12-14-2017 01:51 PM - edited 03-12-2019 04:50 AM
This is an ASA 5515-X with software 9.6(3)20.
The remote side didn't tell me what they use; it must be strongSwan or something.
Using the following debug commands:
debug crypto ipsec 255
debug crypto ikev2 protocol 255
debug crypto ikev2 platform 255
I see this:
(7): IKEv2-PLAT-3: (7): SENT PKT [IKE_AUTH] [1.1.1.243]:4500->[2.2.2.195]:4500 InitSPI=0x2607a73b2bbe1574 RespSPI=0xbf1c43e8a9529db1 MID=00000001
IKEv2-PROTO-5: (7): SM Trace-> SA: I_SPI=2607A73B2BBE1574 R_SPI=BF1C43E8A9529DB1 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=10.10.10.10, sport=21927, daddr=11.11.11.1, dport=21927
IPSEC(crypto_map_check)-3: Checking crypto map Internet_map4 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=10.10.10.10, sport=21927, daddr=11.11.11.1, dport=21927
IPSEC(crypto_map_check)-3: Checking crypto map Internet_map4 1: matched.
IKEv2-PROTO-5: (7): SM Trace-> SA: I_SPI=2607A73B2BBE1574 R_SPI=BF1C43E8A9529DB1 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RE_XMT
IKEv2-PROTO-5: (7): SM Trace-> SA: I_SPI=2607A73B2BBE1574 R_SPI=BF1C43E8A9529DB1 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RE_XMT_EXCEED
IKEv2-PROTO-1: (7): Maximum number of retransmissions reached
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
IKEv2-PROTO-1: (7):
IKEv2-PROTO-5: (7): SM Trace-> SA: I_SPI=2607A73B2BBE1574 R_SPI=BF1C43E8A9529DB1 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_FAIL
IKEv2-PROTO-2: (7): Auth exchange failed
IKEv2-PROTO-1: (7): Auth exchange failed
IKEv2-PROTO-1: (7): Auth exchange failed
IKEv2-PROTO-5: (7): SM Trace-> SA: I_SPI=2607A73B2BBE1574 R_SPI=BF1C43E8A9529DB1 (I) MsgID = 00000001 CurState: EXIT Event: EV_ABORT
IKEv2-PROTO-5: (7): SM Trace-> SA: I_SPI=2607A73B2BBE1574 R_SPI=BF1C43E8A9529DB1 (I) MsgID = 00000001 CurState: EXIT Event: EV_CHK_PENDING_ABORT
Any idea what part of the config may pose the problem? The config is essentially this:
crypto ikev2 policy 1
 encryption aes-256
 integrity sha512
 group 21
 prf sha512
PFS is group 21 also, and a pre-shared key is used.
Thanks.
Marki
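An added example, not part of the thread and not Cisco code: a small Python parser that pulls the state-machine trace out of debug output in the format posted above, even when it is pasted run together on one line, and reports which request hit the retransmission limit. SAMPLE is built from lines in the post; reading `(I)` as the initiator role and the names `summarize`, `SENT` and `TRACE` are assumptions of this example.

```python
import re

# "SENT PKT" platform lines and "SM Trace" protocol lines, keyed by the "(7)" id.
SENT = re.compile(r"\((\d+)\): SENT PKT \[(\w+)\] \[[\d.]+\]:\d+->\[([\d.]+)\]:(\d+) "
                  r"InitSPI=\w+ RespSPI=\w+ MID=(\w+)")
TRACE = re.compile(r"\((\d+)\): SM Trace-> SA: I_SPI=\w+ R_SPI=\w+ \(([IR])\) "
                   r"MsgID = (\w+) CurState: (\w+) Event: (\w+)")

def summarize(text):
    """Return {connection id: summary} for each IKEv2 connection in the debug text."""
    matches = sorted(list(SENT.finditer(text)) + list(TRACE.finditer(text)),
                     key=lambda m: m.start())      # keep the order of the log
    conns = {}
    for m in matches:
        c = conns.setdefault(m.group(1), {
            "role": None, "peer": None, "last_sent": None,
            "states": [], "retransmits": 0, "timed_out_in": None})
        if m.re is SENT:
            _, exchange, ip, port, mid = m.groups()
            c["peer"], c["last_sent"] = f"{ip}:{port}", (exchange, mid)
            continue
        _, role, mid, state, event = m.groups()
        c["role"] = "initiator" if role == "I" else "responder"
        if not c["states"] or c["states"][-1] != state:
            c["states"].append(state)              # record each state once
        if event == "EV_RE_XMT":
            c["retransmits"] += 1
        elif event == "EV_RE_XMT_EXCEED":
            c["timed_out_in"] = (state, mid)       # state and MsgID that gave up
    return conns

# Sample assembled from lines in the post above, joined the way they were pasted.
_T = ("IKEv2-PROTO-5: (7): SM Trace-> SA: I_SPI=2607A73B2BBE1574 "
      "R_SPI=BF1C43E8A9529DB1 (I) MsgID = 00000001 CurState: ")
SAMPLE = " ".join([
    "(7): IKEv2-PLAT-3: (7): SENT PKT [IKE_AUTH] [1.1.1.243]:4500->[2.2.2.195]:4500 "
    "InitSPI=0x2607a73b2bbe1574 RespSPI=0xbf1c43e8a9529db1 MID=00000001",
    _T + "I_WAIT_AUTH Event: EV_NO_EVENT",
    _T + "I_WAIT_AUTH Event: EV_RE_XMT",
    _T + "I_WAIT_AUTH Event: EV_RE_XMT_EXCEED",
    "IKEv2-PROTO-1: (7): Maximum number of retransmissions reached",
    _T + "AUTH_DONE Event: EV_FAIL",
    "IKEv2-PROTO-2: (7): Auth exchange failed",
    _T + "EXIT Event: EV_ABORT",
])

if __name__ == "__main__":
    for conn_id, info in summarize(SAMPLE).items():
        print(conn_id, info)
```

On the posted output this reports that the IKE_AUTH request with MsgID 00000001 reached the retransmission limit while the initiator was in I_WAIT_AUTH, so no response to it was processed before the SA was torn down.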
05-08-2018 03:46 PM
Probably a bit late to reply, but this looks as if there is a mismatched key (crypto map) or possibly mismatched keys in the tunnel-group ipsec-attributes authentication.
08-26-2019 01:38 PM
Hello,
I had that exact error today all of a sudden, while the VPN tunnel had been running fine for months.
PSK mismatch; we entered a simple PSK and the tunnel came right up. Check if you are using "?", a space, or quotes in your password; some special characters on the ASA side could be the issue.
09-02-2019 07:28 PM
I am getting the same errors in debug. Could you please explain how you resolved the issue?
Regards,
Parveen