The "No SPI to identify Phase 2 SA" could occur for a number of different reasons.
Basic checks:
-make sure the crypto ACLs are exact mirror images of one another. be mindful of the subnet masks when youre checking also
-make sure the transform sets match on both sides
-PFS needs to be either disabled on both sides or enabled on both sides. You cannot have it enabled on one side and not the other
-make sure you have nat exemption for the vpn traffic - nat (inside) 0 access-list
To get more information about why its failing, run "debug cry isa 127" and "debug cry ipsec 127"