Screen OS

  • 1.  VPN Routing without NAT

    Posted 03-08-2015 21:19

    I have a VPN where phase 1 is up, and I have one phase 2 that is working.  I can't seem to get the second phase 2 up and running.  For the first phase 2 I'm using a DIP to NAT all traffic, and that is working.  For the second I don't want to NAT at all; I just want to route the traffic over the VPN.   Essentially I want to send traffic from 10.144.0.30 to 10.144.190.14 over the tunnel.  What am I missing?  Here is my config:

     

    !!!!!! PHASE 2 and ROUTE !!!!!!!
    !!! Working
    set vpn "SITEBVPN-107.30.15.0" gateway "SITEBVPN-P1" no-replay tunnel idletime 0 proposal "g2-esp-aes256-sha1-14400" 
    set vpn "SITEBVPN-107.30.15.0" id 483 bind interface tunnel.1
    set vpn "SITEBVPN-107.30.15.0" proxy-id local-ip 135.50.222.0/24 remote-ip 107.30.15.0/24 "ANY" 
    set interface tunnel.96 nhtb 135.50.222.6 vpn "SITEBVPN-107.30.15.0"
    set route 107.30.15.0/24 interface tunnel.1 gateway 135.50.222.6
    
    !!! Not Working
    set vpn "SITEBVPN-10.144.190.0" gateway "SITEBVPN-P1" no-replay tunnel idletime 0 proposal "g2-esp-aes256-sha1-14400" 
    set vpn "SITEBVPN-10.144.190.0" id 498 bind interface tunnel.1
    set vpn "SITEBVPN-10.144.190.0" proxy-id local-ip 135.50.222.0/24 remote-ip 10.144.190.0/24 "ANY" 
    set interface tunnel.1 nhtb 135.50.222.56 vpn "SITEBVPN-10.144.190.0"
    set route 10.144.190.0/24 interface tunnel.1 gateway 135.50.222.56
    
    !!!!!! Firewall !!!!!!!
    set interface tunnel.96 dip 7 135.50.222.26 135.50.222.26
    
    set address VPN "SITEB-10.144.190.0" 10.144.190.0 255.255.255.0
    set address VPN "SITEB-107.30.15.0" 107.30.15.0 255.255.255.0
    set group address "VPN" "SITEB-NETWORK"
    set group address "VPN" "SITEB-NETWORK" add "SITEB-10.246.190.0"
    set group address "VPN" "SITEB-NETWORK" add "SITEB-107.30.15.0"
    set address "Corp" "SITEA-135.50.222.0" 135.50.222.0 255.255.255.0
    set address "Corp" "SITEA-10.144.0.0" 10.144.0.0 255.255.128.0
    set group address "Corp" "SITEA-NETWORK"
    set group address "Corp" "SITEA-NETWORK" add "SITEA-135.50.222.0"
    set group address "Corp" "SITEA-NETWORK" add "SITEA-10.144.0.0"
    
    set policy id 611 from "VPN" to "Corp"  "SITEB-NETWORK" "SITEA-NETWORK" "ANY" permit 
    set policy id 610 from "Corp" to "VPN"  "SITEA-NETWORK" "SITEB-NETWORK" "ANY" permit 
    set policy id 602 from "Corp" to "B2B-VPN"  "SITEA-NETWORK" "SITEB-HTTPS" "HTTPS" nat src dip-id 7 permit log 
    set policy id 601 from "Corp" to "B2B-VPN"  "SITEA-NETWORK" "SITEB-HTTP" "HTTP" nat src dip-id 7 permit log 

     

    and a picture:

    Capture.PNG



  • 2.  RE: VPN Routing without NAT

     
    Posted 03-09-2015 01:09

    Hi,

     

    Is the second VPN up but not carrying traffic, or does it not get established at all?

     

    You can check using 'get sa'. If both Phase-2s are up, it should show 4 active SAs.

     

    If the second SA is not getting established, check the event logs. There will be related events, holding clues for why the P2 negotiation is failing.



  • 3.  RE: VPN Routing without NAT

    Posted 03-09-2015 04:56

    I'm pretty sure this is the related error:

     

    IKE<134.220.35.15>: Received a notification message for DOI <1> <18> <INVALID-ID-INFORMATION>.

     

    That would tell me that the encryption domains don't match and my proxy-id local statement is incorrect.

     

    The only other way I would think to try would be this:

     

    set vpn "SITEBVPN-10.144.190.0" proxy-id local-ip 10.144.0.0/17 remote-ip 10.144.190.0/24 "ANY"

     



  • 4.  RE: VPN Routing without NAT
    Best Answer

    Posted 03-09-2015 06:32

    Strangely enough, that was it.

    set vpn "SITEBVPN-10.144.190.0" proxy-id local-ip 10.144.0.0/17 remote-ip 10.144.190.0/24 "ANY"

    That needed to match the encryption ACL on the remote side, and it didn't.  Thanks for your help.
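    As an added illustration of why the thread's fix worked (this is not code from the thread or from Juniper), the check below parses ScreenOS proxy-id lines and compares them with the selector the peer is expected to send. The peer's encryption ACL (10.144.190.0/24 local, 10.144.0.0/17 remote) is inferred from the resolution above and is an assumption, not something shown in the posts.

```python
import ipaddress
import re

# ScreenOS form: set vpn "NAME" proxy-id local-ip A/B remote-ip C/D "SERVICE"
PROXY_ID_RE = re.compile(
    r'set vpn "(?P<name>[^"]+)" proxy-id local-ip (?P<local>\S+) '
    r'remote-ip (?P<remote>\S+) "(?P<svc>[^"]+)"'
)

# Lines quoted from the thread: the failing original and the accepted fix.
ORIGINAL_LINE = ('set vpn "SITEBVPN-10.144.190.0" proxy-id local-ip 135.50.222.0/24 '
                 'remote-ip 10.144.190.0/24 "ANY"')
FIXED_LINE = ('set vpn "SITEBVPN-10.144.190.0" proxy-id local-ip 10.144.0.0/17 '
              'remote-ip 10.144.190.0/24 "ANY"')
# Assumed peer-side encryption ACL, inferred from the thread's resolution.
PEER_LOCAL, PEER_REMOTE = "10.144.190.0/24", "10.144.0.0/17"

def parse_proxy_id(line):
    """Extract name, local/remote selectors and service from a proxy-id line."""
    m = PROXY_ID_RE.search(line)
    if not m:
        raise ValueError("not a ScreenOS proxy-id line: %r" % line)
    return {"name": m["name"], "service": m["svc"],
            "local": ipaddress.ip_network(m["local"], strict=False),
            "remote": ipaddress.ip_network(m["remote"], strict=False)}

def check_phase2(our_line, peer_local, peer_remote, src, dst):
    """Return a list of problems; an empty list means the Phase 2 selectors
    mirror the peer's ACL and cover the flow src -> dst."""
    pid = parse_proxy_id(our_line)
    peer_local = ipaddress.ip_network(peer_local, strict=False)
    peer_remote = ipaddress.ip_network(peer_remote, strict=False)
    problems = []
    # Phase 2 IDs are compared as a pair; our local must equal the peer's remote
    # and vice versa, otherwise the peer answers INVALID-ID-INFORMATION.
    if pid["local"] != peer_remote or pid["remote"] != peer_local:
        problems.append("proxy-id mismatch: we offer %s<->%s, peer expects %s<->%s"
                        % (pid["local"], pid["remote"], peer_remote, peer_local))
    # Even with matching IDs, the flow must fall inside the selectors. This is
    # why the NAT tunnel works: the DIP address sits inside the local proxy-id.
    if ipaddress.ip_address(src) not in pid["local"]:
        problems.append("source %s outside local proxy-id %s" % (src, pid["local"]))
    if ipaddress.ip_address(dst) not in pid["remote"]:
        problems.append("destination %s outside remote proxy-id %s" % (dst, pid["remote"]))
    return problems

if __name__ == "__main__":
    for line in (ORIGINAL_LINE, FIXED_LINE):
        print(check_phase2(line, PEER_LOCAL, PEER_REMOTE, "10.144.0.30", "10.144.190.14") or "OK")
```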