IKEv2 tunnel not coming up

Hi, I have a Cisco ISR 4451 in which I have IKEv1 tunnels configured. I added an IKEv2 tunnel and applied it to a VRF interface already used for a v1 tunnel, but the tunnel is not coming up. I have ipsec and isakmp debug enabled and they don't show anything. I applied the same configuration to a C891 router with no other tunnel configured for testing purposes and the tunnel came up. Here is some of the configuration.

 

crypto ikev2 proposal test
encryption aes-cbc-256
integrity sha256
group 14
!
crypto ikev2 policy 1
proposal test
!
!
crypto ikev2 profile profile1
match identity remote address 200.33.200.50 255.255.255.255
authentication local pre-share key 
authentication remote pre-share key 
lifetime 28800
!
!

crypto ipsec transform-set AES-SHA2 esp-aes 256 esp-sha256-hmac
mode tunnel

 

crypto map ADIENT 10 ipsec-isakmp
set peer 200.33.200.50
set transform-set AES-SHA2
set pfs group14
set ikev2-profile profile1
match address ACL_VPN_BAN

 

interface GigabitEthernet0/0/3.109
encapsulation dot1Q 109
ip vrf forwarding ADIENT
ip address 201.174.34.139 255.255.255.248
ip flow monitor NFAmonitor input
crypto map ADIENT

 

Please help

 


Hello,

 

the IKEv2 configuration looks correct. Do you have the configuration of the other side as well?

 

Also, what is the access list ACL_VPN_BAN matching?

I have been requesting it for days but they don't want to share it, but like I said, this same configuration worked on the test router. As for the ACL, here it is:

 

ip access-list extended ACL_VPN_BAN
permit ip host 172.25.25.xx host 15.128.4.xx
permit ip host 172.25.25.xx host 15.128.1.xx

 

Behind this router we have a Cisco ASA for traffic filtering too:

 

access-list adient_acl extended permit tcp host 15.128.1.xx host 172.25.25.xx eq 7001
access-list adient_acl extended permit tcp host 15.128.4.xx host 172.25.25.xx eq 443

Hello,

 

can you try and configure a VTI instead of the 'traditional' crypto map ?

Hi, can I have the VTI only for the IKEv2 tunnel and keep the IKEv1 as a map, or do I have to put both on the VTI? I know I can assign the VRF interface to the ipsec profile and keyring (as below) in v1 but haven't been able to do it for v2.

 

crypto keyring adient-keyring vrf ADIENT
pre-shared-key address 198.35.73.10 key 

 

crypto isakmp profile adient-peer
vrf ADIENT
keyring adient-keyring
match identity address 198.35.73.xx 255.255.255.255 ADIENT
isakmp authorization list default

 

Regards.

Hello,

 

I think you can keep the IKEv2 VTI completely separated from the IKEv1 crypto map. Below is a configuration example:

 

https://popravak.wordpress.com/2015/01/31/ikev2-between-ios-routers-svti-static-virtual-tunnel-interface/

I just configured a VTI but the interface does not come up. Could it be the crypto map interfering, or does the other side have to configure a VTI too? Here is what I configured.


crypto ikev2 proposal test
encryption aes-cbc-256
integrity sha256
group 14

 

crypto ikev2 policy 1
proposal test

 

crypto ikev2 keyring KR-Banorte
peer Banorte
address 200.33.200.xx
pre-shared-key remote xxxxxxxxxx
pre-shared-key local xxxxxxxxx

 

crypto ikev2 profile banorte-peer
match identity remote address 200.33.200.xx 255.255.255.255
identity local address 201.174.34.xxx
authentication local pre-share
authentication remote pre-share
keyring local KR-Banorte
lifetime 28800

 

crypto ipsec profile Banorte
set transform-set AES-SHA2
set ikev2-profile banorte-peer

interface Tunnel0


ip address 192.168.12.1 255.255.255.252
tunnel source GigabitEthernet0/0/3.109
tunnel mode ipsec ipv4
tunnel destination 200.33.200.xx
tunnel protection ipsec profile Banorte


ip route 200.33.200.xx 255.255.255.255 Tunnel0
ip route 15.128.1.xx 255.255.255.255 Tunnel0
ip route 15.128.4.xx 255.255.255.255 Tunnel0

 

R1-JRZ(config)#do sho ip interface brief tunnel 0
Interface    IP-Address     OK? Method Status   Protocol
Tunnel0      192.168.12.1   YES manual up       down

 

 

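As an added example (not code from this thread or from Cisco), here is a small Python checker that reads the VTI configuration posted above, laid out the way `show running-config` prints it, and flags the things worth verifying locally before concluding the peer is at fault: dangling keyring, transform-set and profile references; a tunnel whose source interface sits in a VRF while the tunnel's front-door VRF is still global (for IKEv2 the counterpart of the `vrf` statement in the IKEv1 isakmp profile asked about earlier is `tunnel vrf` on the Tunnel interface together with `match fvrf` in the `crypto ikev2 profile`); and a static route that points the tunnel destination into the tunnel itself, which IOS treats as recursive routing and temporarily shuts the tunnel. The sample configuration, the one-space sub-mode indentation the parser relies on, and the finding texts are assumptions of this example.

```python
"""Static sanity checks for an IOS IKEv2 SVTI configuration.

Added example for this thread; not code from the original posts or from Cisco.
It reads show running-config style text (sub-mode lines indented by one space)
and flags dangling references, FVRF mismatches between a tunnel, its source
interface and the IKEv2 profile, and a static route that sends the tunnel
destination through the tunnel itself.
"""
from typing import Dict, List

# Constructed sample: the VTI configuration posted above, with the tunnel
# source subinterface from the first post added so the VRF relationship is
# visible.  Addresses are the ones shown unmasked earlier in the thread.
SAMPLE_CONFIG = """\
crypto ikev2 keyring KR-Banorte
 peer Banorte
  address 200.33.200.50
  pre-shared-key remote xxxxxxxxxx
  pre-shared-key local xxxxxxxxx
crypto ikev2 profile banorte-peer
 match identity remote address 200.33.200.50 255.255.255.255
 identity local address 201.174.34.139
 authentication local pre-share
 authentication remote pre-share
 keyring local KR-Banorte
 lifetime 28800
crypto ipsec transform-set AES-SHA2 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile Banorte
 set transform-set AES-SHA2
 set ikev2-profile banorte-peer
interface GigabitEthernet0/0/3.109
 encapsulation dot1Q 109
 ip vrf forwarding ADIENT
 ip address 201.174.34.139 255.255.255.248
interface Tunnel0
 ip address 192.168.12.1 255.255.255.252
 tunnel source GigabitEthernet0/0/3.109
 tunnel mode ipsec ipv4
 tunnel destination 200.33.200.50
 tunnel protection ipsec profile Banorte
ip route 200.33.200.50 255.255.255.255 Tunnel0
"""


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Group config text into {top-level command: [sub-mode lines]}."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw[0].isspace():
            current = raw.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(raw.strip())
    return sections


def _named(sections: Dict[str, List[str]], prefix: str) -> Dict[str, List[str]]:
    """Map object name -> body for top-level commands starting with prefix."""
    return {h[len(prefix):].split()[0]: b for h, b in sections.items() if h.startswith(prefix)}


def _arg(body: List[str], prefix: str, default=None):
    """First token after `prefix` in the first matching sub-mode line."""
    for line in body:
        if line.startswith(prefix):
            return line[len(prefix):].split()[0]
    return default


def check_svti(config: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    s = parse_sections(config)
    keyrings = _named(s, "crypto ikev2 keyring ")
    ikev2_profiles = _named(s, "crypto ikev2 profile ")
    transform_sets = _named(s, "crypto ipsec transform-set ")
    ipsec_profiles = _named(s, "crypto ipsec profile ")
    interfaces = _named(s, "interface ")
    routes = [h.split() for h in s if h.startswith("ip route ")]
    findings: List[str] = []

    for name, body in ikev2_profiles.items():
        kr = _arg(body, "keyring local ")
        if kr and kr not in keyrings:
            findings.append(f"ikev2 profile {name}: keyring {kr} is not defined")

    for name, body in ipsec_profiles.items():
        ts = _arg(body, "set transform-set ")
        if ts not in transform_sets:
            findings.append(f"ipsec profile {name}: transform-set {ts} is not defined")
        if _arg(body, "set ikev2-profile ") not in ikev2_profiles:
            findings.append(f"ipsec profile {name}: ikev2 profile is missing or undefined")

    for name, body in interfaces.items():
        if not name.startswith("Tunnel"):
            continue
        # The tunnel's front-door VRF comes from 'tunnel vrf'; it is global when absent.
        fvrf = _arg(body, "tunnel vrf ", "global")
        src = _arg(body, "tunnel source ")
        src_body = interfaces.get(src, [])
        src_vrf = _arg(src_body, "ip vrf forwarding ") or _arg(src_body, "vrf forwarding ", "global")
        if src_vrf != fvrf:
            findings.append(f"{name}: source {src} is in VRF {src_vrf} but tunnel FVRF is "
                            f"{fvrf}; add 'tunnel vrf {src_vrf}'")
        prof = _arg(body, "tunnel protection ipsec profile ")
        if prof not in ipsec_profiles:
            findings.append(f"{name}: ipsec profile {prof} is not defined")
        else:
            ike = _arg(ipsec_profiles[prof], "set ikev2-profile ")
            # An IKEv2 profile matches only its own FVRF (default global) unless 'match fvrf any'.
            ike_fvrf = _arg(ikev2_profiles.get(ike, []), "match fvrf ", "global")
            if ike_fvrf not in ("any", fvrf):
                findings.append(f"{name}: ikev2 profile {ike} matches FVRF {ike_fvrf} but tunnel "
                                f"FVRF is {fvrf}; add 'match fvrf {fvrf}'")
        dst = _arg(body, "tunnel destination ")
        for r in routes:
            if len(r) >= 5 and r[2] == dst and r[4] == name:
                route_txt = " ".join(r)
                findings.append(f"{name}: '{route_txt}' routes the tunnel destination through "
                                "the tunnel itself (recursive routing; IOS shuts the tunnel)")
    return findings


if __name__ == "__main__":
    for finding in check_svti(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports two findings: the tunnel source is in VRF ADIENT while the tunnel has no `tunnel vrf ADIENT`, and the host route for the peer points back into Tunnel0. Adding `tunnel vrf ADIENT` alone then surfaces the third point, that the IKEv2 profile still matches the global FVRF until `match fvrf ADIENT` is added. None of this replaces the accepted answer (the peer still needs a VTI for `tunnel mode ipsec ipv4` to negotiate), but it rules out the local side first.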
Hello,

 

the other side needs to have a VTI, too, sorry if I forgot to mention that...

Thank you all for your help. Since the other party won't make any other modification, we decided to configure a new device.

 

Regards.

Alkemyst71
Level 1

Is IKEv2 enabled on your interface?

crypto map [ikev2Map] interface outside
