| Knowledge Base ID: | KB5049 |
| Version: | 5.0 |
| Published: | 07 Oct 2008 |
| Updated: | 07 Oct 2008 |
| Categories: | Firewall/IPSec_VPN IPSec VPN_Clients ScreenOS |
Environment:
- IPsec
- proxy id
- Route-based VPN
- Proxy-ID configured manually
- Address book entries configured
- Phase 1 successful
Symptoms & Errors:
- Phase 2 failing with a Proxy ID mismatch
- No policy exist for the Proxy ID
- `get address` shows entries such as:

```
192.168.168.0/24  192.168.168.0    255.255.255.0    00
Any               0.0.0.0          0.0.0.0          02  All Addr
Dial-Up VPN       255.255.255.255  255.255.255.255  02  Dial-Up VPN Addr
Homenet           192.168.0.0      255.255.255.0    00
SBC Net           64.161.25.0      255.255.255.0    00
```
Verify that the address book entry is correct (both the address and the netmask, since a /24 on one side and a /16 on the other is still a mismatch) and make sure the Proxy IDs match from one gateway to the other, i.e. the local Proxy ID on this gateway must equal the peer's remote Proxy ID, and the remote Proxy ID on this gateway must equal the peer's local Proxy ID, including protocol and port. See the image.

For a policy-based VPN the Proxy ID is derived from the source and destination addresses of the tunnel policy. For a route-based VPN with a manually configured Proxy ID, it is set on the VPN object instead (`set vpn <name> proxy-id ...`), and that entry must be checked against the peer in the same way.

To check the Proxy ID of each policy-based VPN using the CLI, type the following command:
get policy id <number>
Example (the policy in this output is id 12, so that is the value given to the command):

```
spingineer-> get policy id 12
name:"none" (id 12), zone Untrust -> Trust,action Tunnel, status "enabled"
src "Dial-Up VPN", dst "10.2.2.0/24", serv "ANY"
Policies on this vpn tunnel: 1
[255.255.255.255/32, 10.2.2.0/24, 0-65535, 0-65535, 0]
nat off, url filtering : disabled
vpn remote-vpn, nsp tunnel 40000012, sa index 2, sa tunnel id 12
policy flag 00010000, session backup: on
traffic shapping off, scheduler n/a, serv flag 00
log close, log count 0, alert no, counter no(0) byte rate(sec/min) 0/0
total octets 0, counter(session/packet/octet) 0/0/0
priority 7, diffserv marking Off
tadapter: state off, gbw/mbw 0/0 policing (no)
proxy id:
local 10.2.2.0/255.255.255.0, remote 255.255.255.255/255.255.255.255, proto 0, port 0
No Authentication
No User, User Group or Group expression set
spingineer->
```

The `proxy id:` lines are what Phase 2 negotiates. Here the local side is the 10.2.2.0/24 network and the remote side is the dial-up client host (255.255.255.255/32); on the peer, the same pair must appear with local and remote swapped.
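As an added example (not part of this KB article or of ScreenOS), the following Python script performs the mirror check described above on the `proxy id:` line of two `get policy id` outputs: it normalises dotted masks to prefix lengths so that `10.2.2.0/255.255.255.0` and `10.2.2.0/24` compare equal, then checks that gateway A's local equals gateway B's remote and vice versa, along with protocol and port. The gateway outputs embedded below are constructed for the example; the peer addresses (192.168.0.0/24) are assumptions, not taken from the article.

```python
"""Compare Phase 2 proxy IDs from two ScreenOS gateways (added example).

Parses the 'proxy id:' line printed by `get policy id <n>` on each side,
normalises dotted masks to prefix lengths, and checks the mirror condition:
A.local == B.remote, A.remote == B.local, same proto and port.
"""
import ipaddress
import re

# Matches: local 10.2.2.0/255.255.255.0, remote 192.168.0.0/255.255.255.0, proto 0, port 0
PROXY_RE = re.compile(
    r"local\s+(?P<local>[^,\s]+),\s*remote\s+(?P<remote>[^,\s]+),"
    r"\s*proto\s+(?P<proto>\d+),\s*port\s+(?P<port>\d+)"
)

# Constructed sample outputs (abbreviated to the lines that matter).
GATEWAY_A = """\
name:"none" (id 12), zone Untrust -> Trust,action Tunnel, status "enabled"
proxy id:
local 10.2.2.0/255.255.255.0, remote 192.168.0.0/255.255.255.0, proto 0, port 0
"""

# Peer configured correctly: local/remote are the mirror image of gateway A.
GATEWAY_B_OK = """\
proxy id:
local 192.168.0.0/255.255.255.0, remote 10.2.2.0/255.255.255.0, proto 0, port 0
"""

# Peer with a wrong address book mask on its remote side (a /16 instead of /24).
GATEWAY_B_BAD = """\
proxy id:
local 192.168.0.0/255.255.255.0, remote 10.2.0.0/255.255.0.0, proto 0, port 0
"""


def normalize(net: str) -> str:
    """Return 'addr/prefixlen' for either 'addr/dotted-mask' or 'addr/prefixlen'.

    strict=False keeps a host bit set under a short mask from raising, so a
    mistyped entry is still parsed and reported as a mismatch rather than crashing.
    """
    return str(ipaddress.ip_network(net, strict=False))


def parse_proxy_id(cli_output: str) -> dict:
    """Extract the proxy id from `get policy id` output into a normalised dict."""
    m = PROXY_RE.search(cli_output)
    if not m:
        raise ValueError("no 'proxy id:' line found in output")
    return {
        "local": normalize(m["local"]),
        "remote": normalize(m["remote"]),
        "proto": int(m["proto"]),   # 0 means any protocol on ScreenOS
        "port": int(m["port"]),     # 0 means any port
    }


def compare_proxy_ids(a: dict, b: dict) -> list:
    """Return a list of mismatch descriptions; an empty list means the proxy IDs agree."""
    problems = []
    if a["local"] != b["remote"]:
        problems.append(f"A local {a['local']} != B remote {b['remote']}")
    if a["remote"] != b["local"]:
        problems.append(f"A remote {a['remote']} != B local {b['local']}")
    if a["proto"] != b["proto"]:
        problems.append(f"proto {a['proto']} != {b['proto']}")
    if a["port"] != b["port"]:
        problems.append(f"port {a['port']} != {b['port']}")
    return problems


if __name__ == "__main__":
    a = parse_proxy_id(GATEWAY_A)
    for label, peer in (("B_OK", GATEWAY_B_OK), ("B_BAD", GATEWAY_B_BAD)):
        issues = compare_proxy_ids(a, parse_proxy_id(peer))
        print(label, "OK" if not issues else "MISMATCH: " + "; ".join(issues))
```

Paste the `get policy id` (or, for a route-based tunnel, the configured `proxy-id`) output of each side into the two strings and run the script; any line it prints under MISMATCH is the entry to correct in the address book or the VPN object. The normalisation step matters because the two gateways (or a third-party peer) may display the same network with a dotted mask on one side and a prefix length on the other.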