Here are some relevant logs
179392: 1y4w: ISAKMP-PAK: (2554):received packet from <spoke-wan> dport 4500 sport 4500 Global (R) QM_IDLE
179393: 1y4w: ISAKMP: (2554):set new node 295634559 to QM_IDLE
179394: 1y4w: ISAKMP: (2554):processing HASH payload. message ID = 295634559
179395: 1y4w: ISAKMP: (2554):processing SA payload. message ID = 295634559
179396: 1y4w: ISAKMP: (2554):processing NAT-OAi payload. addr = <spoke-wan>, message ID = 295634559
179397: 1y4w: ISAKMP: (2554):processing NAT-OAr payload. addr = <hub-wan>, message ID = 295634559
179398: 1y4w: ISAKMP: (2554):Checking IPSec proposal 1
179399: 1y4w: ISAKMP: (2554):transform 1, ESP_AES
179400: 1y4w: ISAKMP: (2554): attributes in transform:
179401: 1y4w: ISAKMP: (2554): key length is 128
179402: 1y4w: ISAKMP: (2554): authenticator is HMAC-SHA
179403: 1y4w: ISAKMP: (2554): encaps is 4 (Transport-UDP)
179404: 1y4w: ISAKMP: (2554): SA life type in seconds
179405: 1y4w: ISAKMP: (2554): SA life duration (basic) of 28800
179406: 1y4w: ISAKMP: (2554):atts are acceptable.
179407: 1y4w: ISAKMP: (2554):Checking IPSec proposal 1
179408: 1y4w: ISAKMP: (2554):transform 2, ESP_AES
179409: 1y4w: ISAKMP: (2554): attributes in transform:
179410: 1y4w: ISAKMP: (2554): key length is 128
179411: 1y4w: ISAKMP: (2554): authenticator is HMAC-SHA256
179412: 1y4w: ISAKMP: (2554): encaps is 4 (Transport-UDP)
179413: 1y4w: ISAKMP: (2554): SA life type in seconds
179414: 1y4w: ISAKMP: (2554): SA life duration (basic) of 28800
179415: 1y4w: ISAKMP: (2554):atts are acceptable.
179416: 1y4w: ISAKMP: (2554):Checking IPSec proposal 1
179417: 1y4w: ISAKMP: (2554):ransform 3, ESP_GCM
179418: 1y4w: ISAKMP: (2554): attributes in transform:
179419: 1y4w: ISAKMP: (2554): key length is 128
179420: 1y4w: ISAKMP: (2554): encaps is 4 (Transport-UDP)
179421: 1y4w: ISAKMP: (2554): SA life type in seconds
179422: 1y4w: ISAKMP: (2554): SA life duration (basic) of 28800
179423: 1y4w: ISAKMP: (2554):atts are acceptable.
179424: 1y4w: IPSEC(validate_proposal_request): proposal part #1
179425: 1y4w: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= <hub-wan>:0, remote= <spoke-wan>:0,
local_proxy= <hub-wan>/255.255.255.255/256/0,
remote_proxy= <spoke-wan>/255.255.255.255/256/0,
protocol= ESP, transform= esp-aes esp-sha-hmac (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
179426: 1y4w: map_db_find_best did not find matching map
179427: 1y4w: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-aes esp-sha-hmac }
There were other logs about the transform proposal not supported for the SHA-256 and AES-GCM proposals but those are expected.
Below is a successful Phase 2 from another Cisco 881
179451: 1y4w: ISAKMP-PAK: (2552):received packet from <cisco-wan> dport 4500 sport 53734 Global (R) QM_IDLE
179452: 1y4w: ISAKMP: (2552):set new node 393274008 to QM_IDLE
179453: 1y4w: ISAKMP: (2552):processing HASH payload. message ID = 393274008
179454: 1y4w: ISAKMP: (2552):processing SA payload. message ID = 393274008
179455: 1y4w: ISAKMP: (2552):Checking IPSec proposal 1
179456: 1y4w: ISAKMP: (2552):transform 1, ESP_AES
179457: 1y4w: ISAKMP: (2552): attributes in transform:
179458: 1y4w: ISAKMP: (2552): encaps is 3 (Tunnel-UDP)
179459: 1y4w: ISAKMP: (2552): SA life type in seconds
179460: 1y4w: ISAKMP: (2552): SA life duration (basic) of 3600
179461: 1y4w: ISAKMP: (2552): SA life type in kilobytes
179462: 1y4w: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
179463: 1y4w: ISAKMP: (2552): authenticator is HMAC-SHA
179464: 1y4w: ISAKMP: (2552): key length is 128
179465: 1y4w: ISAKMP: (2552):atts are acceptable.
179466: 1y4w: IPSEC(validate_proposal_request): proposal part #1
179467: 1y4w: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= <hub-wan>:0, remote= <cisco-wan>:0,
local_proxy= <hub-wan>/255.255.255.255/47/0,
remote_proxy= <cisco-wan>/255.255.255.255/47/0,
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
179468: 1y4w: Crypto mapdb : proxy_match
src addr : <hub-wan>
dst addr : <cisco-wan>
protocol : 47
src port : 0
dst port : 0
This is the output from ipsec 'up <vpn-name>-<vpn-name>_c': <vpn-name>-<vpn-name>_c is the name of the IPSEC interface
initiating Main Mode IKE_SA <vpn-name>-<vpn-name>_c[2] to <hub-wan>
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from <spoke-wan>[500] to <hub-wan>[500] (236 bytes)
received packet: from <hub-wan>[500] to <spoke-wan>[500] (100 bytes)
parsed ID_PROT response 0 [ SA V ]
received NAT-T (RFC 3947) vendor ID
selected proposal: IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from <spoke-wan>[500] to <hub-wan>[500] (236 bytes)
received packet: from <hub-wan>[500] to <spoke-wan>[500] (296 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received DPD vendor ID
received unknown vendor ID: 19:33:e8:6d:ad:5e:22:58:da:f1:a3:6d:cf:c3:87:20
received XAuth vendor ID
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH ]
sending packet: from <spoke-wan>[4500] to <hub-wan>[4500] (68 bytes)
received packet: from <hub-wan>[4500] to <spoke-wan>[4500] (68 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA <vpn-name>[2] established between <spoke-wan>[<spoke-wan>]...<hub-wan>[<hub-wan>]
scheduling reauthentication in 28158s
maximum IKE_SA lifetime 28698s
generating QUICK_MODE request 295634559 [ HASH SA No ID ID NAT-OA NAT-OA ]
sending packet: from <spoke-wan>[4500] to <hub-wan>[4500] (244 bytes)
received packet: from <hub-wan>[4500] to <spoke-wan>[4500] (84 bytes)
parsed INFORMATIONAL_V1 request 2846982686 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection '<vpn-name>' failed