Remote-Store#sh ver
Cisco IOS Software, IOSv Software (VIOS-ADVENTERPRISEK9-M), Version 15.6(2)T, RELEASE SOFTWARE (fc2)

Remote-Store#show crypto ikev2 stats ext-service
--------------------------------------------------------------
 AAA OPERATION                             PASSED    FAILED
--------------------------------------------------------------
 RECEIVING PSKEY                                0         0
 AUTHENTICATION USING EAP                       0         0
 START ACCOUNTING                               0         0
 STOP ACCOUNTING                                0         0
 AUTHORIZATION                                  0         0
--------------------------------------------------------------
 IPSEC OPERATION                           PASSED    FAILED
--------------------------------------------------------------
 IPSEC POLICY VERIFICATION                      0         0
 SA CREATION                                    0         0
 SA DELETION                                    0         0
---------------------------------------------------------------
 CRYPTO ENGINE OPERATION                   PASSED    FAILED
---------------------------------------------------------------
 DH PUBKEY GENERATED                         3521         0
 DH SHARED SECKEY GENERATED                  3521         0
 SIGNATURE SIGN                              3521         0
 SIGNATURE VERIFY                               0         0
--------------------------------------------------------------
 PKI OPERATION                             PASSED    FAILED
--------------------------------------------------------------
 VERIFY CERTIFICATE                             0         0
 FETCHING CERTIFICATE USING HTTP                0         0
 FETCHING PEER CERTIFICATE USING HTTP           0         0
 GET ISSUERS                                 3521         0
 GET CERTIFICATES FROM ISSUERS               3521         0
 GET DN FROM CERT                               0         0
--------------------------------------------------------------
 GKM OPERATION                             PASSED    FAILED
--------------------------------------------------------------
 GET_POLICY                                     0         0
 SET_POLICY                                     0         0
Remote-Store#
Remote-Store#show crypto ikev2 stats exchange detail
--------------------------------------------------------------------------
EXCHANGE/NOTIFY                       TX(REQ)  TX(RES)  RX(REQ)  RX(RES)
EXCHANGES
 IKE_SA_INIT                             3521        0        0     3521
 IKE_AUTH                                3521        0        0        0
 CREATE_CHILD_SA                            0        0        0        0
 CREATE_CHILD_SA_IPSEC                      0        0        0        0
 CREATE_CHILD_SA_IPSEC_REKEY                0        0        0        0
 CREATE_CHILD_SA_IKE_REKEY                  0        0        0        0
 GSA_AUTH                                   0        0        0        0
 GSA_REGISTRATION                           0        0        0        0
 GSA_REKEY                                  0        0        0        0
 GSA_REKEY_ACK                              0        0        0        0
 INFORMATIONAL                              0        0        0        0
ERROR NOTIFY
 UNSUPPORTED_CRITICAL_PAYLOAD               0        0        0        0
 INVALID_IKE_SPI                            0        0        0        0
 INVALID_MAJOR_VERSION                      0        0        0        0
 INVALID_SYNTAX                             0        0        0        0
 INVALID_MESSAGE_ID                         0        0        0        0
 INVALID_SPI                                0        0        0        0
 NO_PROPOSAL_CHOSEN                         0        0        0        0
 INVALID_KE_PAYLOAD                         0        0        0        0
 AUTHENTICATION_FAILED                      0        0        0        0
 SINGLE_PAIR_REQUIRED                       0        0        0        0
 NO_ADDITIONAL_SAS                          0        0        0        0
 INTERNAL_ADDRESS_FAILURE                   0        0        0        0
 FAILED_CP_REQUIRED                         0        0        0        0
 TS_UNACCEPTABLE                            0        0        0        0
 INVALID_SELECTORS                          0        0        0        0
OTHER NOTIFY
 INITIAL_CONTACT                         3521        0        0        0
 SET_WINDOW_SIZE                         3521        0        0        0
 ADDITIONAL_TS_POSSIBLE                     0        0        0        0
 IPCOMP_SUPPORTED                           0        0        0        0
 NAT_DETECTION_SOURCE_IP                 3521        0        0     3521
 NAT_DETECTION_DESTINATION_IP            3521        0        0     3521
 COOKIE                                     0        0        0        0
 USE_TRANSPORT_MODE                         0        0        0        0
 HTTP_CERT_LOOKUP_SUPPORTED                 0        0        0        0
 REKEY_SA                                   0        0        0        0
 ESP_TFC_PADDING_NOT_SUPPORTED              0        0        0        0
 DELETE_REASON                              0        0        0        0
 CUSTOM                                     0        0        0        0
 REDIRECT_SUPPORTED                         0        0        0        0
 REDIRECT                                   0        0        0        0
 REDIRECTED_FROM                            0        0        0        0
 DPD                                        0        0        0        0
CONFIG PAYLOAD TYPE                        TX       RX
 CFG_REQUEST                             3521        0
 CFG_REPLY                                  0        0
 CFG_SET                                    0        0
 CFG_ACK                                    0        0
OTHER COUNTERS
 NAT_INSIDE                                 0
 NAT_OUTSIDE                                0
 NO_NAT                                  3521
--------------------------------------------------------------------------
Remote-Store#
Remote-Store#show crypto ikev2 stats timeout
-----------------------------------------
 IKEV2 TIMER                   TIMED OUT
-----------------------------------------
 EXT SERVICE TIMER                     0
 AUTH TIMER                            0
 PACKET MAXIMUM RETRANS TIMER       3494
 DPD MAX RETRANS TIMER                 0
Remote-Store#

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2019.04.10 07:48:50 =~=~=~=~=~=~=~=~=~=~=~=
clear crypto ikev2 sa
Remote-Store#
Apr 10 10:46:24.946: %CRYPTO-5-IPSEC_SETUP_FAILURE: IPSEC SETUP FAILED for local:172.16.2.2 local_id:172.16.2.2 remote:172.16.1.2 remote_id:172.16.1.2 IKE profile:None fvrf:None fail_reason:IPSec Proposal failure fail_class_cnt:1
Remote-Store#clear crypto ikev2 sa
Remote-Store#
Apr 10 10:46:54.249: IKEv2:Searching Policy with fvrf 0, local address 172.16.1.2
Apr 10 10:46:54.250: IKEv2:Found Policy 'FLEX_POL'
Apr 10 10:46:54.268: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
Apr 10 10:46:54.269: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
Apr 10 10:46:54.270: IKEv2:(SESSION ID = 54,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
Apr 10 10:46:54.271: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
Apr 10 10:46:54.272: IKEv2:(SESSION ID = 54,SA ID = 1):Request queued for computation of DH key
Apr 10 10:46:54.273: IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch
Apr 10 10:46:54.274: IKEv2:(SESSION ID = 54,SA ID = 1):Generating IKE_SA_INIT message
Apr 10 10:46:54.275: IKEv2:(SESSION ID = 54,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation), Num. transforms: 4
   AES-CBC SHA256 SHA256 DH_GROUP_2048_MODP/Group 14
Apr 10 10:46:54.281: IKEv2:(SESSION ID = 54,SA ID = 1):Sending Packet [To 172.25.1.2:500/From 172.16.1.2:500/VRF i0:f0]
Initiator SPI : A7230F6B3D6920A8 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Apr 10 10:46:54.283: IKEv2-PAK:(SESSION ID = 54,SA ID = 1):Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: INITIATOR Message id: 0, length: 476
Payload contents:
 SA Next payload: KE, reserved: 0x0, length: 48
  last proposal: 0x0, reserved: 0x0, length: 44
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA256
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA256
    last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
 KE Next payload: N, reserved: 0x0, length: 264
    DH group: 14, Reserved: 0x0
 N Next payload: VID, reserved: 0x0, length: 36
 VID Next payload: VID, reserved: 0x0, length: 23
 VID Next payload: NOTIFY, reserved: 0x0, length: 21
 NOTIFY(NAT_DETECTION_SOURCE_IP) Next payload: NOTIFY, reserved: 0x0, length: 28
    Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_SOURCE_IP
 NOTIFY(NAT_DETECTION_DESTINATION_IP) Next payload: NONE, reserved: 0x0, length: 28
    Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
Apr 10 10:46:54.294: IKEv2:(SESSION ID = 54,SA ID = 1):Insert SA
Apr 10 10:46:54.395: IKEv2:(SESSION ID = 54,SA ID = 1):Received Packet [From 172.25.1.2:500/To 172.16.1.2:500/VRF i0:f0]
Initiator SPI : A7230F6B3D6920A8 - Responder SPI : 041FE39B8AE4AB72 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Apr 10 10:46:54.397: IKEv2-PAK:(SESSION ID = 54,SA ID = 1):Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE Message id: 0, length: 501
Payload contents:
 SA Next payload: KE, reserved: 0x0, length: 48
  last proposal: 0x0, reserved: 0x0, length: 44
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA256
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA256
    last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
 KE Next payload: N, reserved: 0x0, length: 264
    DH group: 14, Reserved: 0x0
 N Next payload: VID, reserved: 0x0, length: 36
 VID Next payload: VID, reserved: 0x0, length: 23
 VID Next payload: NOTIFY, reserved: 0x0, length: 21
 NOTIFY(NAT_DETECTION_SOURCE_IP) Next payload: NOTIFY, reserved: 0x0, length: 28
    Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_SOURCE_IP
 NOTIFY(NAT_DETECTION_DESTINATION_IP) Next payload: CERTREQ, reserved: 0x0, length: 28
    Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
 CERTREQ Next payload: NONE, reserved: 0x0, length: 25
    Cert encoding X.509 Certificate - signature
Apr 10 10:46:54.413: IKEv2:(SESSION ID = 54,SA ID = 1):Processing IKE_SA_INIT message
Apr 10 10:46:54.414: IKEv2:(SESSION ID = 54,SA ID = 1):Verify SA init message
Apr 10 10:46:54.414: IKEv2:(SESSION ID = 54,SA ID = 1):Processing IKE_SA_INIT message
Apr 10 10:46:54.418: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
Apr 10 10:46:54.420: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'WANLAB-CA'
Apr 10 10:46:54.421: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting cert chain for the trustpoint WANLAB-CA
Apr 10 10:46:54.463: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSED
Apr 10 10:46:54.464: IKEv2:(SESSION ID = 54,SA ID = 1):Checking NAT discovery
Apr 10 10:46:54.465: IKEv2:(SESSION ID = 54,SA ID = 1):NAT not found
Apr 10 10:46:54.466: IKEv2:(SESSION ID = 54,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
Apr 10 10:46:54.491: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
Apr 10 10:46:54.493: IKEv2:(SESSION ID = 54,SA ID = 1):Request queued for computation of DH secret
Apr 10 10:46:54.494: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
Apr 10 10:46:54.496: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
Apr 10 10:46:54.497: IKEv2:(SESSION ID = 54,SA ID = 1):Completed SA init exchange
Apr 10 10:46:54.501: IKEv2:Config data to send:
Apr 10 10:46:54.502: IKEv2:(SESSION ID = 54,SA ID = 1):Config-type: Config-request
Apr 10 10:46:54.503: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: ipv4-dns, length: 0
Apr 10 10:46:54.504: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: ipv4-dns, length: 0
Apr 10 10:46:54.504: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: ipv4-nbns, length: 0
Apr 10 10:46:54.505: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: ipv4-nbns, length: 0
Apr 10 10:46:54.506: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: ipv4-subnet, length: 0
Apr 10 10:46:54.507: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: ipv6-dns, length: 0
Apr 10 10:46:54.508: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: ipv6-subnet, length: 0
Apr 10 10:46:54.509: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: app-version, length: 245, data: Cisco IOS Software, IOSv Software (VIOS-ADVENTERPRISEK9-M), Version 15.6(2)T, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Tue 22-Mar-16 16:19 by prod_rel_team
Apr 10 10:46:54.510: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: split-dns, length: 0
Apr 10 10:46:54.510: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: banner, length: 0
Apr 10 10:46:54.511: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: config-url, length: 0
Apr 10 10:46:54.512: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: backup-gateway, length: 0
Apr 10 10:46:54.513: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: def-domain, length: 0
Apr 10 10:46:54.519: IKEv2:(SESSION ID = 54,SA ID = 1):Have config mode data to send
Apr 10 10:46:54.520: IKEv2:(SESSION ID = 54,SA ID = 1):Check for EAP exchange
Apr 10 10:46:54.521: IKEv2:(SESSION ID = 54,SA ID = 1):Generate my authentication data
Apr 10 10:46:54.522: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
Apr 10 10:46:54.523: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
Apr 10 10:46:54.524: IKEv2:(SESSION ID = 54,SA ID = 1):Get my authentication method
Apr 10 10:46:54.525: IKEv2:(SESSION ID = 54,SA ID = 1):My authentication method is 'RSA'
Apr 10 10:46:54.525: IKEv2:(SESSION ID = 54,SA ID = 1):Sign authentication data
Apr 10 10:46:54.527: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting private key
Apr 10 10:46:54.528: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of private key PASSED
Apr 10 10:46:54.528: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Sign authentication data
Apr 10 10:46:54.977: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] Signing of authenticaiton data PASSED
Apr 10 10:46:54.978: IKEv2:(SESSION ID = 54,SA ID = 1):Authentication material has been sucessfully signed
Apr 10 10:46:54.979: IKEv2:(SESSION ID = 54,SA ID = 1):Check for EAP exchange
Apr 10 10:46:54.980: IKEv2:(SESSION ID = 54,SA ID = 1):Generating IKE_AUTH message
Apr 10 10:46:54.981: IKEv2:(SESSION ID = 54,SA ID = 1):Constructing IDi payload: 'Remote-Store.wanlab.wan' of type 'FQDN'
Apr 10 10:46:54.982: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
Apr 10 10:46:54.983: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'WANLAB-CA'
Apr 10 10:46:54.984: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
Apr 10 10:46:54.985: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
Apr 10 10:46:54.990: IKEv2:(SESSION ID = 54,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation), Num. transforms: 3
   AES-CBC SHA256 Don't use ESN
Apr 10 10:46:54.992: IKEv2:(SESSION ID = 54,SA ID = 1):Building packet for encryption.
Payload contents:
 VID Next payload: IDi, reserved: 0x0, length: 20
 IDi Next payload: CERT, reserved: 0x0, length: 31
    Id type: FQDN, Reserved: 0x0 0x0
 CERT Next payload: CERTREQ, reserved: 0x0, length: 1449
    Cert encoding X.509 Certificate - signature
 CERTREQ Next payload: AUTH, reserved: 0x0, length: 25
    Cert encoding X.509 Certificate - signature
 AUTH Next payload: CFG, reserved: 0x0, length: 264
    Auth method RSA, reserved: 0x0, reserved 0x0
 CFG Next payload: SA, reserved: 0x0, length: 305
    cfg type: CFG_REQUEST, reserved: 0x0, reserved: 0x0
Apr 10 10:46:54.996: attrib type: internal IP4 DNS, length: 0
Apr 10 10:46:54.996: attrib type: internal IP4 DNS, length: 0
Apr 10 10:46:54.997: attrib type: internal IP4 NBNS, length: 0
Apr 10 10:46:54.997: attrib type: internal IP4 NBNS, length: 0
Apr 10 10:46:54.998: attrib type: internal IP4 subnet, length: 0
Apr 10 10:46:54.999: attrib type: internal IP6 DNS, length: 0
Apr 10 10:46:54.999: attrib type: internal IP6 subnet, length: 0
Apr 10 10:46:55.000: attrib type: application version, length: 245
   attrib type: Unknown - 28675, length: 0
Apr 10 10:46:55.000: attrib type: Unknown - 28672, length: 0
Apr 10 10:46:55.001: attrib type: Unknown - 28692, length: 0
Apr 10 10:46:55.002: attrib type: Unknown - 28681, length: 0
Apr 10 10:46:55.002: attrib type: Unknown - 28674, length: 0
Apr 10 10:46:55.003: SA Next payload: TSi, reserved: 0x0, length: 44
  last proposal: 0x0, reserved: 0x0, length: 40
  Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3
    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA256
    last transform: 0x0, reserved: 0x0: length: 8
    type: 5, reserved: 0x0, id: Don't use ESN
 TSi Next payload: TSr, reserved: 0x0, length: 24
    Num of TSs: 1, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 47, length: 16
    start port: 0, end port: 65535
    start addr: 172.16.1.2, end addr: 172.16.1.2
 TSr Next payload: NOTIFY, reserved: 0x0, length: 24
    Num of TSs: 1, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 47, length: 16
    start port: 0, end port: 65535
    start addr: 172.25.1.2, end addr: 172.25.1.2
 NOTIFY(INITIAL_CONTACT) Next payload: NOTIFY, reserved: 0x0, length: 8
    Security protocol id: Unknown - 0, spi size: 0, type: INITIAL_CONTACT
 NOTIFY(SET_WINDOW_SIZE) Next payload: NOTIFY, reserved: 0x0, length: 12
    Security protocol id: Unknown - 0, spi size: 0, type: SET_WINDOW_SIZE
 NOTIFY(ESP_TFC_NO_SUPPORT) Next payload: NOTIFY, reserved: 0x0, length: 8
    Security protocol id: Unknown - 0, spi size: 0, type: ESP_TFC_NO_SUPPORT
 NOTIFY(NON_FIRST_FRAGS) Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: Unknown - 0, spi size: 0, type: NON_FIRST_FRAGS
Apr 10 10:46:55.012: IKEv2:(SESSION ID = 54,SA ID = 1):Sending Packet [To 172.25.1.2:500/From 172.16.1.2:500/VRF i0:f0]
Initiator SPI : A7230F6B3D6920A8 - Responder SPI : 041FE39B8AE4AB72 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Apr 10 10:46:55.013: IKEv2-PAK:(SESSION ID = 54,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: INITIATOR Message id: 1, length: 2288
Payload contents:
 ENCR Next payload: VID, reserved: 0x0, length: 2260
Apr 10 10:46:56.362: %CRYPTO-5-IPSEC_SETUP_FAILURE: IPSEC SETUP FAILED for local:172.16.2.2 local_id:172.16.2.2 remote:172.16.1.2 remote_id:172.16.1.2 IKE profile:None fvrf:None fail_reason:IPSec Proposal failure fail_class_cnt:1
Apr 10 10:46:56.946: IKEv2:(SESSION ID = 54,SA ID = 1):Retransmitting packet
Apr 10 10:46:56.947: IKEv2:(SESSION ID = 54,SA ID = 1):Sending Packet [To 172.25.1.2:500/From 172.16.1.2:500/VRF i0:f0]
Initiator SPI : A7230F6B3D6920A8 - Responder SPI : 041FE39B8AE4AB72 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Apr 10 10:46:56.948: IKEv2-PAK:(SESSION ID = 54,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: INITIATOR Message id: 1, length: 2288
Payload contents:
 ENCR Next payload: VID, reserved: 0x0, length: 2260
Apr 10 10:47:00.721: IKEv2:(SESSION ID = 54,SA ID = 1):Retransmitting packet
Apr 10 10:47:00.722: IKEv2:(SESSION ID = 54,SA ID = 1):Sending Packet [To 172.25.1.2:500/From 172.16.1.2:500/VRF i0:f0]
Initiator SPI : A7230F6B3D6920A8 - Responder SPI : 041FE39B8AE4AB72 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Apr 10 10:47:00.724: IKEv2-PAK:(SESSION ID = 54,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: INITIATOR Message id: 1, length: 2288
Payload contents:
 ENCR Next payload: VID, reserved: 0x0, length: 2260
Remote-Store#
Apr 10 10:47:08.666: IKEv2:(SESSION ID = 54,SA ID = 1):Retransmitting packet
Apr 10 10:47:08.668: IKEv2:(SESSION ID = 54,SA ID = 1):Sending Packet [To 172.25.1.2:500/From 172.16.1.2:500/VRF i0:f0]
Initiator SPI : A7230F6B3D6920A8 - Responder SPI : 041FE39B8AE4AB72 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Apr 10 10:47:08.669: IKEv2-PAK:(SESSION ID = 54,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: INITIATOR Message id: 1, length: 2288
Payload contents:
 ENCR Next payload: VID, reserved: 0x0, length: 2260
Remote-Store#
Apr 10 10:47:24.249: IKEv2:Searching Policy with fvrf 0, local address 172.16.1.2
Apr 10 10:47:24.250: IKEv2:Found Policy 'FLEX_POL'
Apr 10 10:47:24.265: IKEv2:SA is already in negotiation, hence not negotiating again
Apr 10 10:47:24.407: IKEv2:(SESSION ID = 54,SA ID = 1):Retransmitting packet
Apr 10 10:47:24.408: IKEv2:(SESSION ID = 54,SA ID = 1):Sending Packet [To 172.25.1.2:500/From 172.16.1.2:500/VRF i0:f0]
Initiator SPI : A7230F6B3D6920A8 - Responder SPI : 041FE39B8AE4AB72 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Apr 10 10:47:24.409: IKEv2-PAK:(SESSION ID = 54,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: INITIATOR Message id: 1, length: 2288
Payload contents:
 ENCR Next payload: VID, reserved: 0x0, length: 2260
Remote-Store#
Apr 10 10:47:54.249: IKEv2:Searching Policy with fvrf 0, local address 172.16.1.2
Apr 10 10:47:54.249: IKEv2:Found Policy 'FLEX_POL'
Apr 10 10:47:54.264: IKEv2:SA is already in negotiation, hence not negotiating again
Apr 10 10:47:54.785: IKEv2:(SESSION ID = 54,SA ID = 1):Retransmitting packet
Apr 10 10:47:54.786: IKEv2:(SESSION ID = 54,SA ID = 1):Sending Packet [To 172.25.1.2:500/From 172.16.1.2:500/VRF i0:f0]
Initiator SPI : A7230F6B3D6920A8 - Responder SPI : 041FE39B8AE4AB72 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Apr 10 10:47:54.788: IKEv2-PAK:(SESSION ID = 54,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: INITIATOR Message id: 1, length: 2288
Payload contents:
 ENCR Next payload: VID, reserved: 0x0, length: 2260
Remote-Store#
Apr 10 10:47:56.698: %CRYPTO-5-IPSEC_SETUP_FAILURE: IPSEC SETUP FAILED for local:172.16.2.2 local_id:172.16.2.2 remote:172.16.1.2 remote_id:172.16.1.2 IKE profile:None fvrf:None fail_reason:IPSec Proposal failure fail_class_cnt:2
Remote-Store#