IPSEC VPN CONNECTIVITY ISSUES

Chucks · ‎10-02-2023

I am trying to establish IPsec VPN connection between my cisco 2901 series router and Azure, but I have been unable to connect.

Captured below is my debug log:

prot: 3 txfm: 12 hmac 5 flags 16369 keysize 256 IDB 0x0

*Sep 28 14:39:19.578: IKEv2:KMI/verify policy/sending to IPSec:

prot: 3 txfm: 12 hmac 5 flags 16369 keysize 256 IDB 0x0

*Sep 28 14:39:19.578: IKEv2:KMI/verify policy/sending to IPSec:

prot: 3 txfm: 12 hmac 5 flags 16369 keysize 256 IDB 0x0

*Sep 28 14:39:19.578: IKEv2:KMI/verify policy/sending to IPSec:

prot: 3 txfm: 12 hmac 5 flags 16369 keysize 256 IDB 0x0

*Sep 28 14:39:19.578: IKEv2:KMI/verify policy/sending to IPSec:

prot: 3 txfm: 12 hmac 5 flags 16369 keysize 256 IDB 0x0

*Sep 28 14:39:19.578: IKEv2:KMI/verify policy/sending to IPSec:

prot: 3 txfm: 12 hmac 5 flags 16369 keysize 256 IDB 0x0

*Sep 28 14:39:19.578: IKEv2:KMI/verify policy/sending to IPSec:

prot: 3 txfm: 12 hmac 5 flags 16369 keysize 256 IDB 0x0

*Sep 28 14:39:19.578: IKEv2:KMI/verify policy/sending to IPSec:

prot: 3 txfm: 12 hmac 5 flags 16369 keysize 256 IDB 0x0

*Sep 28 14:39:19.578: IKEv2:KMI/verify policy/sending to IPSec:

prot: 3 txfm: 12 hmac 5 flags 16369 keysize 256 IDB 0x0

*Sep 28 14:39:19.578: IKEv2:KMI/verify policy/sending to IPSec:

prot: 3 txfm: 12 hmac 5 flags 16369 keysize 256 IDB 0x0

*Sep 28 14:39:19.578: IKEv2:KMI/verify policy/sending to IPSec:

prot: 3 txfm: 12 hmac 5 flags 16369 keysize 256 IDB 0x0

*Sep 28 14:39:19.578: IKEv2:KMI/verify policy/sending to IPSec:

prot: 3 txfm: 12 hmac 5 flags 16369 keysize 256 IDB 0x0

*Sep 28 14:39:19.578: IKEv2:(SA ID = 46):There was no IPSEC policy found for received TS

*Sep 28 14:39:19.578: IKEv2:(SA ID = 46):

*Sep 28 14:39:19.578: IKEv2:(SA ID = 46):Sending TS unacceptable notify

*Sep 28 14:39:19.578: IKEv2:(SA ID = 46):Get my authentication method

*Sep 28 14:39:19.578: IKEv2:(SA ID = 46):My authentication method is 'PSK'

*Sep 28 14:39:19.578: IKEv2:(SA ID = 46):Get peer's preshared key for Y.Y.Y.242

*Sep 28 14:39:19.578: IKEv2:(SA ID = 46):Generate my authentication data

*Sep 28 14:39:19.578: IKEv2:(SA ID = 46):Use preshared key for id Z.Z.Z.Z, key len 25

*Sep 28 14:39:19.578: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data

*Sep 28 14:39:19.578: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED

*Sep 28 14:39:19.578: IKEv2:(SA ID = 46):Get my authentication method

*Sep 28 14:39:19.578: IKEv2:(SA ID = 46):My authentication method is 'PSK'

*Sep 28 14:39:19.578: IKEv2:(SA ID = 46):Generating IKE_AUTH message

*Sep 28 14:39:19.578: IKEv2:(SA ID = 46):Constructing IDr payload: 'Z.Z.Z.Z' of type 'IPv4 address'

*Sep 28 14:39:19.578: IKEv2:(SA ID = 46):Building packet for encryption.

Payload contents:

VID IDr AUTH NOTIFY(TS_UNACCEPTABLE)

*Sep 28 14:39:19.582: IKEv2:(SA ID = 46):Sending Packet [To Y.Y.Y.242:500/From Z.Z.Z.Z:500/VRF i0:f0]

Initiator SPI : ECEB4ADCB7629AEA - Responder SPI : 026778FC2A731858 Message id: 1

IKEv2 IKE_AUTH Exchange RESPONSE

Payload contents:

ENCR

*Sep 28 14:39:19.582: IKEv2:(SA ID = 46):IKEV2 SA created; inserting SA into database. SA lifetime timer (27000 sec) started

*Sep 28 14:39:19.582: IKEv2:(SA ID = 46):Initializing DPD, configured for 10 seconds

*Sep 28 14:39:19.582: IKEv2:IKEv2 MIB tunnel started, tunnel index 46

*Sep 28 14:39:19.582: IKEv2:(SA ID = 46):Checking for duplicate IKEv2 SA

*Sep 28 14:39:19.582: IKEv2:(SA ID = 46):No duplicate IKEv2 SA found

*Sep 28 14:39:19.582: IKEv2:(SA ID = 46):Starting timer (8 sec) to delete negotiation context

*Sep 28 14:39:32.498: IKEv2:(SA ID = 220):Checking if we need to rekey the IKE SA

*Sep 28 14:39:32.498: IKEv2:Failed to decrement count for incoming negotiating

*Sep 28 14:39:32.498: IKEv2:(SA ID = 220):Abort exchange

*Sep 28 14:39:34.498: IKEv2:Received Packet [From Y.Y.Y.229:500/To Z.Z.Z.Z:500/VRF i0:f0]

Initiator SPI : 0F6F1F8C0A601E18 - Responder SPI : 0000000000000000 Message id: 0

IKEv2 IKE_SA_INIT Exchange REQUEST

Payload contents:

SA KE N NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID VID VID VID

*Sep 28 14:39:34.498: IKEv2:(SA ID = 47):Verify SA init message

*Sep 28 14:39:34.498: IKEv2:(SA ID = 47):Insert SA

*Sep 28 14:39:34.498: IKEv2:Searching Policy with fvrf 0, local address Z.Z.Z.Z

*Sep 28 14:39:34.498: IKEv2:Found Policy 'IKEV2_POLICY-AZURE-WE'

*Sep 28 14:39:34.498: IKEv2:(SA ID = 47):Processing IKE_SA_INIT message

*Sep 28 14:39:34.498: IKEv2:(SA ID = 47):[IKEv2 -> PKI] Retrieve configured trustpoint(s)

*Sep 28 14:39:34.498: IKEv2:(SA ID = 47):[PKI -> IKEv2] Retrieved trustpoint(s): NONE

*Sep 28 14:39:34.498: IKEv2:Failed to retrieve Certificate Issuer list

*Sep 28 14:39:34.502: IKEv2:(SA ID = 47):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14

*Sep 28 14:39:34.502: IKEv2:(SA ID = 47):[Crypto Engine -> IKEv2] DH key Computation PASSED

*Sep 28 14:39:34.502: IKEv2:(SA ID = 47):Request queued for computation of DH key

*Sep 28 14:39:34.502: IKEv2:(SA ID = 47):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14

*Sep 28 14:39:34.662: IKEv2:(SA ID = 47):[Crypto Engine -> IKEv2] DH key Computation PASSED

*Sep 28 14:39:34.662: IKEv2:(SA ID = 47):Request queued for computation of DH secret

*Sep 28 14:39:34.662: IKEv2:(SA ID = 47):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA

*Sep 28 14:39:34.662: IKEv2:(SA ID = 47):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED

*Sep 28 14:39:34.662: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch

*Sep 28 14:39:34.662: IKEv2:(SA ID = 47):Generating IKE_SA_INIT message

*Sep 28 14:39:34.662: IKEv2:(SA ID = 47):IKE Proposal: 1, SPI size: 0 (initial negotiation),

Num. transforms: 4

AES-CBC SHA256 SHA256 DH_GROUP_2048_MODP/Group 14

*Sep 28 14:39:34.662: IKEv2:(SA ID = 47):[IKEv2 -> PKI] Retrieve configured trustpoint(s)

*Sep 28 14:39:34.662: IKEv2:(SA ID = 47):[PKI -> IKEv2] Retrieved trustpoint(s): NONE

*Sep 28 14:39:34.662: IKEv2:Failed to retrieve Certificate Issuer list

*Sep 28 14:39:34.666: IKEv2:(SA ID = 47):Sending Packet [To Y.Y.Y.229:500/From Z.Z.Z.Z:500/VRF i0:f0]

Initiator SPI : 0F6F1F8C0A601E18 - Responder SPI : 48C14E7941043442 Message id: 0

IKEv2 IKE_SA_INIT Exchange RESPONSE

Payload contents:

SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Sep 28 14:39:34.666: IKEv2:(SA ID = 47):Completed SA init exchange

*Sep 28 14:39:34.666: IKEv2:(SA ID = 47):Starting timer (30 sec) to wait for auth message

*Sep 28 14:39:34.790: IKEv2:(SA ID = 47):Received Packet [From Y.Y.Y.229:500/To Z.Z.Z.Z:500/VRF i0:f0]

Initiator SPI : 0F6F1F8C0A601E18 - Responder SPI : 48C14E7941043442 Message id: 1

IKEv2 IKE_AUTH Exchange REQUEST

Payload contents:

IDi AUTH SA TSi TSr

*Sep 28 14:39:34.790: IKEv2:(SA ID = 47):Stopping timer to wait for auth message

*Sep 28 14:39:34.790: IKEv2:(SA ID = 47):Checking NAT discovery

*Sep 28 14:39:34.790: IKEv2:(SA ID = 47):NAT not found

*Sep 28 14:39:34.790: IKEv2:(SA ID = 47):Searching policy based on peer's identity 'Y.Y.Y.229' of type 'IPv4 address'

*Sep 28 14:39:34.790: IKEv2:% IKEv2 profile not found

*Sep 28 14:39:34.790: IKEv2:(SA ID = 47):Failed to locate an item in the database

*Sep 28 14:39:34.790: IKEv2:(SA ID = 47):

*Sep 28 14:39:34.790: IKEv2:(SA ID = 47):Verification of peer's authentication data FAILED

*Sep 28 14:39:34.790: IKEv2:(SA ID = 47):Sending authentication failure notify

*Sep 28 14:39:34.790: IKEv2:(SA ID = 47):Building packet for encryption.

Payload contents:

NOTIFY(AUTHENTICATION_FAILED)

*Sep 28 14:39:34.790: IKEv2:(SA ID = 47):Sending Packet [To Y.Y.Y.229:500/From Z.Z.Z.Z:500/VRF i0:f0]

Initiator SPI : 0F6F1F8C0A601E18 - Responder SPI : 48C14E7941043442 Message id: 1

IKEv2 IKE_AUTH Exchange RESPONSE

Payload contents:

ENCR

*Sep 28 14:39:34.794: IKEv2:(SA ID = 47):Auth exchange failed

*Sep 28 14:39:34.794: IKEv2:(SA ID = 47):Abort exchange

*Sep 28 14:39:34.794: IKEv2:(SA ID = 47):Deleting SA

*Sep 28 14:39:39.910: IKEv2:(SA ID = 45):Retransmitting packet

*Sep 28 14:39:39.910: IKEv2:(SA ID = 45):Sending Packet [To Y.Y.Y.242:500/From Z.Z.Z.Z:500/VRF i0:f0]

Initiator SPI : 37E3A2987F20EBE8 - Responder SPI : 605767D9ED56573A Message id: 0

IKEv2 CREATE_CHILD_SA Exchange REQUEST

Payload contents:

ENCR

*Sep 28 14:39:43.078: IKEv2:Received Packet [From W.W.W.W:500/To Z.Z.Z.Z:500/VRF i0:f0]

Initiator SPI : A5019392C7D0B0A0 - Responder SPI : 0000000000000000 Message id: 0

IKEv2 IKE_SA_INIT Exchange REQUEST

Payload contents:

SA KE N NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID VID VID VID

*Sep 28 14:39:43.078: IKEv2:(SA ID = 47):Verify SA init message

*Sep 28 14:39:43.082: IKEv2:(SA ID = 47):Insert SA

*Sep 28 14:39:43.082: IKEv2:Searching Policy with fvrf 0, local address Z.Z.Z.Z

*Sep 28 14:39:43.082: IKEv2:Found Policy 'IKEV2_POLICY-AZURE-WE'

*Sep 28 14:39:43.082: IKEv2:(SA ID = 47):Processing IKE_SA_INIT message

*Sep 28 14:39:43.082: IKEv2:(SA ID = 47):[IKEv2 -> PKI] Retrieve configured trustpoint(s)

*Sep 28 14:39:43.082: IKEv2:(SA ID = 47):[PKI -> IKEv2] Retrieved trustpoint(s): NONE

*Sep 28 14:39:43.082: IKEv2:Failed to retrieve Certificate Issuer list

*Sep 28 14:39:43.082: IKEv2:(SA ID = 47):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14

*Sep 28 14:39:43.082: IKEv2:(SA ID = 47):[Crypto Engine -> IKEv2] DH key Computation PASSED

*Sep 28 14:39:43.082: IKEv2:(SA ID = 47):Request queued for computation of DH key

*Sep 28 14:39:43.082: IKEv2:(SA ID = 47):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14

*Sep 28 14:39:43.238: IKEv2:(SA ID = 47):[Crypto Engine -> IKEv2] DH key Computation PASSED

*Sep 28 14:39:43.238: IKEv2:(SA ID = 47):Request queued for computation of DH secret

*Sep 28 14:39:43.238: IKEv2:(SA ID = 47):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA

*Sep 28 14:39:43.238: IKEv2:(SA ID = 47):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED

*Sep 28 14:39:43.238: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch

*Sep 28 14:39:43.238: IKEv2:(SA ID = 47):Generating IKE_SA_INIT message

*Sep 28 14:39:43.238: IKEv2:(SA ID = 47):IKE Proposal: 1, SPI size: 0 (initial negotiation),

Num. transforms: 4

AES-CBC SHA256 SHA256 DH_GROUP_2048_MODP/Group 14

*Sep 28 14:39:43.238: IKEv2:(SA ID = 47):[IKEv2 -> PKI] Retrieve configured trustpoint(s)

*Sep 28 14:39:43.238: IKEv2:(SA ID = 47):[PKI -> IKEv2] Retrieved trustpoint(s): NONE

*Sep 28 14:39:43.238: IKEv2:Failed to retrieve Certificate Issuer list

*Sep 28 14:39:43.242: IKEv2:(SA ID = 47):Sending Packet [To W.W.W.W:500/From Z.Z.Z.Z:500/VRF i0:f0]

Initiator SPI : A5019392C7D0B0A0 - Responder SPI : 459625583C997784 Message id: 0

IKEv2 IKE_SA_INIT Exchange RESPONSE

Payload contents:

SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Sep 28 14:39:43.242: IKEv2:(SA ID = 47):Completed SA init exchange

*Sep 28 14:39:43.242: IKEv2:(SA ID = 47):Starting timer (30 sec) to wait for auth message

*Sep 28 14:39:43.366: IKEv2:(SA ID = 47):Received Packet [From W.W.W.W:500/To Z.Z.Z.Z:500/VRF i0:f0]

Initiator SPI : A5019392C7D0B0A0 - Responder SPI : 459625583C997784 Message id: 1

IKEv2 IKE_AUTH Exchange REQUEST

Payload contents:

IDi AUTH SA TSi TSr

*Sep 28 14:39:43.366: IKEv2:(SA ID = 47):Stopping timer to wait for auth message

*Sep 28 14:39:43.366: IKEv2:(SA ID = 47):Checking NAT discovery

*Sep 28 14:39:43.366: IKEv2:(SA ID = 47):NAT not found

*Sep 28 14:39:43.366: IKEv2:(SA ID = 47):Searching policy based on peer's identity 'W.W.W.W' of type 'IPv4 address'

*Sep 28 14:39:43.366: IKEv2:% IKEv2 profile not found

*Sep 28 14:39:43.366: IKEv2:(SA ID = 47):Failed to locate an item in the database

*Sep 28 14:39:43.366: IKEv2:(SA ID = 47):

*Sep 28 14:39:43.366: IKEv2:(SA ID = 47):Verification of peer's authentication data FAILED

*Sep 28 14:39:43.366: IKEv2:(SA ID = 47):Sending authentication failure notify

*Sep 28 14:39:43.366: IKEv2:(SA ID = 47):Building packet for encryption.

Payload contents:

NOTIFY(AUTHENTICATION_FAILED)

*Sep 28 14:39:43.366: IKEv2:(SA ID = 47):Sending Packet [To W.W.W.W:500/From Z.Z.Z.Z:500/VRF i0:f0]

Initiator SPI : A5019392C7D0B0A0 - Responder SPI : 459625583C997784 Message id: 1

IKEv2 IKE_AUTH Exchange RESPONSE

Payload contents:

ENCR

*Sep 28 14:39:43.370: IKEv2:(SA ID = 47):Auth exchange failed

*Sep 28 14:39:43.370: IKEv2:(SA ID = 47):Abort exchange

*Sep 28 14:39:43.370: IKEv2:(SA ID = 47):Deleting SA

*Sep 28 14:39:44.898: IKEv2:(SA ID = 45):Maximum number of retransmissions reached

*Sep 28 14:39:44.898: IKEv2:(SA ID = 45):

*Sep 28 14:39:44.898: IKEv2:(SA ID = 45):Check for existing active SA

*Sep 28 14:39:44.898: IKEv2:(SA ID = 45):Delete all IKE SAs

*Sep 28 14:39:44.898: IKEv2:(SA ID = 45):Deleting SA

*Sep 28 14:40:01.010: IKEv2:(SA ID = 219):Retransmitting packet

*Sep 28 14:40:01.010: IKEv2:(SA ID = 219):Sending Packet [To Y.Y.Y.242:500/From Z.Z.Z.Z:500/VRF i0:f0]

Initiator SPI : 5D6DDBBF1E484243 - Responder SPI : 3903A427FC36AB9C Message id: 0

IKEv2 INFORMATIONAL Exchange REQUEST

Payload contents:

ENCR

*Sep 28 14:40:02.498: IKEv2:(SA ID = 220):Queuing IKE SA delete request reason: lifetime expired

*Sep 28 14:40:02.498: IKEv2:(SA ID = 220):Sending DELETE INFO message for IKEv2 SA [ISPI: 0x04D64D33167FEBA7 RSPI: 0xC19E615804C37AF2]

*Sep 28 14:40:02.498: IKEv2:(SA ID = 220):Building packet for encryption.

Payload contents:

DELETE

*Sep 28 14:40:02.498: IKEv2:(SA ID = 220):Checking if request will fit in peer window

*Sep 28 14:40:02.498: IKEv2:(SA ID = 220):Sending Packet [To Y.Y.Y.242:500/From Z.Z.Z.Z:500/VRF i0:f0]

Initiator SPI : 04D64D33167FEBA7 - Responder SPI : C19E615804C37AF2 Message id: 0

IKEv2 INFORMATIONAL Exchange REQUEST

Payload contents:

ENCR

*Sep 28 14:40:02.498: IKEv2:(SA ID = 220):Check for existing active SA

*Sep 28 14:40:04.490: IKEv2:(SA ID = 220):Retransmitting packet

*Sep 28 14:40:04.490: IKEv2:(SA ID = 220):Sending Packet [To Y.Y.Y.242:500/From Z.Z.Z.Z:500/VRF i0:f0]

Initiator SPI : 04D64D33167FEBA7 - Responder SPI : C19E615804C37AF2 Message id: 0

IKEv2 INFORMATIONAL Exchange REQUEST

Payload contents:

ENCR

*Sep 28 14:40:05.534: IKEv2:(SA ID = 219):Maximum number of retransmissions reached

*Sep 28 14:40:05.534: IKEv2:(SA ID = 219):

*Sep 28 14:40:05.534: IKEv2:(SA ID = 219):Check for existing active SA

*Sep 28 14:40:05.534: IKEv2:(SA ID = 219):Delete all IKE SAs

*Sep 28 14:40:05.534: IKEv2:(SA ID = 219):Deleting SA

*Sep 28 14:40:08.118: IKEv2:(SA ID = 220):Retransmitting packet

*Sep 28 14:40:08.118: IKEv2:(SA ID = 220):Sending Packet [To Y.Y.Y.242:500/From Z.Z.Z.Z:500/VRF i0:f0]

Initiator SPI : 04D64D33167FEBA7 - Responder SPI : C19E615804C37AF2 Message id: 0

IKEv2 INFORMATIONAL Exchange REQUEST

Payload contents:

ENCR

*Sep 28 14:40:15.962: IKEv2:(SA ID = 220):Retransmitting packet

*Sep 28 14:40:15.962: IKEv2:(SA ID = 220):Sending Packet [To Y.Y.Y.242:500/From Z.Z.Z.Z:500/VRF i0:f0]

Initiator SPI : 04D64D33167FEBA7 - Responder SPI : C19E615804C37AF2 Message id: 0

IKEv2 INFORMATIONAL Exchange REQUEST

Payload contents:

ENCR

*Sep 28 14:40:31.646: IKEv2:(SA ID = 220):Retransmitting packet

*Sep 28 14:40:31.646: IKEv2:(SA ID = 220):Sending Packet [To Y.Y.Y.242:500/From Z.Z.Z.Z:500/VRF i0:f0]

Initiator SPI : 04D64D33167FEBA7 - Responder SPI : C19E615804C37AF2 Message id: 0

IKEv2 INFORMATIONAL Exchange REQUEST

Payload contents:

ENCR

*Sep 28 14:41:03.354: IKEv2:(SA ID = 220):Retransmitting packet

*Sep 28 14:41:03.354: IKEv2:(SA ID = 220):Sending Packet [To Y.Y.Y.242:500/From Z.Z.Z.Z:500/VRF i0:f0]

Initiator SPI : 04D64D33167FEBA7 - Responder SPI : C19E615804C37AF2 Message id: 0

IKEv2 INFORMATIONAL Exchange REQUEST

Payload contents:

ENCR

*Sep 28 14:41:19.290: IKEv2:Received Packet [From Y.Y.Y.242:500/To Z.Z.Z.Z:500/VRF i0:f0]

Initiator SPI : C5D2084C2A3FA882 - Responder SPI : 0000000000000000 Message id: 0

IKEv2 IKE_SA_INIT Exchange REQUEST

Payload contents:

SA KE N NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID VID VID VID

*Sep 28 14:41:19.294: IKEv2:(SA ID = 45):Verify SA init message

*Sep 28 14:41:19.294: IKEv2:(SA ID = 45):Insert SA

*Sep 28 14:41:19.294: IKEv2:Searching Policy with fvrf 0, local address Z.Z.Z.Z

*Sep 28 14:41:19.294: IKEv2:Found Policy 'IKEV2_POLICY-AZURE-WE'

*Sep 28 14:41:19.294: IKEv2:(SA ID = 45):Processing IKE_SA_INIT message

*Sep 28 14:41:19.294: IKEv2:(SA ID = 45):[IKEv2 -> PKI] Retrieve configured trustpoint(s)

*Sep 28 14:41:19.294: IKEv2:(SA ID = 45):[PKI -> IKEv2] Retrieved trustpoint(s): NONE

*Sep 28 14:41:19.294: IKEv2:Failed to retrieve Certificate Issuer list

*Sep 28 14:41:19.294: IKEv2:(SA ID = 45):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14

*Sep 28 14:41:19.294: IKEv2:(SA ID = 45):[Crypto Engine -> IKEv2] DH key Computation PASSED

*Sep 28 14:41:19.294: IKEv2:(SA ID = 45):Request queued for computation of DH key

*Sep 28 14:41:19.294: IKEv2:(SA ID = 45):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14

*Sep 28 14:41:19.450: IKEv2:(SA ID = 45):[Crypto Engine -> IKEv2] DH key Computation PASSED

*Sep 28 14:41:19.450: IKEv2:(SA ID = 45):Request queued for computation of DH secret

*Sep 28 14:41:19.450: IKEv2:(SA ID = 45):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA

*Sep 28 14:41:19.450: IKEv2:(SA ID = 45):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED

*Sep 28 14:41:19.450: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch

*Sep 28 14:41:19.450: IKEv2:(SA ID = 45):Generating IKE_SA_INIT message

*Sep 28 14:41:19.450: IKEv2:(SA ID = 45):IKE Proposal: 1, SPI size: 0 (initial negotiation),

Num. transforms: 4

AES-CBC SHA256 SHA256 DH_GROUP_2048_MODP/Group 14

*Sep 28 14:41:19.454: IKEv2:(SA ID = 45):[IKEv2 -> PKI] Retrieve configured trustpoint(s)

*Sep 28 14:41:19.454: IKEv2:(SA ID = 45):[PKI -> IKEv2] Retrieved trustpoint(s): NONE

*Sep 28 14:41:19.454: IKEv2:Failed to retrieve Certificate Issuer list

*Sep 28 14:41:19.454: IKEv2:(SA ID = 45):Sending Packet [To Y.Y.Y.242:500/From Z.Z.Z.Z:500/VRF i0:f0]

Initiator SPI : C5D2084C2A3FA882 - Responder SPI : 4FCE82EC5D835E2A Message id: 0

IKEv2 IKE_SA_INIT Exchange RESPONSE

Payload contents:

SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Sep 28 14:41:19.454: IKEv2:(SA ID = 45):Completed SA init exchange

*Sep 28 14:41:19.454: IKEv2:(SA ID = 45):Starting timer (30 sec) to wait for auth message

*Sep 28 14:41:19.578: IKEv2:(SA ID = 45):Received Packet [From Y.Y.Y.242:500/To Z.Z.Z.Z:500/VRF i0:f0]

Initiator SPI : C5D2084C2A3FA882 - Responder SPI : 4FCE82EC5D835E2A Message id: 1

IKEv2 IKE_AUTH Exchange REQUEST

Payload contents:

IDi AUTH SA TSi TSr

*Sep 28 14:41:19.578: IKEv2:(SA ID = 45):Stopping timer to wait for auth message

*Sep 28 14:41:19.578: IKEv2:(SA ID = 45):Checking NAT discovery

*Sep 28 14:41:19.578: IKEv2:(SA ID = 45):NAT not found

*Sep 28 14:41:19.578: IKEv2:(SA ID = 45):Searching policy based on peer's identity 'Y.Y.Y.242' of type 'IPv4 address'

*Sep 28 14:41:19.578: IKEv2:found matching IKEv2 profile 'IKEV2_PROFILE-AZURE-WE'

*Sep 28 14:41:19.578: IKEv2:% Getting preshared key from profile keyring IKEV2_KEYRING-AZURE-WE

*Sep 28 14:41:19.578: IKEv2:% Matched peer block 'Y.Y.Y.242'

*Sep 28 14:41:19.578: IKEv2:Searching Policy with fvrf 0, local address Z.Z.Z.Z

*Sep 28 14:41:19.578: IKEv2:Found Policy 'IKEV2_POLICY-AZURE-WE'

*Sep 28 14:41:19.578: IKEv2:(SA ID = 45):Verify peer's policy

*Sep 28 14:41:19.578: IKEv2:(SA ID = 45):Peer's policy verified

*Sep 28 14:41:19.578: IKEv2:(SA ID = 45):Get peer's authentication method

*Sep 28 14:41:19.578: IKEv2:(SA ID = 45):Peer's authentication method is 'PSK'

*Sep 28 14:41:19.578: IKEv2:(SA ID = 45):Get peer's preshared key for Y.Y.Y.242

*Sep 28 14:41:19.578: IKEv2:(SA ID = 45):Verify peer's authentication data

*Sep 28 14:41:19.578: IKEv2:(SA ID = 45):Use preshared key for id Y.Y.Y.242, key len 25

*Sep 28 14:41:19.578: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data

*Sep 28 14:41:19.578: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED

*Sep 28 14:41:19.578: IKEv2:(SA ID = 45):Verification of peer's authenctication data PASSED

*Sep 28 14:41:19.578: IKEv2:(SA ID = 45):Processing IKE_AUTH message

*Sep 28 14:41:19.578: IKEv2:KMI/verify policy/sending to IPSec:

prot: 3 txfm: 12 hmac 5 flags 16369 keysize 256 IDB 0x0

*Sep 28 14:41:19.582: IKEv2:(SA ID = 45):There was no IPSEC policy found for received TS

*Sep 28 14:41:19.582: IKEv2:(SA ID = 45):

*Sep 28 14:41:19.582: IKEv2:(SA ID = 45):Sending TS unacceptable notify

*Sep 28 14:41:19.582: IKEv2:(SA ID = 45):Get my authentication method

*Sep 28 14:41:19.582: IKEv2:(SA ID = 45):My authentication method is 'PSK'

*Sep 28 14:41:19.582: IKEv2:(SA ID = 45):Get peer's preshared key for Y.Y.Y.242

*Sep 28 14:41:19.582: IKEv2:(SA ID = 45):Generate my authentication data

*Sep 28 14:41:19.582: IKEv2:(SA ID = 45):Use preshared key for id Z.Z.Z.Z, key len 25

*Sep 28 14:41:19.582: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data

*Sep 28 14:41:19.582: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED

*Sep 28 14:41:19.582: IKEv2:(SA ID = 45):Get my authentication method

*Sep 28 14:41:19.582: IKEv2:(SA ID = 45):My authentication method is 'PSK'

*Sep 28 14:41:19.582: IKEv2:(SA ID = 45):Generating IKE_AUTH message

*Sep 28 14:41:19.582: IKEv2:(SA ID = 45):Constructing IDr payload: 'Z.Z.Z.Z' of type 'IPv4 address'

*Sep 28 14:41:19.582: IKEv2:(SA ID = 45):Building packet for encryption.

Payload contents:

VID IDr AUTH NOTIFY(TS_UNACCEPTABLE)

*Sep 28 14:41:19.582: IKEv2:(SA ID = 45):Sending Packet [To Y.Y.Y.242:500/From Z.Z.Z.Z:500/VRF i0:f0]

Initiator SPI : C5D2084C2A3FA882 - Responder SPI : 4FCE82EC5D835E2A Message id: 1

IKEv2 IKE_AUTH Exchange RESPONSE

Payload contents:

ENCR

*Sep 28 14:41:19.582: IKEv2:(SA ID = 45):IKEV2 SA created; inserting SA into database. SA lifetime timer (27000 sec) started

*Sep 28 14:41:19.582: IKEv2:(SA ID = 45):Initializing DPD, configured for 10 seconds

*Sep 28 14:41:19.582: IKEv2:IKEv2 MIB tunnel started, tunnel index 45

*Sep 28 14:41:19.582: IKEv2:(SA ID = 45):Checking for duplicate IKEv2 SA

*Sep 28 14:41:19.586: IKEv2:(SA ID = 45):No duplicate IKEv2 SA found

*Sep 28 14:41:19.586: IKEv2:(SA ID = 45):Starting timer (8 sec) to delete negotiation context

*Sep 28 14:41:30.510: IKEv2:(SA ID = 221):Checking if we need to rekey the IKE SA

*Sep 28 14:41:30.510: IKEv2:Failed to decrement count for incoming negotiating

*Sep 28 14:41:30.510: IKEv2:(SA ID = 221):Abort exchange

*Sep 28 14:41:34.494: IKEv2:Received Packet [From Y.Y.Y.229:500/To Z.Z.Z.Z:500/VRF i0:f0]

Initiator SPI : 10F9AF6097ADDC41 - Responder SPI : 0000000000000000 Message id: 0

IKEv2 IKE_SA_INIT Exchange REQUEST

Payload contents:

SA KE N NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID VID VID VID

*Sep 28 14:41:34.494: IKEv2:(SA ID = 47):Verify SA init message

*Sep 28 14:41:34.494: IKEv2:(SA ID = 47):Insert SA

*Sep 28 14:41:34.494: IKEv2:Searching Policy with fvrf 0, local address Z.Z.Z.Z

*Sep 28 14:41:34.494: IKEv2:Found Policy 'IKEV2_POLICY-AZURE-WE'

*Sep 28 14:41:34.494: IKEv2:(SA ID = 47):Processing IKE_SA_INIT message

*Sep 28 14:41:34.494: IKEv2:(SA ID = 47):[IKEv2 -> PKI] Retrieve configured trustpoint(s)

*Sep 28 14:41:34.494: IKEv2:(SA ID = 47):[PKI -> IKEv2] Retrieved trustpoint(s): NONE

*Sep 28 14:41:34.494: IKEv2:Failed to retrieve Certificate Issuer list

*Sep 28 14:41:34.494: IKEv2:(SA ID = 47):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14

*Sep 28 14:41:34.494: IKEv2:(SA ID = 47):[Crypto Engine -> IKEv2] DH key Computation PASSED

*Sep 28 14:41:34.494: IKEv2:(SA ID = 47):Request queued for computation of DH key

*Sep 28 14:41:34.494: IKEv2:(SA ID = 47):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14

*Sep 28 14:41:34.654: IKEv2:(SA ID = 47):[Crypto Engine -> IKEv2] DH key Computation PASSED

*Sep 28 14:41:34.658: IKEv2:(SA ID = 47):Request queued for computation of DH secret

*Sep 28 14:41:34.658: IKEv2:(SA ID = 47):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA

*Sep 28 14:41:34.658: IKEv2:(SA ID = 47):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED

*Sep 28 14:41:34.658: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch

*Sep 28 14:41:34.658: IKEv2:(SA ID = 47):Generating IKE_SA_INIT message

*Sep 28 14:41:34.658: IKEv2:(SA ID = 47):IKE Proposal: 1, SPI size: 0 (initial negotiation),

Num. transforms: 4

AES-CBC SHA256 SHA256 DH_GROUP_2048_MODP/Group 14

*Sep 28 14:41:34.658: IKEv2:(SA ID = 47):[IKEv2 -> PKI] Retrieve configured trustpoint(s)

*Sep 28 14:41:34.658: IKEv2:(SA ID = 47):[PKI -> IKEv2] Retrieved trustpoint(s): NONE

*Sep 28 14:41:34.658: IKEv2:Failed to retrieve Certificate Issuer list

*Sep 28 14:41:34.658: IKEv2:(SA ID = 47):Sending Packet [To Y.Y.Y.229:500/From Z.Z.Z.Z:500/VRF i0:f0]

Initiator SPI : 10F9AF6097ADDC41 - Responder SPI : 61B7BFB6494181E2 Message id: 0

IKEv2 IKE_SA_INIT Exchange RESPONSE

Payload contents:

SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Sep 28 14:41:34.662: IKEv2:(SA ID = 47):Completed SA init exchange

*Sep 28 14:41:34.662: IKEv2:(SA ID = 47):Starting timer (30 sec) to wait for auth message

*Sep 28 14:41:34.786: IKEv2:(SA ID = 47):Received Packet [From Y.Y.Y.229:500/To Z.Z.Z.Z:500/VRF i0:f0]

Initiator SPI : 10F9AF6097ADDC41 - Responder SPI : 61B7BFB6494181E2 Message id: 1

IKEv2 IKE_AUTH Exchange REQUEST

Payload contents:

IDi AUTH SA TSi TSr

*Sep 28 14:41:34.786: IKEv2:(SA ID = 47):Stopping timer to wait for auth message

*Sep 28 14:41:34.786: IKEv2:(SA ID = 47):Checking NAT discovery

*Sep 28 14:41:34.786: IKEv2:(SA ID = 47):NAT not found

*Sep 28 14:41:34.786: IKEv2:(SA ID = 47):Searching policy based on peer's identity 'Y.Y.Y.229' of type 'IPv4 address'

*Sep 28 14:41:34.786: IKEv2:% IKEv2 profile not found

*Sep 28 14:41:34.786: IKEv2:(SA ID = 47):Failed to locate an item in the database

*Sep 28 14:41:34.786: IKEv2:(SA ID = 47):

*Sep 28 14:41:34.786: IKEv2:(SA ID = 47):Verification of peer's authentication data FAILED

*Sep 28 14:41:34.786: IKEv2:(SA ID = 47):Sending authentication failure notify

*Sep 28 14:41:34.786: IKEv2:(SA ID = 47):Building packet for encryption.

Payload contents:

NOTIFY(AUTHENTICATION_FAILED)

*Sep 28 14:41:34.786: IKEv2:(SA ID = 47):Sending Packet [To Y.Y.Y.229:500/From Z.Z.Z.Z:500/VRF i0:f0]

Initiator SPI : 10F9AF6097ADDC41 - Responder SPI : 61B7BFB6494181E2 Message id: 1

IKEv2 IKE_AUTH Exchange RESPONSE

Payload contents:

ENCR

*Sep 28 14:41:34.786: IKEv2:(SA ID = 47):Auth exchange failed

*Sep 28 14:41:34.790: IKEv2:(SA ID = 47):Abort exchange

*Sep 28 14:41:34.790: IKEv2:(SA ID = 47):Deleting SA

*Sep 28 14:41:43.086: IKEv2:Received Packet [From W.W.W.W:500/To Z.Z.Z.Z:500/VRF i0:f0]

Initiator SPI : FF6EBF5B9AEE6811 - Responder SPI : 0000000000000000 Message id: 0

IKEv2 IKE_SA_INIT Exchange REQUEST

Payload contents:

SA KE N NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID VID VID VID

*Sep 28 14:41:43.086: IKEv2:(SA ID = 47):Verify SA init message

*Sep 28 14:41:43.086: IKEv2:(SA ID = 47):Insert SA

*Sep 28 14:41:43.086: IKEv2:Searching Policy with fvrf 0, local address Z.Z.Z.Z

*Sep 28 14:41:43.086: IKEv2:Found Policy 'IKEV2_POLICY-AZURE-WE'

*Sep 28 14:41:43.086: IKEv2:(SA ID = 47):Processing IKE_SA_INIT message

*Sep 28 14:41:43.086: IKEv2:(SA ID = 47):[IKEv2 -> PKI] Retrieve configured trustpoint(s)

*Sep 28 14:41:43.086: IKEv2:(SA ID = 47):[PKI -> IKEv2] Retrieved trustpoint(s): NONE

*Sep 28 14:41:43.086: IKEv2:Failed to retrieve Certificate Issuer list

*Sep 28 14:41:43.086: IKEv2:(SA ID = 47):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14

*Sep 28 14:41:43.086: IKEv2:(SA ID = 47):[Crypto Engine -> IKEv2] DH key Computation PASSED

*Sep 28 14:41:43.086: IKEv2:(SA ID = 47):Request queued for computation of DH key

*Sep 28 14:41:43.086: IKEv2:(SA ID = 47):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14

*Sep 28 14:41:43.250: IKEv2:(SA ID = 47):[Crypto Engine -> IKEv2] DH key Computation PASSED

*Sep 28 14:41:43.250: IKEv2:(SA ID = 47):Request queued for computation of DH secret

*Sep 28 14:41:43.250: IKEv2:(SA ID = 47):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA

*Sep 28 14:41:43.250: IKEv2:(SA ID = 47):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED

*Sep 28 14:41:43.250: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch

*Sep 28 14:41:43.250: IKEv2:(SA ID = 47):Generating IKE_SA_INIT message

*Sep 28 14:41:43.250: IKEv2:(SA ID = 47):IKE Proposal: 1, SPI size: 0 (initial negotiation),

Num. transforms: 4

AES-CBC SHA256 SHA256 DH_GROUP_2048_MODP/Group 14

*Sep 28 14:41:43.254: IKEv2:(SA ID = 47):[IKEv2 -> PKI] Retrieve configured trustpoint(s)

*Sep 28 14:41:43.254: IKEv2:(SA ID = 47):[PKI -> IKEv2] Retrieved trustpoint(s): NONE

*Sep 28 14:41:43.254: IKEv2:Failed to retrieve Certificate Issuer list

*Sep 28 14:41:43.254: IKEv2:(SA ID = 47):Sending Packet [To W.W.W.W:500/From Z.Z.Z.Z:500/VRF i0:f0]

Initiator SPI : FF6EBF5B9AEE6811 - Responder SPI : ED3DAF040A1AC4CD Message id: 0

IKEv2 IKE_SA_INIT Exchange RESPONSE

Payload contents:

SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Sep 28 14:41:43.254: IKEv2:(SA ID = 47):Completed SA init exchange

*Sep 28 14:41:43.254: IKEv2:(SA ID = 47):Starting timer (30 sec) to wait for auth message

*Sep 28 14:41:43.378: IKEv2:(SA ID = 47):Received Packet [From W.W.W.W:500/To Z.Z.Z.Z:500/VRF i0:f0]

Initiator SPI : FF6EBF5B9AEE6811 - Responder SPI : ED3DAF040A1AC4CD Message id: 1

IKEv2 IKE_AUTH Exchange REQUEST

Payload contents:

IDi AUTH SA TSi TSr

*Sep 28 14:41:43.378: IKEv2:(SA ID = 47):Stopping timer to wait for auth message

*Sep 28 14:41:43.378: IKEv2:(SA ID = 47):Checking NAT discovery

*Sep 28 14:41:43.378: IKEv2:(SA ID = 47):NAT not found

*Sep 28 14:41:43.378: IKEv2:(SA ID = 47):Searching policy based on peer's identity 'W.W.W.W' of type 'IPv4 address'

*Sep 28 14:41:43.378: IKEv2:% IKEv2 profile not found

*Sep 28 14:41:43.378: IKEv2:(SA ID = 47):Failed to locate an item in the database

*Sep 28 14:41:43.382: IKEv2:(SA ID = 47):

*Sep 28 14:41:43.382: IKEv2:(SA ID = 47):Verification of peer's authentication data FAILED

*Sep 28 14:41:43.382: IKEv2:(SA ID = 47):Sending authentication failure notify

*Sep 28 14:41:43.382: IKEv2:(SA ID = 47):Building packet for encryption.

Payload contents:

NOTIFY(AUTHENTICATION_FAILED)

*Sep 28 14:41:43.382: IKEv2:(SA ID = 47):Sending Packet [To W.W.W.W:500/From Z.Z.Z.Z:500/VRF i0:f0]

Initiator SPI : FF6EBF5B9AEE6811 - Responder SPI : ED3DAF040A1AC4CD Message id: 1

IKEv2 IKE_AUTH Exchange RESPONSE

Payload contents:

ENCR

*Sep 28 14:41:43.382: IKEv2:(SA ID = 47):Auth exchange failed

*Sep 28 14:41:43.382: IKEv2:(SA ID = 47):Abort exchange

*Sep 28 14:41:43.382: IKEv2:(SA ID = 47):Deleting SA

Below also is my IPSEC configuration

!

crypto ikev2 proposal IKEV2_PROPOSAL-DEFAULT1

encryption aes-cbc-256

integrity sha256

group 14

!

crypto ikev2 policy IKEV2_POLICY-AZURE-WE

match address local Z.Z.Z.Z

proposal IKEV2_PROPOSAL-DEFAULT1

!

crypto ikev2 keyring IKEV2_KEYRING-AZURE-WE

peer Y.Y.Y.242

address Y.Y.Y.242

pre-shared-key 1c1da41rb23y4k4hcmp367p54

!

crypto ikev2 profile IKEV2_PROFILE-AZURE-WE

match address local Z.Z.Z.Z

match identity remote address Y.Y.Y.242 255.255.255.255

authentication remote pre-share

authentication local pre-share

keyring local IKEV2_KEYRING-AZURE-WE

lifetime 27000

dpd 10 5 on-demand

!

ip ssh time-out 60

!

policy-map shape-Internet_LAYER3_Egress

class class-default

shape average 100000000 1000000 0

!

crypto ipsec transform-set AES esp-aes 256 esp-sha256-hmac

mode tunnel

!

crypto ipsec profile CRYPTO_IPSEC-WE

set security-association lifetime seconds 27000

set transform-set AES

set pfs group14

set ikev2-profile IKEV2_PROFILE-AZURE-WE

!

interface Loopback0

description mgt:

ip address 10.98.0.29 255.255.255.255

!

interface Tunnel101

ip address 169.254.0.1 255.255.255.252

ip tcp adjust-mss 1350

tunnel source GigabitEthernet0/0

tunnel destination Y.Y.Y.242

tunnel protection ipsec profile CRYPTO_IPSEC-WE