Try clearing the DF bit and also setting a TCP MSS value on the LAN-facing interface. You can zero in on the MSS value by doing an extended ping: ping x.x.x.x -l 1400 -f. Keep on reducing the value after -l till you get a successful reply. Subtract 60...
I think the phase 1 policies are not configured on the router whose debugs are attached. Do you really want to do ISAKMP authentication with certificates, or do you have a pre-shared key configured? Please configure the phase 1 policy matching the remote pee...
This message is due to the fact that one side is holding the IPsec SA and the other side does not have similar IPsec SAs, so definitely traffic will not pass. You should make sure that the lifetimes for both phase 1 and phase 2 are exactly the same o...