Configuring L2TP/IPSec on Cisco Router 2911

cisco-vpnipsecl2tp

Hi all, I have a problem with the L2TP/IPSec configuration on a Cisco 2911 router. I cannot connect via the Windows 7, 8.1, 10 built-in VPN client.

Here is my config:

aaa new-model
aaa authentication ppp L2TP-LOGIN local
username l2tpuser password cisco
!
vpdn enable
vpdn-group L2TP-GR
 description L2TP over IPSec
 accept-dialin
  protocol l2tp
  virtual-template 2
  exit
 no l2tp tunnel authentication
 session-limit 20
 exit
!
ip local pool L2TP-POOL 172.16.23.100 172.16.23.200
interface Virtual-Template2
 description L2TP over IPSec Template
 ip unnumbered FastEthernet0/1
 peer default ip address pool L2TP-POOL
 no keepalive
 ppp authentication ms-chap-v2 L2TP-LOGIN
 ppp mtu adaptive
 exit
!
crypto isakmp enable
crypto logging session
crypto isakmp invalid-spi-recovery
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
 hash md5
 exit
!
crypto keyring L2TP-KEY
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123cisco
 exit
!
crypto isakmp profile L2TP-PROF
 keyring L2TP-KEY
 match identity address 0.0.0.0
 exit
!
crypto ipsec transform-set L2TP-TRSET esp-3des esp-md5-hmac
 mode transport
 exit
!
crypto dynamic-map DYN-L2TP-MAP 10
 set isakmp-profile L2TP-PROF
 set transform-set L2TP-TRSET
 set nat demux
 exit
!
crypto map L2TP-MAP 65535 ipsec-isakmp dynamic DYN-L2TP-MAP
!
interface gi0/0
 description WAN
 crypto map L2TP-MAP
 exit
!

What's the problem? Where am I wrong?

Updated

.Apr  3 08:16:16.610: ISAKMP (1070): received packet from 192.168.7.92 dport 
500 sport 500 Global (R) QM_IDLE
.Apr  3 08:16:16.610: ISAKMP: set new node -1169728138 to QM_IDLE
.Apr  3 08:16:16.610: crypto_engine: Decrypt IKE packet
.Apr  3 08:16:16.610: crypto_engine: Generate IKE hash
.Apr  3 08:16:16.610: ISAKMP:(1070): processing HASH payload. message ID = 
3125239158
.Apr  3 08:16:16.610: ISAKMP:(1070): processing DELETE payload. message ID = 
3125239158
.Apr  3 08:16:16.610: ISAKMP:(1070):peer does not do paranoid keepalives.

.Apr  3 08:16:16.610: ISAKMP:(1070):deleting node -1169728138 error FALSE 
reason "Informational (in) state 1"
.Apr  3 08:16:16.610: ISAKMP (1070): received packet from 192.168.7.92 dport 
500 sport 500 Global (R) QM_IDLE
.Apr  3 08:16:16.610: ISAKMP: set new node -1213364179 to QM_IDLE
.Apr  3 08:16:16.610: crypto_engine: Decrypt IKE packet
.Apr  3 08:16:16.610: crypto_engine: Generate IKE hash
.Apr  3 08:16:16.610: ISAKMP:(1070): processing HASH payload. message ID = 
3081603117
.Apr  3 08:16:16.614: ISAKMP:(1070): processing DELETE payload. message ID = 
3081603117
.Apr  3 08:16:16.614: ISAKMP:(1070):peer does not do paranoid keepalives.

.Apr  3 08:16:16.614: ISAKMP:(1070):deleting SA reason "No reason" state (R) 
QM_IDLE       (peer 192.168.7.92)
.Apr  3 08:16:16.614: ISAKMP:(1070):deleting node -1213364179 error FALSE 
reason "Informational (in) state 1"
.Apr  3 08:16:16.618: IPSEC(key_engine): got a queue event with 1 KMI 
message(s)
.Apr  3 08:16:16.618: IPSEC(key_engine_delete_sas): rec'd delete notify from 
ISAKMP
.Apr  3 08:16:16.618: IPSEC(key_engine_delete_sas): delete SA with spi 
0x3D3ED559 proto 50 for 192.168.7.92
.Apr  3 08:16:16.618: crypto_engine: Pull flow statistics
.Apr  3 08:16:16.618: crypto_engine_ipsec_flow_pull_statistics: calling 
driver
.Apr  3 08:16:16.618: ISAKMP: set new node -1561337744 to QM_IDLE
.Apr  3 08:16:16.618: crypto_engine: Generate IKE hash
.Apr  3 08:16:16.618: crypto_engine: Encrypt IKE packet
.Apr  3 08:16:16.618: ISAKMP:(1070): sending packet to 192.168.7.92 my_port 
500 peer_port 500 (R) QM_IDLE
.Apr  3 08:16:16.618: ISAKMP:(1070):Sending an IKE IPv4 Packet.
.Apr  3 08:16:16.618: ISAKMP:(1070):purging node -1561337744
.Apr  3 08:16:16.618: ISAKMP:(1070):Input = IKE_MESG_INTERNAL, 
IKE_PHASE1_DEL
.Apr  3 08:16:16.618: ISAKMP:(1070):Old State = IKE_P1_COMPLETE  New State = 
IKE_DEST_SA

.Apr  3 08:16:16.618: ISAKMP:(1070):deleting SA reason "No reason" state (R) 
QM_IDLE       (peer 192.168.7.92)
.Apr  3 08:16:16.618: ISAKMP: Unlocking peer struct 0x3DB5A12C for 
isadb_mark_sa_deleted(), count 0
.Apr  3 08:16:16.622: crypto engine: deleting IKE SA SW:70
.Apr  3 08:16:16.622: crypto_engine: Delete IKE SA
.Apr  3 08:16:16.622: IKE HA: Removing one interface using VIP 0.0.0.0
.Apr  3 08:16:16.622: IKE HA: No database for VIP 0.0.0.0.  Cannot delete
.Apr  3 08:16:16.622: IPSec HA: Removing one interface using VIP 0.0.0.0
.Apr  3 08:16:16.622: IPSec HA: No database for VIP 0.0.0.0.  Cannot delete
.Apr  3 08:16:16.622: ISAKMP:(1070):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
.Apr  3 08:16:16.622: ISAKMP:(1070):Old State = IKE_DEST_SA  New State = 
IKE_DEST_SA

.Apr  3 08:16:16.622: crypto_engine: Pull sadb-ivrf statistics
.Apr  3 08:16:16.622: crypto_engine_ipsec_sadb_ivrf_pull_statistics: call 
driver
.Apr  3 08:16:16.622: crypto_engine: Pull sadb-ivrf statistics, got error 
unsupported operation
.Apr  3 08:16:16.622:  ISAKMP: Failed to find peer index node to update 
peer_info_list
.Apr  3 08:16:16.622: IPSEC(update_current_outbound_sa): updated peer 
192.168.7.92 current outbound sa to SPI 3D3ED559
.Apr  3 08:16:16.622: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= XX, sa_proto= 50,
sa_spi= 0x6D6766BE(1835493054),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2109
sa_lifetime(k/sec)= (250000/3600),
(identity) local= XX:0, remote= 192.168.7.92:0,
local_proxy= XX/ 255.255.255.255/17/1701,
remote_proxy= 192.168.7.92/255.255.255.255/17/1701
.Apr  3 08:16:16.622: IPSEC(update_current_outbound_sa): updated peer 
192.168.7.92 current outbound sa to SPI 3D3ED559
.Apr  3 08:16:16.622: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 192.168.7.92, sa_proto= 50,
sa_spi= 0x3D3ED559(1027528025),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2110
sa_lifetime(k/sec)= (250000/3600),

(identity) local= XX:0, remote= 192.168.7.92:0,
local_proxy= XX/255.255.255.255/17/1701,
remote_proxy= 192.168.7.92/255.255.255.255/17/1701
.Apr 3 08:16:16.622: crypto engine: deleting IPSec SA Onboard VPN:109
.Apr 3 08:16:16.626: crypto_engine: Delete IPSec SA
.Apr 3 08:16:16.626: crypto engine: deleting IPSec SA Onboard VPN:110
.Apr 3 08:16:16.630: crypto_engine: Delete IPSec SA
.Apr 3 08:16:16.634: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer
192.168.7.92:500 Id: 192.168.7.92
ATVRouter#
.Apr 3 08:16:16.634: ISAKMP: Deleting peer node by peer_reap for
192.168.7.92: 3DB5A12C
.Apr 3 08:16:16.634: IPSEC(key_engine): got a queue event with 1 KMI
message(s)
ATVRouter#
.Apr 3 08:16:20.082: ISAKMP (0): received packet from 192.168.7.92 dport 500
sport 500 Global (N) NEW SA
.Apr 3 08:16:20.082: ISAKMP: Created a peer struct for 192.168.7.92, peer
port 500
.Apr 3 08:16:20.082: ISAKMP: New peer created peer = 0x23781594 peer_handle
= 0x80000065
.Apr 3 08:16:20.082: ISAKMP: Locking peer struct 0x23781594, refcount 1 for
crypto_isakmp_process_block
.Apr 3 08:16:20.082: ISAKMP: local port 500, remote port 500
.Apr 3 08:16:20.082: ISAKMP: Find a dup sa in the avl tree during calling
isadb_insert sa = 3DA06FE8
.Apr 3 08:16:20.082: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
.Apr 3 08:16:20.082: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1

.Apr 3 08:16:20.082: ISAKMP:(0): processing SA payload. message ID = 0
.Apr 3 08:16:20.082: ISAKMP:(0): processing vendor id payload
.Apr 3 08:16:20.082: ISAKMP:(0): processing IKE frag vendor id payload
.Apr 3 08:16:20.082: ISAKMP:(0):Support for IKE Fragmentation not enabled
.Apr 3 08:16:20.082: ISAKMP:(0): processing vendor id payload
.Apr 3 08:16:20.086: ISAKMP:(0): vendor ID seems Unity/DPD but major 69
mismatch
.Apr 3 08:16:20.086: ISAKMP (0): vendor ID is NAT-T RFC 3947
.Apr 3 08:16:20.086: ISAKMP:(0): processing vendor id payload
.Apr 3 08:16:20.086: ISAKMP:(0): vendor ID seems Unity/DPD but major 123
mismatch
.Apr 3 08:16:20.086: ISAKMP:(0): vendor ID is NAT-T v2
.Apr 3 08:16:20.086: ISAKMP:(0): processing vendor id payload
.Apr 3 08:16:20.086: ISAKMP:(0): vendor ID seems Unity/DPD but major 194
mismatch
.Apr 3 08:16:20.086: ISAKMP:(0): processing vendor id payload
.Apr 3 08:16:20.086: ISAKMP:(0): vendor ID seems Unity/DPD but major 241
mismatch
.Apr 3 08:16:20.086: ISAKMP:(0): processing vendor id payload
.Apr 3 08:16:20.086: ISAKMP:(0): vendor ID seems Unity/DPD but major 184
mismatch
.Apr 3 08:16:20.086: ISAKMP:(0): processing vendor id payload
.Apr 3 08:16:20.086: ISAKMP:(0): vendor ID seems Unity/DPD but major 134
mismatch
.Apr 3 08:16:20.086: ISAKMP:(0):found peer pre-shared key matching
192.168.7.92
.Apr 3 08:16:20.086: ISAKMP:(0): local preshared key found
.Apr 3 08:16:20.086: ISAKMP : Scanning profiles for xauth …
.Apr 3 08:16:20.086: ISAKMP:(0):Checking ISAKMP transform 1 against priority
1 policy
.Apr 3 08:16:20.086: ISAKMP: encryption AES-CBC
.Apr 3 08:16:20.086: ISAKMP: keylength of 256
.Apr 3 08:16:20.086: ISAKMP: hash SHA
.Apr 3 08:16:20.086: ISAKMP: default group 20
.Apr 3 08:16:20.086: ISAKMP: auth pre-share
.Apr 3 08:16:20.086: ISAKMP: life type in seconds
.Apr 3 08:16:20.086: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
.Apr 3 08:16:20.086: ISAKMP:(0):Encryption algorithm offered does not match
policy!
.Apr 3 08:16:20.086: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Apr 3 08:16:20.086: ISAKMP:(0):Checking ISAKMP transform 2 against priority
1 policy
.Apr 3 08:16:20.086: ISAKMP: encryption AES-CBC
.Apr 3 08:16:20.086: ISAKMP: keylength of 128
.Apr 3 08:16:20.086: ISAKMP: hash SHA
.Apr 3 08:16:20.086: ISAKMP: default group 19
.Apr 3 08:16:20.086: ISAKMP: auth pre-share
.Apr 3 08:16:20.086: ISAKMP: life type in seconds
.Apr 3 08:16:20.086: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
.Apr 3 08:16:20.086: ISAKMP:(0):Encryption algorithm offered does not match
policy!
.Apr 3 08:16:20.086: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Apr 3 08:16:20.086: ISAKMP:(0):Checking ISAKMP transform 3 against priority
1 policy
.Apr 3 08:16:20.086: ISAKMP: encryption AES-CBC
.Apr 3 08:16:20.086: ISAKMP: keylength of 256
.Apr 3 08:16:20.086: ISAKMP: hash SHA
.Apr 3 08:16:20.086: ISAKMP: default group 14
.Apr 3 08:16:20.086: ISAKMP: auth pre-share
.Apr 3 08:16:20.086: ISAKMP: life type in seconds
.Apr 3 08:16:20.086: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
.Apr 3 08:16:20.090: ISAKMP:(0):Encryption algorithm offered does not match
policy!
.Apr 3 08:16:20.090: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Apr 3 08:16:20.090: ISAKMP:(0):Checking ISAKMP transform 4 against priority
1 policy
.Apr 3 08:16:20.090: ISAKMP: encryption 3DES-CBC
.Apr 3 08:16:20.090: ISAKMP: hash SHA
.Apr 3 08:16:20.090: ISAKMP: default group 14
.Apr 3 08:16:20.090: ISAKMP: auth pre-share
.Apr 3 08:16:20.090: ISAKMP: life type in seconds
.Apr 3 08:16:20.090: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
.Apr 3 08:16:20.090: ISAKMP:(0):Diffie-Hellman group offered does not match policy!
.Apr 3 08:16:20.090: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Apr 3 08:16:20.090: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
.Apr 3 08:16:20.090: ISAKMP: encryption 3DES-CBC
.Apr 3 08:16:20.090: ISAKMP: hash SHA
.Apr 3 08:16:20.090: ISAKMP: default group 2
.Apr 3 08:16:20.090: ISAKMP: auth pre-share
.Apr 3 08:16:20.090: ISAKMP: life type in seconds
.Apr 3 08:16:20.090: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
.Apr 3 08:16:20.090: ISAKMP:(0):atts are acceptable. Next payload is 0
.Apr 3 08:16:20.090: ISAKMP:(0):Acceptable atts:actual life: 0
.Apr 3 08:16:20.090: ISAKMP:(0):Acceptable atts:life: 0
.Apr 3 08:16:20.090: ISAKMP:(0):Fill atts in sa vpi_length:4
.Apr 3 08:16:20.090: ISAKMP:(0):Fill atts in sa life_in_seconds:28800
.Apr 3 08:16:20.090: ISAKMP:(0):Returning Actual lifetime: 28800
.Apr 3 08:16:20.090: ISAKMP:(0)::Started lifetime timer: 28800.
.Apr 3 08:16:20.090: ISAKMP:(0): processing vendor id payload
.Apr 3 08:16:20.090: ISAKMP:(0): processing IKE frag vendor id payload
.Apr 3 08:16:20.090: ISAKMP:(0):Support for IKE Fragmentation not enabled
.Apr 3 08:16:20.090: ISAKMP:(0): processing vendor id payload
.Apr 3 08:16:20.094: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
.Apr 3 08:16:20.094: ISAKMP (0): vendor ID is NAT-T RFC 3947
.Apr 3 08:16:20.094: ISAKMP:(0): processing vendor id payload
.Apr 3 08:16:20.094: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
.Apr 3 08:16:20.094: ISAKMP:(0): vendor ID is NAT-T v2
.Apr 3 08:16:20.094: ISAKMP:(0): processing vendor id payload
.Apr 3 08:16:20.094: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
.Apr 3 08:16:20.094: ISAKMP:(0): processing vendor id payload
.Apr 3 08:16:20.094: ISAKMP:(0): vendor ID seems Unity/DPD but major 241 mismatch
.Apr 3 08:16:20.094: ISAKMP:(0): processing vendor id payload
.Apr 3 08:16:20.094: ISAKMP:(0): vendor ID seems Unity/DPD but major 184 mismatch
.Apr 3 08:16:20.094: ISAKMP:(0): processing vendor id payload
.Apr 3 08:16:20.094: ISAKMP:(0): vendor ID seems Unity/DPD but major 134 mismatch
.Apr 3 08:16:20.094: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
.Apr 3 08:16:20.094: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1

.Apr 3 08:16:20.094: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
.Apr 3 08:16:20.094: ISAKMP:(0): sending packet to 192.168.7.92 my_port 500 peer_port 500 (R) MM_SA_SETUP
.Apr 3 08:16:20.094: ISAKMP:(0):Sending an IKE IPv4 Packet.
.Apr 3 08:16:20.098: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
.Apr 3 08:16:20.098: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2

.Apr 3 08:16:20.106: ISAKMP (0): received packet from 192.168.7.92 dport 500 sport 500 Global (R) MM_SA_SETUP
.Apr 3 08:16:20.106: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
.Apr 3 08:16:20.106: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3

.Apr 3 08:16:20.106: ISAKMP:(0): processing KE payload. message ID = 0
.Apr 3 08:16:20.106: crypto_engine: Create DH shared secret
.Apr 3 08:16:20.162: ISAKMP:(0): processing NONCE payload. message ID = 0
.Apr 3 08:16:20.162: ISAKMP:(0):found peer pre-shared key matching 192.168.7.92
.Apr 3 08:16:20.162: crypto_engine: Create IKE SA
.Apr 3 08:16:20.162: crypto engine: deleting DH phase 2 SW:75
.Apr 3 08:16:20.162: crypto_engine: Delete DH shared secret
.Apr 3 08:16:20.162: ISAKMP:received payload type 20
.Apr 3 08:16:20.162: ISAKMP (1071): His hash no match - this node outside NAT
.Apr 3 08:16:20.162: ISAKMP:received payload type 20
.Apr 3 08:16:20.162: ISAKMP (1071): No NAT Found for self or peer
.Apr 3 08:16:20.162: ISAKMP:(1071):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
.Apr 3 08:16:20.162: ISAKMP:(1071):Old State = IKE_R_MM3 New State = IKE_R_MM3

.Apr 3 08:16:20.162: ISAKMP:(1071): sending packet to 192.168.7.92 my_port 500 peer_port 500 (R) MM_KEY_EXCH
.Apr 3 08:16:20.162: ISAKMP:(1071):Sending an IKE IPv4 Packet.
.Apr 3 08:16:20.166: ISAKMP:(1071):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
.Apr 3 08:16:20.166: ISAKMP:(1071):Old State = IKE_R_MM3 New State = IKE_R_MM4

.Apr 3 08:16:20.166: ISAKMP (1071): received packet from 192.168.7.92 dport 500 sport 500 Global (R) MM_KEY_EXCH
.Apr 3 08:16:20.166: crypto_engine: Decrypt IKE packet
.Apr 3 08:16:20.166: ISAKMP:(1071):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
.Apr 3 08:16:20.166: ISAKMP:(1071):Old State = IKE_R_MM4 New State = IKE_R_MM5

.Apr 3 08:16:20.170: ISAKMP:(1071): processing ID payload. message ID = 0
.Apr 3 08:16:20.170: ISAKMP (1071): ID payload
    next-payload : 8
    type         : 1
    address      : 192.168.7.92
    protocol     : 0
    port         : 0
    length       : 12
.Apr 3 08:16:20.170: ISAKMP:(0):: peer matches none of the profiles
.Apr 3 08:16:20.170: ISAKMP:(1071): processing HASH payload. message ID = 0
.Apr 3 08:16:20.170: crypto_engine: Generate IKE hash
.Apr 3 08:16:20.170: ISAKMP:(1071):SA authentication status:
    authenticated
.Apr 3 08:16:20.170: ISAKMP:(1071):SA has been authenticated with 192.168.7.92
.Apr 3 08:16:20.170: ISAKMP: Trying to insert a peer XX/192.168.7.92/500/, and inserted successfully 23781594.
.Apr 3 08:16:20.170: ISAKMP:(1071):Input = IKE_MESG_INTERNAL,
IKE_PROCESS_MAIN_MODE
.Apr 3 08:16:20.170: ISAKMP:(1071):Old State = IKE_R_MM5 New State = IKE_R_MM5

.Apr 3 08:16:20.170: ISAKMP:(1071):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
.Apr 3 08:16:20.170: ISAKMP (1071): ID payload
next-payload : 8
type : 1
address : XX
protocol : 17
port : 500
length : 12
.Apr 3 08:16:20.170: ISAKMP:(1071):Total payload length: 12
.Apr 3 08:16:20.170: crypto_engine: Generate IKE hash
.Apr 3 08:16:20.170: crypto_engine: Encrypt IKE packet
.Apr 3 08:16:20.170: ISAKMP:(1071): sending packet to 192.168.7.92 my_port 500 peer_port 500 (R) MM_KEY_EXCH
.Apr 3 08:16:20.170: ISAKMP:(1071):Sending an IKE IPv4 Packet.
.Apr 3 08:16:20.170: ISAKMP:(1071):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
.Apr 3 08:16:20.170: ISAKMP:(1071):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE

.Apr 3 08:16:20.170: ISAKMP:(1071):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
.Apr 3 08:16:20.170: ISAKMP:(1071):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

.Apr 3 08:16:20.170: ISAKMP (1071): received packet from 192.168.7.92 dport 500 sport 500 Global (R) QM_IDLE
.Apr 3 08:16:20.170: ISAKMP: set new node 1 to QM_IDLE
.Apr 3 08:16:20.170: crypto_engine: Decrypt IKE packet
.Apr 3 08:16:20.174: crypto_engine: Generate IKE hash
.Apr 3 08:16:20.174: ISAKMP:(1071): processing HASH payload. message ID = 1
.Apr 3 08:16:20.174: ISAKMP:(1071): processing SA payload. message ID = 1
.Apr 3 08:16:20.174: ISAKMP:(1071):Checking IPSec proposal 1
.Apr 3 08:16:20.174: ISAKMP: transform 1, ESP_AES
.Apr 3 08:16:20.174: ISAKMP: attributes in transform:
.Apr 3 08:16:20.174: ISAKMP: encaps is 2 (Transport)
.Apr 3 08:16:20.174: ISAKMP: key length is 128
.Apr 3 08:16:20.174: ISAKMP: authenticator is HMAC-SHA
.Apr 3 08:16:20.174: ISAKMP: SA life type in seconds
.Apr 3 08:16:20.174: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
.Apr 3 08:16:20.174: ISAKMP: SA life type in kilobytes
.Apr 3 08:16:20.174: ISAKMP: SA life duration (VPI) of 0x0 0x3 0xD0 0x90
.Apr 3 08:16:20.174: ISAKMP:(1071):atts are acceptable.
.Apr 3 08:16:20.174: IPSEC(validate_proposal_request): proposal part #1
.Apr 3 08:16:20.174: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= XX:0, remote= 192.168.7.92:0,
local_proxy= XX/255.255.255.255/17/1701,
remote_proxy= 192.168.7.92/255.255.255.255/17/1701,
protocol= ESP, transform= NONE (Transport),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
.Apr 3 08:16:20.174: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-aes esp-sha-hmac }
.Apr 3 08:16:20.174: ISAKMP:(1071): IPSec policy invalidated proposal with error 256
.Apr 3 08:16:20.174: ISAKMP:(1071):Checking IPSec proposal 2
.Apr 3 08:16:20.174: ISAKMP: transform 1, ESP_3DES
.Apr 3 08:16:20.174: ISAKMP: attributes in transform:
.Apr 3 08:16:20.174: ISAKMP: encaps is 2 (Transport)
.Apr 3 08:16:20.174: ISAKMP: authenticator is HMAC-SHA
.Apr 3 08:16:20.174: ISAKMP: SA life type in seconds
.Apr 3 08:16:20.174: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
.Apr 3 08:16:20.174: ISAKMP: SA life type in kilobytes
.Apr 3 08:16:20.174: ISAKMP: SA life duration (VPI) of 0x0 0x3 0xD0 0x90
.Apr 3 08:16:20.174: ISAKMP:(1071):atts are acceptable.
.Apr 3 08:16:20.174: IPSEC(validate_proposal_request): proposal part #1
.Apr 3 08:16:20.174: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= XX:0, remote= 192.168.7.92:0,
local_proxy= XX/255.255.255.255/17/1701,
remote_proxy= 192.168.7.92/255.255.255.255/17/1701,
protocol= ESP, transform= NONE (Transport),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
.Apr 3 08:16:20.174: ISAKMP:(1071): processing NONCE payload. message ID = 1
.Apr 3 08:16:20.174: ISAKMP:(1071): processing ID payload. message ID = 1
.Apr 3 08:16:20.174: ISAKMP:(1071): processing ID payload. message ID = 1
.Apr 3 08:16:20.174: ISAKMP:(1071):QM Responder gets spi
.Apr 3 08:16:20.174: ISAKMP:(1071):Node 1, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
.Apr 3 08:16:20.174: ISAKMP:(1071):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
.Apr 3 08:16:20.174: crypto_engine: Generate IKE hash
.Apr 3 08:16:20.174: ISAKMP:(1071):Node 1, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
.Apr 3 08:16:20.174: ISAKMP:(1071):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_IPSEC_INSTALL_AWAIT
.Apr 3 08:16:20.174: IPSEC(key_engine): got a queue event with 1 KMI message(s)
.Apr 3 08:16:20.174: IPSEC(crypto_ipsec_create_ipsec_sas): Map found dyn-map
.Apr 3 08:16:20.174: crypto_engine: Generate IKE QM keys
.Apr 3 08:16:20.174: crypto_engine: Create IPSec SA (by keys)
.Apr 3 08:16:20.174: crypto_engine: Generate IKE QM keys
.Apr 3 08:16:20.174: crypto_engine: Create IPSec SA (by keys)
.Apr 3 08:16:20.178: IPSEC(create_sa): sa created,
(sa) sa_dest= XX, sa_proto= 50,
sa_spi= 0x7315891C(1930791196),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2111
sa_lifetime(k/sec)= (250000/3600)
.Apr 3 08:16:20.178: IPSEC(create_sa): sa created,
(sa) sa_dest= 192.168.7.92, sa_proto= 50,
sa_spi= 0x8F7085B8(2406516152),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2112
sa_lifetime(k/sec)= (250000/3600)
.Apr 3 08:16:20.178: ISAKMP: Failed to find peer index node to update peer_info_list
.Apr 3 08:16:20.178: ISAKMP:(1071):Received IPSec Install callback… proceeding with the negotiation
.Apr 3 08:16:20.178: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 192.168.7.92:500 Id: 192.168.7.92
ATVRouter#
.Apr 3 08:16:20.178: crypto_engine: Encrypt IKE packet
.Apr 3 08:16:20.178: ISAKMP:(1071): sending packet to 192.168.7.92 my_port 500 peer_port 500 (R) QM_IDLE
.Apr 3 08:16:20.178: ISAKMP:(1071):Sending an IKE IPv4 Packet.
.Apr 3 08:16:20.178: ISAKMP:(1071):Node 1, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
.Apr 3 08:16:20.178: ISAKMP:(1071):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_R_QM2
.Apr 3 08:16:21.034: ISAKMP (1071): received packet from 192.168.7.92 dport 500 sport 500 Global (R) QM_IDLE
.Apr 3 08:16:21.034: crypto_engine: Decrypt IKE packet
.Apr 3 08:16:21.034: crypto_engine: Generate IKE hash
.Apr 3 08:16:21.034: ISAKMP:(1071):deleting node 1 error FALSE reason "QM done (await)"
.Apr 3 08:16:21.034: ISAKMP:(1071):Node 1, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
.Apr 3 08:16:21.034: ISAKMP:(1071):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
.Apr 3 08:16:21.034: IPSEC(key_engine): got a queue event with 1 KMI message(s)
.Apr 3 08:16:21.034: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
.Apr 3 08:16:21.034: crypto engine: updating MTU size of IPSec SA Onboard VPN:112
.Apr 3 08:16:21.034: crypto_engine: Set IPSec MTU
.Apr 3 08:16:21.034: IPSEC: Expand action denied, notify RP

Debug shows that the 2 phases of IPSec are successful, but I still cannot connect via the Windows built-in VPN client.

Best Answer

It seems you have a misconfiguration in your hash algorithms:

The conf of your router:

...
crypto isakmp policy 20
encr 3des    
authentication pre-share    
group 2    
hash md5
...

And during the ISAKMP negotiation, your router receives a proposal with only SHA as the signature algorithm:

Mar 31 11:22:27.869: ISAKMP:(0):Hash algorithm offered does not match policy!    
Mar 31 11:22:27.869: ISAKMP:(0):atts are not acceptable. Next payload is 0    
Mar 31 11:22:27.869: ISAKMP:(0):no offers accepted!    
Mar 31 11:22:27.869: ISAKMP:(0): phase 1 SA policy not acceptable! (local 85.132.96.203 remote 192.168.3.242)

Your equipment must have a common algorithm for the ISAKMP negotiation.
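
The answer's point, checked against the proposals the Windows client sent in the question's debug output: an added Python example (not part of the original question or answer) that parses the Phase 1 transforms out of `debug crypto isakmp` output and lists which attributes of each differ from a local policy. `POSTED_POLICY` and `SHA_POLICY` are names made up here, and the mapping of the config keywords `3des` and `md5` to the debug strings `3DES-CBC` and `MD5` is an assumption.

```python
import re

# Abridged from the `debug crypto isakmp` output in the question (wrapped lines
# rejoined; transforms 2 and 3 and the lifetime lines are left out).
SAMPLE_DEBUG = """\
.Apr 3 08:16:20.086: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
.Apr 3 08:16:20.086: ISAKMP: encryption AES-CBC
.Apr 3 08:16:20.086: ISAKMP: keylength of 256
.Apr 3 08:16:20.086: ISAKMP: hash SHA
.Apr 3 08:16:20.086: ISAKMP: default group 20
.Apr 3 08:16:20.086: ISAKMP: auth pre-share
.Apr 3 08:16:20.086: ISAKMP:(0):Encryption algorithm offered does not match policy!
.Apr 3 08:16:20.086: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Apr 3 08:16:20.090: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
.Apr 3 08:16:20.090: ISAKMP: encryption 3DES-CBC
.Apr 3 08:16:20.090: ISAKMP: hash SHA
.Apr 3 08:16:20.090: ISAKMP: default group 14
.Apr 3 08:16:20.090: ISAKMP: auth pre-share
.Apr 3 08:16:20.090: ISAKMP:(0):Diffie-Hellman group offered does not match policy!
.Apr 3 08:16:20.090: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Apr 3 08:16:20.090: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
.Apr 3 08:16:20.090: ISAKMP: encryption 3DES-CBC
.Apr 3 08:16:20.090: ISAKMP: hash SHA
.Apr 3 08:16:20.090: ISAKMP: default group 2
.Apr 3 08:16:20.090: ISAKMP: auth pre-share
.Apr 3 08:16:20.090: ISAKMP:(0):atts are acceptable. Next payload is 0
"""

# `crypto isakmp policy 20` as posted, written with the debug output's names.
# Assumption: config keywords `3des` and `md5` print as 3DES-CBC and MD5.
POSTED_POLICY = {"encryption": "3DES-CBC", "hash": "MD5", "group": 2, "auth": "pre-share"}
# Hypothetical variant with only the hash changed to what the client offers.
SHA_POLICY = dict(POSTED_POLICY, hash="SHA")

START = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|auth|default group|keylength of)\s+(\S+)")
REJECT = re.compile(r"ISAKMP:\(\d+\):(.+?) offered does not match policy!")
KEYS = {"default group": "group", "keylength of": "keylength"}


def parse_offers(debug_text):
    """Return one dict per 'Checking ISAKMP transform N' block in the debug text."""
    offers, cur = [], None
    for line in debug_text.splitlines():
        m = START.search(line)
        if m:
            cur = {"transform": int(m.group(1)), "priority": int(m.group(2)), "verdict": None}
            offers.append(cur)
            continue
        if cur is None:
            continue  # lines before the first transform block
        m = ATTR.search(line)
        if m:
            key = KEYS.get(m.group(1), m.group(1))
            cur[key] = int(m.group(2)) if key in ("group", "keylength") else m.group(2)
            continue
        m = REJECT.search(line)
        if m:
            cur["verdict"] = m.group(1)      # the router's stated rejection reason
        elif "atts are acceptable" in line:
            cur["verdict"] = "accepted"
    return offers


def mismatches(offer, policy):
    """Attributes of the local policy that the offered transform does not match."""
    return [k for k in policy if offer.get(k) != policy[k]]


def acceptable_transforms(offers, policy):
    """Transform numbers that match the policy on every attribute."""
    return [o["transform"] for o in offers if not mismatches(o, policy)]


if __name__ == "__main__":
    for offer in parse_offers(SAMPLE_DEBUG):
        print(offer["transform"], offer["verdict"], mismatches(offer, POSTED_POLICY))
    print("acceptable with hash sha:", acceptable_transforms(parse_offers(SAMPLE_DEBUG), SHA_POLICY))
```

Against the posted policy 20 none of the offered transforms is acceptable, and transform 5 differs only in the hash; with the hash set to SHA, transform 5 matches, which agrees with the "atts are acceptable" line in the question's debug output.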