Symptom
- An IOS-XE router fails an IKEv2 phase 2 rekey when the router and/or its peer is behind a NAT/PAT device.
- On receiving the CREATE_CHILD_SA exchange carrying the TSi, TSr, Nonce, and SA payloads, it logs the following messages:
*Jan 5 22:40:36.002: IKEv2:(SESSION ID = 73,SA ID = 1):Validating create child message
*Jan 5 22:40:36.002: IKEv2-INTERNAL:(SESSION ID = 73,SA ID = 1):SM Trace-> SA: I_SPI=BC35C337F8344C7D R_SPI=3948A7C86A2C9F6B (I) MsgID = 8 CurState: CHILD_I_PROC Event: EV_PROC_MSG
*Jan 5 22:40:36.002: IKEv2:(SESSION ID = 73,SA ID = 1):Processing CREATE_CHILD_SA exchange
*Jan 5 22:40:36.002: IKEv2-INTERNAL:(SESSION ID = 73,SA ID = 1):Failed to verify the proposed policies
*Jan 5 22:40:36.002: IKEv2-ERROR:(SESSION ID = 73,SA ID = 1):: There was no IPSEC policy found for received TS
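An added detection example (not from the bug report or from Cisco): a Python scan of collected IOS-XE IKEv2 debug output that flags the rekey failure signature above per session, so affected tunnels can be found in logs rather than by eye. The line format and message texts are those quoted in the symptom; the session 74 lines and the %SYS line in the sample are constructed.

```python
import re

# Matches the IOS-XE IKEv2 debug line format quoted in the symptom section:
# "*<timestamp>: <component>:(SESSION ID = n,SA ID = m):<message>"
LINE_RE = re.compile(
    r"^\*(?P<ts>[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d\.\d+): "
    r"(?P<comp>IKEv2(?:-[A-Z]+)?):\(SESSION ID = (?P<sid>\d+),SA ID = (?P<said>\d+)\):+\s*"
    r"(?P<msg>.*)$"
)
REKEY_START = "Processing CREATE_CHILD_SA exchange"
NO_POLICY = "There was no IPSEC policy found for received TS"


def parse_line(line):
    """Return the fields of one IKEv2 debug line as a dict, or None for any other line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_failed_rekeys(lines):
    """Report each (SESSION ID, SA ID) whose CREATE_CHILD_SA processing is followed by the
    'no IPSEC policy found for received TS' error, i.e. the rekey failure signature above."""
    in_rekey = {}   # (sid, said) -> timestamp at which CREATE_CHILD_SA processing began
    findings = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue  # not an IKEv2 debug line (other syslog, blank, truncated)
        key = (rec["sid"], rec["said"])
        if rec["msg"] == REKEY_START:
            in_rekey[key] = rec["ts"]
        elif rec["comp"] == "IKEv2-ERROR" and rec["msg"] == NO_POLICY and key in in_rekey:
            findings.append({"session_id": key[0], "sa_id": key[1],
                             "rekey_started": in_rekey.pop(key), "failed_at": rec["ts"]})
    return findings


# Constructed sample: the five lines from the symptom section (session 73), one unrelated
# syslog line the parser must skip, and a session 74 rekey that is not followed by the error.
SAMPLE_LOG = """\
*Jan 5 22:40:36.002: IKEv2:(SESSION ID = 73,SA ID = 1):Validating create child message
*Jan 5 22:40:36.002: IKEv2-INTERNAL:(SESSION ID = 73,SA ID = 1):SM Trace-> SA: I_SPI=BC35C337F8344C7D R_SPI=3948A7C86A2C9F6B (I) MsgID = 8 CurState: CHILD_I_PROC Event: EV_PROC_MSG
*Jan 5 22:40:36.002: IKEv2:(SESSION ID = 73,SA ID = 1):Processing CREATE_CHILD_SA exchange
*Jan 5 22:40:36.002: IKEv2-INTERNAL:(SESSION ID = 73,SA ID = 1):Failed to verify the proposed policies
*Jan 5 22:40:36.002: IKEv2-ERROR:(SESSION ID = 73,SA ID = 1):: There was no IPSEC policy found for received TS
*Jan 5 22:41:10.417: %SYS-5-CONFIG_I: Configured from console by console
*Jan 5 22:45:02.118: IKEv2:(SESSION ID = 74,SA ID = 1):Processing CREATE_CHILD_SA exchange
"""
```

Run `find_failed_rekeys(SAMPLE_LOG.splitlines())` to get one finding for session 73; point it at `debug crypto ikev2` output captured from a router to check whether a rekey failure matches this signature.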
Conditions
- IOS-XE router running 17.9(1a), 17.9(2a) or 17.10(1a).
- The router and/or its peer is behind a NAT/PAT device.
- IPsec is configured in transport mode.
- The tunnel uses IKEv2.
Workaround
- Downgrade to any 17.8 or earlier release.
- Use IKEv1.