On the new Cisco C8500 routers, the Cisco security baseline does not allow the use of DH Group 2 in IPsec VPNs. This means that an IPsec VPN won't work if it uses DH Group 2.
To turn off this baseline restriction:
1. Go to ROMMON on the device
2. Enter "CSDL_MODE_DISABLE=1"
3. Enter "sync" to save
4. Enter "boot" to reload the device.
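
To see which tunnels are affected by the DH Group 2 restriction, the following added example (not part of the original note and not Cisco code) scans a saved IOS-style configuration for IKEv1 policies, IKEv2 proposals, and PFS settings that use Group 2. The sample configuration is constructed, and the script assumes the usual `group ...` and `set pfs group...` syntax.

```python
import re

# Constructed sample of an IOS-style configuration (not from a real device).
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 group 2
crypto isakmp policy 20
 encryption aes 256
 group 14
crypto ikev2 proposal PROP-LEGACY
 encryption aes-cbc-256
 integrity sha256
 group 14 2
crypto ipsec profile VTI-PROFILE
 set pfs group2
crypto map CMAP 10 ipsec-isakmp
 set pfs group14
"""

# Top-level sections under which a DH group can be configured (assumed syntax).
SECTION = re.compile(r"^crypto (isakmp policy|ikev2 proposal|ipsec profile|map)\b")
GROUP_LINE = re.compile(r"^group((?:\s+\d+)+)$")  # IKEv1 policy / IKEv2 proposal
PFS_LINE = re.compile(r"^set pfs group(\d+)$")     # PFS on crypto map / IPsec profile

def find_dh_group2(config_text):
    """Return (line_number, section_header, line) for each use of DH Group 2."""
    findings, section = [], None
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        if raw and not raw[0].isspace():  # top-level line starts a new section
            section = raw.strip() if SECTION.match(raw) else None
            continue
        if section is None:
            continue
        line = raw.strip()
        m = GROUP_LINE.match(line)
        groups = m.group(1).split() if m else []
        m = PFS_LINE.match(line)
        if m:
            groups = [m.group(1)]
        if "2" in groups:  # exact match, so group 14/20/21 are not flagged
            findings.append((lineno, section, line))
    return findings


if __name__ == "__main__":
    for lineno, section, line in find_dh_group2(SAMPLE_CONFIG):
        print(f"line {lineno}: '{line}' under '{section}'")
```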