found by addr
May 19 11:37:34 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 212.122.120.186, Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
May 19 11:37:34 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, IKE Remote Peer configured for crypto map: cisco
May 19 11:37:34 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 212.122.120.186, processing IPSec SA payload
May 19 11:37:34 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 212.122.120.186, IPSec SA Proposal # 1, Transform # 1 acceptable Matches global IPSec SA entry # 20
May 19 11:37:34 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, IKE: requesting SPI!
May 19 11:37:34 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 212.122.120.186, Transmitting Proxy Id:
Remote host: 212.122.120.186 Protocol 17 Port 0
Local host: 192.168.1.10 Protocol 17 Port 1701
May 19 11:37:34 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Security negotiation complete for User () Responder, Inbound SPI = 0x7b12214f, Outbound SPI = 0x4435f6f8
May 19 11:37:34 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 212.122.120.186, Starting P2 rekey timer: 3060 seconds.
May 19 11:37:34 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, PHASE 2 COMPLETED (msgid=e1965ba4)
May 19 11:37:34 [IKEv1]: IKEQM_Active() Add L2TP classification rules: ip <212.122.120.186> mask <0xFFFFFFFF> port <4500>
May 19 11:37:34 [IKEv1 DEBUG]: IP = 212.122.120.186, Oakley proposal is acceptable
May 19 11:37:34 [IKEv1 DEBUG]: IP = 212.122.120.186, IKE SA Proposal # 1, Transform # 3 acceptable Matches global IKE entry # 2
May 19 11:37:34 [IKEv1]: IP = 212.122.120.186, Connection landed on tunnel_group DefaultRAGroup
May 19 11:37:34 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Automatic NAT Detection Status: Remote end IS behind a NAT device This end IS behind a NAT device
May 19 11:37:34 [IKEv1]: IP = 212.122.120.186, Connection landed on tunnel_group DefaultRAGroup
May 19 11:37:34 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Freeing previously allocated memory for authorization-dn-attributes
May 19 11:37:34 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 212.122.120.186, Peer negotiated phase 1 rekey
May 19 11:37:34 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, PHASE 1 COMPLETED
May 19 11:37:34 [IKEv1]: IP = 212.122.120.186, Keep-alive type for this connection: None
May 19 11:37:34 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 212.122.120.186, Starting P1 rekey timer: 21600 seconds.
May 19 11:37:34 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Received remote Proxy Host FQDN in ID Payload: Host Name: nany Address 212.122.120.186, Protocol 17, Port 1701
May 19 11:37:34 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Received local Proxy Host data in ID Payload: Address 192.168.1.10, Protocol 17, Port 1701
May 19 11:37:34 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, L2TP/IPSec session detected.
May 19 11:37:34 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 212.122.120.186, Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
May 19 11:37:34 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, IKE Remote Peer configured for crypto map: cisco
May 19 11:37:34 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 212.122.120.186, processing IPSec SA payload
May 19 11:37:34 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 212.122.120.186, IPSec SA Proposal # 1, Transform # 1 acceptable Matches global IPSec SA entry # 20
May 19 11:37:34 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, IKE: requesting SPI!
May 19 11:37:34 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 212.122.120.186, Transmitting Proxy Id:
Remote host: 212.122.120.186 Protocol 17 Port 0
Local host: 192.168.1.10 Protocol 17 Port 1701
May 19 11:37:34 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Security negotiation complete for User () Responder, Inbound SPI = 0xf50dff95, Outbound SPI = 0xba3278ff
May 19 11:37:34 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 212.122.120.186, Starting P2 rekey timer: 3060 seconds.
May 19 11:37:34 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, PHASE 2 COMPLETED (msgid=6bdc6d8e)
May 19 11:37:34 [IKEv1]: IKEQM_Active() Add L2TP classification rules: ip <212.122.120.186> mask <0xFFFFFFFF> port <4500>
May 19 11:37:34 [IKEv1 DEBUG]: IP = 212.122.120.186, Oakley proposal is acceptable
May 19 11:37:34 [IKEv1 DEBUG]: IP = 212.122.120.186, IKE SA Proposal # 1, Transform # 3 acceptable Matches global IKE entry # 2
May 19 11:37:34 [IKEv1]: IP = 212.122.120.186, Connection landed on tunnel_group DefaultRAGroup
May 19 11:37:35 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Automatic NAT Detection Status: Remote end IS behind a NAT device This end IS behind a NAT device
May 19 11:37:35 [IKEv1]: IP = 212.122.120.186, Connection landed on tunnel_group DefaultRAGroup
May 19 11:37:35 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Freeing previously allocated memory for authorization-dn-attributes
May 19 11:37:35 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 212.122.120.186, Peer negotiated phase 1 rekey
May 19 11:37:35 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, PHASE 1 COMPLETED
May 19 11:37:35 [IKEv1]: IP = 212.122.120.186, Keep-alive type for this connection: None
May 19 11:37:35 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 212.122.120.186, Starting P1 rekey timer: 21600 seconds.
May 19 11:37:35 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Received remote Proxy Host FQDN in ID Payload: Host Name: nany Address 212.122.120.186, Protocol 17, Port 1701
May 19 11:37:35 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Received local Proxy Host data in ID Payload: Address 192.168.1.10, Protocol 17, Port 1701
May 19 11:37:35 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, L2TP/IPSec session detected.
May 19 11:37:35 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, QM IsRekeyed sa already being rekeyed
May 19 11:37:35 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, QM FSM error (P2 struct &0xc94686a8, mess id 0x24983b7f)!
May 19 11:37:35 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 212.122.120.186, IKE QM Responder FSM error history (struct &0xc94686a8) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH-->QM_BLD_MSG2, EV_VALIDATE_MSG
May 19 11:37:35 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Removing peer from correlator table failed, no match!
May 19 11:37:35 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Received remote Proxy Host FQDN in ID Payload: Host Name: nany Address 212.122.120.186, Protocol 17, Port 1701
May 19 11:37:35 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Received local Proxy Host data in ID Payload: Address 192.168.1.10, Protocol 17, Port 1701
May 19 11:37:35 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, L2TP/IPSec session detected.
May 19 11:37:35 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, QM IsRekeyed sa already being rekeyed
May 19 11:37:35 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, QM FSM error (P2 struct &0xc927c758, mess id 0x24983b7f)!
May 19 11:37:35 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 212.122.120.186, IKE QM Responder FSM error history (struct &0xc927c758) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH-->QM_BLD_MSG2, EV_VALIDATE_MSG
May 19 11:37:35 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Removing peer from correlator table failed, no match!
May 19 11:37:37 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Received remote Proxy Host FQDN in ID Payload: Host Name: nany Address 212.122.120.186, Protocol 17, Port 1701
May 19 11:37:37 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Received local Proxy Host data in ID Payload: Address 192.168.1.10, Protocol 17, Port 1701
May 19 11:37:37 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, L2TP/IPSec session detected.
May 19 11:37:37 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, QM IsRekeyed sa already being rekeyed
May 19 11:37:37 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, QM FSM error (P2 struct &0xc927c758, mess id 0x24983b7f)!
May 19 11:37:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 212.122.120.186, IKE QM Responder FSM error history (struct &0xc927c758) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH-->QM_BLD_MSG2, EV_VALIDATE_MSG
May 19 11:37:37 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Removing peer from correlator table failed, no match!
May 19 11:37:41 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Received remote Proxy Host FQDN in ID Payload: Host Name: nany Address 212.122.120.186, Protocol 17, Port 1701
May 19 11:37:41 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Received local Proxy Host data in ID Payload: Address 192.168.1.10, Protocol 17, Port 1701
May 19 11:37:41 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, L2TP/IPSec session detected.
May 19 11:37:41 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, QM IsRekeyed sa already being rekeyed
May 19 11:37:41 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, QM FSM error (P2 struct &0xc927c758, mess id 0x24983b7f)!
May 19 11:37:41 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 212.122.120.186, IKE QM Responder FSM error history (struct &0xc927c758) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH-->QM_BLD_MSG2, EV_VALIDATE_MSG
May 19 11:37:41 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Removing peer from correlator table failed, no match!
May 19 11:37:47 [IKEv1]: IP = 212.122.120.186, Received encrypted packet with no matching SA, dropping
May 19 11:37:47 [IKEv1]: IP = 212.122.120.186, Received encrypted packet with no matching SA, dropping
May 19 11:37:47 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Connection terminated for peer . Reason: Peer Terminate Remote Proxy N/A, Local Proxy N/A
May 19 11:37:47 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 212.122.120.186, IKE Deleting SA: Remote Proxy 212.122.120.186, Local Proxy 192.168.1.10
May 19 11:37:47 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 212.122.120.186, IKE Deleting SA: Remote Proxy 212.122.120.186, Local Proxy 192.168.1.10
May 19 11:37:47 [IKEv1]: Ignoring msg to mark SA with dsID 1449984 dead because SA deleted

As you can see tree times is stablished PHASE 1, and two times PHASE 2... very strange...
Thanks in advance for you support!!

 

[unclerico]

what error do you receive on the client??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[jaramos]

Error 678: the remote computer did not respond. for further assistance ...
Windows XP SP3. I tested without pat in the client side, but it didn't work too.
So, maybe something wrong with NAT-T in the ASA side. I checked whith another router Dlink instead cisco 837, but the error was the same.
Tip: ASA is working in failover mode and with VLAN in the internet interface.
Maybe its help you...

 

[jaramos]

Resolved:

http://support.microsoft.com/?scid=kb;en-us;885407&x=13&y=7

with:
AssumeUDPEncapsulationContextOnSendRule=2

 

[unclerico]

good call. thanks for posting the resolution. have a star

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)