
IPsec IKEv2 RV260 to ASA on Firepower

Carsten Peukert
Level 1

I have configured an IKEv2 IPSec Site-to-Site VPN between ASA (Firepower 1010) and RV260.

I made a config like https://www.cisco.com/c/de_de/support/docs/security-vpn/ipsec-negotiation-ike-protocols/117337-config-asa-router-00.html for the ASA with PSK.

I receive the following error after successful authentication with PSK in Phase 1 on the ASA.

IKEv2-PROTO-4: (31): Redirect check with platform for load-balancing
IKEv2-PROTO-7: (31): SM Trace-> SA: I_SPI=8AA3A008A1B9673E R_SPI=26AB23C3D51385F2 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_NOTIFY_AUTH_DONE
IKEv2-PROTO-7: (31): SM Trace-> SA: I_SPI=8AA3A008A1B9673E R_SPI=26AB23C3D51385F2 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-4: (31): Received valid config mode data
IKEv2-PROTO-7: (31): SM Trace-> SA: I_SPI=8AA3A008A1B9673E R_SPI=26AB23C3D51385F2 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_SET_RECD_CONFIG_MODE
IKEv2-PROTO-4: (31): Set received config mode data
IKEv2-PROTO-7: (31): SM Trace-> SA: I_SPI=8AA3A008A1B9673E R_SPI=26AB23C3D51385F2 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-4: (31): Error in retrieving config mode data to send
IKEv2-PROTO-7: (31): SM Trace-> SA: I_SPI=8AA3A008A1B9673E R_SPI=26AB23C3D51385F2 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_FAIL_GET_CONFIG
IKEv2-PROTO-4: (31): Error in retrieving config mode data to send
IKEv2-PROTO-7: (31): SM Trace-> SA: I_SPI=8AA3A008A1B9673E R_SPI=26AB23C3D51385F2 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_FAIL
IKEv2-PROTO-4: (31): Auth exchange failed
IKEv2-PROTO-2: (31): Auth exchange failed
IKEv2-PROTO-2: (31): Auth exchange failed
IKEv2-PROTO-7: (31): SM Trace-> SA: I_SPI=8AA3A008A1B9673E R_SPI=26AB23C3D51385F2 (R) MsgID = 00000001 CurState: EXIT Event: EV_ABORT
IKEv2-PROTO-7: (31): SM Trace-> SA: I_SPI=8AA3A008A1B9673E R_SPI=26AB23C3D51385F2 (R) MsgID = 00000001 CurState: EXIT Event: EV_CHK_PENDING_ABORT
IKEv2-PROTO-7: (31): SM Trace-> SA: I_SPI=8AA3A008A1B9673E R_SPI=26AB23C3D51385F2 (R) MsgID = 00000001 CurState: EXIT Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-4: (31): Abort exchange
IKEv2-PROTO-4: (31): Deleting SA
IKEv2-PROTO-7: Couldn't find matching SA
IKEv2-PROTO-2: Detected an invalid IKE SPI
IKEv2-PROTO-2: Couldn't find matching SA

IKEv2-PROTO-4: Received Packet [From 46.189.33.62:500/To 46.189.33.61:500/VRF i0:f0]
Initiator SPI : 8AA3A008A1B9673E - Responder SPI : 26AB23C3D51385F2 Message id: 1
IKEv2 IKE_AUTH Exchange REQUESTIKEv2-PROTO-5: Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: INITIATOR Message id: 1, length: 252IKEv2-PROTO-2: A supplied parameter is incorrect
IKEv2-PROTO-7: Couldn't find matching SA
IKEv2-PROTO-2: Detected an invalid IKE SPI
IKEv2-PROTO-2: Couldn't find matching SA

IKEv2-PROTO-4: Received Packet [From 46.189.33.62:500/To 46.189.33.61:500/VRF i0:f0]
Initiator SPI : 8AA3A008A1B9673E - Responder SPI : 26AB23C3D51385F2 Message id: 1
IKEv2 IKE_AUTH Exchange REQUESTIKEv2-PROTO-5: Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: INITIATOR Message id: 1, length: 252IKEv2-PROTO-2: A supplied parameter is incorrect
IKEv2-PROTO-7: Couldn't find matching SA
IKEv2-PROTO-2: Detected an invalid IKE SPI
IKEv2-PROTO-2: Couldn't find matching SA

 

I have not configured multiple networks (discussion: https://community.cisco.com/t5/vpn/ipsec-ikev2-rv160-to-asa/td-p/4428579).

If I replace the RV260 with a Cisco 2921 with an IKEv2 VPN configuration, the configured VPN to the ASA starts fine.

I did not change the ASA configuration.

If I configure the ASA and the RV260 for IKEv1, the VPN works.

Updating the RV260 and ASA to the latest versions does not help.

What can I do?
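
An added example, not part of the original post: a small Python parser for debug output in the layout shown above, which reports the first `EV_FAIL*` state-machine transition per session together with the events and the message logged just before it. The function name and the embedded sample (lines taken from the post, with the common prefix factored out) are this example's own; the line layout is assumed to match the output above.

```python
import re

# Layout assumed from the "SM Trace" lines in the debug output above.
TRACE = re.compile(
    r"IKEv2-PROTO-\d+: \((?P<sess>\d+)\): SM Trace-> SA: "
    r"I_SPI=(?P<ispi>[0-9A-F]+) R_SPI=(?P<rspi>[0-9A-F]+) \((?P<role>[IR])\) "
    r"MsgID = (?P<msgid>\S+) CurState: (?P<state>\S+) Event: (?P<event>\S+)")
MSG = re.compile(r"IKEv2-PROTO-\d+: \((?P<sess>\d+)\): (?P<text>.+)")

def first_failures(log):
    """Per session id, return the first EV_FAIL* transition, the events that
    led to it, and the last plain message logged before it."""
    path, last_msg, found = {}, {}, {}
    for line in log.splitlines():
        line = line.strip()
        t = TRACE.match(line)
        if t:
            sess = t["sess"]
            if sess not in found and t["event"].startswith("EV_FAIL"):
                found[sess] = {
                    "i_spi": t["ispi"], "r_spi": t["rspi"], "role": t["role"],
                    "msg_id": t["msgid"], "state": t["state"],
                    "event": t["event"], "reason": last_msg.get(sess),
                    "path": list(path.get(sess, [])),
                }
            path.setdefault(sess, []).append(t["event"])
            continue
        m = MSG.match(line)
        if m:  # plain message tied to a session; lines without "(n):" are skipped
            last_msg[m["sess"]] = m["text"]
    return found

# Sample: lines from the post, shortened by factoring out the shared prefix.
P = ("IKEv2-PROTO-7: (31): SM Trace-> SA: I_SPI=8AA3A008A1B9673E "
     "R_SPI=26AB23C3D51385F2 (R) MsgID = 00000001 CurState: ")
SAMPLE = "\n".join([
    P + "R_VERIFY_AUTH Event: EV_NOTIFY_AUTH_DONE",
    P + "R_VERIFY_AUTH Event: EV_CHK_CONFIG_MODE",
    "IKEv2-PROTO-4: (31): Received valid config mode data",
    P + "R_VERIFY_AUTH Event: EV_GET_CONFIG_MODE",
    "IKEv2-PROTO-4: (31): Error in retrieving config mode data to send",
    P + "R_VERIFY_AUTH Event: EV_FAIL_GET_CONFIG",
    P + "AUTH_DONE Event: EV_FAIL",
    "IKEv2-PROTO-4: (31): Auth exchange failed",
    "IKEv2-PROTO-7: Couldn't find matching SA",
])

if __name__ == "__main__":
    for sess, f in first_failures(SAMPLE).items():
        print(sess, f["state"], f["event"], "|", f["reason"], "|", " -> ".join(f["path"]))
```

On the sample, the first failing transition is the config-mode step in `R_VERIFY_AUTH`, which is the part of the trace to compare between a working and a failing peer.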

1 Reply 1

Carsten Peukert
Level 1

For all who are interested.

This is not a configuration problem, this is a firmware problem on the RV260!

The same VPN IKEv2 configuration between RV340 and the ASA works.