Hey guys, I've been trying to get this stuff working for a while with no luck. I am thinking it's not possible, but would like some insights.

R1 <> ASA <> R2

R1

    interface Tunnel100
     ip address 1.1.1.1 255.255.255.0
     tunnel source FastEthernet0/0
     tunnel destination 136.1.122.2
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile ipsec_prof

R2 initially had the same config and it worked just fine. Then I changed the configuration on R2 to DVTI:

    interface Virtual-Template2 type tunnel
     ip address 1.1.1.2 255.255.255.0
     tunnel source FastEthernet0/0
     tunnel mode ipsec ipv4

The interesting thing is that as soon as I configured "tunnel destination" pointing to R1, it works. But that's exactly what I do not want to do; supposing R1 had a dynamic IP, it should work without a destination address.

The log is:

    IPSec policy invalidated proposal with error 8
    Mar 2 07:20:35.303: ISAKMP:(1013): phase 2 SA policy not acceptable! (local 136.1.122.2 remote 136.1.121.1)
    Mar 2 07:20:35.303: ISAKMP: set new node 1645030739 to QM_IDLE
    Mar 2 07:20:35.311: ISAKMP:(1013):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

Any idea is welcome.

Cisco DOC for VTI:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html

--
Bruno Fagioli (by Jaunty Jackalope)
Cisco Security Professional
