
Site to multi site IPSec VPN Connection

Attiq
Level 1

Hi all,

I am preparing a test lab environment before the implementation of a real site-to-multisite IPsec VPN, but here is the problem I'm facing while configuring the multi-site IPsec VPN.

The scenario is:

R1==>R2

R1==>R3

Assume R1 is our HQ router and R2 and R3 are our two branch sites. The IPsec VPN connection between R1 and R2 is established, but the R1 to R3 connection is not establishing; it is stuck in the DOWN-NEGOTIATING state. When I tried to forcefully reach R1 from the R2 router, I got this error message:

*Dec 17 15:56:16.399: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
        (ip) vrf/dest_addr= /1.1.1.1, src_addr= 1.1.1.3, prot= 17

Please see the attached topology file and the configuration files of each router.

I'll appreciate your consideration.

Thank You.

4 Replies

rvarelac
Level 7

Hi Muhammad

I would try to remove the "permit ip any any" from the crypto ACL on R1 and R3.

Are you testing with real gear or with GNS3?

Hope it helps

-Randy-

Dear @rvarelac,

Thank you for your reply.

As per your instruction to remove *permit ip any any* from the crypto ACL on R1 and R3, I did it, but they are still not establishing the VPN connection. This time, when I tried to ping from R3 to R1, I got this error message on R1:

%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
        (ip) vrf/dest_addr= /1.1.1.1, src_addr= 1.1.1.3, prot= 1

I'm just testing before the implementation at HQ and the branch offices.

Kindly suggest what I should do. I'm testing this scenario on GNS3 1.3.0.

Hi Muhammad, 

The configuration looks fine on both ends. 

R1

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2

crypto isakmp key ycisco address 1.1.1.3

crypto map cmap 2 ipsec-isakmp
set peer 1.1.1.3
set transform-set yts
match address yacl

crypto ipsec transform-set yts esp-3des esp-md5-hmac


ip access-list extended yacl
permit ip 192.168.0.0 0.0.0.255 192.168.105.0 0.0.0.255



-----------------------------------------------------------------

R3

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key ycisco address 1.1.1.1

crypto map cmap 2 ipsec-isakmp
set peer 1.1.1.1
set transform-set yts
match address hqacl


crypto ipsec transform-set yts esp-3des esp-md5-hmac

ip access-list extended hqacl
permit ip 192.168.105.0 0.0.0.255 192.168.0.0 0.0.0.255

The error you are getting is caused by a mismatch on the crypto ACL or because one of the ends is not encrypting correctly. In your case the ACL is correct; it looks like this could be a GNS3 thing.

Hope it helps

-Randy-
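The reply above traces %CRYPTO-4-RECVD_PKT_NOT_IPSEC to a crypto ACL mismatch, and the earlier reply suggests removing "permit ip any any". As an added example (not code from the thread or from Cisco), this Python check parses the two crypto ACLs quoted for R1 and R3 and reports entries that are not mirror images of each other or that select all traffic. The function names are hypothetical, and it assumes only `permit ip` entries with contiguous wildcard masks.

```python
import ipaddress

# Constructed sample input: the crypto ACLs quoted for R1 and R3 in the reply above.
R1_ACL = """ip access-list extended yacl
permit ip 192.168.0.0 0.0.0.255 192.168.105.0 0.0.0.255"""
R3_ACL = """ip access-list extended hqacl
permit ip 192.168.105.0 0.0.0.255 192.168.0.0 0.0.0.255"""

ANY = ipaddress.ip_network("0.0.0.0/0")

def _take(tokens):
    """Consume one IOS address spec: 'any', 'host A' or 'A WILDCARD'."""
    head = tokens.pop(0)
    if head == "any":
        return ANY
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # Invert the wildcard into a netmask so 0.0.0.0 means /32, not /0.
    # Assumption: wildcards are contiguous; others raise ValueError.
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{head}/{netmask}", strict=False)

def parse_crypto_acl(text):
    """Return (source, destination) networks for every 'permit ip' entry."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:2] == ["permit", "ip"]:
            rest = tokens[2:]
            entries.append((_take(rest), _take(rest)))
    return entries

def audit_pair(a_text, b_text):
    """Report entries that keep peers A and B from agreeing on protected traffic."""
    a, b = parse_crypto_acl(a_text), parse_crypto_acl(b_text)
    problems = []
    for name, mine, theirs in (("A", a, b), ("B", b, a)):
        mirror = {(dst, src) for src, dst in theirs}
        for src, dst in mine:
            if src == ANY and dst == ANY:
                problems.append(f"{name}: 'permit ip any any' selects all traffic")
            elif (src, dst) not in mirror:
                problems.append(f"{name}: {src} -> {dst} has no mirror on the peer")
    return problems

if __name__ == "__main__":
    print(audit_pair(R1_ACL, R3_ACL) or "crypto ACLs mirror each other")
```

An empty result for the quoted ACLs matches the reply's reading that the ACLs themselves are correct.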

Hi rvarelac,

Thank you for your cooperation.

It was a GNS3 problem and all the configuration looks fine.

Finally, I'm configuring IPsec DMVPN with HQ and the branch offices.

Hub==>Spoke1 and Spoke2 terminology

Usman