Support Forum
tdhaslett
New Contributor

Avaya Phone Set VPN Connection Issue

Hi All,

We are trying to move the VPN connection for our Avaya phone sets for remote workers off of our old Cisco ASA over to our FortiGate 200D HA pair. I am having trouble getting it to connect.

• Firmware is 6.0.12 b0419
• We are using the built-in VPN client in the phones. No intermediate VPN devices.
• I am testing with a 9611G set.
• Our phones connect using H.323.
• CM is 8.1.

I am able to get the phone to establish IKE Phase 1, but I get "IKE Phase 2 no response" on the phone set. VPN Event log agrees with this. XAUTH is successful. The phone set gets an IP address from the configured range, but I get a Status of failure and Result of ERROR in the log.

When I run "diag vpn tunnel list name tunnelname", the last line I get is the one that starts with "natt". The guide I'm looking at says that I need to look at the value of "sa=X", which would be on the next line, so I don't know where to go from here.

name=Avaya_VPN_3 ver=1 serial=771 XXX.XXX.XXX.XXX:XXXX->XXX.XXX.XXX.XXX:XXXXX
bound_if=7 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/392 options[0188]=npu rgwy-chg rport-chg
parent=Avaya_VPN index=3
proxyid_num=0 child_num=0 refcnt=5 ilast=27 olast=27 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=135
natt: mode=silent draft=32 interval=10 remote_port=12162

I have verified, re-verified, re-re-verified and then checked again to make sure that my encryption and auth protocols and DH groups match. Could this be a problem with my local/remote address selectors? I have the local set to an Address Group that contains the subnets we use on our LAN, and the remote is set to the DHCP range that the phones will get.

Any guidance would be appreciated!
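The poster is looking for an "sa=X" row that never appears. The script below is an added example (not from the thread, not Fortinet's) that parses the output of "diagnose vpn tunnel list" and reports why there is nothing to read: in the dump pasted above, proxyid_num=0 with no proxyid row means the dial-up instance (phase 1) exists but no phase 2 selector pair was ever negotiated, so no SA row can follow natt. The row layout of the two samples is reconstructed from the pasted dump and is an assumption; the "up" sample, the RFC 5737 addresses and the selector formatting are constructed for illustration, and the state labels are this example's own, not FortiOS terminology.

```python
import re

KV = re.compile(r"(\S+?)=(\S+)")          # key=value tokens, e.g. proxyid_num=0
SECTION = re.compile(r"^(\w+):\s*(.*)$")   # prefixed rows such as "dpd: mode=on-idle ..."

# Constructed sample: the one-line dump from the post, re-split at the field groups
# FortiOS prints as separate rows (row layout assumed; addresses replaced with RFC 5737 ones).
SAMPLE_NO_P2 = """\
name=Avaya_VPN_3 ver=1 serial=771 203.0.113.10:4500->198.51.100.7:12162
bound_if=7 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/392 options[0188]=npu rgwy-chg rport-chg
parent=Avaya_VPN index=3
proxyid_num=0 child_num=0 refcnt=5 ilast=27 olast=27 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=135
natt: mode=silent draft=32 interval=10 remote_port=12162
"""

# Constructed sample of what a working dial-up instance looks like once phase 2 is up
# (assumed layout: one proxyid row with sa=1, followed by its selectors and an SA row).
SAMPLE_UP = """\
name=Avaya_VPN_4 ver=1 serial=772 203.0.113.10:4500->198.51.100.9:4500
bound_if=7 lgwy=static/1 tun=intf/0 mode=dial_inst/4 encap=none/392 options[0188]=npu rgwy-chg rport-chg
parent=Avaya_VPN index=4
proxyid_num=1 child_num=0 refcnt=6 ilast=2 olast=2 ad=/0
stat: rxp=120 txp=98 rxb=14400 txb=11760
dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=7
natt: mode=silent draft=32 interval=10 remote_port=4500
proxyid=Avaya_VPN proto=0 sa=1 ref=2 serial=1
  src: 0:10.1.0.0-10.2.255.255:0
  dst: 0:10.99.0.25-10.99.0.25:0
  SA: ref=3 options=10226 type=00 soft=0 mtu=1422 expire=42842/0B replaywin=2048
"""


def parse_tunnel_list(text):
    """Split 'diagnose vpn tunnel list' output into tunnels, each with header fields and proxyids."""
    tunnels, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("name="):               # a new tunnel block starts here
            cur = {"fields": {}, "proxyids": []}
            tunnels.append(cur)
        if cur is None:
            continue
        if line.startswith("proxyid="):            # one phase 2 selector pair of this tunnel
            pid = dict(KV.findall(line))
            pid["sa"] = int(pid.get("sa", "0"))
            cur["proxyids"].append(pid)
            continue
        if cur["proxyids"] and line.startswith(("src:", "dst:", "SA:")):
            key, _, rest = line.partition(":")     # rows that belong to the last proxyid
            if key == "SA":
                cur["proxyids"][-1]["SA"] = dict(KV.findall(rest))
            else:
                cur["proxyids"][-1].setdefault(key, []).append(rest.strip())
            continue
        prefix = ""
        m = SECTION.match(line)                    # stat:/dpd:/natt: rows get a prefix so the
        if m:                                      # dpd "mode" does not clobber the header "mode"
            prefix, line = m.group(1) + ".", m.group(2)
        for k, v in KV.findall(line):
            cur["fields"][prefix + k] = v
    return tunnels


def assess(tunnel):
    """Classify a tunnel from the counters the post asks about (state names are this example's own)."""
    f = tunnel["fields"]
    num = int(f.get("proxyid_num", "0"))
    with_sa = [p for p in tunnel["proxyids"] if p["sa"] > 0]
    if num == 0 and not tunnel["proxyids"]:
        return ("no_phase2",
                "%s: dial-up instance exists (phase 1 done) but proxyid_num=0 and there is no "
                "proxyid/sa= row: phase 2 was never negotiated, so check the phase 2 proposal "
                "and selectors rather than phase 1 settings" % f["name"])
    if not with_sa:
        return ("selector_no_sa", "%s: selectors negotiated but no SA installed (sa=0)" % f["name"])
    return ("up", "%s: %d selector pair(s) with an SA, rxp=%s txp=%s"
            % (f["name"], len(with_sa), f.get("stat.rxp"), f.get("stat.txp")))


if __name__ == "__main__":
    for sample in (SAMPLE_NO_P2, SAMPLE_UP):
        for tunnel in parse_tunnel_list(sample):
            print(*assess(tunnel))
```

Paste the real dump (from "diagnose vpn tunnel list name Avaya_VPN_3") in place of the samples; the parser keys off the row prefixes, so extra counters in other firmware builds are carried along as fields without breaking it.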

GDiFi
Staff

If you run the following debug you can verify the phase 2 negotiation and see what the phone is asking for in its proposal. The address type selected (subnet vs range vs named address) sometimes does not work with certain devices.


# diagnose debug console timestamp enable
# diagnose debug application ike -1
# diagnose debug enable
(reconnect the phone, then stop the debug when you have the phase 2 exchange)
# diagnose debug disable
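The reply's point about address types is easiest to see as a containment check. The following is an added example (not from the thread, not Fortinet's code) that takes the selectors a peer proposes in its phase 2 ID payloads and tests whether each one fits inside one of the selectors configured on the responder. It assumes the responder accepts a proposal only when the peer's range lies entirely inside a single configured entry (an address group of several subnets is several entries, not one big range); that rule, the sample proposal of "phone address /32 to 0.0.0.0/0", and the RFC 5737 and RFC 1918 addresses are this example's assumptions, chosen to show why a phone asking for "everything" is not matched by a group of LAN subnets.

```python
import ipaddress


def to_span(selector):
    """Normalise 'a.b.c.d/nn' or 'a.b.c.d-e.f.g.h' (both IPv4) into an inclusive (int, int) span."""
    if "-" in selector:
        lo_s, hi_s = selector.split("-", 1)
        lo, hi = int(ipaddress.IPv4Address(lo_s)), int(ipaddress.IPv4Address(hi_s))
    else:
        net = ipaddress.IPv4Network(selector, strict=False)
        lo, hi = int(net.network_address), int(net.broadcast_address)
    if lo > hi:
        raise ValueError("range start after end: %s" % selector)
    return lo, hi


def covered_by(proposed, configured):
    """Return the one configured entry that fully contains the proposed selector, else None.

    A proposal that straddles two adjacent entries is rejected on purpose: under the assumed
    rule each phase 2 ID must match a single entry, so an address group does not merge."""
    plo, phi = to_span(proposed)
    for entry in configured:
        clo, chi = to_span(entry)
        if clo <= plo and phi <= chi:
            return entry
    return None


def check_phase2(peer_src, peer_dst, local_selectors, remote_selectors):
    """Responder view of a dial-up phase 2: the peer's source must fit one of our remote
    selectors and the peer's destination one of our local selectors."""
    return {
        "peer_src_in_remote": covered_by(peer_src, remote_selectors),
        "peer_dst_in_local": covered_by(peer_dst, local_selectors),
    }


# Constructed scenario mirroring the post: local = address group of two LAN subnets,
# remote = the DHCP range handed to the phones (assumed values).
LOCAL_GROUP = ["10.1.0.0/16", "10.2.0.0/16"]
PHONE_RANGE = ["10.99.0.10-10.99.0.250"]

if __name__ == "__main__":
    # A phone that proposes "my address to anything": src fits, dst does not.
    print(check_phase2("10.99.0.25/32", "0.0.0.0/0", LOCAL_GROUP, PHONE_RANGE))
    # A phone that proposes one LAN subnet at a time: both fit.
    print(check_phase2("10.99.0.25/32", "10.1.0.0/16", LOCAL_GROUP, PHONE_RANGE))
```

Read the peer's actual proposal out of the "diagnose debug application ike -1" output and feed those two selectors in; if the destination side comes back None, change the local selector to something that contains what the phone asks for (or narrow what the phone asks for) before touching the crypto settings again.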
