Symptom
The tunnel fails in phase 1 with the following error messages:
If the router works as "INITIATOR":
*Sep 2 04:41:43.095: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Sep 2 04:41:43.095: IKEv2:% Getting preshared key from profile keyring KEYRING
*Sep 2 04:41:43.095: IKEv2:% Matched peer block 'ALL'
*Sep 2 04:41:43.095: IKEv2:Searching Policy with fvrf 0, local address 10.96.22.10
*Sep 2 04:41:43.096: IKEv2-ERROR:No Matching policy with fvrf 0, local addr 10.96.22.10
*Sep 2 04:41:43.096: IKEv2-ERROR:Failed to initiate sa
If the router works as "RESPONDER":
*Sep 2 04:42:27.099: IKEv2:(SESSION ID = 16,SA ID = 1):Verify SA init message
*Sep 2 04:42:27.099: IKEv2:(SESSION ID = 16,SA ID = 1):Insert SA
*Sep 2 04:42:27.100: IKEv2:Searching Policy with fvrf 0, local address 10.96.22.10
*Sep 2 04:42:27.100: IKEv2-ERROR:No Matching policy with fvrf 0, local addr 10.96.22.10
*Sep 2 04:42:27.101: IKEv2-ERROR:(SESSION ID = 16,SA ID = 1):: Failed to locate an item in the database
*Sep 2 04:42:27.101: IKEv2:(SESSION ID = 16,SA ID = 1):Failed SA init exchange
*Sep 2 04:42:27.101: IKEv2-ERROR:(SESSION ID = 16,SA ID = 1):Initial exchange failed: Initial exchange failed
*Sep 2 04:42:27.102: IKEv2:(SESSION ID = 16,SA ID = 1):Abort exchange
*Sep 2 04:42:27.102: IKEv2:(SESSION ID = 16,SA ID = 1):Deleting SA
Conditions
Incomplete IKEv2 Policy configured:
u22-r1#sh run all | sec ikev2 policy
crypto ikev2 policy Test
! Policy Incomplete(MUST have atleast one complete proposal attached)
crypto ikev2 policy default
match fvrf any
proposal default
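An added audit script, not part of the original bug report, that reproduces the two checks a practitioner would run for this condition: it parses `show run all | sec ikev2 policy` output to flag any IKEv2 policy that carries no `proposal` sub-command (or that the router has already annotated as incomplete), and it pulls the `fvrf` and local address out of `IKEv2-ERROR:No Matching policy` debug lines. The sample config and debug text are constructed from the lines on this page; function names are the author's own choice.

```python
import re

# Constructed sample of `show run all | sec ikev2 policy` output, modelled on
# the Conditions section above (indentation restored, policy names from the page).
SAMPLE_CONFIG = """\
crypto ikev2 policy Test
 ! Policy Incomplete(MUST have atleast one complete proposal attached)
crypto ikev2 policy default
 match fvrf any
 proposal default
"""

# Constructed debug lines, modelled on the Symptom section above.
SAMPLE_DEBUG = """\
*Sep 2 04:41:43.095: IKEv2:Searching Policy with fvrf 0, local address 10.96.22.10
*Sep 2 04:41:43.096: IKEv2-ERROR:No Matching policy with fvrf 0, local addr 10.96.22.10
*Sep 2 04:41:43.096: IKEv2-ERROR:Failed to initiate sa
"""

POLICY_RE = re.compile(r"^crypto ikev2 policy (\S+)$")
NO_POLICY_RE = re.compile(
    r"IKEv2-ERROR:No Matching policy with fvrf (\d+), local addr (\S+)")


def parse_ikev2_policies(text):
    """Map each policy name to its sub-command lines (router comments kept)."""
    policies, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            current = m.group(1)
            policies[current] = []
        elif current is not None and line:
            policies[current].append(line)
    return policies


def incomplete_policies(text):
    """Names of policies with no `proposal` sub-command, or that the router
    itself annotated as incomplete. Any such policy triggers the
    'No Matching policy' failure instead of falling back to the default."""
    bad = []
    for name, lines in parse_ikev2_policies(text).items():
        has_proposal = any(l.startswith("proposal ") for l in lines)
        flagged = any(l.startswith("!") and "Incomplete" in l for l in lines)
        if not has_proposal or flagged:
            bad.append(name)
    return sorted(bad)


def policy_lookup_failures(log_text):
    """(fvrf, local address) pairs for every failed policy lookup in a debug."""
    return [m.groups() for m in map(NO_POLICY_RE.search, log_text.splitlines()) if m]
```

Running `incomplete_policies` over a live config before enabling the tunnel shows which policy to complete or remove; `policy_lookup_failures` over `debug crypto ikev2` output confirms the symptom on a router that is already failing.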
Workaround
> Configure a complete IKEv2 Policy (attach at least one complete proposal), or
> Remove the incomplete IKEv2 Policy so that the default one is used
Further Problem Description
We have seen that if an incomplete IKEv2 Proposal is configured, the router falls back to the default proposal with no issues. We would like the IKEv2 Policy to fall back to the default policy in the same way.