GRE/IPSec Between Router and Router/ASA with IKEv2

davem1
Level 1

I'm trying to set up a GRE tunnel between two routers, where one router (DC) is having an ASA do the encryption and the encryption on the end is being done in the router itself.  Each router has loopbacks to be encrypted so that they can be used as the endpoints for the GRE tunnels.

The problem I'm having is that I'm unable to get Phase 1 up at all even though both sides can ping each other.  The PSKs have been simplified with no luck thus far.  I've run a debug on the router doing the encryption, and part of the output just says no policy found.

I'm sure there is a misconfiguration somewhere that I'm overlooking. I'll attach both ends of the config.

11 Replies

ASA doesn't support GRE.

Use VTI instead, where both router and ASA support VTI.

I know ASA doesn't support GRE.  The GRE is on the DC and remote routers.  On one side, there is a router/firewall setup where the router hosts the GRE tunnel and the firewall does the encryption.  On the remote side, the router hosts the GRE and does the encryption.

So you use multi-tier: the GRE ends at one point and the IPsec is ended by the ASA?

@davem1 it's not included in your output, but is ikev2 and the crypto map enabled on the outside interface?

 

crypto ikev2 enable OUTSIDE
crypto map VPN interface OUTSIDE

Can you provide the output of the IKEv2 debugs from both devices?

Obviously the IPSec needs to be established before the GRE tunnels connect, but you've got "tunnel mode ipsec ipv4" enabled on the remote router Tunnel202. On DC router Tunnel623 you don't have this defined; the default, I still believe, is GRE. You will need to amend the configuration of Tunnel202 to use GRE.

The firewall is already running IKEv1 and IKEv2 S2S tunnels, so the outside interface is good to go.

I've tried having it on both tunnels and have removed it on both tunnels with the same result.

Router

1- Out interface: configure it with the crypto map; the other peer is the ASA out interface.

2- Configure GRE using the out interface as tunnel source, and the tunnel destination is a point behind the ASA.

3- ASA: configure the out interface with IKEv2; the peer is the out interface of the router.

You may need to allow the GRE tunnel to pass through the ASA.

4- Router behind the ASA: configure it with the GRE tunnel.

The outside interface is configured with the crypto map. 

We can't use the public addresses as the source/destination on the router/firewall design.  There is no public address on the DC edge router, hence the need for using loopback addresses.

I've done plenty of GRE/IPSec tunnels with a router/firewall on both ends where the router hosts the GRE tunnel with the firewalls doing the encryption, but the encryption was IKEv1.  I've never done a GRE/IPSec tunnel with a router/firewall on one end and just a router on the other with either IKEv1 or IKEv2.

Phase 1 does not pass.

Try using 0.0.0.0 as the peer address of the keyring.

I think that you misconfigured the peer for the key.

davem1
Level 1

Here is a debug from the router doing the encryption

 

Apr 8 21:41:56.479: IKEv2:% Getting preshared key from profile keyring keyring-VPN-B2B-To-DC
Apr 8 21:41:56.479: IKEv2:% Matched peer block 'B2B-DC'
Apr 8 21:41:56.479: IKEv2:Searching Policy with fvrf 0, local address 2.2.2.2
Apr 8 21:41:56.479: IKEv2:Found Policy '10'
Apr 8 21:41:56.479: IKEv2:(SESSION ID = 2890,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
Apr 8 21:41:56.479: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
Apr 8 21:41:56.479: IKEv2:(SESSION ID = 2890,SA ID = 1):Request queued for computation of DH key
Apr 8 21:41:56.479: IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch
Apr 8 21:41:56.479: IKEv2:(SESSION ID = 2890,SA ID = 1):Generating IKE_SA_INIT message
Apr 8 21:41:56.483: IKEv2:(SESSION ID = 2890,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA1 SHA256 DH_GROUP_2048_MODP/Group 14

Apr 8 21:41:56.483: IKEv2:(SESSION ID = 2890,SA ID = 1):Sending Packet [To 1.1.1.1:500/From 2.2.2.2:500/VRF i0:f0]
Initiator SPI : 4A907DB0BBE96287 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

Apr 8 21:41:56.483: IKEv2:(SESSION ID = 2890,SA ID = 1):Insert SA

Apr 8 21:41:56.519: IKEv2:(SESSION ID = 2890,SA ID = 1):Received Packet [From 1.1.1.1:500/To 2.2.2.2:500/VRF i0:f0]
Initiator SPI : 4A907DB0BBE96287 - Responder SPI : D219BBF50C251EEA Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) VID

Apr 8 21:41:56.519: IKEv2:(SESSION ID = 2890,SA ID = 1):Processing IKE_SA_INIT message
Apr 8 21:41:56.519: IKEv2:(SESSION ID = 2890,SA ID = 1):Verify SA init message
Apr 8 21:41:56.519: IKEv2:(SESSION ID = 2890,SA ID = 1):Processing IKE_SA_INIT message
Apr 8 21:41:56.519: IKEv2:(SESSION ID = 2890,SA ID = 1):Checking NAT discovery
Apr 8 21:41:56.519: IKEv2:(SESSION ID = 2890,SA ID = 1):NAT not found
Apr 8 21:41:56.519: IKEv2:(SESSION ID = 2890,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
Apr 8 21:41:56.519: IKEv2:(SESSION ID = 2890,SA ID = 1):Request queued for computation of DH secret
Apr 8 21:41:56.535: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
Apr 8 21:41:56.535: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
Apr 8 21:41:56.535: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
Apr 8 21:41:56.535: IKEv2:(SESSION ID = 2890,SA ID = 1):Completed SA init exchange
Apr 8 21:41:56.535: IKEv2:(SESSION ID = 2890,SA ID = 1):Check for EAP exchange
Apr 8 21:41:56.535: IKEv2:(SESSION ID = 2890,SA ID = 1):Generate my authentication data
Apr 8 21:41:56.535: IKEv2:(SESSION ID = 2890,SA ID = 1):Use preshared key for id 2.2.2.2, key len 8
Apr 8 21:41:56.535: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
Apr 8 21:41:56.535: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
Apr 8 21:41:56.535: IKEv2:(SESSION ID = 2890,SA ID = 1):Get my authentication method
Apr 8 21:41:56.535: IKEv2:(SESSION ID = 2890,SA ID = 1):My authentication method is 'PSK'
Apr 8 21:41:56.535: IKEv2:(SESSION ID = 2890,SA ID = 1):Check for EAP exchange
Apr 8 21:41:56.535: IKEv2:(SESSION ID = 2890,SA ID = 1):Generating IKE_AUTH message
Apr 8 21:41:56.535: IKEv2:(SESSION ID = 2890,SA ID = 1):Constructing IDi payload: '2.2.2.2' of type 'IPv4 address'
Apr 8 21:41:56.535: IKEv2:(SESSION ID = 2890,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
AES-CBC SHA256 Don't use ESN
Apr 8 21:41:56.535: IKEv2:(SESSION ID = 2890,SA ID = 1):Building packet for encryption.
Payload contents:
VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

Apr 8 21:41:56.535: IKEv2:(SESSION ID = 2890,SA ID = 1):Sending Packet [To 1.1.1.1:500/From 2.2.2.2:500/VRF i0:f0]
Initiator SPI : 4A907DB0BBE96287 - Responder SPI : D219BBF50C251EEA Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
ENCR

Apr 8 21:41:56.571: IKEv2:(SESSION ID = 2890,SA ID = 1):Received Packet [From 1.1.1.1:500/To 2.2.2.2:500/VRF i0:f0]
Initiator SPI : 4A907DB0BBE96287 - Responder SPI : D219BBF50C251EEA Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
VID IDr AUTH NOTIFY(NO_PROPOSAL_CHOSEN)

Apr 8 21:41:56.571: IKEv2:(SESSION ID = 2890,SA ID = 1):Process auth response notify
Apr 8 21:41:56.571: IKEv2-ERROR:(SESSION ID = 2890,SA ID = 1):
Apr 8 21:41:56.571: IKEv2:(SESSION ID = 2890,SA ID = 1):Searching policy based on peer's identity '1.1.1.1' of type 'IPv4 address'
Apr 8 21:41:56.571: IKEv2:Searching Policy with fvrf 0, local address 2.2.2.2
Apr 8 21:41:56.571: IKEv2:Found Policy '10'
Apr 8 21:41:56.571: IKEv2:(SESSION ID = 2890,SA ID = 1):Verify peer's policy
Apr 8 21:41:56.571: IKEv2:(SESSION ID = 2890,SA ID = 1):Peer's policy verified
Apr 8 21:41:56.571: IKEv2:(SESSION ID = 2890,SA ID = 1):Get peer's authentication method
Apr 8 21:41:56.571: IKEv2:(SESSION ID = 2890,SA ID = 1):Peer's authentication method is 'PSK'
Apr 8 21:41:56.571: IKEv2:(SESSION ID = 2890,SA ID = 1):Get peer's preshared key for 1.1.1.1
Apr 8 21:41:56.571: IKEv2:(SESSION ID = 2890,SA ID = 1):Verify peer's authentication data
Apr 8 21:41:56.571: IKEv2:(SESSION ID = 2890,SA ID = 1):Use preshared key for id 1.1.1.1, key len 8
Apr 8 21:41:56.571: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
Apr 8 21:41:56.571: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
Apr 8 21:41:56.571: IKEv2:(SESSION ID = 2890,SA ID = 1):Verification of peer's authenctication data PASSED
Apr 8 21:41:56.575: IKEv2:(SESSION ID = 2890,SA ID = 1):Check for EAP exchange
Apr 8 21:41:56.575: IKEv2:(SESSION ID = 2890,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (28800 sec) started
Apr 8 21:41:56.575: IKEv2:(SESSION ID = 2890,SA ID = 1):Session with IKE ID PAIR (1.1.1.1, 2.2.2.2) is UP
Apr 8 21:41:56.575: IKEv2:(SESSION ID = 2890,SA ID = 1):Initializing DPD, configured for 10 seconds
Apr 8 21:41:56.575: IKEv2:IKEv2 MIB tunnel started, tunnel index 1
Apr 8 21:41:56.575: IKEv2:(SESSION ID = 2890,SA ID = 1):Checking for duplicate IKEv2 SA
Apr 8 21:41:56.575: IKEv2:(SESSION ID = 2890,SA ID = 1):No duplicate IKEv2 SA found
Apr 8 21:41:56.575: IKEv2:(SESSION ID = 2890,SA ID = 1):Queuing IKE SA delete request reason: unknown
Apr 8 21:41:56.575: IKEv2:(SESSION ID = 2890,SA ID = 1):Sending DELETE INFO message for IPsec SA [SPI: 0xAD042F75]
Apr 8 21:41:56.575: IKEv2:(SESSION ID = 2890,SA ID = 1):Building packet for encryption.
Payload contents:
DELETE
Apr 8 21:41:56.575: IKEv2:(SESSION ID = 2890,SA ID = 1):Checking if request will fit in peer window

Apr 8 21:41:56.575: IKEv2:(SESSION ID = 2890,SA ID = 1):Sending Packet [To 1.1.1.1:500/From 2.2.2.2:500/VRF i0:f0]
Initiator SPI : 4A907DB0BBE96287 - Responder SPI : D219BBF50C251EEA Message id: 2
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR

Apr 8 21:41:56.575: IKEv2:(SESSION ID = 2890,SA ID = 1):Check for existing IPSEC SA
Apr 8 21:41:56.575: IKEv2:(SESSION ID = 2890,SA ID = 1):Delete all IKE SAs
Apr 8 21:41:56.575: IKEv2:(SESSION ID = 2890,SA ID = 1):Sending DELETE INFO message for IKEv2 SA [ISPI: 0x4A907DB0BBE96287 RSPI: 0xD219BBF50C251EEA]
Apr 8 21:41:56.575: IKEv2:(SESSION ID = 2890,SA ID = 1):Building packet for encryption.
Payload contents:
DELETE
Apr 8 21:41:56.575: IKEv2:(SESSION ID = 2890,SA ID = 1):Checking if request will fit in peer window
Apr 8 21:41:56.575: IKEv2:(SESSION ID = 2890,SA ID = 1):Check for existing active SA
Apr 8 21:41:56.575: IKEv2:(SESSION ID = 2890,SA ID = 1):Delete all IKE SAs

Apr 8 21:41:56.611: IKEv2:(SESSION ID = 2890,SA ID = 1):Received Packet [From 1.1.1.1:500/To 2.2.2.2:500/VRF i0:f0]
Initiator SPI : 4A907DB0BBE96287 - Responder SPI : D219BBF50C251EEA Message id: 2
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:

Apr 8 21:41:56.611: IKEv2:(SESSION ID = 2890,SA ID = 1):Processing ACK to informational exchange
Apr 8 21:41:56.611: IKEv2:(SESSION ID = 2890,SA ID = 1):Check for existing IPSEC SA
Apr 8 21:41:56.611: IKEv2:(SESSION ID = 2890,SA ID = 1):Delete all IKE SAs

Apr 8 21:41:56.611: IKEv2:(SESSION ID = 2890,SA ID = 1):Sending Packet [To 1.1.1.1:500/From 2.2.2.2:500/VRF i0:f0]
Initiator SPI : 4A907DB0BBE96287 - Responder SPI : D219BBF50C251EEA Message id: 3
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR

Apr 8 21:41:56.643: IKEv2:(SESSION ID = 2890,SA ID = 1):Received Packet [From 1.1.1.1:500/To 2.2.2.2:500/VRF i0:f0]
Initiator SPI : 4A907DB0BBE96287 - Responder SPI : D219BBF50C251EEA Message id: 3
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
DELETE

Apr 8 21:41:56.647: IKEv2:(SESSION ID = 2890,SA ID = 1):Processing ACK to informational exchange
Apr 8 21:41:56.647: IKEv2:(SESSION ID = 2890,SA ID = 1):Deleting SA.....
Success rate is 0 percent (0/5)
HURLEYS_ROUTER#
Apr 8 21:42:26.480: IKEv2:% Getting preshared key from profile keyring kr_TEST
Apr 8 21:42:26.480: IKEv2:% Matched peer block 'B2B-DC'
Apr 8 21:42:26.480: IKEv2:Searching Policy with fvrf 0, local address 2.2.2.2
Apr 8 21:42:26.480: IKEv2:Found Policy '10'
Apr 8 21:42:26.480: IKEv2:(SESSION ID = 2890,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
Apr 8 21:42:26.480: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
Apr 8 21:42:26.480: IKEv2:(SESSION ID = 2890,SA ID = 1):Request queued for computation of DH key
Apr 8 21:42:26.480: IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch
Apr 8 21:42:26.480: IKEv2:(SESSION ID = 2890,SA ID = 1):Generating IKE_SA_INIT message
Apr 8 21:42:26.480: IKEv2:(SESSION ID = 2890,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA1 SHA256 DH_GROUP_2048_MODP/Group 14

Apr 8 21:42:26.480: IKEv2:(SESSION ID = 2890,SA ID = 1):Sending Packet [To 1.1.1.1:500/From 2.2.2.2:500/VRF i0:f0]
Initiator SPI : 6690064A1D157D35 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

Apr 8 21:42:26.480: IKEv2:(SESSION ID = 2890,SA ID = 1):Insert SA

Apr 8 21:42:26.516: IKEv2:(SESSION ID = 2890,SA ID = 1):Received Packet [From 1.1.1.1:500/To 2.2.2.2:500/VRF i0:f0]
Initiator SPI : 6690064A1D157D35 - Responder SPI : 5F531A1EB45F2484 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) VID

Apr 8 21:42:26.516: IKEv2:(SESSION ID = 2890,SA ID = 1):Processing IKE_SA_INIT message
Apr 8 21:42:26.520: IKEv2:(SESSION ID = 2890,SA ID = 1):Verify SA init message
Apr 8 21:42:26.520: IKEv2:(SESSION ID = 2890,SA ID = 1):Processing IKE_SA_INIT message
Apr 8 21:42:26.520: IKEv2:(SESSION ID = 2890,SA ID = 1):Checking NAT discovery
Apr 8 21:42:26.520: IKEv2:(SESSION ID = 2890,SA ID = 1):NAT not found
Apr 8 21:42:26.520: IKEv2:(SESSION ID = 2890,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
Apr 8 21:42:26.520: IKEv2:(SESSION ID = 2890,SA ID = 1):Request queued for computation of DH secret
Apr 8 21:42:26.532: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
Apr 8 21:42:26.532: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
Apr 8 21:42:26.532: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
Apr 8 21:42:26.532: IKEv2:(SESSION ID = 2890,SA ID = 1):Completed SA init exchange
Apr 8 21:42:26.532: IKEv2:(SESSION ID = 2890,SA ID = 1):Check for EAP exchange
Apr 8 21:42:26.532: IKEv2:(SESSION ID = 2890,SA ID = 1):Generate my authentication data
Apr 8 21:42:26.532: IKEv2:(SESSION ID = 2890,SA ID = 1):Use preshared key for id 2.2.2.2, key len 8
Apr 8 21:42:26.532: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
Apr 8 21:42:26.532: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
Apr 8 21:42:26.532: IKEv2:(SESSION ID = 2890,SA ID = 1):Get my authentication method
Apr 8 21:42:26.532: IKEv2:(SESSION ID = 2890,SA ID = 1):My authentication method is 'PSK'
Apr 8 21:42:26.532: IKEv2:(SESSION ID = 2890,SA ID = 1):Check for EAP exchange
Apr 8 21:42:26.532: IKEv2:(SESSION ID = 2890,SA ID = 1):Generating IKE_AUTH message
Apr 8 21:42:26.532: IKEv2:(SESSION ID = 2890,SA ID = 1):Constructing IDi payload: '2.2.2.2' of type 'IPv4 address'
Apr 8 21:42:26.532: IKEv2:(SESSION ID = 2890,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
AES-CBC SHA256 Don't use ESN
Apr 8 21:42:26.532: IKEv2:(SESSION ID = 2890,SA ID = 1):Building packet for encryption.
Payload contents:
VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

Apr 8 21:42:26.532: IKEv2:(SESSION ID = 2890,SA ID = 1):Sending Packet [To 1.1.1.1:500/From 2.2.2.2:500/VRF i0:f0]
Initiator SPI : 6690064A1D157D35 - Responder SPI : 5F531A1EB45F2484 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
ENCR

Apr 8 21:42:26.568: IKEv2:(SESSION ID = 2890,SA ID = 1):Received Packet [From 1.1.1.1:500/To 2.2.2.2:500/VRF i0:f0]
Initiator SPI : 6690064A1D157D35 - Responder SPI : 5F531A1EB45F2484 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
VID IDr AUTH NOTIFY(NO_PROPOSAL_CHOSEN)

Apr 8 21:42:26.568: IKEv2:(SESSION ID = 2890,SA ID = 1):Process auth response notify
Apr 8 21:42:26.568: IKEv2-ERROR:(SESSION ID = 2890,SA ID = 1):
Apr 8 21:42:26.568: IKEv2:(SESSION ID = 2890,SA ID = 1):Searching policy based on peer's identity '1.1.1.1' of type 'IPv4 address'
Apr 8 21:42:26.568: IKEv2:Searching Policy with fvrf 0, local address 2.2.2.2
Apr 8 21:42:26.568: IKEv2:Found Policy '10'
Apr 8 21:42:26.568: IKEv2:(SESSION ID = 2890,SA ID = 1):Verify peer's policy
Apr 8 21:42:26.568: IKEv2:(SESSION ID = 2890,SA ID = 1):Peer's policy verified
Apr 8 21:42:26.568: IKEv2:(SESSION ID = 2890,SA ID = 1):Get peer's authentication method
Apr 8 21:42:26.568: IKEv2:(SESSION ID = 2890,SA ID = 1):Peer's authentication method is 'PSK'
Apr 8 21:42:26.568: IKEv2:(SESSION ID = 2890,SA ID = 1):Get peer's preshared key for 1.1.1.1
Apr 8 21:42:26.568: IKEv2:(SESSION ID = 2890,SA ID = 1):Verify peer's authentication data
Apr 8 21:42:26.568: IKEv2:(SESSION ID = 2890,SA ID = 1):Use preshared key for id 1.1.1.1, key len 8
Apr 8 21:42:26.568: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
Apr 8 21:42:26.568: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
Apr 8 21:42:26.568: IKEv2:(SESSION ID = 2890,SA ID = 1):Verification of peer's authenctication data PASSED
Apr 8 21:42:26.568: IKEv2:(SESSION ID = 2890,SA ID = 1):Check for EAP exchange
Apr 8 21:42:26.572: IKEv2:(SESSION ID = 2890,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (28800 sec) started
Apr 8 21:42:26.572: IKEv2:(SESSION ID = 2890,SA ID = 1):Session with IKE ID PAIR (1.1.1.1, 2.2.2.2) is UP
Apr 8 21:42:26.572: IKEv2:(SESSION ID = 2890,SA ID = 1):Initializing DPD, configured for 10 seconds
Apr 8 21:42:26.572: IKEv2:IKEv2 MIB tunnel started, tunnel index 1
Apr 8 21:42:26.572: IKEv2:(SESSION ID = 2890,SA ID = 1):Checking for duplicate IKEv2 SA
Apr 8 21:42:26.572: IKEv2:(SESSION ID = 2890,SA ID = 1):No duplicate IKEv2 SA found
Apr 8 21:42:26.572: IKEv2:(SESSION ID = 2890,SA ID = 1):Queuing IKE SA delete request reason: unknown
Apr 8 21:42:26.572: IKEv2:(SESSION ID = 2890,SA ID = 1):Sending DELETE INFO message for IPsec SA [SPI: 0xD385E6FC]
Apr 8 21:42:26.572: IKEv2:(SESSION ID = 2890,SA ID = 1):Building packet for encryption.
Payload contents:
DELETE
Apr 8 21:42:26.572: IKEv2:(SESSION ID = 2890,SA ID = 1):Checking if request will fit in peer window

Apr 8 21:42:26.572: IKEv2:(SESSION ID = 2890,SA ID = 1):Sending Packet [To 1.1.1.1:500/From 2.2.2.2:500/VRF i0:f0]
Initiator SPI : 6690064A1D157D35 - Responder SPI : 5F531A1EB45F2484 Message id: 2
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR

Apr 8 21:42:26.572: IKEv2:(SESSION ID = 2890,SA ID = 1):Check for existing IPSEC SA
Apr 8 21:42:26.572: IKEv2:(SESSION ID = 2890,SA ID = 1):Delete all IKE SAs
Apr 8 21:42:26.572: IKEv2:(SESSION ID = 2890,SA ID = 1):Sending DELETE INFO message for IKEv2 SA [ISPI: 0x6690064A1D157D35 RSPI: 0x5F531A1EB45F2484]
Apr 8 21:42:26.572: IKEv2:(SESSION ID = 2890,SA ID = 1):Building packet for encryption.
Payload contents:
DELETE
Apr 8 21:42:26.572: IKEv2:(SESSION ID = 2890,SA ID = 1):Checking if request will fit in peer window
Apr 8 21:42:26.572: IKEv2:(SESSION ID = 2890,SA ID = 1):Check for existing active SA
Apr 8 21:42:26.572: IKEv2:(SESSION ID = 2890,SA ID = 1):Delete all IKE SAs

Apr 8 21:42:26.604: IKEv2:(SESSION ID = 2890,SA ID = 1):Received Packet [From 1.1.1.1:500/To 2.2.2.2:500/VRF i0:f0]
Initiator SPI : 6690064A1D157D35 - Responder SPI : 5F531A1EB45F2484 Message id: 2
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:

Apr 8 21:42:26.608: IKEv2:(SESSION ID = 2890,SA ID = 1):Processing ACK to informational exchange
Apr 8 21:42:26.608: IKEv2:(SESSION ID = 2890,SA ID = 1):Check for existing IPSEC SA
Apr 8 21:42:26.608: IKEv2:(SESSION ID = 2890,SA ID = 1):Delete all IKE SAs

Apr 8 21:42:26.608: IKEv2:(SESSION ID = 2890,SA ID = 1):Sending Packet [To 1.1.1.1:500/From 2.2.2.2:500/VRF i0:f0]
Initiator SPI : 6690064A1D157D35 - Responder SPI : 5F531A1EB45F2484 Message id: 3
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR

Apr 8 21:42:26.640: IKEv2:(SESSION ID = 2890,SA ID = 1):Received Packet [From 1.1.1.1:500/To 2.2.2.2:500/VRF i0:f0]
Initiator SPI : 6690064A1D157D35 - Responder SPI : 5F531A1EB45F2484 Message id: 3

HURLEYS_ROUTER#IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
DELETE

Apr 8 21:42:26.640: IKEv2:(SESSION ID = 2890,SA ID = 1):Processing ACK to informational exchange
Apr 8 21:42:26.644: IKEv2:(SESSION ID = 2890,SA ID = 1):Deleting SA
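An added example, not part of the original thread: a small Python parser for the router debug posted above that reports at which exchange the responder refused. It assumes the log was taken on the initiator; the function names and result labels are invented for this example, and the set of notify types that fail only the Child SA comes from RFC 7296, section 1.2.

```python
import re

# Notify types that fail only the Child SA inside IKE_AUTH (RFC 7296, section 1.2)
CHILD_SA_NOTIFIES = {"NO_PROPOSAL_CHOSEN", "TS_UNACCEPTABLE", "SINGLE_PAIR_REQUIRED",
                     "INTERNAL_ADDRESS_FAILURE", "FAILED_CP_REQUIRED"}
PKT = re.compile(r"(Sending|Received) Packet \[")
EXCH = re.compile(r"IKEv2 (\w+) Exchange (REQUEST|RESPONSE)")
STAMP = re.compile(r"^\w{3} +\d+ [\d:.]+: ")

# Trimmed excerpt of the debug posted in the thread (first attempt, blank lines dropped)
SAMPLE = """\
Apr 8 21:41:56.519: IKEv2:(SESSION ID = 2890,SA ID = 1):Received Packet [From 1.1.1.1:500/To 2.2.2.2:500/VRF i0:f0]
Initiator SPI : 4A907DB0BBE96287 - Responder SPI : D219BBF50C251EEA Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) VID
Apr 8 21:41:56.535: IKEv2:(SESSION ID = 2890,SA ID = 1):Building packet for encryption.
Payload contents:
VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
Apr 8 21:41:56.571: IKEv2:(SESSION ID = 2890,SA ID = 1):Received Packet [From 1.1.1.1:500/To 2.2.2.2:500/VRF i0:f0]
Initiator SPI : 4A907DB0BBE96287 - Responder SPI : D219BBF50C251EEA Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
VID IDr AUTH NOTIFY(NO_PROPOSAL_CHOSEN)
Apr 8 21:41:56.575: IKEv2:(SESSION ID = 2890,SA ID = 1):Session with IKE ID PAIR (1.1.1.1, 2.2.2.2) is UP
"""

def parse_messages(text):
    """Return one dict per Sending/Received packet block in the debug text."""
    msgs, cur, want_payload = [], None, False
    for line in map(str.strip, text.splitlines()):
        pkt = PKT.search(line)
        if pkt:
            cur = {"dir": "tx" if pkt.group(1) == "Sending" else "rx",
                   "exchange": None, "kind": None, "payloads": []}
            msgs.append(cur)
            want_payload = False
        elif STAMP.match(line):
            cur = None          # any other timestamped line ends the packet block
        elif cur is not None and want_payload:
            cur["payloads"], want_payload = line.split(), False
        elif cur is not None and line.startswith("Payload contents:"):
            want_payload = True
        elif cur is not None and (m := EXCH.search(line)):
            cur["exchange"], cur["kind"] = m.groups()
    return msgs

def diagnose(text):
    """Return (stage, notify, ike_sa_up) for the first refusal the responder sent."""
    ike_up = re.search(r"Session with IKE ID PAIR .* is UP", text) is not None
    for m in parse_messages(text):
        if m["dir"] != "rx" or m["kind"] != "RESPONSE":
            continue
        notifies = set(re.findall(r"NOTIFY\((\w+)\)", " ".join(m["payloads"])))
        child = sorted(notifies & CHILD_SA_NOTIFIES)
        if m["exchange"] == "IKE_SA_INIT" and "NO_PROPOSAL_CHOSEN" in notifies:
            return ("IKE_SA", "NO_PROPOSAL_CHOSEN", ike_up)
        if m["exchange"] == "IKE_AUTH" and "AUTHENTICATION_FAILED" in notifies:
            return ("IKE_AUTH", "AUTHENTICATION_FAILED", ike_up)
        if m["exchange"] == "IKE_AUTH" and "AUTH" in m["payloads"] and child:
            return ("CHILD_SA", child[0], ike_up)
    return (None, None, ike_up)

print(diagnose(SAMPLE))
```

On the excerpt this returns `('CHILD_SA', 'NO_PROPOSAL_CHOSEN', True)`: the IKE_AUTH response carried an AUTH payload and the session was logged as UP, so the notify applies to the IPsec (ESP) proposal sent in IKE_AUTH rather than to the IKE SA.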

fvrf 0 <- from the debug you sent

The tunnel and tunnel source are VRF-aware, and the keyring and policy are not VRF-aware.
I think this is the issue here.

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-architecture-implementation/214938-configuring-ikev2-vrf-aware-svti.html