Which cause is the most probable?

Refer to the exhibit. This error message is displayed while troubleshooting a newly set up IPsec VPN tunnel. Which cause is the most probable?


A. Peer information is incorrectly configured on the remote IPsec router
B. The phase 1 policies are not compatible
C. The phase 2 policies are not compatible
D. Crypto ACLs are not correctly mirrored on both ends of the tunnel
E. Peer information is incorrectly configured on both sides of the tunnel


2 thoughts on “Which cause is the most probable?”

  1. Seems that the right answer is D. Crypto ACLs are not correctly mirrored on both ends of the tunnel.
    Abstract from book: “The Complete Cisco VPN Configuration Guide” Topic ISAKMP/IKE PHASE 2 CONNECTIONS
    “Mismatched Crypto ACLs
    If the crypto ACLs are not mirrored on the two peers, you’ll see debug output from the debug crypto ipsec and debug crypto isakmp commands shown in Example 23-12. The proxy identities not supported message indicates that the crypto ACLs (if routers or PIXs), or network lists (if concentrators), do not match (are not mirrored) on the two IPsec peers. This misconfiguration is commonly called an “invalid proxy ID.” When this error occurs, examine the crypto ACLs (or network lists, if the peer’s a concentrator) to see where the ACL entries are not mirrored.”
