cisco router error ikev2-error key not found, failed to initiate sa

amoth00011
Level 1

Trying to establish a tunnel between a Cisco router and an ASA. The router has a dynamic IP address, so I'm trying to use FQDN and PSK authentication.

I've created the tunnel-group on the ASA with the name, but I'm getting an error from the router: ikev2 error key not found, failed to initiate the sa. Config is enclosed and names changed for confidentiality.

1 Accepted Solution


tvotna
Spotlight

Don't know if this is a typo, but you configured "crypto ikev2 profile VPN", but referenced it as "set ikev2-profile VPN-PROFILE" in the crypto map. Anyway, if the router complains that it cannot initiate the tunnel, the problem is on the router side.

In general, everything should work just fine so long as the router with the dynamic IP is the initiator and the ASA with the static IP is the responder. The ASA can (and should) have a dynamic crypto map, because "set peer FQDN" is either not supported or will be resolved during config time.

"tunnel-group-map enable ike-id" is enabled by default on the ASA, which means it should be able to map an incoming connection to the tunnel-group by name.


2 Replies

@amoth00011 you have not referenced the keyring under the IKEv2 profile.

I assume the tunnel-group on the ASA is cisco-r-1-2?
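
An added example, not part of the thread and not the poster's configuration: a small Python check for the two reference problems raised in the replies, a crypto map whose `set ikev2-profile` names a profile that does not exist, and an IKEv2 profile with no `keyring local`. The sample config is constructed; the keyring name `KR-ASA`, map name `CMAP`, addresses and FQDN are assumptions, and only the profile names `VPN` and `VPN-PROFILE` come from the thread.

```python
import re

# Constructed sample router config (not the poster's): the profile is named VPN,
# the crypto map points at VPN-PROFILE, and the profile has no "keyring local".
SAMPLE_CONFIG = """\
crypto ikev2 keyring KR-ASA
 peer ASA
  address 198.51.100.1
  pre-shared-key EXAMPLE-PSK
!
crypto ikev2 profile VPN
 match identity remote address 198.51.100.1 255.255.255.255
 identity local fqdn router.example.com
 authentication local pre-share
!
crypto map CMAP 10 ipsec-isakmp
 set ikev2-profile VPN-PROFILE
"""

def check_ikev2_refs(config: str) -> list:
    """Return findings for dangling IKEv2 profile/keyring references."""
    keyrings, profiles, map_refs = set(), {}, []
    section = None  # (kind, name) of the top-level block being read
    for line in config.splitlines():
        if not line.startswith(" "):  # a top-level command starts a new block
            section = None
            if m := re.match(r"crypto ikev2 keyring (\S+)", line):
                keyrings.add(m.group(1))
            elif m := re.match(r"crypto ikev2 profile (\S+)", line):
                section = ("profile", m.group(1))
                profiles[m.group(1)] = []
            elif m := re.match(r"crypto map (\S+) (\d+)", line):
                section = ("map", f"{m.group(1)} {m.group(2)}")
        elif section and section[0] == "profile":
            if m := re.match(r"\s+keyring local (\S+)", line):
                profiles[section[1]].append(m.group(1))
        elif section and section[0] == "map":
            if m := re.match(r"\s+set ikev2-profile (\S+)", line):
                map_refs.append((section[1], m.group(1)))
    findings = []
    for name, refs in profiles.items():
        if not refs:
            findings.append(f"profile {name}: no 'keyring local' configured")
        findings += [f"profile {name}: keyring {k} is not defined"
                     for k in refs if k not in keyrings]
    findings += [f"crypto map {cm}: ikev2-profile {p} is not defined"
                 for cm, p in map_refs if p not in profiles]
    return findings
```

Running `check_ikev2_refs` over a saved copy of the router's running config before the change window catches both mismatches without having to wait for the tunnel to fail.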