Problem:
On the new Cisco C8500 routers, the Cisco security baseline does not allow the use of DH Group 2 in IPsec VPN implementations. This means that an IPsec VPN won't work if it uses DH Group 2.
Solution:
Turn off this baseline restriction.
Procedure:
1. Go to ROMMON on the device
2. Enter "CSDL_MODE_DISABLE=1"
3. Enter "sync" to save
4. Enter "boot" to reload the device.
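
To see which tunnels on a router actually depend on DH Group 2 (and so are affected by the baseline), the saved configuration can be scanned for it. The following is an added example, not part of the original note or any Cisco tooling; the function name `find_dh_group` is hypothetical, the sample configuration is constructed, and it assumes the usual IOS-XE `group` and `set pfs group` syntax.

```python
import re

# Constructed sample of an IOS-XE style configuration (not from a real device).
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 group 2
crypto isakmp policy 20
 encryption aes 256
 group 14
crypto ikev2 proposal BRANCH
 encryption aes-cbc-256
 integrity sha256
 group 14 2
crypto ipsec profile TUNNEL-PROF
 set pfs group2
crypto map CMAP 10 ipsec-isakmp
 set pfs group14
"""

IKE_GROUP = re.compile(r"^group((?:\s+\d+)+)$")  # IKEv1 policy / IKEv2 proposal
PFS_GROUP = re.compile(r"^set pfs group(\d+)$")  # crypto map / ipsec profile

def find_dh_group(config_text, group="2"):
    """Return (section, line) pairs whose DH group setting includes `group`."""
    findings, section = [], None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue                      # skip blanks and "!" separators
        if not raw[0].isspace():          # unindented line opens a new section
            section = raw.strip()
            continue
        line = raw.strip()
        m = IKE_GROUP.match(line)
        if m and group in m.group(1).split():   # exact match, so 14 != 2
            findings.append((section, line))
            continue
        m = PFS_GROUP.match(line)
        if m and m.group(1) == group:
            findings.append((section, line))
    return findings

if __name__ == "__main__":
    for section, line in find_dh_group(SAMPLE_CONFIG):
        print(f"{section}: {line}")
```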