
Phase 2 mismatch between flexVPN spoke and Hub

JEROME BOSC
Level 1

Hi, I am trying to set up DVTI on VRF-aware FlexVPN.

I am facing trouble with the phase 2 settings; I do not know where the problem comes from. Any idea?

You can find output from my configs and debugs below; the message "Failed to find a matching policyESP: Proposal 1:  AES-CBC-256 SHA96 Don't use ESN" is the one I would like to solve.

Thanks for your help,


/////////////////////////////

Hub


Config :

crypto ikev2 proposal prop-1
 encryption aes-cbc-256 aes-cbc-128 3des
 prf sha1
 integrity sha256
 group 5 14
!
crypto ikev2 policy POL-DSC
 match fvrf any
 proposal prop-1


Debug :

017600: Oct 23 15:23:53.119 UTC: IKEv2:Searching Policy with fvrf 3, local address xx.xx.xx.xx
017601: Oct 23 15:23:53.119 UTC: IKEv2:Found Policy 'POL-DSC'
017602: Oct 23 15:23:53.119 UTC: IKEv2:Adding Proposal prop-1 to toolkit policy
017603: Oct 23 15:23:53.119 UTC: IKEv2:(SA ID = 1):Using IKEv2 profile 'prof-dsc'
...
017607: Oct 23 15:23:53.119 UTC: IKEv2:(SESSION ID = 627,SA ID = 1):Verify peer's policy
017608: Oct 23 15:23:53.119 UTC: IKEv2:(SESSION ID = 627,SA ID = 1):Peer's policy verified
017609: Oct 23 15:23:53.119 UTC: IKEv2:(SESSION ID = 627,SA ID = 1):SM Trace-> SA: I_SPI=30A3FCED07586C3F R_SPI=4A67497E31CDE0E8 (R) MsgID = 1 CurState: R_WAIT_AUTH Event: EV_CHK_AUTH4EAP
017610: Oct 23 15:23:53.119 UTC: IKEv2:(SESSION ID = 627,SA ID = 1):SM Trace-> SA: I_SPI=30A3FCED07586C3F R_SPI=4A67497E31CDE0E8 (R) MsgID = 1 CurState: R_WAIT_AUTH Event: EV_CHK_POLREQEAP
017611: Oct 23 15:23:53.119 UTC: IKEv2:(SESSION ID = 627,SA ID = 1):SM Trace-> SA: I_SPI=30A3FCED07586C3F R_SPI=4A67497E31CDE0E8 (R) MsgID = 1 CurState: R_VERIFY_AUTH Event: EV_CHK_AUTH_TYPE
017612: Oct 23 15:23:53.119 UTC: IKEv2:(SESSION ID = 627,SA ID = 1):Get peer's authentication method
017613: Oct 23 15:23:53.119 UTC: IKEv2:(SESSION ID = 627,SA ID = 1):Peer's authentication method is 'PSK'
017614: Oct 23 15:23:53.119 UTC: IKEv2:(SESSION ID = 627,SA ID = 1):SM Trace-> SA: I_SPI=30A3FCED07586C3F R_SPI=4A67497E31CDE0E8 (R) MsgID = 1 CurState: R_VERIFY_AUTH Event: EV_GET_PRESHR_KEY
017615: Oct 23 15:23:53.119 UTC: IKEv2:(SESSION ID = 627,SA ID = 1):Get peer's preshared key for labrtr.dsc.com
017616: Oct 23 15:23:53.119 UTC: IKEv2:(SESSION ID = 627,SA ID = 1):SM Trace-> SA: I_SPI=30A3FCED07586C3F R_SPI=4A67497E31CDE0E8 (R) MsgID = 1 CurState: R_VERIFY_AUTH Event: EV_VERIFY_AUTH
017617: Oct 23 15:23:53.119 UTC: IKEv2:(SESSION ID = 627,SA ID = 1):Verify peer's authentication data
017618: Oct 23 15:23:53.119 UTC: IKEv2:(SESSION ID = 627,SA ID = 1):Use preshared key for id labrtr.dsc.com, key len 10
017619: Oct 23 15:23:53.119 UTC: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
017620: Oct 23 15:23:53.119 UTC: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
017621: Oct 23 15:23:53.119 UTC: IKEv2:(SESSION ID = 627,SA ID = 1):Verification of peer's authenctication data PASSED
017622: Oct 23 15:23:53.119 UTC: IKEv2:(SESSION ID = 627,SA ID = 1):SM Trace-> SA: I_SPI=30A3FCED07586C3F R_SPI=4A67497E31CDE0E8 (R) MsgID = 1 CurState: R_VERIFY_AUTH Event: EV_CHK4_IC
017623: Oct 23 15:23:53.119 UTC: IKEv2:(SESSION ID = 627,SA ID = 1):Processing INITIAL_CONTACT
017624: Oct 23 15:23:53.119 UTC: IKEv2:(SESSION ID = 627,SA ID = 1):SM Trace-> SA: I_SPI=30A3FCED07586C3F R_SPI=4A67497E31CDE0E8 (R) MsgID = 1 CurState: R_VERIFY_AUTH Event: EV_CHK_REDIRECT
017625: Oct 23 15:23:53.119 UTC: IKEv2:(SESSION ID = 627,SA ID = 1):Redirect check is not needed, skipping it
017626: Oct 23 15:23:53.119 UTC: IKEv2:(SESSION ID = 627,SA ID = 1):SM Trace-> SA: I_SPI=30A3FCED07586C3F R_SPI=4A67497E31CDE0E8 (R) MsgID = 1 CurState: R_VERIFY_AUTH Event: EV_NOTIFY_AUTH_DONE
017627: Oct 23 15:23:53.119 UTC: IKEv2:Using mlist LOCALIKEv2 and username AUTHOR-POLICY for group author request
017628: Oct 23 15:23:53.119 UTC: IKEv2:(SA ID = 1):[IKEv2 -> AAA] Authorisation request sent
017629: Oct 23 15:23:53.119 UTC: IKEv2:(SESSION ID = 627,SA ID = 1):SM Trace-> SA: I_SPI=30A3FCED07586C3F R_SPI=4A67497E31CDE0E8 (R) MsgID = 1 CurState: R_VERIFY_AUTH Event: EV_NO_EVENT
017630: Oct 23 15:23:53.119 UTC: IKEv2:IKEv2 local AAA author request for 'AUTHOR-POLICY'
017631: Oct 23 15:23:53.119 UTC: IKEv2:(SA ID = 1):[AAA -> IKEv2] Received AAA authorisation response
017632: Oct 23 15:23:53.119 UTC: IKEv2:Received group author attributes:
ipv4-pool: POOL, route-accept any tag:1 distance:1,
017633: Oct 23 15:23:53.119 UTC: IKEv2:AAA user authorization is not configured
017634: Oct 23 15:23:53.123 UTC: IKEv2:(SESSION ID = 627,SA ID = 1):SM Trace-> SA: I_SPI=30A3FCED07586C3F R_SPI=4A67497E31CDE0E8 (R) MsgID = 1 CurState: R_VERIFY_AUTH Event: EV_OK_NOTIFY_AUTH_DONE
017635: Oct 23 15:23:53.123 UTC: IKEv2:(SESSION ID = 627,SA ID = 1):Action: Action_Null
017636: Oct 23 15:23:53.123 UTC: IKEv2:(SESSION ID = 627,SA ID = 1):SM Trace-> SA: I_SPI=30A3FCED07586C3F R_SPI=4A67497E31CDE0E8 (R) MsgID = 1 CurState: R_VERIFY_AUTH Event: EV_CHK_CONFIG_MODE
017637: Oct 23 15:23:53.123 UTC: IKEv2:(SESSION ID = 627,SA ID = 1):Received valid config mode data
...
017651: Oct 23 15:23:53.123 UTC: IKEv2:(SESSION ID = 627,SA ID = 1):Attrib type: app-version, length: 241, data: Cisco IOS Software, C800 Software (C800-UNIVERSALK9-M), Version 15.5(1)T, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Wed 19-Nov-14 06:05 by prod_rel_team
017652: Oct 23 15:23:53.123 UTC: IKEv2:(SESSION ID = 627,SA ID = 1):Attrib type: split-dns, length: 0
017653: Oct 23 15:23:53.123 UTC: IKEv2:(SESSION ID = 627,SA ID = 1):Attrib type: banner, length: 0
017654: Oct 23 15:23:53.123 UTC: IKEv2:(SESSION ID = 627,SA ID = 1):Attrib type: config-url, length: 0
017655: Oct 23 15:23:53.123 UTC: IKEv2:(SESSION ID = 627,SA ID = 1):Attrib type: backup-gateway, length: 0
017656: Oct 23 15:23:53.123 UTC: IKEv2:(SESSION ID = 627,SA ID = 1):Attrib type: def-domain, length: 0
017657: Oct 23 15:23:53.123 UTC: IKEv2:Allocated addr 192.168.0.8 from local pool POOL
017658: Oct 23 15:23:53.123 UTC: IKEv2:(SESSION ID = 627,SA ID = 1):Set received config mode data
017659: Oct 23 15:23:53.123 UTC: IKEv2:(SESSION ID = 627,SA ID = 1):SM Trace-> SA: I_SPI=30A3FCED07586C3F R_SPI=4A67497E31CDE0E8 (R) MsgID = 1 CurState: R_VERIFY_AUTH Event: EV_CHK_GKM
017660: Oct 23 15:23:53.123 UTC: IKEv2:(SESSION ID = 627,SA ID = 1):SM Trace-> SA: I_SPI=30A3FCED07586C3F R_SPI=4A67497E31CDE0E8 (R) MsgID = 1 CurState: R_VERIFY_AUTH Event: EV_PROC_SA_TS
017661: Oct 23 15:23:53.123 UTC: IKEv2:(SESSION ID = 627,SA ID = 1):Processing IKE_AUTH message
017662: Oct 23 15:23:53.123 UTC: IKEv2:% DVTI create request sent for profile prof-dsc with PSH index 1.

017663: Oct 23 15:23:53.123 UTC: IKEv2:(SESSION ID = 627,SA ID = 1):
017664: Oct 23 15:23:53.123 UTC: IKEv2:(SESSION ID = 627,SA ID = 1):SM Trace-> SA: I_SPI=30A3FCED07586C3F R_SPI=4A67497E31CDE0E8 (R) MsgID = 1 CurState: R_VERIFY_AUTH Event: EV_NO_EVENT
017665: Oct 23 15:23:53.127 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
017666: Oct 23 15:23:53.135 UTC: IKEv2:% DVTI Vi1 created for profile prof-dsc with PSH index 1.

017667: Oct 23 15:23:53.135 UTC: IKEv2:IPSec policy validate request sent for profile prof-dsc with psh index 1.

017668: Oct 23 15:23:53.135 UTC: IKEv2:(SA ID = 1):[IPsec -> IKEv2] Callback received for the validate proposal - FAILED.

017669: Oct 23 15:23:53.139 UTC: IKEv2:(SESSION ID = 627,SA ID = 1):Received Policies: : Failed to find a matching policyESP: Proposal 1:  AES-CBC-256 SHA96 Don't use ESN
017670: Oct 23 15:23:53.143 UTC:
017671: Oct 23 15:23:53.143 UTC:
017672: Oct 23 15:23:53.143 UTC: IKEv2:(SESSION ID = 627,SA ID = 1):Expected Policies: : Failed to find a matching policy


Spoke :


Config :
crypto ikev2 proposal prop-1
 encryption aes-cbc-256 aes-cbc-128 3des
 prf sha1
 integrity sha256
 group 5 14

crypto ikev2 policy site-policy
 match fvrf any
 proposal prop-1


Debugs :

*Oct 23 14:59:08.207: IKEv2:Searching Policy with fvrf 0, local address 80.125.139.212
*Oct 23 14:59:08.207: IKEv2:Found Policy 'site-policy'
*Oct 23 14:59:08.207: IKEv2:(SESSION ID = 1,SA ID = 1):Verify peer's policy
*Oct 23 14:59:08.207: IKEv2:(SESSION ID = 1,SA ID = 1):Peer's policy verified


5 Replies

Graham Bartlett
Cisco Employee

Hello

This looks like your IPsec transform-set isn't matched. Can you check this?

Thanks

I have the same problem too. Could you please explain the problem and the solution for the same?

Hi

The following indicates that the IPsec transform set is not correct:

017668: Oct 23 15:23:53.135 UTC: IKEv2:(SA ID = 1):[IPsec -> IKEv2] Callback received for the validate proposal - FAILED.

017669: Oct 23 15:23:53.139 UTC: IKEv2:(SESSION ID = 627,SA ID = 1):Received Policies: : Failed to find a matching policyESP: Proposal 1:  AES-CBC-256 SHA96 Don't use ESN

I have set the transform set to the following:

crypto ipsec transform-set nec_enc esp-aes esp-sha256-hmac
mode transport

and the following is my IKEv2 proposal:

crypto ikev2 proposal nec_ikev2
encryption aes-cbc-128
integrity sha256
group 5

IKEv2 policy:

crypto ikev2 policy ikev2policy
match fvrf any
proposal nec_ikev2

Could you please help me identify what is incorrect in this? The following is the message which I received at failure:

*Dec 6 12:13:28.362: IKEv2:(SESSION ID = 3,SA ID = 2):Received Policies: : Failed to find a matching policyESP: Proposal 1: AES-CBC-128 SHA256 Don't use ESN
*Dec 6 12:13:28.362:
*Dec 6 12:13:28.362: ESP: Proposal 2: AES-CBC-128 AES-CBC-192 AES-CBC-256 3DES BLOWFISH SHA256 SHA384 SHA512 SHA96 AES XCBC 96 MD596 Don't use ESN
*Dec 6 12:13:28.362:
*Dec 6 12:13:28.362:
*Dec 6 12:13:28.362: IKEv2:(SESSION ID = 3,SA ID = 2):Expected Policies: : Failed to find a matching policy
*Dec 6 12:13:28.362: IKEv2:(SESSION ID = 3,SA ID = 2):: Failed to find a matching policy
*Dec 6 12:13:28.362: IKEv2:(SESSION ID = 3,SA ID = 2):Sending no proposal chosen notify 
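As an added troubleshooting aid (not code from the thread or from Cisco), the script below parses the "Received Policies" ESP proposals printed by the IKEv2 debug and reports which of them a given IOS transform-set line could satisfy; the keyword-to-debug-name mapping is an assumption taken from the algorithm names visible in the output posted above, and the sample debug text is the one quoted in this thread.

```python
import re
# Constructed sample: the 'Received Policies' debug lines quoted in this thread.
DEBUG = """\
*Dec 6 12:13:28.362: IKEv2:(SESSION ID = 3,SA ID = 2):Received Policies: : Failed to find a matching policyESP: Proposal 1: AES-CBC-128 SHA256 Don't use ESN
*Dec 6 12:13:28.362: ESP: Proposal 2: AES-CBC-128 AES-CBC-192 AES-CBC-256 3DES BLOWFISH SHA256 SHA384 SHA512 SHA96 AES XCBC 96 MD596 Don't use ESN
"""
# Assumed mapping from IOS transform-set keywords to the algorithm names the
# IKEv2 debug prints (names taken from the output visible in this thread).
ENC = {"esp-aes 128": "AES-CBC-128", "esp-aes 192": "AES-CBC-192",
       "esp-aes 256": "AES-CBC-256", "esp-3des": "3DES"}
INTEG = {"esp-sha-hmac": "SHA96", "esp-sha256-hmac": "SHA256",
         "esp-sha384-hmac": "SHA384", "esp-sha512-hmac": "SHA512",
         "esp-md5-hmac": "MD596"}
INTEG_NAMES = set(INTEG.values()) | {"AES-XCBC-96"}

def parse_received(debug):
    """Return {proposal number: (encryption names, integrity names)} from debug text."""
    proposals = {}
    for m in re.finditer(r"ESP: Proposal (\d+):\s*(.*)", debug):
        body = re.sub(r"(Don't use|Use) ESN", "", m.group(2))
        algs = body.replace("AES XCBC 96", "AES-XCBC-96").split()
        integ = {a for a in algs if a in INTEG_NAMES}
        proposals[int(m.group(1))] = (set(algs) - integ, integ)
    return proposals

def parse_transform_set(line):
    """Translate 'crypto ipsec transform-set NAME esp-aes [bits] esp-*-hmac' to debug names."""
    toks = line.split()
    if toks[:3] != ["crypto", "ipsec", "transform-set"]:
        raise ValueError("not a transform-set line: " + line)
    enc = integ = None
    rest = toks[4:]
    while rest:
        kw = rest.pop(0)
        if kw == "esp-aes":  # a bare esp-aes keyword means 128-bit AES
            bits = rest.pop(0) if rest and rest[0].isdigit() else "128"
            enc = ENC["esp-aes " + bits]
        elif kw in ENC:
            enc = ENC[kw]
        elif kw in INTEG:
            integ = INTEG[kw]
        else:
            raise ValueError("unsupported transform keyword: " + kw)
    return toks[3], enc, integ

def matching_proposals(transform_set, debug):
    """Proposal numbers in the peer's 'Received Policies' that this transform set can satisfy."""
    _, enc, integ = parse_transform_set(transform_set)
    return sorted(n for n, (encs, integs) in parse_received(debug).items()
                  if enc in encs and integ in integs)
```

"Received Policies" are the peer's proposals, so run this against the transform set configured on the router that logged the failure; an empty result means that router's transform set cannot match anything the peer offered.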

Did you find a solution for this? I have a similar issue. The tunnel comes up fine if the transform set is esp-aes esp-sha-hmac, but if you use esp-aes 256 esp-sha256-hmac it fails.


Thanks


Jim