FlexVPN IPSEC using default transform set instead of the one we defined.


I am in the process of setting up a FlexVPN connection between two ASR 1001-X routers running IOS XE Version 03.13.02.S. The routers are currently in a lab but will ultimately be used to connect the corporate office with a remote data center. I am experiencing an issue with the IPSEC SA being deleted right after it is created, caused by the router trying to use the default transform set instead of the defined transform set TSET.

Here is the IPSEC debug from the OFFICE router:

030833: Feb 16 11:03:53.803: %IKEV2-5-RECV_CONNECTION_REQUEST: Received a IKE_INIT_SA request
030834: 5d00h: IPSEC(key_engine): got a queue event with 1 KMI message(s)
030835: 5d00h: IPSEC(validate_proposal_request): proposal part #1
030836: 5d00h: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local=, remote=,
    protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
030837: 5d00h: Crypto mapdb : proxy_match
        src addr :
        dst addr :
        protocol : 0
        src port : 0
        dst port : 0
030838: 5d00h: Crypto mapdb : proxy_match
        src addr :
        dst addr :
        protocol : 0
        src port : 0
        dst port : 0
030839: 5d00h: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-aes esp-sha-hmac }
030840: 5d00h: IPSEC(key_engine): failed to process KMI message 42
030841: Feb 16 11:03:53.835: %IKEV2-5-SA_UP: SA UP
030842: Feb 16 11:03:53.841: %IKEV2-5-SA_DOWN: SA DOWN

I am currently using ESP-GCM as the transform but previously used esp-aes 256 and esp-sha384-hmac but received the same error.

Here is my crypto config:

crypto ikev2 proposal IKEV2_PROPOSAL
 encryption aes-gcm-256 aes-gcm-128
 prf sha384 sha256
 group 21 20 19
!
crypto ikev2 policy 10
 ! no "proposal" statement appears under this policy in the config as pasted
!
crypto ikev2 keyring IKEV2_KEY
 peer Data_Center
  hostname Data_Center
  pre-shared-key Key_1
!
crypto ikev2 profile IKEV2_PROFILE
 match identity remote address
 identity local address
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2_KEY
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha384-hmac
 mode tunnel
!
crypto ipsec df-bit clear
!
crypto ipsec profile IPSEC_PROFILE
 set transform-set TSET
 set ikev2-profile IKEV2_PROFILE
!
interface Tunnel0
 ip address
 ip mtu 1400
 tunnel source GigabitEthernet0/0/2
 tunnel mode ipsec ipv4
 tunnel destination
 tunnel path-mtu-discovery
 tunnel protection ipsec profile IPSEC_PROFILE
!
interface GigabitEthernet0/0/2
 description VPLS Circuit
 ip address
 negotiation auto

When I query the transform sets, you can see that it is trying to use the default:

OFFICE#sh crypto ipsec transform-set 
Transform set default: { esp-aes esp-sha-hmac } 
will negotiate = { Transport, },

Transform set TSET: { esp-gcm }
will negotiate = { Tunnel, },

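Added example, written by the editor and not part of the original post: a small Python checker that parses the inbound ESP proposal out of the `debug crypto ipsec` lines quoted above, parses the `show crypto ipsec transform-set` output, and reports which configured set (if any) the peer's proposal can match, plus any legacy transforms it contains. The sample inputs are copied from the post. It assumes, as a simplification of IOS behaviour, that a proposal matches a set only when the transform list and the mode (tunnel/transport) are identical; the WEAK table is the editor's own classification, not an IOS one.

```python
"""Compare an inbound IOS IPsec proposal against the local transform sets.

Added example; not code from the original post.  Parsers accept the
'debug crypto ipsec' and 'show crypto ipsec transform-set' formats quoted
in the post.  Matching rule (simplifying assumption): same transforms AND
same mode.
"""
import re

# Sample inputs copied from the post (constructed test data for this example).
DEBUG_LOG = """\
030836: 5d00h: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local=, remote=,
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
"""

SHOW_TRANSFORM_SETS = """\
Transform set default: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },

Transform set TSET: { esp-gcm }
will negotiate = { Tunnel, },
"""

# Editor's classification of transforms not wanted on a new site link:
# 'esp-sha-hmac' is HMAC-SHA-1; DES/3DES/MD5 are included for completeness.
WEAK = {"esp-sha-hmac": "HMAC-SHA-1", "esp-md5-hmac": "HMAC-MD5",
        "esp-des": "DES", "esp-3des": "3DES"}


def parse_transform_sets(show_output):
    """Return {name: (frozenset(transforms), mode)} from the show output."""
    sets = {}
    current = None
    for line in show_output.splitlines():
        m = re.match(r"Transform set (\S+): \{ ([^}]*)\}", line)
        if m:
            current = m.group(1)
            sets[current] = [frozenset(m.group(2).split()), None]
            continue
        m = re.match(r"will negotiate = \{ (\w+),", line)
        if m and current:
            sets[current][1] = m.group(1).lower()
    return {name: (tr, mode) for name, (tr, mode) in sets.items()}


def parse_proposals(debug_output):
    """Return [(frozenset(transforms), mode, keysize)] per proposal in the debug."""
    proposals = []
    for line in debug_output.splitlines():
        m = re.search(r"transform= ([^()]+?) \((\w+)\)", line)
        if m:
            proposals.append([frozenset(m.group(1).split()), m.group(2).lower(), None])
        m = re.search(r"keysize= (\d+)", line)
        if m and proposals and proposals[-1][2] is None:
            proposals[-1][2] = int(m.group(1))  # belongs to the last proposal seen
    return [tuple(p) for p in proposals]


def match_proposal(proposal, sets):
    """Name of the set whose transforms and mode equal the proposal, else None."""
    transforms, mode, _ = proposal
    for name, (set_transforms, set_mode) in sets.items():
        if set_transforms == transforms and set_mode == mode:
            return name
    return None


def weak_transforms(transforms):
    return sorted(WEAK[t] for t in transforms if t in WEAK)


def analyse(debug_output, show_output):
    """One result dict per inbound proposal: what was offered and whether it matches."""
    sets = parse_transform_sets(show_output)
    return [{
        "transforms": sorted(prop[0]),
        "mode": prop[1],
        "keysize": prop[2],
        "matched_set": match_proposal(prop, sets),
        "weak": weak_transforms(prop[0]),
    } for prop in parse_proposals(debug_output)]


if __name__ == "__main__":
    for r in analyse(DEBUG_LOG, SHOW_TRANSFORM_SETS):
        print(f"peer offered {r['transforms']} ({r['mode']}, keysize {r['keysize']}): "
              f"matches set {r['matched_set']!r}; legacy transforms: {r['weak'] or 'none'}")
```

Run against the post's own output, the peer's INBOUND proposal is esp-aes/esp-sha-hmac in tunnel mode: the transforms of the `default` set (which only negotiates transport mode), and not TSET (esp-gcm). The checker therefore reports no matching set, which is consistent with the "transform proposal not supported" line, and flags HMAC-SHA-1 with AES-128 as the suite being offered. Because the debug labels the proposal INBOUND, the set being offered is the remote router's; the same `show crypto ipsec transform-set` on the Data_Center side is the natural next check.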