Hi all,

In the VPN lab section 4.12, the DMVPN hub is kept behind the ASA. The DMVPN tunnel doesn't come up and fails at the beginning of QM. The following error is seen on the hub. This error will be seen if the interesting access-list is not mirrored, or the remote peer IP address doesn't match the local peer address, or the transform-set doesn't match. With IPsec profiles, the only thing that is configurable is the transform-set, and for me that matches.

*Mar 5 13:17:50.050: ISAKMP:(4048): IPSec policy invalidated proposal with error 32
*Mar 5 13:17:50.050: ISAKMP:(4048): phase 2 SA policy not acceptable!

On the spoke, you can see the interesting traffic as follows in "sh crypto ipsec sa". Notice the remote ident: it is actually the translated IP address. This is the ident that the spoke will be sending to the hub in IPsec phase 2.

local ident (addr/mask/prot/port): (10.20.30.40/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.20.30.41/255.255.255.255/47/0)

On the hub, the actual local address will be different and will not be the same as the remote ident sent by the spoke. Since the IPsec SA on the hub behind the ASA will have the untranslated address as the local ident, and the remote ident sent by the spokes is different, I think the IPsec phase 2 is failing for me. Unless the ASA translates the remote ident to the actual untranslated ident, like the DNS alias feature, I don't think this will work. Maybe it is a bug in my images, as it has worked for IPexpert when they wrote the lab.

With regards
Kings
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
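The post's diagnosis is that phase 2 fails because the proxy identities are not mirrored once static NAT sits between hub and spoke: the spoke's remote ident is the ASA's translated address, while the hub's local ident is its real (inside) address. The following added example, which is not part of the original post or of any IPexpert lab material, parses the "local ident"/"remote ident" lines from "show crypto ipsec sa" output on both sides, checks whether they mirror each other, and then shows that they only mirror once the hub's address is mapped through the static translation. The hub's inside address (172.16.1.1) and the NAT mapping are constructed placeholders; the spoke values are the ones from the post.

```python
import re
from typing import Dict, List, Optional, Tuple

# Matches the ident lines IOS prints in "show crypto ipsec sa".
# Real IOS output uses two spaces after "local"; \s+ tolerates either.
IDENT_RE = re.compile(
    r"(local|remote)\s+ident \(addr/mask/prot/port\):\s*"
    r"\((\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/(\d+)/(\d+)\)"
)

Ident = Tuple[str, str, str, str]  # (addr, mask, protocol, port)
IdentPair = Tuple[Ident, Ident]     # (local ident, remote ident)

# Constructed sample: spoke side, values as quoted in the post.
SPOKE_SA = """
   local  ident (addr/mask/prot/port): (10.20.30.40/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.20.30.41/255.255.255.255/47/0)
"""

# Constructed sample: hub side. 172.16.1.1 is a placeholder for the hub's
# real (pre-NAT) tunnel source address behind the ASA.
HUB_SA = """
   local  ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.20.30.40/255.255.255.255/47/0)
"""

# Constructed static NAT on the ASA: inside (real) address -> outside address.
STATIC_NAT: Dict[str, str] = {"172.16.1.1": "10.20.30.41"}


def parse_idents(show_output: str) -> List[IdentPair]:
    """Return (local, remote) ident pairs found in the show output, in order."""
    pairs: List[IdentPair] = []
    pending_local: Optional[Ident] = None
    for m in IDENT_RE.finditer(show_output):
        side, addr, mask, proto, port = m.groups()
        ident: Ident = (addr, mask, proto, port)
        if side == "local":
            pending_local = ident
        elif pending_local is not None:
            pairs.append((pending_local, ident))
            pending_local = None
    return pairs


def is_mirrored(hub: IdentPair, spoke: IdentPair) -> bool:
    """Phase 2 proxy identities must be exact mirrors of each other."""
    hub_local, hub_remote = hub
    spoke_local, spoke_remote = spoke
    return hub_local == spoke_remote and hub_remote == spoke_local


def untranslate(ident: Ident, static_nat: Dict[str, str]) -> Ident:
    """Map an outside (translated) address back to the inside address."""
    outside_to_inside = {outside: inside for inside, outside in static_nat.items()}
    addr, mask, proto, port = ident
    return (outside_to_inside.get(addr, addr), mask, proto, port)


def mirrored_after_nat(hub: IdentPair, spoke: IdentPair,
                       static_nat: Dict[str, str]) -> bool:
    """Would the idents mirror if the spoke's remote ident were untranslated?"""
    spoke_local, spoke_remote = spoke
    return is_mirrored(hub, (spoke_local, untranslate(spoke_remote, static_nat)))


def diagnose(hub_output: str, spoke_output: str,
             static_nat: Dict[str, str]) -> str:
    """Summarise why the proxy identities do or do not match."""
    hub, spoke = parse_idents(hub_output)[0], parse_idents(spoke_output)[0]
    if is_mirrored(hub, spoke):
        return "idents mirror: look elsewhere (peer address, transform-set)"
    if mirrored_after_nat(hub, spoke, static_nat):
        return ("idents differ only by static NAT: spoke offers %s, hub has %s"
                % (spoke[1][0], hub[0][0]))
    return "idents differ and NAT does not explain it"


if __name__ == "__main__":
    print(diagnose(HUB_SA, SPOKE_SA, STATIC_NAT))
```

Running the script on the two constructed captures reports that the idents differ only by the static translation, which is the situation the post describes: the mirror check fails on the raw idents and passes only after the spoke's remote ident is mapped back to the hub's inside address. On a real box, paste the two "show crypto ipsec sa" outputs in place of the constructed strings and fill in the ASA's actual static mapping.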