Hello,

I want to set up a IPSec IKEv2 VPN to a central ASA. On my side we have a cisco 897.

First I tried a crypto map configuration. Didn't work because the IKEv2 SA goes UP and immediately goes DOWN with the error message "IKEv2:(SESSION ID = 1,SA ID = 1):Queuing IKE SA delete request reason: unknown".

Afterwards I tried a VTI configuration, but the IKEv2 SA was dropped immediately with the same error.

Below you find my configuration:

Building configuration...

Current configuration : 3177 bytes
!
! Last configuration change at 05:42:42 UTC Thu Feb 7 2036
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname XXXXXXXXX
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ethernet lmi ce
!
ip domain name XXXXX.XX
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid C897VA-M-K9 sn FCZ1905C0ZJ
!
vtp mode transparent
username admin
!
crypto ikev2 proposal aes-cbc-256-proposal
encryption aes-cbc-256
integrity sha256
group 14
!
crypto ikev2 policy policy1
match fvrf any
match address local 193.29.25.88
proposal aes-cbc-256-proposal
!
crypto ikev2 keyring KEYRING
peer 81.14.167.232
address 81.14.167.232
pre-shared-key yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
!
peer 10.10.245.22
address 10.10.245.22
pre-shared-key yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
!
crypto ikev2 profile profile1
description IKEv2 profile
match identity remote address 81.14.167.232 255.255.255.255
match identity remote address 10.10.245.22 255.255.255.255
authentication local pre-share
authentication remote pre-share
keyring local KEYRING
lifetime 3600
no config-exchange request
!
controller VDSL 0
!
vlan 2
lldp run
!
crypto logging ikev2
crypto isakmp invalid-spi-recovery
!
crypto ipsec transform-set ESP-AES-SHA esp-null esp-sha-hmac
mode tunnel
crypto ipsec fragmentation after-encryption
!
crypto ipsec profile profile1
set security-policy limit 1
set transform-set ESP-AES-SHA
set ikev2-profile profile1
!
interface Tunnel0
ip unnumbered GigabitEthernet8
tunnel source GigabitEthernet8
tunnel mode ipsec ipv4
tunnel destination 81.14.167.232
tunnel protection ipsec profile profile1 ikev2-profile profile1
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface Ethernet0
no ip address
shutdown
!
interface GigabitEthernet0
switchport access vlan 2
no ip address
!
interface GigabitEthernet1
no ip address
!
interface GigabitEthernet2
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8
ip address 193.29.25.88 255.255.255.240
duplex auto
speed auto
!
interface Vlan1
no ip address
!
interface Vlan2
ip address 193.29.25.78 255.255.255.240
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 193.29.25.94
ip route 192.168.1.0 255.255.255.0 193.29.25.65
!
route-map XXX permit 1
match ip address 101
!
access-list 101 permit ip 193.29.25.64 0.0.0.15 192.168.0.0 0.0.255.255
access-list 101 permit ip 193.29.25.64 0.0.0.15 172.16.0.0 0.0.255.255
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
no modem enable
line aux 0
!
scheduler allocate 20000 1000
!
end

Now the logfile from "debug crypto ikev2"

*Feb 7 06:04:26.731: IKEv2:% Getting preshared key from profile keyring KEYRING
*Feb 7 06:04:26.731: IKEv2:% Matched peer block '81.14.167.232'
*Feb 7 06:04:26.731: IKEv2:Searching Policy with fvrf 0, local address 193.29.25.88
*Feb 7 06:04:26.731: IKEv2:Found Policy 'policy1'
*Feb 7 06:04:26.731: %IKEV2-5-OSAL_INITIATE_TUNNEL: Received request to establish an IPsec tunnel; local traffic selector = Address Ra

*Feb 7 06:04:26.731: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
*Feb 7 06:04:26.731: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Feb 7 06:04:26.731: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH key
*Feb 7 06:04:26.731: IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch
*Feb 7 06:04:26.731: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_SA_INIT message
*Feb 7 06:04:26.731: IKEv2:(SESSION ID = 1,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA256 SHA256 DH_GROUP_2048_MODP/Group 14

*Feb 7 06:04:26.731: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 81.14.167.232:500/From 193.29.25.88:500/VRF i0:f0]
Initiator SPI : 327D7DBC17FFE20E - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Feb 7 06:04:26.731: IKEv2:(SESSION ID = 1,SA ID = 1):Insert SA

*Feb 7 06:04:26.763: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 81.14.167.232:500/To 193.29.25.88:500/VRF i0:f0]
Initiator SPI : 327D7DBC17FFE20E - Responder SPI : B65909F3CF6A3B3A Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) VID

*Feb 7 06:04:26.763: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
*Feb 7 06:04:26.763: IKEv2:(SESSION ID = 1,SA ID = 1):Verify SA init message
*Feb 7 06:04:26.763: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
*Feb 7 06:04:26.763: IKEv2:(SESSION ID = 1,SA ID = 1):Checking NAT discovery
*Feb 7 06:04:26.763: IKEv2:(SESSION ID = 1,SA ID = 1):NAT OUTSIDE found
*Feb 7 06:04:26.763: IKEv2:(SESSION ID = 1,SA ID = 1):NAT detected float to init port 4500, resp port 4500
*Feb 7 06:04:26.763: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
*Feb 7 06:04:26.763: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH secret
*Feb 7 06:04:26.775: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Feb 7 06:04:26.775: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Feb 7 06:04:26.775: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Feb 7 06:04:26.775: IKEv2:(SESSION ID = 1,SA ID = 1):Completed SA init exchange
*Feb 7 06:04:26.779: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
*Feb 7 06:04:26.779: IKEv2:(SESSION ID = 1,SA ID = 1):Generate my authentication data
*Feb 7 06:04:26.779: IKEv2:(SESSION ID = 1,SA ID = 1):Use preshared key for id 193.29.25.88, key len 32
*Feb 7 06:04:26.779: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Feb 7 06:04:26.779: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Feb 7 06:04:26.779: IKEv2:(SESSION ID = 1,SA ID = 1):Get my authentication method
*Feb 7 06:04:26.779: IKEv2:(SESSION ID = 1,SA ID = 1):My authentication method is 'PSK'
*Feb 7 06:04:26.779: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
*Feb 7 06:04:26.779: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_AUTH message
*Feb 7 06:04:26.779: IKEv2:(SESSION ID = 1,SA ID = 1):Constructing IDi payload: '193.29.25.88' of type 'IPv4 address'
*Feb 7 06:04:26.779: IKEv2:(SESSION ID = 1,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
NULL SHA96 Don't use ESN
*Feb 7 06:04:26.779: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.
Payload contents:
VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

*Feb 7 06:04:26.779: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 81.14.167.232:4500/From 193.29.25.88:4500/VRF i0:f0]
Initiator SPI : 327D7DBC17FFE20E - Responder SPI : B65909F3CF6A3B3A Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
ENCR

*Feb 7 06:04:26.807: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 81.14.167.232:4500/To 193.29.25.88:4500/VRF i0:f0]
Initiator SPI : 327D7DBC17FFE20E - Responder SPI : B65909F3CF6A3B3A Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
VID IDr AUTH NOTIFY(TS_UNACCEPTABLE)

*Feb 7 06:04:26.807: IKEv2:(SESSION ID = 1,SA ID = 1):Process auth response notify
*Feb 7 06:04:26.807: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):
*Feb 7 06:04:26.807: IKEv2:(SESSION ID = 1,SA ID = 1):Searching policy based on peer's identity '10.10.245.22' of type 'IPv4 address'
*Feb 7 06:04:26.807: IKEv2:Searching Policy with fvrf 0, local address 193.29.25.88
*Feb 7 06:04:26.807: IKEv2:Found Policy 'policy1'
*Feb 7 06:04:26.807: IKEv2:(SESSION ID = 1,SA ID = 1):Verify peer's policy
*Feb 7 06:04:26.807: IKEv2:(SESSION ID = 1,SA ID = 1):Peer's policy verified
*Feb 7 06:04:26.807: IKEv2:(SESSION ID = 1,SA ID = 1):Get peer's authentication method
*Feb 7 06:04:26.807: IKEv2:(SESSION ID = 1,SA ID = 1):Peer's authentication method is 'PSK'
*Feb 7 06:04:26.807: IKEv2:(SESSION ID = 1,SA ID = 1):Get peer's preshared key for 10.10.245.22
*Feb 7 06:04:26.807: IKEv2:(SESSION ID = 1,SA ID = 1):Verify peer's authentication data
*Feb 7 06:04:26.807: IKEv2:(SESSION ID = 1,SA ID = 1):Use preshared key for id 10.10.245.22, key len 32
*Feb 7 06:04:26.807: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Feb 7 06:04:26.807: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Feb 7 06:04:26.807: IKEv2:(SESSION ID = 1,SA ID = 1):Verification of peer's authenctication data PASSED
*Feb 7 06:04:26.807: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
*Feb 7 06:04:26.807: IKEv2:(SESSION ID = 1,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (3600 sec) startd
*Feb 7 06:04:26.807: %IKEV2-5-SA_UP: SA UP

*Feb 7 06:04:26.807: IKEv2:(SESSION ID = 1,SA ID = 1):Session with IKE ID PAIR (10.10.245.22, 193.29.25.88) is UP
*Feb 7 06:04:26.807: IKEv2:IKEv2 MIB tunnel started, tunnel index 1
*Feb 7 06:04:26.807: IKEv2:(SESSION ID = 1,SA ID = 1):Checking for duplicate IKEv2 SA
*Feb 7 06:04:26.807: IKEv2:(SESSION ID = 1,SA ID = 1):No duplicate IKEv2 SA found
*Feb 7 06:04:26.807: IKEv2:(SESSION ID = 1,SA ID = 1):Queuing IKE SA delete request reason: unknown
*Feb 7 06:04:26.807: IKEv2:(SESSION ID = 1,SA ID = 1):Sending DELETE INFO message for IPsec SA [SPI: 0xF2415CCB]
*Feb 7 06:04:26.807: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.
Payload contents:
DELETE
*Feb 7 06:04:26.807: IKEv2:(SESSION ID = 1,SA ID = 1):Checking if request will fit in peer window

*Feb 7 06:04:26.807: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 81.14.167.232:4500/From 193.29.25.88:4500/VRF i0:f0]
Initiator SPI : 327D7DBC17FFE20E - Responder SPI : B65909F3CF6A3B3A Message id: 2
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR

*Feb 7 06:04:26.811: IKEv2:(SESSION ID = 1,SA ID = 1):Check for existing IPSEC SA
*Feb 7 06:04:26.811: IKEv2:(SESSION ID = 1,SA ID = 1):Delete all IKE SAs
*Feb 7 06:04:26.811: IKEv2:(SESSION ID = 1,SA ID = 1):Sending DELETE INFO message for IKEv2 SA [ISPI: 0x327D7DBC17FFE20E RSPI: 0xB6590]
*Feb 7 06:04:26.811: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.
Payload contents:
DELETE
*Feb 7 06:04:26.811: IKEv2:(SESSION ID = 1,SA ID = 1):Checking if request will fit in peer window
*Feb 7 06:04:26.811: IKEv2:(SESSION ID = 1,SA ID = 1):Check for existing active SA
*Feb 7 06:04:26.811: IKEv2:(SESSION ID = 1,SA ID = 1):Delete all IKE SAs

*Feb 7 06:04:26.835: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 81.14.167.232:4500/To 193.29.25.88:4500/VRF i0:f0]
Initiator SPI : 327D7DBC17FFE20E - Responder SPI : B65909F3CF6A3B3A Message id: 2
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:

*Feb 7 06:04:26.835: IKEv2:(SESSION ID = 1,SA ID = 1):Processing ACK to informational exchange
*Feb 7 06:04:26.835: IKEv2:(SESSION ID = 1,SA ID = 1):Check for existing IPSEC SA
*Feb 7 06:04:26.835: IKEv2:(SESSION ID = 1,SA ID = 1):Delete all IKE SAs

*Feb 7 06:04:26.835: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 81.14.167.232:4500/From 193.29.25.88:4500/VRF i0:f0]
Initiator SPI : 327D7DBC17FFE20E - Responder SPI : B65909F3CF6A3B3A Message id: 3
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR

*Feb 7 06:04:26.859: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 81.14.167.232:4500/To 193.29.25.88:4500/VRF i0:f0]
Initiator SPI : 327D7DBC17FFE20E - Responder SPI : B65909F3CF6A3B3A Message id: 3
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
DELETE

*Feb 7 06:04:26.859: IKEv2:(SESSION ID = 1,SA ID = 1):Processing ACK to informational exchange
*Feb 7 06:04:26.859: IKEv2:(SESSION ID = 1,SA ID = 1):Deleting SA
*Feb 7 06:04:26.859: %IKEV2-5-SA_DOWN: SA DOWN

Does anybody has an idea, why the ikev2 sa will be dropped?

Many thanks in advance for support.

Regards

Rolf