
Cisco 1921 to WatchGuard T20 No Phase 2 Security Associations

WizJ (Level 1)

Just FYI, networking is not my strong suit. I do software development, so I apologize if I do not know terminology or ask a stupid question. So I am trying to use this Cisco as a test for a site-to-site VPN tunnel for a real-time HL7 project I am coding. From all the posts here I was able to get it functioning with a static IP address and working as a DHCP server. When I run a diagnostic on the VPN from the WatchGuard T20 I get the error:

Unable to find any active Phase 2 Security Associations (SAs) for tunnel route (10.0.1.0/24<->192.168.1.0/24).
Recommendation: Confirm whether either side is currently sending traffic through the tunnel.

Cisco Configuration:

Current configuration : 3120 bytes
!
! Last configuration change at 19:19:52 UTC Tue Oct 25 2022
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CiscoConVpn
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 **********
!
no aaa new-model

!
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool CondorDHCP
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 71.10.216.1 71.10.216.2 4.4.4.4 8.8.8.8
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
username ******** privilege 15 secret 5
!
redundancy
!
crypto ikev2 proposal Wg
encryption aes-cbc-128
integrity sha256
group 14
crypto ikev2 proposal default
encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
integrity sha512 sha384 sha256 sha1 md5
group 14
!
!
crypto ikev2 keyring Wg
peer Wg
address XX.XXX.XXX.XXX <--- WatchGuard Static IP
pre-shared-key local test
pre-shared-key remote test
!
!
!
crypto ikev2 profile Wg
match address local interface GigabitEthernet0/0
match identity remote address XX.XXX.XXX.XXX 255.255.255.255 <--- WatchGuard Static IP
authentication remote pre-share
authentication local pre-share
keyring local Wg
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 14
crypto isakmp key test address XX.XXX.XXX.XXX <--- Cisco Static IP
crypto isakmp key test address XX.XXX.XXX.XXX <--- WatchGuard Static IP
crypto isakmp profile 1
! This profile is incomplete (no match identity statement)
crypto isakmp profile toWg
! This profile is incomplete (no match identity statement)
!
!
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile 1
set transform-set MYSET
set pfs group14
set isakmp-profile 1
!
crypto ipsec profile Wg
set transform-set MYSET
set pfs group14
set ikev2-profile Wg
!
!
!
crypto map MYMAP 1 ipsec-isakmp
set peer XX.XXX.XXX.XXX <--- WatchGuard Static IP
set transform-set MYSET
set pfs group14
match address 100
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address XX.XXX.XXX.XXX 255.255.255.248 <--- Cisco Static IP
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
crypto map MYMAP
!
interface GigabitEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 XX.XXX.XXX.XXX <--- Modem Gateway
!
ipv6 ioam timestamp
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.0.0.0 0.255.255.255 10.0.1.0 0.0.0.255
!
control-plane
!
!
vstack
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
login local
transport input none
!
scheduler allocate 20000 1000
ntp server 34.202.215.187
!
end

I was having an issue finishing Phase 1; now I am stuck on Phase 2.

WatchGuard Diagnostics showing:


*** WG Diagnostic Report for Gateway "toCisco" ***
Created On: Tue Oct 25 14:29:35 2022

[Conclusion]
Tunnel Name: CiscoTunnel
tunnel route#1(10.0.1.0/24<->192.168.1.0/24) - Not established
Unable to find any active Phase 2 Security Associations (SAs) for tunnel route (10.0.1.0/24<->192.168.1.0/24).
Recommendation: Confirm whether either side is currently sending traffic through the tunnel.

[Gateway Summary]
Gateway "toCisco" contains "1" gateway endpoint(s). IKE Version is IKEv2.
Gateway Endpoint #1 (name "toCisco") Enabled
PFS: Disabled AlwaysUp: Disabled
DPD: Disabled Keepalive: Enabled
Local ID<->Remote ID: {IP_ADDR(XX.XXX.XXX.XXX <--- WatchGuard Static IP) <-> IP_ADDR(XX.XXX.XXX.XXX <--- Cisco Static IP)}
Local GW_IP<->Remote GW_IP: {XX.XXX.XXX.XXX <--- WatchGuard Static IP <-> XX.XXX.XXX.XXX <--- Cisco Static IP}
Outgoing Interface: eth0 (ifIndex=4)
ifMark=0x10000
linkStatus=2 (0:unknown, 1:down, 2:up)


[Tunnel Summary]
"1" tunnel(s) are found using the previous gateway

Name: "CiscoTunnel" Enabled
PFS: "Enabled" DH-Group: "14"
Number of Proposals: "1"
Proposal "ESP-AES-SHA1"
ESP:
EncryptAlgo: "AES" KeyLen: "32(bytes)"
AuthAlgo: "SHA"
LifeTime: "28800(seconds)" LifeByte: "0(kbytes)"
Number of Tunnel Routes: "1"
#1
Direction: "BOTH"
"10.0.1.0/24<->192.168.1.0/24"


[Run-time Info (gateway IKE_SA)]
Name: "toCisco" (IfStatus: 0x80000002)
IKE SAID: "0x7d6481eb" State: "MATURE"
Created: Tue Oct 25 12:27:16 2022
My Address: XX.XXX.XXX.XXX <--- WatchGuard Static IP:500 Peer Address: XX.XXX.XXX.XXX <--- Cisco Static IP:500
InitCookie: "f40c1dd9f710d1b8" RespCookie: "f049a6c5eb494869"
LifeTime: "86400(seconds)" LifeByte: "0(kbtyes)" DPD: "Enabled"
Serial Number: 63
msgIdSend: 248 msgIdRecv: 0


[Run-time Info (tunnel IPSEC_SA)]
"0" IPSEC SA(s) are found under tunnel "CiscoTunnel"

[Run-time Info (tunnel IPSEC_SP)]
"1" IPSEC SP(s) are found under tunnel "CiscoTunnel"
#1
Tunnel Endpoint: "XX.XXX.XXX.XXX <--- WatchGuard Static IP->XX.XXX.XXX.XXX <--- Cisco Static IP"
Tunnel Selector: 10.0.1.0/24 -> 192.168.1.0/24 Proto: ANY
Created On: Tue Oct 25 13:27:05 2022
Gateway Name: "toCisco"
Tunnel Name: "CiscoTunnel"

[Address Pairs in Firewalld]
Address Pairs for tunnel "CiscoTunnel"
Direction: BOTH
10.0.1.0/24 <-> 192.168.1.0/24

[Policy checker result]
Tunnel name: CiscoTunnel
#1 tunnel route 10.0.1.0/24<->192.168.1.0/24
No policy checker results for this tunnel(no P2SA found or some other error)

[Related Logs]
<158>Oct 25 14:29:26 iked[2882]: (XX.XXX.XXX.XXX <--- WatchGuard Static IP<->XX.XXX.XXX.XXX <--- Cisco Static IP)'DPD request' message created successfully. length:76
<158>Oct 25 14:29:26 iked[2882]: (XX.XXX.XXX.XXX <--- WatchGuard Static IP<->XX.XXX.XXX.XXX <--- Cisco Static IP)Sent out DPD request message (msgId=247) from XX.XXX.XXX.XXX <--- WatchGuard Static IP:500 to XX.XXX.XXX.XXX <--- Cisco Static IP:500 for 'toCisco' gateway endpoint successfully.
<158>Oct 25 14:29:26 iked[2882]: (XX.XXX.XXX.XXX <--- WatchGuard Static IP<->XX.XXX.XXX.XXX <--- Cisco Static IP)ikeSA(0x146412f8)'s msgIdSend is updated: 247 -> 248
<158>Oct 25 14:29:26 iked[2882]: (XX.XXX.XXX.XXX <--- WatchGuard Static IP<->XX.XXX.XXX.XXX <--- Cisco Static IP)******** RECV an IKE packet at XX.XXX.XXX.XXX <--- WatchGuard Static IP:500(socket=14 ifIndex=4) from Peer XX.XXX.XXX.XXX <--- Cisco Static IP:500 ********
<158>Oct 25 14:29:26 iked[2882]: (XX.XXX.XXX.XXX <--- WatchGuard Static IP<->XX.XXX.XXX.XXX <--- Cisco Static IP)Received IKEv2 "INFO response" message with message-ID:247 length:76 SPI[i=f40c1dd9f710d1b8 r=f049a6c5eb494869]
<158>Oct 25 14:29:26 iked[2882]: (XX.XXX.XXX.XXX <--- WatchGuard Static IP<->XX.XXX.XXX.XXX <--- Cisco Static IP)"INFO response" message has 1 payloads [ ENCR(sz=48)]
<158>Oct 25 14:29:26 iked[2882]: (XX.XXX.XXX.XXX <--- WatchGuard Static IP<->XX.XXX.XXX.XXX <--- Cisco Static IP)Got IKE policy 'toCisco' from ikeSA(0x146412f8)
<158>Oct 25 14:29:26 iked[2882]: (XX.XXX.XXX.XXX <--- WatchGuard Static IP<->XX.XXX.XXX.XXX <--- Cisco Static IP)"INFO response" message has 0 payloads []
<158>Oct 25 14:29:26 iked[2882]: (XX.XXX.XXX.XXX <--- WatchGuard Static IP<->XX.XXX.XXX.XXX <--- Cisco Static IP)IKEv2 "INFO response"'s decrypted message contains 0 payloads []
<158>Oct 25 14:29:26 iked[2882]: (XX.XXX.XXX.XXX <--- WatchGuard Static IP<->XX.XXX.XXX.XXX <--- Cisco Static IP)dispatch the received INFO response message - IkeSA(0x146412f8)'s state=MATURE
<158>Oct 25 14:29:26 iked[2882]: (XX.XXX.XXX.XXX <--- WatchGuard Static IP<->XX.XXX.XXX.XXX <--- Cisco Static IP)Received the DPD response from XX.XXX.XXX.XXX <--- Cisco Static IP:500 for gateway(toCisco), msgId=247
<158>Oct 25 14:29:26 iked[2882]: (XX.XXX.XXX.XXX <--- WatchGuard Static IP<->XX.XXX.XXX.XXX <--- Cisco Static IP)ike2_P1StatusChange: notify ikePcy(toCisco ver#2)'s status becomes "UP" (ikeSA=0x146412f8)
<158>Oct 25 14:29:26 iked[2882]: (XX.XXX.XXX.XXX <--- WatchGuard Static IP<->XX.XXX.XXX.XXX <--- Cisco Static IP)stop the retry object(0x146434e8) for the previous request message(name=DPD request, msgId=247)

Been stuck on this for a couple hours now. Any help would be greatly appreciated.

23 Replies

Ok. So before you sent this I removed ipsec profile 1 and isakmp profile 1. Changed the integrity (did not add it, my bad) to sha1. I did not add DH group 20, but I will. WatchGuard says it cannot find an established Phase 1 SA. If you want me to post the debug from the WG let me know. The debug from the Cisco is as follows:

Oct 26 17:59:25.460: IKEv2:Received Packet [From XX.XXX.253.100:500/To XX.XXX.253.101:500/VRF i0:f0]
Initiator SPI : E4E741FC8B6BCA1A - Responder SPI : 0000000000000000 Message id:0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) NOTIFY(Unknown - 16418) VID

Oct 26 17:59:25.460: IKEv2:(SESSION ID = 9,SA ID = 3):Verify SA init message
Oct 26 17:59:25.460: IKEv2:(SESSION ID = 9,SA ID = 3):Insert SA
Oct 26 17:59:25.460: IKEv2:Searching Policy with fvrf 0, local address XX.XXX.253.101
Oct 26 17:59:25.460: IKEv2:Found Policy 'IKEV2_POLICY'
Oct 26 17:59:25.460: IKEv2:(SESSION ID = 9,SA ID = 3):Processing IKE_SA_INIT message
Oct 26 17:59:25.460: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
Oct 26 17:59:25.460: IKEv2:(SA ID = 3):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
Oct 26 17:59:25.460: IKEv2:Failed to retrieve Certificate Issuer list
Oct 26 17:59:25.460: IKEv2:(SESSION ID = 9,SA ID = 3):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
Oct 26 17:59:25.612: IKEv2:(SA ID = 3):[Crypto Engine -> IKEv2] DH key Computation PASSED
Oct 26 17:59:25.612: IKEv2:(SESSION ID = 9,SA ID = 3):Request queued for computation of DH key
Oct 26 17:59:25.612: IKEv2:(SESSION ID = 9,SA ID = 3):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
Oct 26 17:59:25.800: IKEv2:(SA ID = 3):[Crypto Engine -> IKEv2] DH key Computation PASSED
Oct 26 17:59:25.800: IKEv2:(SESSION ID = 9,SA ID = 3):Request queued for computation of DH secret
Oct 26 17:59:25.804: IKEv2:(SA ID = 3):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
Oct 26 17:59:25.804: IKEv2:(SA ID = 3):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
Oct 26 17:59:25.804: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
Oct 26 17:59:25.804: IKEv2:(SESSION ID = 9,SA ID = 3):Generating IKE_SA_INIT message
Oct 26 17:59:25.804: IKEv2:(SESSION ID = 9,SA ID = 3):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA1 SHA96 DH_GROUP_2048_MODP/Group 14
Oct 26 17:59:25.804: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
Oct 26 17:59:25.804: IKEv2:(SA ID = 3):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
Oct 26 17:59:25.804: IKEv2:Failed to retrieve Certificate Issuer list

Oct 26 17:59:25.804: IKEv2:(SESSION ID = 9,SA ID = 3):Sending Packet [To XX.XXX.253.100:500/From XX.XXX.253.101:500/VRF i0:f0]
Initiator SPI : E4E741FC8B6BCA1A - Responder SPI : 19D5F1B545E5F774 Message id:0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

Oct 26 17:59:25.804: IKEv2:(SESSION ID = 9,SA ID = 3):Completed SA init exchange

Oct 26 17:59:25.804: IKEv2:(SESSION ID = 9,SA ID = 3):Starting timer (30 sec) to wait for auth message

Oct 26 17:59:25.844: IKEv2:(SESSION ID = 9,SA ID = 3):Received Packet [From XX.XXX.253.100:500/To XX.XXX.253.101:500/VRF i0:f0]
Initiator SPI : E4E741FC8B6BCA1A - Responder SPI : 19D5F1B545E5F774 Message id:1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
IDi IDr AUTH SA TSi TSr

Oct 26 17:59:25.844: IKEv2:(SESSION ID = 9,SA ID = 3):Stopping timer to wait for auth message
Oct 26 17:59:25.844: IKEv2:(SESSION ID = 9,SA ID = 3):Checking NAT discovery
Oct 26 17:59:25.844: IKEv2:(SESSION ID = 9,SA ID = 3):NAT not found
Oct 26 17:59:25.844: IKEv2:(SESSION ID = 9,SA ID = 3):Searching policy based on peer's identity 'XX.XXX.253.100' of type 'IPv4 address'
Oct 26 17:59:25.844: IKEv2:found matching IKEv2 profile 'Wg'
Oct 26 17:59:25.844: ISAKMP: (0):peer matches Wg profile
Oct 26 17:59:25.844: IKEv2:% Getting preshared key from profile keyring Wg
Oct 26 17:59:25.844: IKEv2:% Matched peer block 'Wg'
Oct 26 17:59:25.844: IKEv2:Searching Policy with fvrf 0, local address XX.XXX.253.101
Oct 26 17:59:25.844: IKEv2:Found Policy 'IKEV2_POLICY'
Oct 26 17:59:25.844: IKEv2:(SESSION ID = 9,SA ID = 3):not a VPN-SIP session
Oct 26 17:59:25.844: IKEv2:(SESSION ID = 9,SA ID = 3):Verify peer's policy
Oct 26 17:59:25.844: IKEv2:(SESSION ID = 9,SA ID = 3):Peer's policy verified
Oct 26 17:59:25.848: IKEv2:(SESSION ID = 9,SA ID = 3):Get peer's authentication method
Oct 26 17:59:25.848: IKEv2:(SESSION ID = 9,SA ID = 3):Peer's authentication method is 'PSK'
Oct 26 17:59:25.848: IKEv2:(SESSION ID = 9,SA ID = 3):Get peer's preshared key for XX.XXX.253.100
Oct 26 17:59:25.848: IKEv2:(SESSION ID = 9,SA ID = 3):Verify peer's authentication data
Oct 26 17:59:25.848: IKEv2:(SESSION ID = 9,SA ID = 3):Use preshared key for id XX.XXX.253.100, key len 4
Oct 26 17:59:25.848: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
Oct 26 17:59:25.848: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
Oct 26 17:59:25.848: IKEv2:(SESSION ID = 9,SA ID = 3):Verification of peer's authenctication data PASSED
Oct 26 17:59:25.848: IKEv2:(SESSION ID = 9,SA ID = 3):Processing IKE_AUTH message
Oct 26 17:59:25.848: IKEv2:IPSec policy validate request sent for profile Wg with psh index 3.

Oct 26 17:59:25.848: IKEv2:(SESSION ID = 9,SA ID = 3):
Oct 26 17:59:25.848: IKEv2:(SA ID = 3):[IPsec -> IKEv2] Callback received for the validate proposal - FAILED.
Oct 26 17:59:25.852: IKEv2-ERROR:(SESSION ID = 9,SA ID = 3):: There was no IPSEC policy found for received TS
Oct 26 17:59:25.852: IKEv2:(SESSION ID = 9,SA ID = 3):Sending TS unacceptable notify
Oct 26 17:59:25.852: IKEv2:(SESSION ID = 9,SA ID = 3):Get my authentication method
Oct 26 17:59:25.852: IKEv2:(SESSION ID = 9,SA ID = 3):My authentication method is 'PSK'
Oct 26 17:59:25.852: IKEv2:(SESSION ID = 9,SA ID = 3):Get peer's preshared key for XX.XXX.253.100
Oct 26 17:59:25.852: IKEv2:(SESSION ID = 9,SA ID = 3):Generate my authentication data
Oct 26 17:59:25.852: IKEv2:(SESSION ID = 9,SA ID = 3):Use preshared key for id XX.XXX.253.101, key len 4
Oct 26 17:59:25.852: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
Oct 26 17:59:25.852: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
Oct 26 17:59:25.852: IKEv2:(SESSION ID = 9,SA ID = 3):Get my authentication method
Oct 26 17:59:25.852: IKEv2:(SESSION ID = 9,SA ID = 3):My authentication method is 'PSK'
Oct 26 17:59:25.852: IKEv2:(SESSION ID = 9,SA ID = 3):Generating IKE_AUTH message
Oct 26 17:59:25.852: IKEv2:(SESSION ID = 9,SA ID = 3):Constructing IDr payload:'XX.XXX.253.101' of type 'IPv4 address'
Oct 26 17:59:25.852: IKEv2:(SESSION ID = 9,SA ID = 3):Building packet for encryption.
Payload contents:
VID IDr AUTH NOTIFY(TS_UNACCEPTABLE)

Oct 26 17:59:25.852: IKEv2:(SESSION ID = 9,SA ID = 3):Sending Packet [To XX.XXX.253.100:500/From XX.XXX.253.101:500/VRF i0:f0]
Initiator SPI : E4E741FC8B6BCA1A - Responder SPI : 19D5F1B545E5F774 Message id:1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR

Oct 26 17:59:25.852: IKEv2:(SESSION ID = 9,SA ID = 3):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
Oct 26 17:59:25.856: IKEv2:(SESSION ID = 9,SA ID = 3):Session present in TUPLE TREE, but absent in ID PAIR TREE
Oct 26 17:59:25.856: IKEv2-ERROR:(SESSION ID = 9,SA ID = 3):: Failed to add newSA into session DB
Oct 26 17:59:25.856: IKEv2:(SESSION ID = 9,SA ID = 3):Queuing IKE SA delete request reason: unknown
Oct 26 17:59:25.856: IKEv2:(SESSION ID = 9,SA ID = 3):Sending DELETE INFO message for IKEv2 SA [ISPI: 0xE4E741FC8B6BCA1A RSPI: 0x19D5F1B545E5F774]
Oct 26 17:59:25.856: IKEv2:(SESSION ID = 9,SA ID = 3):Building packet for encryption.
Payload contents:
DELETE
Oct 26 17:59:25.856: IKEv2:(SESSION ID = 9,SA ID = 3):Checking if request will fit in peer window

Oct 26 17:59:25.856: IKEv2:(SESSION ID = 9,SA ID = 3):Sending Packet [To XX.XXX.253.100:500/From XX.XXX.253.101:500/VRF i0:f0]
Initiator SPI : E4E741FC8B6BCA1A - Responder SPI : 19D5F1B545E5F774 Message id:0
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR

Oct 26 17:59:25.856: IKEv2:(SESSION ID = 9,SA ID = 3):Check for existing active SA
Oct 26 17:59:25.856: IKEv2:(SESSION ID = 9,SA ID = 3):Delete all IKE SAs

Oct 26 17:59:25.860: IKEv2:(SESSION ID = 9,SA ID = 3):Received Packet [From XX.XXX.253.100:500/To XX.XXX.253.101:500/VRF i0:f0]
Initiator SPI : E4E741FC8B6BCA1A - Responder SPI : 19D5F1B545E5F774 Message id:0
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:


Oct 26 17:59:25.860: IKEv2:(SESSION ID = 9,SA ID = 3):Processing ACK to informational exchange
Oct 26 17:59:25.860: IKEv2:(SESSION ID = 9,SA ID = 3):Deleting SA

Oct 26 17:59:45.412: IKEv2:Received Packet [From XX.XXX.253.100:500/To XX.XXX.253.101:500/VRF i0:f0]
Initiator SPI : 50115CB6E2073E54 - Responder SPI : 0000000000000000 Message id:0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID

Oct 26 17:59:45.412: IKEv2:(SESSION ID = 10,SA ID = 3):Verify SA init message
Oct 26 17:59:45.412: IKEv2:(SESSION ID = 10,SA ID = 3):Insert SA
Oct 26 17:59:45.412: IKEv2:Searching Policy with fvrf 0, local address XX.XXX.253.101
Oct 26 17:59:45.412: IKEv2:Found Policy 'IKEV2_POLICY'
Oct 26 17:59:45.412: IKEv2:(SESSION ID = 10,SA ID = 3):Processing IKE_SA_INIT message
Oct 26 17:59:45.416: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
Oct 26 17:59:45.416: IKEv2:(SA ID = 3):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
Oct 26 17:59:45.416: IKEv2:Failed to retrieve Certificate Issuer list
Oct 26 17:59:45.416: IKEv2:(SESSION ID = 10,SA ID = 3):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
Oct 26 17:59:45.568: IKEv2:(SA ID = 3):[Crypto Engine -> IKEv2] DH key Computation PASSED
Oct 26 17:59:45.568: IKEv2:(SESSION ID = 10,SA ID = 3):Request queued for computation of DH key
Oct 26 17:59:45.568: IKEv2:(SESSION ID = 10,SA ID = 3):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
Oct 26 17:59:45.760: IKEv2:(SA ID = 3):[Crypto Engine -> IKEv2] DH key Computation PASSED
Oct 26 17:59:45.760: IKEv2:(SESSION ID = 10,SA ID = 3):Request queued for computation of DH secret
Oct 26 17:59:45.760: IKEv2:(SA ID = 3):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
Oct 26 17:59:45.760: IKEv2:(SA ID = 3):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
Oct 26 17:59:45.760: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
Oct 26 17:59:45.760: IKEv2:(SESSION ID = 10,SA ID = 3):Generating IKE_SA_INIT message
Oct 26 17:59:45.760: IKEv2:(SESSION ID = 10,SA ID = 3):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA1 SHA96 DH_GROUP_2048_MODP/Group 14
Oct 26 17:59:45.760: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
Oct 26 17:59:45.760: IKEv2:(SA ID = 3):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
Oct 26 17:59:45.760: IKEv2:Failed to retrieve Certificate Issuer list

Oct 26 17:59:45.764: IKEv2:(SESSION ID = 10,SA ID = 3):Sending Packet [To XX.XXX.253.100:500/From XX.XXX.253.101:500/VRF i0:f0]
Initiator SPI : 50115CB6E2073E54 - Responder SPI : CF089EA39CC0AE11 Message id:0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

Oct 26 17:59:45.764: IKEv2:(SESSION ID = 10,SA ID = 3):Completed SA init exchange
Oct 26 17:59:45.764: IKEv2:(SESSION ID = 10,SA ID = 3):Starting timer (30 sec) to wait for auth message

Oct 26 17:59:45.804: IKEv2:(SESSION ID = 10,SA ID = 3):Received Packet [From XX.XXX.253.100:500/To XX.XXX.253.101:500/VRF i0:f0]
Initiator SPI : 50115CB6E2073E54 - Responder SPI : CF089EA39CC0AE11 Message id:1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
IDi NOTIFY(INITIAL_CONTACT) IDr AUTH SA TSi TSr

Oct 26 17:59:45.804: IKEv2:(SESSION ID = 10,SA ID = 3):Stopping timer to wait for auth message
Oct 26 17:59:45.804: IKEv2:(SESSION ID = 10,SA ID = 3):Checking NAT discovery
Oct 26 17:59:45.804: IKEv2:(SESSION ID = 10,SA ID = 3):NAT not found
Oct 26 17:59:45.804: IKEv2:(SESSION ID = 10,SA ID = 3):Searching policy based on peer's identity 'XX.XXX.253.100' of type 'IPv4 address'
Oct 26 17:59:45.804: IKEv2:found matching IKEv2 profile 'Wg'
Oct 26 17:59:45.804: ISAKMP: (0):peer matches Wg profile
Oct 26 17:59:45.804: IKEv2:% Getting preshared key from profile keyring Wg
Oct 26 17:59:45.804: IKEv2:% Matched peer block 'Wg'
Oct 26 17:59:45.808: IKEv2:Searching Policy with fvrf 0, local address XX.XXX.253.101
Oct 26 17:59:45.808: IKEv2:Found Policy 'IKEV2_POLICY'
Oct 26 17:59:45.808: IKEv2:(SESSION ID = 10,SA ID = 3):not a VPN-SIP session
Oct 26 17:59:45.808: IKEv2:(SESSION ID = 10,SA ID = 3):Verify peer's policy
Oct 26 17:59:45.808: IKEv2:(SESSION ID = 10,SA ID = 3):Peer's policy verified
Oct 26 17:59:45.808: IKEv2:(SESSION ID = 10,SA ID = 3):Get peer's authentication method
Oct 26 17:59:45.808: IKEv2:(SESSION ID = 10,SA ID = 3):Peer's authentication method is 'PSK'
Oct 26 17:59:45.808: IKEv2:(SESSION ID = 10,SA ID = 3):Get peer's preshared key for XX.XXX.253.100
Oct 26 17:59:45.808: IKEv2:(SESSION ID = 10,SA ID = 3):Verify peer's authentication data
Oct 26 17:59:45.808: IKEv2:(SESSION ID = 10,SA ID = 3):Use preshared key for id XX.XXX.253.100, key len 4
Oct 26 17:59:45.808: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
Oct 26 17:59:45.808: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
Oct 26 17:59:45.808: IKEv2:(SESSION ID = 10,SA ID = 3):Verification of peer's authenctication data PASSED
Oct 26 17:59:45.808: IKEv2:(SESSION ID = 10,SA ID = 3):Processing INITIAL_CONTACT
Oct 26 17:59:45.808: IKEv2:(SESSION ID = 10,SA ID = 3):Processing IKE_AUTH message
Oct 26 17:59:45.808: IKEv2:IPSec policy validate request sent for profile Wg with psh index 3.

Oct 26 17:59:45.808: IKEv2:(SESSION ID = 10,SA ID = 3):
Oct 26 17:59:45.808: IKEv2:(SESSION ID = 7,SA ID = 2):Check for existing active SA
Oct 26 17:59:45.812: IKEv2:(SESSION ID = 7,SA ID = 2):Deleting SA
Oct 26 17:59:45.812: IKEv2:(SESSION ID = 6,SA ID = 1):Check for existing active SA
Oct 26 17:59:45.812: IKEv2:(SESSION ID = 6,SA ID = 1):Deleting SA
Oct 26 17:59:45.812: IKEv2:(SA ID = 3):[IPsec -> IKEv2] Callback received for the validate proposal - FAILED.

Oct 26 17:59:45.812: IKEv2-ERROR:(SESSION ID = 10,SA ID = 3):Received Policies:
: Failed to find a matching policyESP: Proposal 1: AES-CBC-256 SHA96 Don't use ESN
Oct 26 17:59:45.820:
Oct 26 17:59:45.820:
Oct 26 17:59:45.820: IKEv2-ERROR:(SESSION ID = 10,SA ID = 3):Expected Policies:: Failed to find a matching policy
Oct 26 17:59:45.820: IKEv2-ERROR:(SESSION ID = 10,SA ID = 3):: Failed to find a matching policy
Oct 26 17:59:45.820: IKEv2:(SESSION ID = 10,SA ID = 3):Sending no proposal chosen notify
Oct 26 17:59:45.820: IKEv2:(SESSION ID = 10,SA ID = 3):Get my authentication method
Oct 26 17:59:45.820: IKEv2:(SESSION ID = 10,SA ID = 3):My authentication method is 'PSK'
Oct 26 17:59:45.820: IKEv2:(SESSION ID = 10,SA ID = 3):Get peer's preshared key for XX.XXX.253.100
Oct 26 17:59:45.820: IKEv2:(SESSION ID = 10,SA ID = 3):Generate my authentication data
Oct 26 17:59:45.820: IKEv2:(SESSION ID = 10,SA ID = 3):Use preshared key for id XX.XXX.253.101, key len 4
Oct 26 17:59:45.820: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
Oct 26 17:59:45.820: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
Oct 26 17:59:45.820: IKEv2:(SESSION ID = 10,SA ID = 3):Get my authentication method
Oct 26 17:59:45.820: IKEv2:(SESSION ID = 10,SA ID = 3):My authentication method is 'PSK'
Oct 26 17:59:45.820: IKEv2:(SESSION ID = 10,SA ID = 3):Generating IKE_AUTH message
Oct 26 17:59:45.824: IKEv2:(SESSION ID = 10,SA ID = 3):Constructing IDr payload: 'XX.XXX.253.101' of type 'IPv4 address'
Oct 26 17:59:45.824: IKEv2:(SESSION ID = 10,SA ID = 3):Building packet for encryption.
Payload contents:
VID IDr AUTH NOTIFY(NO_PROPOSAL_CHOSEN)

Oct 26 17:59:45.824: IKEv2:(SESSION ID = 10,SA ID = 3):Sending Packet [To XX.XXX.253.100:500/From XX.XXX.253.101:500/VRF i0:f0]
Initiator SPI : 50115CB6E2073E54 - Responder SPI : CF089EA39CC0AE11 Message id:1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR

Oct 26 17:59:45.824: IKEv2:(SESSION ID = 10,SA ID = 3):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
Oct 26 17:59:45.824: IKEv2:(SESSION ID = 10,SA ID = 3):Session with IKE ID PAIR(XX.XXX.253.100, XX.XXX.253.101) is UP
Oct 26 17:59:45.824: IKEv2:IKEv2 MIB tunnel started, tunnel index 3
Oct 26 17:59:45.824: IKEv2:(SESSION ID = 10,SA ID = 3):Checking for duplicate IKEv2 SA
Oct 26 17:59:45.824: IKEv2:(SESSION ID = 10,SA ID = 3):No duplicate IKEv2 SA found
Oct 26 17:59:45.824: IKEv2:(SESSION ID = 10,SA ID = 3):Starting timer (8 sec) to delete negotiation context

Oct 26 17:59:45.828: IKEv2:(SESSION ID = 10,SA ID = 3):Received Packet [From XX.XXX.253.100:500/To XX.XXX.253.101:500/VRF i0:f0]
Initiator SPI : 50115CB6E2073E54 - Responder SPI : CF089EA39CC0AE11 Message id:2
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
DELETE

Oct 26 17:59:45.828: IKEv2:(SESSION ID = 10,SA ID = 3):Building packet for encryption.

Oct 26 17:59:45.828: IKEv2:(SESSION ID = 10,SA ID = 3):Sending Packet [To XX.XXX.253.100:500/From XX.XXX.253.101:500/VRF i0:f0]
Initiator SPI : 50115CB6E2073E54 - Responder SPI : CF089EA39CC0AE11 Message id:2
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
ENCR

Oct 26 17:59:45.828: IKEv2:(SESSION ID = 10,SA ID = 3):Process delete request from peer
Oct 26 17:59:45.828: IKEv2:(SESSION ID = 10,SA ID = 3):Processing DELETE INFO message for IPsec SA [SPI: 0x86757D06]
Oct 26 17:59:45.828: IKEv2:(SESSION ID = 10,SA ID = 3):Check for existing active SA

Oct 26 17:59:48.836: IKEv2:(SESSION ID = 10,SA ID = 3):Received Packet [From XX.XXX.253.100:500/To XX.XXX.253.101:500/VRF i0:f0]
Initiator SPI : 50115CB6E2073E54 - Responder SPI : CF089EA39CC0AE11 Message id:3
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:


Oct 26 17:59:48.836: IKEv2:(SESSION ID = 10,SA ID = 3):Received DPD/liveness query
Oct 26 17:59:48.836: IKEv2:(SESSION ID = 10,SA ID = 3):Building packet for encryption.
Oct 26 17:59:48.836: IKEv2:(SESSION ID = 10,SA ID = 3):Sending ACK to informational exchange

Oct 26 17:59:48.836: IKEv2:(SESSION ID = 10,SA ID = 3):Sending Packet [To XX.XXX.253.100:500/From XX.XXX.253.101:500/VRF i0:f0]
Initiator SPI : 50115CB6E2073E54 - Responder SPI : CF089EA39CC0AE11 Message id:3
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
ENCR


Oct 26 18:00:18.444: IKEv2:(SESSION ID = 10,SA ID = 3):Received Packet [From XX.XXX.253.100:500/To XX.XXX.253.101:500/VRF i0:f0]
Initiator SPI : 50115CB6E2073E54 - Responder SPI : CF089EA39CC0AE11 Message id:4
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:


Oct 26 18:00:18.444: IKEv2:(SESSION ID = 10,SA ID = 3):Received DPD/liveness query
Oct 26 18:00:18.444: IKEv2:(SESSION ID = 10,SA ID = 3):Building packet for encryption.
Oct 26 18:00:18.444: IKEv2:(SESSION ID = 10,SA ID = 3):Sending ACK to informational exchange

Oct 26 18:00:18.444: IKEv2:(SESSION ID = 10,SA ID = 3):Sending Packet [To XX.XXX.253.100:500/From XX.XXX.253.101:500/VRF i0:f0]
Initiator SPI : 50115CB6E2073E54 - Responder SPI : CF089EA39CC0AE11 Message id:4
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
ENCR

@WizJ logs state - "Failed to find a matching policyESP: Proposal 1: AES-CBC-256 SHA96 Don't use ESN" - but you are not using AES-256 - "crypto ipsec transform-set MYSET esp-aes esp-sha-hmac"

Align the IPsec transform set configuration; change the Cisco router to use AES 256:

crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
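Both mismatches the Cisco debug in this thread reports (NO_PROPOSAL_CHOSEN on the child SA proposal, then TS_UNACCEPTABLE on the traffic selectors) can be checked offline before touching either box. The script below is an added example, not code from the thread, from Cisco or from WatchGuard: it takes the crypto ACL, transform set, PFS group and PSK from the posted Cisco config and the tunnel route and Phase 2 proposal from the posted WatchGuard diagnostic report, and reports where they disagree. The matching rules it applies are assumptions modelled on the debug output (the peer's TSi/TSr must mirror one crypto-ACL entry exactly, the single ESP transform on each side must be identical, PFS groups must match), and the 16-byte PSK threshold is an arbitrary lab-versus-production line, not a vendor requirement. It handles any single `permit ip` ACE with a contiguous wildcard, not just the one in the post.

```python
"""Added example, not code from the thread: an offline checker for the
two negotiations the Cisco debug in this thread fails. Cisco values are
copied from the posted config, WatchGuard values from the posted
diagnostic report. The matching rules are assumptions (see comments)."""
import ipaddress
import re

# Cisco side, copied from the posted config.
CISCO_CRYPTO_ACE = "access-list 100 permit ip 192.0.0.0 0.255.255.255 10.0.1.0 0.0.0.255"
CISCO_ESP = {"encr": "AES-CBC-128", "integ": "SHA1"}   # esp-aes esp-sha-hmac
CISCO_PFS_GROUP = 14                                      # set pfs group14
CISCO_PSK = "test"                                        # pre-shared-key local/remote test

# WatchGuard side, copied from the posted diagnostic report.
WG_TUNNEL_ROUTE = ("10.0.1.0/24", "192.168.1.0/24")      # WG local <-> WG remote
WG_ESP = {"encr": "AES-CBC-256", "integ": "SHA1"}         # AES KeyLen 32 bytes, SHA
WG_PFS_GROUP = 14                                         # PFS Enabled, DH-Group 14

ACE_RE = re.compile(
    r"access-list\s+(\d+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def wildcard_to_network(addr, wildcard):
    """Cisco wildcard masks are inverted netmasks: 0.255.255.255 means /8."""
    inv = int(ipaddress.IPv4Address(wildcard))
    if inv & (inv + 1):   # low bits must all be 1 for a contiguous wildcard
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    prefix = 32 - bin(inv).count("1")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def network_to_wildcard(net):
    """Inverse of the above, used to print a corrected ACE."""
    return f"{net.network_address} {net.hostmask}"


def parse_crypto_ace(line):
    """Returns (local_net, remote_net) for one 'permit ip' crypto ACE."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE: {line!r}")
    _, src, src_wc, dst, dst_wc = m.groups()
    return wildcard_to_network(src, src_wc), wildcard_to_network(dst, dst_wc)


def check_selectors(ace, peer_route):
    """Mirror-image check. Assumption: an IOS crypto map wants the peer's
    TSi/TSr to be the exact mirror of an ACE, not merely contained in it.
    The debug in this thread answers TSi=10.0.1.0/24, TSr=192.168.1.0/24
    with TS_UNACCEPTABLE, consistent with 192.0.0.0/8 failing that test."""
    local, remote = parse_crypto_ace(ace)
    peer_local, peer_remote = (ipaddress.ip_network(n) for n in peer_route)
    findings = []
    if local != peer_remote:
        findings.append(f"crypto ACL local {local} is not the peer's remote {peer_remote}")
    if remote != peer_local:
        findings.append(f"crypto ACL remote {remote} is not the peer's local {peer_local}")
    return findings


def suggested_ace(acl_number, peer_route):
    """The ACE that mirrors the peer's tunnel route."""
    peer_local, peer_remote = (ipaddress.ip_network(n) for n in peer_route)
    return (f"access-list {acl_number} permit ip "
            f"{network_to_wildcard(peer_remote)} {network_to_wildcard(peer_local)}")


def check_esp(mine, theirs, my_pfs, their_pfs):
    """Child SA proposal check. Assumption: one transform set per side, so
    encryption and integrity must be identical and PFS groups must match."""
    findings = []
    for k in ("encr", "integ"):
        if mine[k] != theirs[k]:
            findings.append(f"ESP {k}: {mine[k]} here vs {theirs[k]} on the peer")
    if my_pfs != their_pfs:
        findings.append(f"PFS group {my_pfs} here vs {their_pfs} on the peer")
    return findings


def review(ace, peer_route, my_esp, their_esp, my_pfs, their_pfs, psk):
    """All findings for one tunnel. The PSK length check is advisory; the
    posted debug prints 'key len 4' for the lab key used here."""
    findings = check_esp(my_esp, their_esp, my_pfs, their_pfs)
    findings += check_selectors(ace, peer_route)
    if len(psk) < 16:   # assumed lab-vs-production line, not a vendor rule
        findings.append(f"PSK is {len(psk)} bytes; fine for a lab, not for production")
    return findings


if __name__ == "__main__":
    for f in review(CISCO_CRYPTO_ACE, WG_TUNNEL_ROUTE, CISCO_ESP, WG_ESP,
                    CISCO_PFS_GROUP, WG_PFS_GROUP, CISCO_PSK):
        print("-", f)
    print("suggested:", suggested_ace(100, WG_TUNNEL_ROUTE))
```

Run as a script it prints three findings: AES-128 against the WatchGuard's AES-256 (the change suggested above), the crypto ACL's 192.0.0.0/8 against the WatchGuard's 192.168.1.0/24 (which is what the CREATE_CHILD_SA attempt later in the thread still fails on with TS_UNACCEPTABLE), and the four-byte lab PSK; it also prints the mirror-image entry for access-list 100. Two things it does not model: IOS applies `ip nat inside source list 1 ... overload` before the crypto map is consulted, so once the selectors agree the NAT ACL also needs a deny for 192.168.1.0/24 to 10.0.1.0/24 or that traffic leaves translated and never matches the crypto ACL; and the leftover IKEv1 `crypto isakmp` lines and incomplete isakmp profiles, which the IKEv2 negotiation in the debug never touches but which widen what the router will accept from that peer, so they are worth removing once the tunnel is up.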

 

Ok, changed transform set to 256. Debug:

Oct 26 18:32:26.149: IKEv2:% Getting preshared key from profile keyring Wg
Oct 26 18:32:26.149: IKEv2:% Matched peer block 'Wg'
Oct 26 18:32:26.149: IKEv2:Searching Policy with fvrf 0, local address XX.XXX.253.101
Oct 26 18:32:26.149: IKEv2:Found Policy 'IKEV2_POLICY'
Oct 26 18:32:26.149: IKEv2:(SESSION ID = 12,SA ID = 1):Check for IPSEC rekey
Oct 26 18:32:26.149: IKEv2:(SESSION ID = 12,SA ID = 1):Set IPSEC DH group
Oct 26 18:32:26.149: IKEv2:(SESSION ID = 12,SA ID = 1):Checking for PFS configuration
Oct 26 18:32:26.149: IKEv2:(SESSION ID = 12,SA ID = 1):PFS configured, DH group14
Oct 26 18:32:26.149: IKEv2:(SESSION ID = 12,SA ID = 1):[IKEv2 -> Crypto Engine]Computing DH public key, DH Group 14
Oct 26 18:32:26.301: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
Oct 26 18:32:26.301: IKEv2:(SESSION ID = 12,SA ID = 1):Request queued for computation of DH key
Oct 26 18:32:26.301: IKEv2:(SESSION ID = 12,SA ID = 1):Generating CREATE_CHILD_SA exchange
Oct 26 18:32:26.301: IKEv2:(SESSION ID = 12,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 4
AES-CBC SHA96 DH_GROUP_2048_MODP/Group 14 Don't use ESN
Oct 26 18:32:26.301: IKEv2:(SESSION ID = 12,SA ID = 1):Building packet for encryption.
Payload contents:
SA N KE TSi TSr
Oct 26 18:32:26.301: IKEv2:(SESSION ID = 12,SA ID = 1):Checking if request will fit in peer window

Oct 26 18:32:26.301: IKEv2:(SESSION ID = 12,SA ID = 1):Sending Packet [To XX.XXX.253.100:500/From XX.XXX.253.101:500/VRF i0:f0]
Initiator SPI : 8FBC5B92B395C0BD - Responder SPI : C23C4DFBF0243DE6 Message id:4
IKEv2 CREATE_CHILD_SA Exchange REQUEST
Payload contents:
ENCR


Oct 26 18:32:26.305: IKEv2:(SESSION ID = 12,SA ID = 1):Received Packet [From XX.XXX.253.100:500/To XX.XXX.253.101:500/VRF i0:f0]
Initiator SPI : 8FBC5B92B395C0BD - Responder SPI : C23C4DFBF0243DE6 Message id:4
IKEv2 CREATE_CHILD_SA Exchange RESPONSE
Payload contents:
NOTIFY(TS_UNACCEPTABLE)

Oct 26 18:32:26.305: IKEv2:(SESSION ID = 12,SA ID = 1):Processing any notify-messages in child SA exchange
Oct 26 18:32:26.309: IKEv2-ERROR:(SESSION ID = 12,SA ID = 1):
Oct 26 18:32:26.309: IKEv2-ERROR:(SESSION ID = 12,SA ID = 1):: Create child exchange failed
Oct 26 18:32:26.309: IKEv2:(SESSION ID = 12,SA ID = 1):IPSec SA create failed
Oct 26 18:32:26.309: IKEv2-ERROR:Failed to decrement count for incoming negotiating
Oct 26 18:32:26.309: IKEv2:(SESSION ID = 12,SA ID = 1):Abort exchange
Oct 26 18:32:26.309: IKEv2:(SESSION ID = 12,SA ID = 1):Sending DELETE INFO message for IPsec SA [SPI: 0xA7CA5068]
Oct 26 18:32:26.309: IKEv2:(SESSION ID = 12,SA ID = 1):Building packet for encryption.
Payload contents:
DELETE
Oct 26 18:32:26.313: IKEv2:(SESSION ID = 12,SA ID = 1):Checking if request will fit in peer window

Oct 26 18:32:26.313: IKEv2:(SESSION ID = 12,SA ID = 1):Sending Packet [To XX.XXX.253.100:500/From XX.XXX.253.101:500/VRF i0:f0]
Initiator SPI : 8FBC5B92B395C0BD - Responder SPI : C23C4DFBF0243DE6 Message id:5
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR

Oct 26 18:32:26.313: IKEv2:(SESSION ID = 12,SA ID = 1):Check for existing IPSECSA

Oct 26 18:32:26.313: IKEv2:(SESSION ID = 12,SA ID = 1):Received Packet [From XX.XXX.253.100:500/To XX.XXX.253.101:500/VRF i0:f0]
Initiator SPI : 8FBC5B92B395C0BD - Responder SPI : C23C4DFBF0243DE6 Message id:5
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:


Oct 26 18:32:26.313: IKEv2:(SESSION ID = 12,SA ID = 1):Processing ACK to informational exchange
Oct 26 18:32:26.317: IKEv2:(SESSION ID = 12,SA ID = 1):Check for existing IPSEC SA
Oct 26 18:32:49.621: IKEv2:(SESSION ID = 12,SA ID = 1):Received Packet [From XX.XXX.253.100:500/To XX.XXX.253.101:500/VRF i0:f0]
Initiator SPI : 8FBC5B92B395C0BD - Responder SPI : C23C4DFBF0243DE6 Message id:5
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:


Oct 26 18:32:49.621: IKEv2:(SESSION ID = 12,SA ID = 1):Received DPD/liveness query
Oct 26 18:32:49.621: IKEv2:(SESSION ID = 12,SA ID = 1):Building packet for encryption.
Oct 26 18:32:49.621: IKEv2:(SESSION ID = 12,SA ID = 1):Sending ACK to informational exchange

Oct 26 18:32:49.621: IKEv2:(SESSION ID = 12,SA ID = 1):Sending Packet [To XX.XXX.253.100:500/From XX.XXX.253.101:500/VRF i0:f0]
Initiator SPI : 8FBC5B92B395C0BD - Responder SPI : C23C4DFBF0243DE6 Message id:5
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
ENCR

Oct 26 18:32:56.149: IKEv2:% Getting preshared key from profile keyring Wg
Oct 26 18:32:56.149: IKEv2:% Matched peer block 'Wg'
Oct 26 18:32:56.149: IKEv2:Searching Policy with fvrf 0, local address XX.XXX.253.101
Oct 26 18:32:56.149: IKEv2:Found Policy 'IKEV2_POLICY'
Oct 26 18:32:56.149: IKEv2:(SESSION ID = 12,SA ID = 1):Check for IPSEC rekey
Oct 26 18:32:56.149: IKEv2:(SESSION ID = 12,SA ID = 1):Set IPSEC DH group
Oct 26 18:32:56.149: IKEv2:(SESSION ID = 12,SA ID = 1):Checking for PFS configuration
Oct 26 18:32:56.149: IKEv2:(SESSION ID = 12,SA ID = 1):PFS configured, DH group 14
Oct 26 18:32:56.149: IKEv2:(SESSION ID = 12,SA ID = 1):[IKEv2 -> Crypto Engine]Computing DH public key, DH Group 14
Oct 26 18:32:56.301: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
Oct 26 18:32:56.301: IKEv2:(SESSION ID = 12,SA ID = 1):Request queued for computation of DH key
Oct 26 18:32:56.301: IKEv2:(SESSION ID = 12,SA ID = 1):Generating CREATE_CHILD_SA exchange
Oct 26 18:32:56.301: IKEv2:(SESSION ID = 12,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 4
AES-CBC SHA96 DH_GROUP_2048_MODP/Group 14 Don't use ESN
Oct 26 18:32:56.301: IKEv2:(SESSION ID = 12,SA ID = 1):Building packet for encryption.
Payload contents:
SA N KE TSi TSr
Oct 26 18:32:56.301: IKEv2:(SESSION ID = 12,SA ID = 1):Checking if request willfit in peer window

Oct 26 18:32:56.301: IKEv2:(SESSION ID = 12,SA ID = 1):Sending Packet [To XX.XXX.253.100:500/From XX.XXX.253.101:500/VRF i0:f0]
Initiator SPI : 8FBC5B92B395C0BD - Responder SPI : C23C4DFBF0243DE6 Message id:6
IKEv2 CREATE_CHILD_SA Exchange REQUEST
Payload contents:
ENCR


Oct 26 18:32:56.305: IKEv2:(SESSION ID = 12,SA ID = 1):Received Packet [From XX.XXX.253.100:500/To XX.XXX.253.101:500/VRF i0:f0]
Initiator SPI : 8FBC5B92B395C0BD - Responder SPI : C23C4DFBF0243DE6 Message id:6
IKEv2 CREATE_CHILD_SA Exchange RESPONSE
Payload contents:
NOTIFY(TS_UNACCEPTABLE)

Oct 26 18:32:56.309: IKEv2:(SESSION ID = 12,SA ID = 1):Processing any notify-messages in child SA exchange
Oct 26 18:32:56.309: IKEv2-ERROR:(SESSION ID = 12,SA ID = 1):
Oct 26 18:32:56.309: IKEv2-ERROR:(SESSION ID = 12,SA ID = 1):: Create child exchange failed
Oct 26 18:32:56.309: IKEv2:(SESSION ID = 12,SA ID = 1):IPSec SA create failed
Oct 26 18:32:56.309: IKEv2-ERROR:Failed to decrement count for incoming negotiating
Oct 26 18:32:56.309: IKEv2:(SESSION ID = 12,SA ID = 1):Abort exchange
Oct 26 18:32:56.309: IKEv2:(SESSION ID = 12,SA ID = 1):Sending DELETE INFO message for IPsec SA [SPI: 0x1415DA94]
Oct 26 18:32:56.313: IKEv2:(SESSION ID = 12,SA ID = 1):Building packet for encryption.
Payload contents:
DELETE
Oct 26 18:32:56.313: IKEv2:(SESSION ID = 12,SA ID = 1):Checking if request willfit in peer window

Oct 26 18:32:56.313: IKEv2:(SESSION ID = 12,SA ID = 1):Sending Packet [To XX.XXX.253.100:500/From XX.XXX.253.101:500/VRF i0:f0]
Initiator SPI : 8FBC5B92B395C0BD - Responder SPI : C23C4DFBF0243DE6 Message id:7
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR

Oct 26 18:32:56.313: IKEv2:(SESSION ID = 12,SA ID = 1):Check for existing IPSEC SA

Oct 26 18:32:56.313: IKEv2:(SESSION ID = 12,SA ID = 1):Received Packet [From XX.XXX.253.100:500/To XX.XXX.253.101:500/VRF i0:f0]
Initiator SPI : 8FBC5B92B395C0BD - Responder SPI : C23C4DFBF0243DE6 Message id:7
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:


Oct 26 18:32:56.317: IKEv2:(SESSION ID = 12,SA ID = 1):Processing ACK to informational exchange
Oct 26 18:32:56.317: IKEv2:(SESSION ID = 12,SA ID = 1):Check for existing IPSEC SA

Oct 26 18:33:19.685: IKEv2:(SESSION ID = 12,SA ID = 1):Received Packet [From XX.XXX.253.100:500/To XX.XXX.253.101:500/VRF i0:f0]
Initiator SPI : 8FBC5B92B395C0BD - Responder SPI : C23C4DFBF0243DE6 Message id:6
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:


Oct 26 18:33:19.685: IKEv2:(SESSION ID = 12,SA ID = 1):Received DPD/liveness query
Oct 26 18:33:19.685: IKEv2:(SESSION ID = 12,SA ID = 1):Building packet for encryption.
Oct 26 18:33:19.685: IKEv2:(SESSION ID = 12,SA ID = 1):Sending ACK to informational exchange

Oct 26 18:33:19.685: IKEv2:(SESSION ID = 12,SA ID = 1):Sending Packet [To XX.XXX.253.100:500/From XX.XXX.253.101:500/VRF i0:f0]
Initiator SPI : 8FBC5B92B395C0BD - Responder SPI : C23C4DFBF0243DE6 Message id:6
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
ENCR


Oct 26 18:33:49.749: IKEv2:(SESSION ID = 12,SA ID = 1):Received Packet [From XX.XXX.253.100:500/To XX.XXX.253.101:500/VRF i0:f0]
Initiator SPI : 8FBC5B92B395C0BD - Responder SPI : C23C4DFBF0243DE6 Message id:7
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:


Oct 26 18:33:49.749: IKEv2:(SESSION ID = 12,SA ID = 1):Received DPD/liveness query
Oct 26 18:33:49.749: IKEv2:(SESSION ID = 12,SA ID = 1):Building packet for encryption.
Oct 26 18:33:49.749: IKEv2:(SESSION ID = 12,SA ID = 1):Sending ACK to informational exchange

Oct 26 18:33:49.749: IKEv2:(SESSION ID = 12,SA ID = 1):Sending Packet [To XX.XXX.253.100:500/From XX.XXX.253.101:500/VRF i0:f0]
Initiator SPI : 8FBC5B92B395C0BD - Responder SPI : C23C4DFBF0243DE6 Message id:7
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
ENCR

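To make a long debug capture like the one above easier to read, here is a small parser I am adding as an example (it is not part of the original post and not a Cisco tool). It walks `debug crypto ikev2` output, pairs each `CREATE_CHILD_SA` REQUEST/RESPONSE by message id, pulls out the ESP proposal the router offered and any `NOTIFY(...)` the peer sent back, and reports the failed child SA negotiations. The sample lines are excerpted from the output posted above; the hint text is my own summary of what each notify usually means, not something the logs state.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a handful of lines excerpted from the "debug crypto ikev2"
# output posted in this thread (peer addresses were already masked as XX.XXX).
SAMPLE_LOG = """\
Oct 26 18:32:26.301: IKEv2:(SESSION ID = 12,SA ID = 1):Generating CREATE_CHILD_SA exchange
Oct 26 18:32:26.301: IKEv2:(SESSION ID = 12,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 4
AES-CBC SHA96 DH_GROUP_2048_MODP/Group 14 Don't use ESN
Oct 26 18:32:26.301: IKEv2:(SESSION ID = 12,SA ID = 1):Sending Packet [To XX.XXX.253.100:500/From XX.XXX.253.101:500/VRF i0:f0]
Initiator SPI : 8FBC5B92B395C0BD - Responder SPI : C23C4DFBF0243DE6 Message id:4
IKEv2 CREATE_CHILD_SA Exchange REQUEST
Payload contents:
ENCR
Oct 26 18:32:26.305: IKEv2:(SESSION ID = 12,SA ID = 1):Received Packet [From XX.XXX.253.100:500/To XX.XXX.253.101:500/VRF i0:f0]
Initiator SPI : 8FBC5B92B395C0BD - Responder SPI : C23C4DFBF0243DE6 Message id:4
IKEv2 CREATE_CHILD_SA Exchange RESPONSE
Payload contents:
NOTIFY(TS_UNACCEPTABLE)
Oct 26 18:32:26.309: IKEv2-ERROR:(SESSION ID = 12,SA ID = 1):: Create child exchange failed
Oct 26 18:32:49.621: IKEv2:(SESSION ID = 12,SA ID = 1):Received DPD/liveness query
"""

TS_RE = re.compile(r"^\w{3} \d+ \d\d:\d\d:\d\d\.\d+: ")       # a new timestamped event
MSGID_RE = re.compile(r"Message id:(\d+)")                      # SPI / message-id line
EXCH_RE = re.compile(r"^IKEv2 (\S+) Exchange (REQUEST|RESPONSE)$")
NOTIFY_RE = re.compile(r"NOTIFY\(([A-Z_]+)\)")

# What the common child-SA notifies usually point at (my summary, not from the log).
NOTIFY_HINTS = {
    "TS_UNACCEPTABLE": "peer rejected the traffic selectors (TSi/TSr); compare the crypto "
                       "ACL / tunnel route on both sides and the phase 2 proposal tied to it",
    "NO_PROPOSAL_CHOSEN": "no ESP transform matched; align encryption, integrity and PFS group",
}


@dataclass
class Exchange:
    msg_id: int
    kind: str                 # e.g. CREATE_CHILD_SA or INFORMATIONAL
    direction: str            # REQUEST or RESPONSE
    notifies: list = field(default_factory=list)


def parse_ikev2_debug(text):
    """Return (esp_proposals, exchanges) found in IOS 'debug crypto ikev2' output."""
    proposals, exchanges = [], []
    expect_transforms = False     # the line after "Num. transforms:" lists the transforms
    pending_id = None             # message id seen on the SPI line, until the exchange header
    current = None                # exchange whose payload listing we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if expect_transforms:
            proposals.append(line)
            expect_transforms = False
            continue
        if line.startswith("Num. transforms:"):
            expect_transforms = True
            continue
        m = MSGID_RE.search(line)
        if m:
            pending_id = int(m.group(1))
            continue
        m = EXCH_RE.match(line)
        if m and pending_id is not None:
            current = Exchange(pending_id, m.group(1), m.group(2))
            exchanges.append(current)
            pending_id = None
            continue
        m = NOTIFY_RE.search(line)
        if m and current is not None:
            current.notifies.append(m.group(1))
            continue
        if TS_RE.match(line):
            current = None        # payload listing of the previous packet is over
    return proposals, exchanges


def diagnose(text):
    """List every CREATE_CHILD_SA response that carried a notify, with the offered proposal."""
    proposals, exchanges = parse_ikev2_debug(text)
    requests = {e.msg_id for e in exchanges if e.direction == "REQUEST"}
    findings = []
    for e in exchanges:
        if e.direction != "RESPONSE" or e.kind != "CREATE_CHILD_SA":
            continue
        for n in e.notifies:
            findings.append({
                "msg_id": e.msg_id,
                "request_seen": e.msg_id in requests,
                "notify": n,
                "offered": proposals[-1] if proposals else None,
                "hint": NOTIFY_HINTS.get(n, "see RFC 7296 section 3.10.1 for this notify type"),
            })
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print(f"msg {f['msg_id']}: {f['notify']} after offering '{f['offered']}' -> {f['hint']}")
```

Feed it the full capture with `diagnose(open("ikev2.log").read())`; on the sample it reports message id 4 failing with `TS_UNACCEPTABLE` after the router offered `AES-CBC SHA96 ... Group 14`, which is the same exchange that repeats every thirty seconds in the output above.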
@WizJ is PFS enabled on the watchguard? If not, or unsure, remove it from the Cisco and try again.

Provide the full configuration of both devices (screenshot if need be from the watchguard if GUI only). Provide the configs as attachments rather than pasting the full config in the body of the message.

PFS is enabled on the WatchGuard. I will get you the configs for both.

All right, I have all of the VPN configuration from the WatchGuard. If you need any other configuration shots let me know. Again, thank you for helping with this.

@WizJ well the screenshot from the watchguard says the IPsec phase 2 settings ESP AES/SHA with PFS 14 are selected, right?

So change the cisco router transform set to use AES/SHA

crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
mode tunnel

However the cisco logs previously stated "Oct 26 17:59:45.812: IKEv2-ERROR:(SESSION ID = 10,SA ID = 3):Received Policies:
: Failed to find a matching policyESP: Proposal 1: AES-CBC-256 SHA96 Don't use ESN"

So have the watchguard settings changed?

Either way, the ciphers used need to match on both devices. The other phase 2 option on the watchguard is AES256/SHA256, so if you attempt to use those settings, you'd have to change the cisco transform set to use AES256/SHA256.
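Since the whole problem came down to the two sides naming the same ciphers differently, here is a small checker I am adding as an example (not from the thread, not a Cisco or WatchGuard tool) that normalizes an IOS `crypto ipsec transform-set` line and a WatchGuard-style phase 2 label such as `AES/SHA` or `AES256/SHA256` into the same (cipher, key bits, integrity) form and lists what differs. Two assumptions are baked in and labelled in the code: IOS `esp-aes` with no key size means AES-128, and WatchGuard's plain `AES`/`SHA` mean AES-128 and SHA1, which is consistent with the fix that worked in this thread. The transform-set lines below are constructed samples.

```python
import re

# IOS transform-set keywords -> (cipher, default key bits). Assumption: a bare
# "esp-aes" is AES-128 unless a key size (192/256) follows it, as IOS documents.
CISCO_ENC = {"esp-aes": ("AES-CBC", 128), "esp-3des": ("3DES", 168), "esp-des": ("DES", 56)}
CISCO_INTEG = {
    "esp-sha-hmac": "SHA1", "esp-sha256-hmac": "SHA256", "esp-sha384-hmac": "SHA384",
    "esp-sha512-hmac": "SHA512", "esp-md5-hmac": "MD5",
}

# WatchGuard-style labels as written in this thread ("AES/SHA", "AES256/SHA256")
# or as proposal names ("ESP-AES-SHA1"). Assumption: bare AES = 128 bit, SHA = SHA1.
WG_RE = re.compile(
    r"^(?:ESP[ -])?(AES|3DES|DES)(\d+)?[/-](SHA|SHA1|SHA256|SHA384|SHA512|MD5)$", re.I)
WG_DEFAULT_BITS = {"AES": 128, "3DES": 168, "DES": 56}


def parse_cisco_transform_set(line):
    """'crypto ipsec transform-set NAME esp-aes [bits] esp-sha-hmac' -> normalized dict."""
    tokens = line.split()
    if tokens[:3] != ["crypto", "ipsec", "transform-set"] or len(tokens) < 5:
        raise ValueError(f"not a transform-set line: {line!r}")
    result = {"name": tokens[3], "enc": None, "bits": None, "integ": None}
    i = 4
    while i < len(tokens):
        tok = tokens[i]
        if tok in CISCO_ENC:
            result["enc"], result["bits"] = CISCO_ENC[tok]
            if tok == "esp-aes" and i + 1 < len(tokens) and tokens[i + 1].isdigit():
                result["bits"] = int(tokens[i + 1])      # explicit "esp-aes 256"
                i += 1
        elif tok in CISCO_INTEG:
            result["integ"] = CISCO_INTEG[tok]
        else:
            raise ValueError(f"unknown transform keyword: {tok}")
        i += 1
    return result


def parse_watchguard_phase2(label):
    """'AES/SHA', 'AES256/SHA256' or 'ESP-AES-SHA1' -> normalized dict."""
    m = WG_RE.match(label.strip())
    if not m:
        raise ValueError(f"unrecognised phase 2 label: {label!r}")
    cipher, bits, integ = m.group(1).upper(), m.group(2), m.group(3).upper()
    return {
        "enc": "AES-CBC" if cipher == "AES" else cipher,
        "bits": int(bits) if bits else WG_DEFAULT_BITS[cipher],
        "integ": "SHA1" if integ == "SHA" else integ,
    }


def phase2_mismatches(cisco_line, wg_label):
    """Return the list of fields ('enc', 'bits', 'integ') on which the two sides disagree."""
    a = parse_cisco_transform_set(cisco_line)
    b = parse_watchguard_phase2(wg_label)
    return [k for k in ("enc", "bits", "integ") if a[k] != b[k]]


if __name__ == "__main__":
    # Constructed samples: the AES-256 set the router was offering, then Rob's suggested one.
    before = "crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac"
    after = "crypto ipsec transform-set MYSET esp-aes esp-sha-hmac"
    print("before:", phase2_mismatches(before, "AES/SHA") or "match")
    print("after: ", phase2_mismatches(after, "AES/SHA") or "match")
```

Run it before touching the boxes: an empty list means the ESP proposals line up, and a non-empty one names the field to fix (here the AES key length). PFS group and lifetimes are negotiated separately and still need to be compared by hand.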

Rob, you are the MAN! All I needed to change was the esp-aes on the Cisco and the tunnel is UP! I was able to ping the 192.168 network from my machine connected to the WatchGuard on the 10. network!! Thank you very much for putting up with me and helping me get this fixed!

Really quick, with this config would there be any reason I could not ping the specific IP address 10.0.1.25 from the 192.168 network?
