IPSEC VPN Debugs

Mokhalil82 (Level 4)

Hi

 

I have set up an IKEv2 VPN to a 3rd party and ran a packet trace, but the VPN is not coming up. I'm assuming this is a PSK mismatch. Can anyone confirm if that may be the case please, or if there is anything else I need to check? This is the only VPN on this firewall currently, so I have only enabled IKEv2 and am using a single IKE policy.

 

FIREWALL/admin# debug crypto ikev2 protocol 5
FIREWALL/admin# IKEv2-PROTO-4: (5): [IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
IKEv2-PROTO-4: (5): Request queued for computation of DH key
IKEv2-PROTO-4: (5): Generating IKE_SA_INIT message
IKEv2-PROTO-4: (5): IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
(5): AES-CBC(5): SHA256(5): SHA256(5): DH_GROUP_2048_MODP/Group 14(5):
IKEv2-PROTO-4: (5): Sending Packet [To 82.82.82.82:500/From 213.213.213.213:500/VRF i0:f0]
(5): Initiator SPI : D87B6484FAF229E6 - Responder SPI : 0000000000000000 Message id: 0
(5): IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-5: (5): Next payload: SA, version: 2.0 (5): Exchange type: IKE_SA_INIT, flags: INITIATOR (5): Message id: 0, length: 518(5):
Payload contents:
(5): SA(5): Next payload: KE, reserved: 0x0, length: 48
(5): last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4(5): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(5): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(5): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(5): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
(5): KE(5): Next payload: N, reserved: 0x0, length: 264
(5): DH group: 14, Reserved: 0x0
(5): N(5): Next payload: VID, reserved: 0x0, length: 68
(5): VID(5): Next payload: VID, reserved: 0x0, length: 23
(5): VID(5): Next payload: NOTIFY, reserved: 0x0, length: 59
(5): NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)(5): Next payload: VID, reserved: 0x0, length: 8
(5): Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
(5): VID(5): Next payload: NONE, reserved: 0x0, length: 20
(5):
IKEv2-PROTO-4: (5): Insert SA
(5):
IKEv2-PROTO-4: (5): Received Packet [From 82.82.82.82:500/To 213.213.213.213:500/VRF i0:f0]
(5): Initiator SPI : D87B6484FAF229E6 - Responder SPI : CBBE0068A4157D9F Message id: 0
(5): IKEv2 IKE_SA_INIT Exchange RESPONSEIKEv2-PROTO-5: (5): Next payload: SA, version: 2.0 (5): Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE (5): Message id: 0, length: 376(5):
Payload contents:
(5): SA(5): Next payload: KE, reserved: 0x0, length: 48
(5): last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4(5): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(5): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(5): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(5): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
(5): KE(5): Next payload: N, reserved: 0x0, length: 264
(5): DH group: 14, Reserved: 0x0
(5): N(5): Next payload: NONE, reserved: 0x0, length: 36
(5):
(5): Data: 376 bytes
IKEv2-PROTO-4: (5): Processing IKE_SA_INIT message
IKEv2-PROTO-4: (5): Verify SA init message
IKEv2-PROTO-4: (5): Processing IKE_SA_INIT message
IKEv2-PROTO-4: (5): NAT-T is disabled
IKEv2-PROTO-4: (5): Checking NAT discovery
IKEv2-PROTO-4: (5): NAT not found
IKEv2-PROTO-4: (5): [IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
IKEv2-PROTO-4: (5): Request queued for computation of DH secret
IKEv2-PROTO-4: (5): Completed SA init exchange
IKEv2-PROTO-4: (5): Check for EAP exchange
IKEv2-PROTO-4: (5): Generate my authentication data
IKEv2-PROTO-4: (5): Use preshared key for id 213.213.213.213, key len 21
IKEv2-PROTO-4: (5): Get my authentication method
IKEv2-PROTO-4: (5): My authentication method is 'PSK'
IKEv2-PROTO-4: (5): Check for EAP exchange
IKEv2-PROTO-4: (5): Generating IKE_AUTH message
IKEv2-PROTO-4: (5): Constructing IDi payload: '213.213.213.213' of type 'IPv4 address'
IKEv2-PROTO-4: (5): ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
(5): AES-CBC(5): SHA256(5): Don't use ESNIKEv2-PROTO-4: (5): Building packet for encryption.
(5):
Payload contents:
(5): VID(5): Next payload: IDi, reserved: 0x0, length: 20
(5): IDi(5): Next payload: AUTH, reserved: 0x0, length: 12
(5): Id type: IPv4 address, Reserved: 0x0 0x0
(5): AUTH(5): Next payload: SA, reserved: 0x0, length: 40
(5): Auth method PSK, reserved: 0x0, reserved 0x0
(5): Auth data: 32 bytes
(5): SA(5): Next payload: TSi, reserved: 0x0, length: 44
(5): last proposal: 0x0, reserved: 0x0, length: 40
Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3(5): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(5): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(5): last transform: 0x0, reserved: 0x0: length: 8
type: 5, reserved: 0x0, id: Don't use ESN
(5): TSi(5): Next payload: TSr, reserved: 0x0, length: 24
(5): Num of TSs: 1, reserved 0x0, reserved 0x0
(5): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(5): start port: 0, end port: 65535
(5): start addr: 192.168.114.30, end addr: 192.168.114.30
(5): TSr(5): Next payload: NOTIFY, reserved: 0x0, length: 24
(5): Num of TSs: 1, reserved 0x0, reserved 0x0
(5): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(5): start port: 0, end port: 65535
(5): start addr: 10.235.5.82, end addr: 10.235.5.82
(5): NOTIFY(INITIAL_CONTACT)(5): Next payload: NOTIFY, reserved: 0x0, length: 8
(5): Security protocol id: IKE, spi size: 0, type: INITIAL_CONTACT
(5): NOTIFY(ESP_TFC_NO_SUPPORT)(5): Next payload: NOTIFY, reserved: 0x0, length: 8
(5): Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT
(5): NOTIFY(NON_FIRST_FRAGS)(5): Next payload: NONE, reserved: 0x0, length: 8
(5): Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS
(5):
IKEv2-PROTO-4: (5): Sending Packet [To 82.82.82.82:500/From 213.213.213.213:500/VRF i0:f0]
(5): Initiator SPI : D87B6484FAF229E6 - Responder SPI : CBBE0068A4157D9F Message id: 1
(5): IKEv2 IKE_AUTH Exchange REQUESTIKEv2-PROTO-5: (5): Next payload: ENCR, version: 2.0 (5): Exchange type: IKE_AUTH, flags: INITIATOR (5): Message id: 1, length: 256(5):
Payload contents:
(5): ENCR(5): Next payload: VID, reserved: 0x0, length: 228
(5): Encrypted data: 224 bytes
(5):
IKEv2-PROTO-4: (5): Check for EAP exchange
(5):
IKEv2-PROTO-4: (5): Received Packet [From 82.82.82.82:500/To 213.213.213.213:500/VRF i0:f0]
(5): Initiator SPI : D87B6484FAF229E6 - Responder SPI : CBBE0068A4157D9F Message id: 1
(5): IKEv2 IKE_AUTH Exchange RESPONSEIKEv2-PROTO-5: (5): Next payload: ENCR, version: 2.0 (5): Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE (5): Message id: 1, length: 80(5):
Payload contents:
IKEv2-PROTO-4: decrypt queued(5):
(5): Data: 80 bytes
(5): REAL Decrypted packet:(5): Data: 8 bytes
NOTIFY(AUTHENTICATION_FAILED) Next payload: NONE, reserved: 0x0, length: 8
Security protocol id: Unknown - 0, spi size: 0, type: AUTHENTICATION_FAILED

IKEv2-PROTO-4: (5): Process auth response notify
IKEv2-PROTO-4: (5): Auth exchange failed
IKEv2-PROTO-2: (5): Auth exchange failed
IKEv2-PROTO-2: (5): Auth exchange failed
IKEv2-PROTO-4: (5): Abort exchange
IKEv2-PROTO-4: (5): Deleting SA
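In the trace above the IKE_SA_INIT proposals agree in both directions (the responder echoes AES-CBC / SHA256 / SHA256 / Group 14), so the policy negotiation succeeds; the failure only appears as an AUTHENTICATION_FAILED notify in the IKE_AUTH response, which under PSK authentication means the peer could not verify the initiator's AUTH payload, pointing at the key or the identity it is looked up by rather than at the crypto policy. The following Python triage script applies that reading to an ASA "debug crypto ikev2 protocol 5" trace; it is an added example, not code from the original post or from Cisco, and its sample input is a constructed excerpt of the trace above.

```python
import re

# Constructed excerpt of the trace above, reduced to the line formats the triage keys on.
SAMPLE_DEBUG = """\
IKEv2-PROTO-4: (5): Generating IKE_SA_INIT message
type: 1, reserved: 0x0, id: AES-CBC
type: 2, reserved: 0x0, id: SHA256
type: 3, reserved: 0x0, id: SHA256
type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
(5): IKEv2 IKE_SA_INIT Exchange RESPONSEIKEv2-PROTO-5: (5): Next payload: SA, version: 2.0
type: 1, reserved: 0x0, id: AES-CBC
type: 2, reserved: 0x0, id: SHA256
type: 3, reserved: 0x0, id: SHA256
type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
IKEv2-PROTO-4: (5): My authentication method is 'PSK'
IKEv2-PROTO-4: (5): Generating IKE_AUTH message
(5): IKEv2 IKE_AUTH Exchange RESPONSEIKEv2-PROTO-5: (5): Next payload: ENCR, version: 2.0
NOTIFY(AUTHENTICATION_FAILED) Next payload: NONE, reserved: 0x0, length: 8
"""

TRANSFORM_TYPES = {1: "encr", 2: "prf", 3: "integ", 4: "dh"}  # RFC 7296 transform type numbers
EXCHANGE_RE = re.compile(r"Generating (IKE_SA_INIT|IKE_AUTH) message|IKEv2 (IKE_SA_INIT|IKE_AUTH) Exchange (REQUEST|RESPONSE)")
TRANSFORM_RE = re.compile(r"^type: (\d+), reserved: 0x0, id: (.+)$")

def parse_debug(text):
    """Collect IKE_SA_INIT transforms per direction, the local auth method and the auth outcome."""
    proposals = {"REQUEST": {}, "RESPONSE": {}}
    exchange = direction = auth_method = None
    auth_failed = False
    for line in text.splitlines():
        if m := EXCHANGE_RE.search(line):
            exchange, direction = m.group(1) or m.group(2), m.group(3) or "REQUEST"
        elif exchange == "IKE_SA_INIT" and (m := TRANSFORM_RE.match(line)):
            # ESP transforms in the IKE_AUTH build share this format and are deliberately skipped
            proposals[direction][TRANSFORM_TYPES.get(int(m.group(1)), m.group(1))] = m.group(2)
        elif exchange == "IKE_AUTH" and "AUTHENTICATION_FAILED" in line:
            auth_failed = True  # responder could not verify our AUTH payload
        elif "My authentication method is" in line:
            auth_method = line.split("'")[1]
    return proposals, auth_method, auth_failed

def triage(text):
    proposals, auth_method, auth_failed = parse_debug(text)
    differing = sorted(k for k, v in proposals["REQUEST"].items() if proposals["RESPONSE"].get(k) != v)
    if differing:
        return "IKE_SA_INIT transform mismatch on: " + ", ".join(differing)
    if auth_failed:
        return f"IKE_AUTH rejected by peer ({auth_method} auth): check the PSK and the IDs on both ends"
    return "no failure found in trace"
```

Run `triage(open("debug.txt").read())` on a saved trace; the same script run over the full output posted above lands on the IKE_AUTH verdict, since the ESP transforms of the IKE_AUTH request are skipped and only the IKE_SA_INIT proposals are compared.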
Accepted Solution

Hi,

Yes, the logs do seem to indicate the PSK could be incorrect. Try re-adding the PSK on both ends, and check there is no whitespace when the PSK is entered.

 

If that still fails, please run a more verbose debug "debug crypto ikev2 protocol 127" to get more information.

 

HTH


2 Replies


Thanks, the PSK was the issue. I changed the key to one without the special characters and it worked a treat.