Help with dynamic to static L2L

WStoffel1
Level 1

I'm having some issues with a L2L tunnel where the remote end has a DHCP address on the outside interface; it's a WRVS4400N Wireless-N Gigabit Security Router with VPN, and I'm locked into a particular configuration on that end. My end is an ASA 5540, which needs to accept a dynamic connection, and I can do whatever I need to in order to get this up and running....

Remote end in Rome:

192.168.252.0/24 inside network, which needs to be able to talk to my end: 192.168.240.0/24, 192.168.241.0/24 and 192.168.242.0/24

IPSec setup in Rome that cannot be changed:

IKE with preshared key

Phase1 3DES, MD5, DH 2, key lifetime 86400

Phase2 3DES, MD5, PFS Enable, DH 2, key lifetime 28800, preshared key XXXXX

On my end I have the ACLs and NAT exemption correct....I can actually treat the current remote outside IP as a static and bring the tunnel up no problem. My issue is getting the dynamic crypto correct.

Here's what I have currently (or should I say have previously configured) on the ASA as far as dynamic crypto:

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map cisco 1 set transform-set ESP-3DES-MD5
crypto dynamic-map cisco 1 set security-association lifetime seconds 28800
crypto dynamic-map cisco 1 set security-association lifetime kilobytes 4608000
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

So my isakmp policy 5 matches my needed phase1.  My ESP-3DES-MD5 transform matches my needed phase 2 encryption/authentication....

I believe all I'm missing is a way to match PFS and DH 2 for phase2?

And since my ACL is named Rome, then my tunnel-group should be named Rome as well?

Thank you.
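For reference, here is the dynamic-peer side assembled end to end as an added example; it is not the poster's configuration or anything from Cisco's documentation. It uses the pre-8.4 ASA syntax that matches the `crypto isakmp policy` form in the post, reuses the names already in the post (transform set ESP-3DES-MD5, dynamic map `cisco`, ACL `Rome`, the 192.168.240-242.0/24 and 192.168.252.0/24 networks), and assumes a crypto map named `outside_map`, which the post does not name. The `set pfs group2` line is the Phase 2 PFS / DH 2 setting the post asks about, and the `crypto map ... dynamic` and `interface outside` lines are the binding that a dynamic map needs but that does not appear in the posted config.

```cisco
! Added example (not the poster's config). Assumes ASA software before 8.4,
! a crypto map named outside_map, and the names used in the post.

! Phase 1: 3DES / MD5 / DH group 2 / 86400 s, as fixed by the WRVS4400N side
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

! Phase 2 transform (3DES / MD5) and the crypto ACL the post calls Rome:
! local 192.168.240-242.0/24 <-> remote 192.168.252.0/24
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
access-list Rome extended permit ip 192.168.240.0 255.255.255.0 192.168.252.0 255.255.255.0
access-list Rome extended permit ip 192.168.241.0 255.255.255.0 192.168.252.0 255.255.255.0
access-list Rome extended permit ip 192.168.242.0 255.255.255.0 192.168.252.0 255.255.255.0

! Dynamic map entry for the DHCP-addressed peer.
! "match address Rome" restricts which proxy IDs this entry will accept.
! "set pfs group2" makes PFS with DH 2 mandatory for this entry: as responder the
! ASA would accept a PFS offer even without it, but with it a peer that omits PFS
! is rejected instead of being silently accepted without PFS.
crypto dynamic-map cisco 1 match address Rome
crypto dynamic-map cisco 1 set transform-set ESP-3DES-MD5
crypto dynamic-map cisco 1 set pfs group2
crypto dynamic-map cisco 1 set security-association lifetime seconds 28800
crypto dynamic-map cisco 1 set security-association lifetime kilobytes 4608000

! Bind the dynamic map into the static crypto map as the highest sequence number,
! so any static-peer entries are evaluated first, then apply the map to the interface.
! Without these two lines the dynamic map is never consulted.
crypto map outside_map 65535 ipsec-isakmp dynamic cisco
crypto map outside_map interface outside

! A peer that authenticates with a pre-shared key and identifies itself by IP address
! cannot be steered to a named tunnel-group, so a dynamic peer lands in DefaultL2LGroup;
! the key has to be configured there (replace XXXXX with the shared key).
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key XXXXX

! Let decrypted VPN traffic bypass the outside interface ACL
sysopt connection permit-vpn
```

To check the result once the Rome router initiates, `show crypto isakmp sa` shows the Phase 1 SA with the peer's current DHCP address, `show crypto ipsec sa peer <that address>` shows the Phase 2 SAs with `PFS (Y/N): Y, DH group: group2`, and `show vpn-sessiondb l2l` shows which tunnel-group the session landed in. Additional dynamic peers get their own sequence numbers under the same dynamic map (`crypto dynamic-map cisco 2 ...`, each with its own `match address`), but because they all authenticate against DefaultL2LGroup they necessarily share that one pre-shared key, so anyone holding the key can bring up Phase 1 from any source address; the `match address` lines are what limit the traffic such a peer can then negotiate. 3DES, MD5 and DH group 2 are used here only because the remote device cannot be changed; they are legacy algorithms that should not be chosen where the remote end is configurable.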

Accepted Solution

I don't think we can have multiple dynamic IP peers use diff pre-shared in such setup.

-

Sourav


3 Replies

Thanks, that helped me get the tunnels up.  But it leads to a few questions.  There were already a couple of previously configured dynamic tunnels which were hitting the tunnel-group DefaultL2LGroup, and these new ones are as well.

So now I have multiple tunnels using the same pre-shared key. That doesn't strike me as secure. How do I get a dynamic tunnel to hit its own tunnel group?

And am I limited to a single crypto dynamic-map entry, or can I have multiple?

Thanks again.
