In addition, this document provides information on how to translate certain debug lines in a configuration. Zscaler support IP-SLA HTTP probes to check the cloud proxy health, on traditional routers you are able to use 'track' features to, for example, change the admin distance of a static route based on the results of the IP-SLA test. currently using 4.8, seems to have solved all issues. INFO_R Event: EV_CHK_INFO_TYPE IKEv2-PROTO-5: (99): SM Trace-> SA: I . Bug Details Include The CHILD_SA packet typically contains: Router 1 receives the response packet from Router 2 and completes activating the CHILD_SA. This section lists the configurations used in this document. All traffic must be accepted and specific routing is needed to direct traffic into specific tunnels. All of the devices used in this document started with a cleared (default) configuration. 0 Helpful Share Reply JW_UK Beginner In response to JW_UK Options 09-28-2019 03:19 AM Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. This is reposted from the Networking Academy area since there were no replies. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. IKEv2 allows the security association to remain unchanged despite changes in the underlying connection. Are you seeing encrypts and decrypts over your IPSEC tunnel? Related Community Discussions View Bug Details in Bug Search Tool Why Is Login Required? The CHILD_SA packet typically contains: Router 2 now builds the reply for the CHILD_SA exchange. Find answers to your questions by entering keywords or phrases in the Search bar above. The address range specifies that all traffic to and from that range are tunnelled. IKEv2 Payload Types Transform Type Values IKEv2 Transform Attribute Types Transform Type 1 - Encryption Algorithm Transform IDs Transform Type 2 - Pseudorandom Function Transform IDs Transform Type 3 - Integrity Algorithm Transform IDs Transform Type 4 - Key Exchange Method Transform IDs Transform Type 5 - Extended Sequence Numbers Transform IDs Learn more about how Cisco is using Inclusive Language. You can also check the output of theshow crypto sessioncommand on both routers; this output shows the tunnel session status as UP-ACTIVE. Same in every possible way. Tunnel is up on the Initiator and the status shows. For more information, refer to IKEv2 Packet Exchange and Protocol Level Debugging. *Nov 11 19:31:35.873: IKEv2:Got a packet from dispatcher *Nov 11 19:31:35.873: IKEv2:Processing an item off the pak queue *Nov 11 19:31:35.873: IKEv2:(SA ID = 2):Request has mess_id 3; expected 3 through 7 *Nov 11 19:31:35.873: IKEv2:(SA ID = 2):Next payload: ENCR, version: 2.0Exchange type: CREATE_CHILD_SA, flags:INITIATORMessage id: 3, length: 396 Payload contents: SANext payload: N, reserved: 0x0, length: 152 last proposal: 0x0, reserved: 0x0, length: 148 Proposal: 1, Protocol id: IKE, SPI size: 8, #trans: 15 last transform: 0x3, reserved: 0x0: length: 12 type: 1, reserved: 0x0, id: AES-CBC last transform: 0x3, reserved: 0x0: length: 12 type: 1, reserved: 0x0, id: AES-CBC last transform: 0x3, reserved: 0x0: length: 12 type: 1, reserved: 0x0, id: AES-CBC last transform: 0x3, reserved: 0x0: length: 8 type: 2, reserved: 0x0, id: SHA512 last transform: 0x3, reserved: 0x0: length: 8 type: 2, reserved: 0x0, id: SHA384 last transform: 0x3, reserved: 0x0: length: 8 type: 2, reserved: 0x0, id: SHA256 last transform: 0x3, reserved: 0x0: length: 8 type: 2, reserved: 0x0, id: SHA1 last transform: 0x3, reserved: 0x0: length: 8 type: 2, reserved: 0x0, id: MD5 last transform: 0x3, reserved: 0x0: length: 8 type: 3, reserved: 0x0, id: SHA512 last transform: 0x3, reserved: 0x0: length: 8 type: 3, reserved: 0x0, id: SHA384 last transform: 0x3, reserved: 0x0: length: 8 type: 3, reserved: 0x0, id: SHA256 last transform: 0x3, reserved: 0x0: length: 8 type: 3, reserved: 0x0, id: SHA96 last transform: 0x3, reserved: 0x0: length: 8 type: 3, reserved: 0x0, id: MD596 last transform: 0x3, reserved: 0x0: length: 8 type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5 last transform: 0x0, reserved: 0x0: length: 8 type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2 NNext payload: KE, reserved: 0x0, length: 24 KE Next payload: NOTIFY, reserved: 0x0, length: 136 DH group: 2, Reserved: 0x0 *Nov 11 19:31:35.874: IKEv2:Parse Notify Payload: SET_WINDOW_SIZENOTIFY(SET_WINDOW_SIZE) Next payload: NONE, reserved: 0x0, length: 12 Security protocol id: IKE, spi size: 0, type: SET_WINDOW_SIZE *Nov 11 19:31:35.874: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=0C33DB40DBAAADE6 R_SPI=F14E2BBA78024DE3 (R) MsgID = 00000003 CurState: READY Event:EV_RECV_CREATE_CHILD *Nov 11 19:31:35.874: IKEv2:(SA ID = 2):Action: Action_Null *Nov 11 19:31:35.874: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=0C33DB40DBAAADE6 R_SPI=F14E2BBA78024DE3 (R) MsgID = 00000003 CurState: CHILD_R_INIT Event: EV_RECV_CREATE_CHILD *Nov 11 19:31:35.874: IKEv2:(SA ID = 2):Action: Action_Null *Nov 11 19:31:35.874: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=0C33DB40DBAAADE6 R_SPI=F14E2BBA78024DE3 (R) MsgID = 00000003 CurState: CHILD_R_INIT Event: EV_VERIFY_MSG *Nov 11 19:31:35.874: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=0C33DB40DBAAADE6 R_SPI=F14E2BBA78024DE3 (R) MsgID = 00000003 CurState: CHILD_R_INIT Event: EV_CHK_CC_TYPE *Nov 11 19:31:35.874: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=0C33DB40DBAAADE6 R_SPI=F14E2BBA78024DE3 (R) MsgID = 00000003 CurState: CHILD_R_IKE Event:EV_REKEY_IKESA *Nov 11 19:31:35.874: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=0C33DB40DBAAADE6 R_SPI=F14E2BBA78024DE3 (R) MsgID = 00000003 CurState: CHILD_R_IKE Event: EV_GET_IKE_POLICY *Nov 11 19:31:35.874: IKEv2:%Getting preshared key by address 10.0.0.2 *Nov 11 19:31:35.874: IKEv2:% Getting preshared key by address 10.0.0.2 *Nov 11 19:31:35.874: IKEv2:Adding Proposal PHASE1-prop to toolkit policy *Nov 11 19:31:35.874: IKEv2:(SA ID = 2):Using IKEv2 profile 'IKEV2-SETUP' *Nov 11 19:31:35.874: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=0C33DB40DBAAADE6 R_SPI=F14E2BBA78024DE3 (R) MsgID = 00000003 CurState: CHILD_R_IKE Event: EV_PROC_MSG *Nov 11 19:31:35.874: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=0C33DB40DBAAADE6 R_SPI=F14E2BBA78024DE3 (R) MsgID = 00000003 CurState: CHILD_R_IKE Event: EV_SET_POLICY *Nov 11 19:31:35.874: IKEv2:(SA ID = 2):Setting configured policies *Nov 11 19:31:35.874: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=0C33DB40DBAAADE6 R_SPI=F14E2BBA78024DE3 (R) MsgID = 00000003 CurState: CHILD_R_BLD_MSG Event: EV_GEN_DH_KEY *Nov 11 19:31:35.874: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=0C33DB40DBAAADE6 R_SPI=F14E2BBA78024DE3 (R) MsgID = 00000003 CurState: CHILD_R_BLD_MSG Event: EV_NO_EVENT *Nov 11 19:31:35.874: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=0C33DB40DBAAADE6 R_SPI=F14E2BBA78024DE3 (R) MsgID = 00000003 CurState: CHILD_R_BLD_MSG Event: EV_OK_RECD_DH_PUBKEY_RESP *Nov 11 19:31:35.874: IKEv2:(SA ID = 2):Action: Action_Null *Nov 11 19:31:35.874: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=0C33DB40DBAAADE6 R_SPI=F14E2BBA78024DE3 (R) MsgID = 00000003 CurState: CHILD_R_BLD_MSG Event:EV_GEN_DH_SECRET *Nov 11 19:31:35.881: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=0C33DB40DBAAADE6 R_SPI=F14E2BBA78024DE3 (R) MsgID = 00000003 CurState: CHILD_R_BLD_MSG Event: EV_NO_EVENT *Nov 11 19:31:35.882: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=0C33DB40DBAAADE6 R_SPI=F14E2BBA78024DE3 (R) MsgID = 00000003 CurState: CHILD_R_BLD_MSG Event: EV_OK_RECD_DH_SECRET_RESP *Nov 11 19:31:35.882: IKEv2:(SA ID = 2):Action: Action_Null *Nov 11 19:31:35.882: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=0C33DB40DBAAADE6 R_SPI=F14E2BBA78024DE3 (R) MsgID = 00000003 CurState: CHILD_R_BLD_MSG Event: EV_BLD_MSG *Nov 11 19:31:35.882:IKEv2:ConstructNotify Payload: SET_WINDOW_SIZE Payload contents: SANext payload: N, reserved: 0x0, length: 56 last proposal: 0x0, reserved: 0x0, length: 52 Proposal: 1, Protocol id: IKE, SPI size: 8, #trans: 4 last transform: 0x3, reserved: 0x0: length: 12 type: 1, reserved: 0x0, id: AES-CBC last transform: 0x3, reserved: 0x0: length: 8 type: 2, reserved: 0x0, id: SHA1 last transform: 0x3, reserved: 0x0: length: 8 type: 3, reserved: 0x0, id: SHA96 last transform: 0x0, reserved: 0x0: length: 8 type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2 NNext payload: KE, reserved: 0x0, length: 24 KE Next payload: NOTIFY, reserved: 0x0, length: 136 DH group: 2, Reserved: 0x0 NOTIFY(SET_WINDOW_SIZE) Next payload: NONE, reserved: 0x0, length: 12 Security protocol id: IKE, spi size: 0, type: SET_WINDOW_SIZE, *Nov 11 19:31:35.869: IKEv2:(SA ID = 2):Next payload: ENCR, version: 2.0 Exchange type:CREATE_CHILD_SA, flags:INITIATORMessage id: 2, length: 460 Payload contents: ENCR Next payload: SA, reserved: 0x0, length: 432, *Nov 11 19:31:35.873: IKEv2:Construct Notify Payload: SET_WINDOW_SIZE Payload contents: SANext payload: N, reserved: 0x0, length: 152 last proposal: 0x0, reserved: 0x0, length: 148 Proposal: 1, Protocol id: IKE, SPI size: 8, #trans: 15 last transform: 0x3, reserved: 0x0: length: 12 type: 1, reserved: 0x0, id: AES-CBC last transform: 0x3, reserved: 0x0: length: 12 type: 1, reserved: 0x0, id: AES-CBC last transform: 0x3, reserved: 0x0: length: 12 type: 1, reserved: 0x0, id: AES-CBC last transform: 0x3, reserved: 0x0: length: 8 type: 2, reserved: 0x0, id: SHA512 last transform: 0x3, reserved: 0x0: length: 8 type: 2, reserved: 0x0, id: SHA384 last transform: 0x3, reserved: 0x0: length: 8 type: 2, reserved: 0x0, id: SHA256 last transform: 0x3, reserved: 0x0: length: 8 type: 2, reserved: 0x0, id: SHA1 last transform: 0x3, reserved: 0x0: length: 8 type: 2, reserved: 0x0, id: MD5 last transform: 0x3, reserved: 0x0: length: 8 type: 3, reserved: 0x0, id: SHA512 last transform: 0x3, reserved: 0x0: length: 8 type: 3, reserved: 0x0, id: SHA384 last transform: 0x3, reserved: 0x0: length: 8 type: 3, reserved: 0x0, id: SHA256 last transform: 0x3, reserved: 0x0: length: 8 type: 3, reserved: 0x0, id: SHA96 last transform: 0x3, reserved: 0x0: length: 8 type: 3, reserved: 0x0, id: MD596 last transform: 0x3, reserved: 0x0: length: 8 type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5 last transform: 0x0, reserved: 0x0: length: 8 type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2 NNext payload: KE, reserved: 0x0, length: 24 KENext payload: NOTIFY, reserved: 0x0, length: 136 DH group: 2, Reserved: 0x0 NOTIFY(SET_WINDOW_SIZE) Next payload: NONE, reserved: 0x0, length: 12 Security protocol id: IKE, spi size: 0, type: SET_WINDOW_SIZE, *Nov 11 19:31:35.882: IKEv2:(SA ID = 2):Next payload: ENCR, version: 2.0 Exchange type:CREATE_CHILD_SA,flags:RESPONDER MSG-RESPONSEMessage id: 3, length: 300 Payload contents: SANext payload: N, reserved: 0x0, length: 56 last proposal: 0x0, reserved: 0x0, length: 52 Proposal: 1, Protocol id: IKE, SPI size: 8, #trans: 4 last transform: 0x3, reserved: 0x0: length: 12 type: 1, reserved: 0x0, id: AES-CBC last transform: 0x3, reserved: 0x0: length: 8 type: 2, reserved: 0x0, id: SHA1 last transform: 0x3, reserved: 0x0: length: 8 type: 3, reserved: 0x0, id: SHA96 last transform: 0x0, reserved: 0x0: length: 8 type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2 NNext payload: KE, reserved: 0x0, length: 24 KENext payload: NOTIFY, reserved: 0x0, length: 136 DH group: 2, Reserved: 0x0 *Nov 11 19:31:35.882: IKEv2:Parse Notify Payload: SET_WINDOW_SIZENOTIFY(SET_WINDOW_SIZE) Next payload: NONE, reserved: 0x0, length: 12 Security protocol id: IKE, spi size: 0, type: SET_WINDOW_SIZE *Nov 11 19:31:35.882: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=0C33DB40DBAAADE6 R_SPI=F14E2BBA78024DE3 (I) MsgID = 00000003 CurState:CHILD_I_WAITEvent:EV_RECV_CREATE_CHILD *Nov 11 19:31:35.882: IKEv2:(SA ID = 2):Action: Action_Null *Nov 11 19:31:35.882: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=0C33DB40DBAAADE6 R_SPI=F14E2BBA78024DE3 (I) MsgID = 00000003 CurState:CHILD_I_PROCEvent: EV_CHK4_NOTIFY *Nov 11 19:31:35.882: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=0C33DB40DBAAADE6 R_SPI=F14E2BBA78024DE3 (I) MsgID = 00000003 CurState: CHILD_I_PROC Event:EV_VERIFY_MSG *Nov 11 19:31:35.882: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=0C33DB40DBAAADE6 R_SPI=F14E2BBA78024DE3 (I) MsgID = 00000003 CurState: CHILD_I_PROC Event: EV_PROC_MSG *Nov 11 19:31:35.882: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=0C33DB40DBAAADE6 R_SPI=F14E2BBA78024DE3 (I) MsgID = 00000003 CurState: CHILD_I_PROC Event: EV_CHK4_PFS *Nov 11 19:31:35.882: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=0C33DB40DBAAADE6 R_SPI=F14E2BBA78024DE3 (I) MsgID = 00000003 CurState: CHILD_I_PROC Event: EV_GEN_DH_SECRET *Nov 11 19:31:35.890: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=0C33DB40DBAAADE6 R_SPI=F14E2BBA78024DE3 (I) MsgID = 00000003 CurState: CHILD_I_PROC Event: EV_NO_EVENT *Nov 11 19:31:35.890: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=0C33DB40DBAAADE6 R_SPI=F14E2BBA78024DE3 (I) MsgID = 00000003 CurState: CHILD_I_PROC Event: EV_OK_RECD_DH_SECRET_RESP *Nov 11 19:31:35.890: IKEv2:(SA ID = 2):Action: Action_Null *Nov 11 19:31:35.890: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=0C33DB40DBAAADE6 R_SPI=F14E2BBA78024DE3 (I) MsgID = 00000003 CurState: CHILD_I_PROC Event: EV_CHK_IKE_REKEY *Nov 11 19:31:35.890: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=0C33DB40DBAAADE6 R_SPI=F14E2BBA78024DE3 (I) MsgID = 00000003 CurState: CHILD_I_PROC Event: EV_GEN_SKEYID *Nov 11 19:31:35.890: IKEv2:(SA ID = 2):Generate skeyid *Nov 11 19:31:35.890: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=0C33DB40DBAAADE6 R_SPI=F14E2BBA78024DE3 (I) MsgID = 00000003 CurState:CHILD_I_DONEEvent:EV_ACTIVATE_NEW_SA *Nov 11 19:31:35.890: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=0C33DB40DBAAADE6 R_SPI=F14E2BBA78024DE3 (I) MsgID = 00000003 CurState: CHILD_I_DONE Event: EV_UPDATE_CAC_STATS *Nov 11 19:31:35.890: IKEv2:New ikev2 sa request activated *Nov 11 19:31:35.890: IKEv2:Failed to decrement count for outgoing negotiating *Nov 11 19:31:35.890: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=0C33DB40DBAAADE6 R_SPI=F14E2BBA78024DE3 (I) MsgID = 00000003 CurState: CHILD_I_DONE Event: EV_CHECK_DUPE *Nov 11 19:31:35.890: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=0C33DB40DBAAADE6 R_SPI=F14E2BBA78024DE3 (I) MsgID = 00000003 CurState: CHILD_I_DONE Event: EV_OK *Nov 11 19:31:35.890: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=0C33DB40DBAAADE6 R_SPI=F14E2BBA78024DE3 (I) MsgID = 00000003 CurState: EXIT Event: EV_CHK_PENDING *Nov 11 19:31:35.890: IKEv2:(SA ID = 2):Processed response with message id 3, Requests can be sent from range 4 to 8 *Nov 11 19:31:35.890: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=0C33DB40DBAAADE6 R_SPI=F14E2BBA78024DE3 (I) MsgID = 00000003CurState: EXITEvent: EV_NO_EVENT, *Nov 11 19:31:35.882: IKEv2:(SA ID = 2):Next payload: ENCR, version: 2.0 Exchange type:CREATE_CHILD_SA, flags:RESPONDER MSG-RESPONSEMessage id: 3, length: 300 Payload contents: ENCR Next payload: SA, reserved: 0x0, length: 272 *Nov 11 19:31:35.882: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=0C33DB40DBAAADE6 R_SPI=F14E2BBA78024DE3 (R) MsgID = 00000003 CurState: CHILD_R_BLD_MSG Event:EV_CHK_IKE_REKEY *Nov 11 19:31:35.882: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=0C33DB40DBAAADE6 R_SPI=F14E2BBA78024DE3 (R) MsgID = 00000003 CurState: CHILD_R_BLD_MSG Event: EV_GEN_SKEYID *Nov 11 19:31:35.882: IKEv2:(SA ID = 2):Generate skeyid *Nov 11 19:31:35.882: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=0C33DB40DBAAADE6 R_SPI=F14E2BBA78024DE3 (R) MsgID = 00000003 CurState: CHILD_R_DONE Event:EV_ACTIVATE_NEW_SA *Nov 11 19:31:35.882: IKEv2:Store mib index ikev2 3, platform 62 *Nov 11 19:31:35.882: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=0C33DB40DBAAADE6 R_SPI=F14E2BBA78024DE3 (R) MsgID = 00000003 CurState: CHILD_R_DONE Event: EV_UPDATE_CAC_STATS *Nov 11 19:31:35.882: IKEv2:New ikev2 sa request activated *Nov 11 19:31:35.882: IKEv2:Failed to decrement count for incoming negotiating *Nov 11 19:31:35.882: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=0C33DB40DBAAADE6 R_SPI=F14E2BBA78024DE3 (R) MsgID = 00000003 CurState:CHILD_R_DONEEvent: EV_CHECK_DUPE *Nov 11 19:31:35.882: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=0C33DB40DBAAADE6 R_SPI=F14E2BBA78024DE3 (R) MsgID = 00000003 CurState: CHILD_R_DONE Event: EV_OK *Nov 11 19:31:35.882: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=0C33DB40DBAAADE6 R_SPI=F14E2BBA78024DE3 (R) MsgID = 00000003 CurState: CHILD_R_DONE Event: EV_START_DEL_NEG_TMR *Nov 11 19:31:35.882: IKEv2:(SA ID = 2):Action: Action_Null *Nov 11 19:31:35.882: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=0C33DB40DBAAADE6 R_SPI=F14E2BBA78024DE3 (R) MsgID = 00000003 CurState: EXIT Event: EV_CHK_PENDING *Nov 11 19:31:35.882: IKEv2:(SA ID = 2):Sent response with message id 3, Requests can be accepted from range 4 to 8 *Nov 11 19:31:35.882: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=0C33DB40DBAAADE6 R_SPI=F14E2BBA78024DE3 (R) MsgID = 00000003CurState: EXITEvent: EV_NO_EVENT. Cisco recommends that you have knowledge of the packet exchange for IKEv2. Remote Type = 0. . I believe it is specific to ISR4K's and being fixed in the November code release. It might be initiated by either end of the IKE_SA after the initial exchanges are completed. 4 Sep 18 2018 17:40:58 750003 Local:80.x.y.z:500 Remote:51.a.b.c:500 Username:51.a.b.c IKEv2 Negotiation aborted due to ERROR: Detected unsupported . Update: This was a version error, using wrong version of anyconnect, this has now been resolved. If the SA offers include different DH groups, KEi must be an element of the group the initiator expects the responder to accept. : crypto ikev2 profile default . IOS XE routers must source IPSEC interfaces from the Service side VPN (not VPN0), but also, it is necessary to add a inbound IPv4 ACL to the Interface in VPN0 to permit UDP 500 (IPSEC) and if using NAT UDP 4500 as well.After the tunnel is established you can add a IPv4 static route on the Service side with a next hop of the Tunnel interface to route traffic via the tunnel. The IKE_AUTH packet contains: ISAKMP Header(SPI/ version/flags), IDi(initiator's identity), AUTH payload, SAi2(initiates the SA-similar to the phase 2 transform set exchange in IKEv1), and TSi and TSr (Initiator and Responder Traffic selectors): They contain the source and destination address of the initiator and responder respectively for forwarding/receiving encrypted traffic. tanyatamir53355. In the IKEv1 Phase 1 settings, you can select one of these modes: Main Mode. Looks like its working after I added the ACL to the outside interface. 05-18-2021 12:04 PM. I have a similar problem with an IPSec Tunnel to an external Firewall. All but the headers of all the messages that follow are encrypted and authenticated. This mode is more secure, and uses three . For more information, refer to IKEv2 Packet Exchange and Protocol Level Debugging. IKEv2 Packet Exchange and Protocol Level Debugging, Technical Support & Documentation - Cisco Systems, Router 1 receives a packet that matches the crypto acl for peer ASA 10.0.0.2. You cannot use PSK for authentication of a Remote Access FlexVPN, see this screenshot below from Cisco live presentation BRKSEX-2881. The connection uses a custom IPsec/IKE policy with the UsePolicyBasedTrafficSelectors option, as described in this article.. These debug commands are used in this document: *Nov 11 20:28:34.003: IKEv2:Got a packet from dispatcher *Nov 11 20:28:34.003: IKEv2: Processing an item off the pak queue *Nov 11 19:30:34.811: IKEv2:% Getting preshared key by address 10.0.0.2 *Nov 11 19:30:34.811: IKEv2:Adding Proposal PHASE1-prop to toolkit policyle *Nov 11 19:30:34.811: IKEv2:(1): Choosing IKE profile IKEV2-SETUP *Nov 11 19:30:34.811: IKEv2:New ikev2 sa request admitted *Nov 11 19:30:34.811: IKEv2:Incrementing outgoing negotiating sa count by one. Local Address = 0.0.0.0. #crypto ikev2 policy cisco. Router 2 builds the response to IKE_AUTH packet that it received from Router 1. High Performance gateway uses IKEv2 and have applied the following IKE policy on Azure Gateway. Template applied to Service VPN 1, Source interface from VPN 0 (Internet Interface with public IP to reach external Firewall via Internet). 189035: *Aug 8 14:01:22.161 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation), AES-CBC SHA256 SHA256 DH_GROUP_2048_MODP/Group 14, 189036: *Aug 8 14:01:22.161 Chicago: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s), 189037: *Aug 8 14:01:22.161 Chicago: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'TP-self-signed-653483565', 189038: *Aug 8 14:01:22.161 Chicago: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints, 189039: *Aug 8 14:01:22.161 Chicago: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints FAILED, 189040: *Aug 8 14:01:22.161 Chicago: IKEv2:Failed to retrieve Certificate Issuer list, 189041: *Aug 8 14:01:22.161 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Sending Packet [To 2.2.2.2:500/From 1.1.1.1:500/VRF i0:f0], Initiator SPI : 8A15E970577C6140 - Responder SPI : 0550071FA9DFE718 Message id: 0, SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP), 189042: *Aug 8 14:01:22.161 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Completed SA init exchange, 189043: *Aug 8 14:01:22.161 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Starting timer (30 sec) to wait for auth message, 189044: *Aug 8 14:01:22.429 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Received Packet [From 2.2.2.2:4500/To 1.1.1.1:500/VRF i0:f0], Initiator SPI : 8A15E970577C6140 - Responder SPI : 0550071FA9DFE718 Message id: 1, IDi NOTIFY(INITIAL_CONTACT) NOTIFY(Unknown - 16396) IDr AUTH CFG NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS) SA TSi TSr, 189045: *Aug 8 14:01:22.429 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Stopping timer to wait for auth message, 189046: *Aug 8 14:01:22.429 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Checking NAT discovery, 189047: *Aug 8 14:01:22.429 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):NAT OUTSIDE found, 189048: *Aug 8 14:01:22.429 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):NAT detected float to init port 4500, resp port 4500, 189049: *Aug 8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Searching policy based on peer's identity '10.5.1.70' of type 'IPv4 address', 189050: *Aug 8 14:01:22.433 Chicago: IKEv2:found matching IKEv2 profile 'FlexVPN', 189051: *Aug 8 14:01:22.433 Chicago: IKEv2:% Getting preshared key from profile keyring keys, 189052: *Aug 8 14:01:22.433 Chicago: IKEv2:% Matched peer block 'DYNAMIC', 189053: *Aug 8 14:01:22.433 Chicago: IKEv2:Searching Policy with fvrf 0, local address 1.1.1.1, 189054: *Aug 8 14:01:22.433 Chicago: IKEv2:Found Policy 'ikev2policy', 189055: *Aug 8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Verify peer's policy, 189056: *Aug 8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Peer's policy verified, 189057: *Aug 8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Get peer's authentication method, 189058: *Aug 8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Peer's authentication method is 'PSK', 189059: *Aug 8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Get peer's preshared key for 10.5.1.70, 189060: *Aug 8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Verify peer's authentication data, 189061: *Aug 8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Use preshared key for id 10.5.1.70, key len 7, 189062: *Aug 8 14:01:22.433 Chicago: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data, 189063: *Aug 8 14:01:22.433 Chicago: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED, 189064: *Aug 8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Verification of peer's authenctication data PASSED, 189065: *Aug 8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Processing INITIAL_CONTACT, 189066: *Aug 8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Received valid config mode data.