
IPsec over GRE in ASR 1000 with VRF

jmfranco
Level 1

Hi

I'm trying to configure IPsec over a GRE tunnel between a Cisco 819G remote router and an ASR 1002 central router using crypto maps. Currently the ASR router has two VRFs (management vrf and EXTERNOS2 vrf) and in the future we are going to deploy different "virtual" routers from this box. I don't know why it doesn't work; the tunnel interface doesn't go up. Looking at the debugs obtained from the ASR router (debug crypto isakmp and debug crypto ipsec), I see the following errors:

Oct  3 13:11:33: IPSEC(validate_proposal_request): proposal part #1

Oct  3 13:11:33: IPSEC(validate_proposal_request): proposal part #1,

  (key eng. msg.) INBOUND local= 10.255.68.246:0, remote= 10.200.25.106:0,

    local_proxy= 10.255.68.246/255.255.255.255/256/0,

    remote_proxy= 10.200.25.106/255.255.255.255/256/0,

    protocol= ESP, transform= NONE  (Transport),

    lifedur= 0s and 0kb,

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

Oct  3 13:11:33: Crypto mapdb : proxy_match

        src addr     : 10.255.68.246

        dst addr     : 10.200.25.106

        protocol     : 0

        src port     : 0

        dst port     : 0

Oct  3 13:11:33: map_db_check_isakmp_profile profile did not match

Oct  3 13:11:33: Crypto mapdb : proxy_match

        src addr     : 10.255.68.246

        dst addr     : 10.200.25.106

        protocol     : 0

        src port     : 0

        dst port     : 0

Oct  3 13:11:33: map_db_check_isakmp_profile profile did not match

Oct  3 13:11:33: map_db_find_best did not find matching map

Oct  3 13:11:33: IPSEC(ipsec_process_proposal): proxy identities not supported

Oct  3 13:11:33: ISAKMP:(35001): IPSec policy invalidated proposal with error 32

Oct  3 13:11:33: ISAKMP:(35001): phase 2 SA policy not acceptable! (local 10.255.68.246 remote 10.200.25.106)

Could anybody help me troubleshoot why it doesn't work?

I am posting the involved configuration sections from the ASR and 819G routers.

B.R.


jmfranco
Level 1

Oops!! I forgot to paste the involved routes from both devices.

ASR router

----------------

ip route vrf EXTERNOS2 10.200.24.0 255.255.248.0 10.255.68.245 tag 6

ip route vrf EXTERNOS2 185.1.1.0 255.255.255.0 Tunnel21 tag 6          <--- c819G LAN network

Cisco 819G

-----------------

ip route 0.0.0.0 0.0.0.0 Tunnel1

ip route 10.255.68.246 255.255.255.255 Cellular0

B.R.