Hi Guys,
We have some trouble here with an IPSec tunnel that doesn't work.
In the IKE logs we can see the following, which reports a CA-CFG negotiation error but does not indicate which specific one it is:
[Sep 24 12:04:51 PIC 1/8/0 KMD1]ikev2_packet_allocate: Allocated packet 1242800 from freelist
[Sep 24 12:04:52 PIC 1/8/0 KMD1]ikev2_packet_allocate: Allocated packet 124f800 from freelist
[Sep 24 12:04:52 PIC 1/8/0 KMD1]ikev2_decode_packet: [124f800/11e1c00] Setting ed pkt ctx from VR id 65535 to VR id 0)
[Sep 24 12:04:52 PIC 1/8/0 KMD1]ikev2_decode_packet: [124f800/11e1c00] Received packet: HDR, SA, KE, Nonce, Vid
[Sep 24 12:04:52 PIC 1/8/0 KMD1]ikev2_packet_allocate: Allocated packet 124f400 from freelist
[Sep 24 12:04:52 PIC 1/8/0 KMD1]ssh_policy_get_certificate_authority_recv_ipc context <011f46c0>.
[Sep 24 12:04:52 PIC 1/8/0 KMD1]got cert authority 1 callback<00a39934>.
[Sep 24 12:04:52 PIC 1/8/0 KMD1]got cert authority 1 callback<00a39934>.
[Sep 24 12:04:52 PIC 1/8/0 KMD1]ikev2_packet_allocate: Allocated packet 1252000 from freelist
[Sep 24 12:04:52 PIC 1/8/0 KMD1]Received Unauthenticated notification payload Initial contact from local:10.28.97.44 remote:10.0.3.10 IKEv2 for P1 SA 2155594065
[Sep 24 12:04:52 PIC 1/8/0 KMD1]Received Unauthenticated notification payload Set window size from local:10.28.97.44 remote:10.0.3.10 IKEv2 for P1 SA 2155594065
[Sep 24 12:04:52 PIC 1/8/0 KMD1]Received Unauthenticated notification payload ESP TFC padding not supported from local:10.28.97.44 remote:10.0.3.10 IKEv2 for P1 SA 2155594065
[Sep 24 12:04:52 PIC 1/8/0 KMD1]ikev2_decode_packet: [1252000/11e1c00] Received packet: HDR, N(INITIAL_CONTACT), N(SET_WINDOW_SIZE), N(ESP_TFC_PADDING_NOT_SUPPORTED), IDi, IDr, CERT, CERT, CERT, CERTREQ, AUTH, SA, TSi, TSr
[Sep 24 12:04:52 PIC 1/8/0 KMD1]ssh_policy_find_public_key_recv_ipc found 0, len<902> 1st<30> last<8e>.
[Sep 24 12:04:52 PIC 1/8/0 KMD1]ssh_cm_cert_set_ber: Set certificate in ber.
[Sep 24 12:04:52 PIC 1/8/0 KMD1]Added (spi=0x854c56f8, protocol=0) entry to the spi table
[Sep 24 12:04:52 PIC 1/8/0 KMD1]ikev2_packet_allocate: Allocated packet 1247800 from freelist
[Sep 24 12:04:53 PIC 1/8/0 KMD1]ikev2_reply_cb_get_certs: [1247800/11e1c00] Error: Get certs failed: 65539
[Sep 24 12:04:53 PIC 1/8/0 KMD1]ikev2_state_error: [1247800/11e1c00] Negotiation failed because of error Crypto operation failed (65539)
[Sep 24 12:04:53 PIC 1/8/0 KMD1]IKE negotiation fail for local:10.28.97.44, remote:10.0.3.10 IKEv2 with status: Crypto operation failed
[Sep 24 12:04:53 PIC 1/8/0 KMD1]IPSec negotiation failed for SA-CFG hua_PY26T for local:10.28.97.44, remote:10.0.3.10 IKEv2. status: Crypto operation failed
[Sep 24 12:04:53 PIC 1/8/0 KMD1] P2 ed info: flags 0x0, P2 error: Error ok
[Sep 24 12:04:53 PIC 1/8/0 KMD1]IKE SA delete called for p1 sa 2155594065 (ref cnt 1) local:10.28.97.44, remote:10.0.3.10, IKEv2
[Sep 24 12:04:53 PIC 1/8/0 KMD1]iked_pm_p1_sa_destroy: p1 sa 2155594065 (ref cnt 0), waiting_for_del 0x0
[Sep 24 11:30:07 PIC 2/8/0 KMD1]Failed to find P1-SA for cookie SPI-I 161acfa5 a05b49e9 SPI-R 00000000 00000000 while processing phase 1 delete HA blob
[Sep 24 12:04:57 PIC 1/2/0 KMD1]Skip DPD probe for remote peer 10.0.4.6. Still waiting for reply
[Sep 24 12:04:57 PIC 1/1/1 KMD1]Skip DPD probe for remote peer 10.0.3.7. Still waiting for reply
[Sep 24 12:04:55 PIC 1/8/0 KMD1]Skip DPD probe for remote peer 10.0.3.10. Still waiting for reply
[Sep 24 12:04:59 PIC 1/8/0 KMD1]ikev2_packet_allocate: Allocated packet 1246800 from freelist
Any ideas?
Thanks
Cristian