
IKEv2 VTI Site-to-Site VPN between Cisco IOS-XE 16.3.1a and VyOS 1.1.7 not working (IKEv1 working ok)
Closed, Wontfix · Public · BUG

Description

Hello!

I've set up a simple lab to check whether VyOS can do IKEv2 with Cisco devices, and unfortunately it cannot.

The configs below cover both IKEv1 and IKEv2. To switch between IKEv1 and IKEv2 I changed the following:

  1. IOS-XE: interface Tunnel0 tunnel protection ipsec profile {VYOS_V1-IPSEC-PROF|VYOS_V2-IPSEC-PROF}
  2. VyOS: set vpn ipsec ike-group IKEV2-CSR key-exchange {'ikev1'|'ikev2'}

Actual configs are:

  1. Cisco IOS-XE (CSR1000V):

hostname cr1
!
no crypto ikev2 authorization policy default
!
crypto ikev2 proposal AES-CBC_GR24_V2-PROP
encryption aes-cbc-128
integrity sha256
group 24
no crypto ikev2 proposal default
!
crypto ikev2 policy Gi1_V2-POLICY
match address local 10.0.0.1
proposal AES-CBC_GR24_V2-PROP
no crypto ikev2 policy default
!
crypto ikev2 keyring VYOS_V2-KEYRING
peer cr3

description vyos-cr3
address 10.0.0.3
pre-shared-key TSTCISCOVYOSPSK

!
!
crypto ikev2 profile VYOS-IKEv2-PROF
match identity remote address 10.0.0.3 255.255.255.255
identity local address 10.0.0.1
authentication local pre-share
authentication remote pre-share
keyring local VYOS_V2-KEYRING
lifetime 1800
!
crypto ikev2 nat keepalive 5
crypto ikev2 dpd 50 15 periodic
!
crypto isakmp policy 10
encr aes
hash sha256
authentication pre-share
group 24
lifetime 900
crypto isakmp key TSTCISCOVYOSPSK address 10.0.0.3
!
crypto ipsec transform-set AES128_SHA256-TRSET esp-aes esp-sha256-hmac
mode tunnel
crypto ipsec df-bit clear
!
crypto ipsec profile VYOS_V1-IPSEC-PROF
set transform-set AES128_SHA256-TRSET
set pfs group16
!
crypto ipsec profile VYOS_V2-IPSEC-PROF
set transform-set AES128_SHA256-TRSET
set ikev2-profile VYOS-IKEv2-PROF
!
interface Loopback0
ip address 192.168.101.101 255.255.255.255
!
interface Tunnel0
ip address 192.168.101.1 255.255.255.252
tunnel source 10.0.0.1
tunnel mode ipsec ipv4
tunnel destination 10.0.0.3
tunnel protection ipsec profile VYOS_V1-IPSEC-PROF
!
interface GigabitEthernet1
ip address 10.0.0.1 255.255.255.0
negotiation auto
!
ip route 192.168.101.103 255.255.255.255 192.168.101.2

  2. VyOS:

set interfaces ethernet eth0 address '10.0.0.3/24'
set interfaces ethernet eth0 description 'WAN'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 hw-id '00:0c:29:0e:09:29'
set interfaces ethernet eth0 smp_affinity 'auto'
set interfaces ethernet eth0 speed 'auto'
set interfaces loopback lo address '192.168.101.103/32'
set interfaces vti vti0 address '192.168.101.2/30'
set protocols static route 192.168.101.101/32 next-hop '192.168.101.1'
set service ssh port '22'
set system config-management commit-revisions '20'
set system console device ttyS0 speed '9600'
set system host-name 'cr3'
set system login user vyos authentication encrypted-password '$1$81PTTnkN$rJyPsPT6GUKSPKnDqI9aR1'
set system login user vyos authentication plaintext-password ''
set system login user vyos level 'admin'
set system ntp server '0.pool.ntp.org'
set system ntp server '1.pool.ntp.org'
set system ntp server '2.pool.ntp.org'
set system package auto-sync '1'
set system package repository community components 'main'
set system package repository community distribution 'helium'
set system package repository community password ''
set system package repository community url 'http://packages.vyos.net/vyos'
set system package repository community username ''
set system syslog global facility all level 'notice'
set system syslog global facility protocols level 'debug'
set system time-zone 'UTC'
set vpn ipsec esp-group ESP-CSR compression 'disable'
set vpn ipsec esp-group ESP-CSR lifetime '3600'
set vpn ipsec esp-group ESP-CSR mode 'tunnel'
set vpn ipsec esp-group ESP-CSR pfs 'dh-group16'
set vpn ipsec esp-group ESP-CSR proposal 1 encryption 'aes128'
set vpn ipsec esp-group ESP-CSR proposal 1 hash 'sha256'
set vpn ipsec ike-group IKEV2-CSR dead-peer-detection action 'clear'
set vpn ipsec ike-group IKEV2-CSR dead-peer-detection interval '15'
set vpn ipsec ike-group IKEV2-CSR dead-peer-detection timeout '50'
set vpn ipsec ike-group IKEV2-CSR ikev2-reauth 'no'
set vpn ipsec ike-group IKEV2-CSR key-exchange 'ikev1'
set vpn ipsec ike-group IKEV2-CSR lifetime '1800'
set vpn ipsec ike-group IKEV2-CSR proposal 1 dh-group '24'
set vpn ipsec ike-group IKEV2-CSR proposal 1 encryption 'aes128'
set vpn ipsec ike-group IKEV2-CSR proposal 1 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec logging log-modes 'all'
set vpn ipsec site-to-site peer 10.0.0.1 authentication id '10.0.0.3'
set vpn ipsec site-to-site peer 10.0.0.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 10.0.0.1 authentication pre-shared-secret 'TSTCISCOVYOSPSK'
set vpn ipsec site-to-site peer 10.0.0.1 authentication remote-id '10.0.0.1'
set vpn ipsec site-to-site peer 10.0.0.1 connection-type 'initiate'
set vpn ipsec site-to-site peer 10.0.0.1 default-esp-group 'ESP-CSR'
set vpn ipsec site-to-site peer 10.0.0.1 ike-group 'IKEV2-CSR'
set vpn ipsec site-to-site peer 10.0.0.1 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 10.0.0.1 local-address '10.0.0.3'
set vpn ipsec site-to-site peer 10.0.0.1 vti bind 'vti0'
set vpn ipsec site-to-site peer 10.0.0.1 vti esp-group 'ESP-CSR'

With IKEv1 everything works like a charm; reachability over Tunnel0/vti0 is ok (between 192.168.101.101 and 192.168.101.103). When I switch to IKEv2 (with 'restart vpn' on the VyOS side), IKEv2 completes and IOS-XE sees Tunnel0 up/up, but there are no encaps/decaps packets in 'show crypto ipsec sa' and ICMP from 192.168.101.1 to 192.168.101.2 times out (see attachment {F22942}).

The debug output from the VyOS side is in the attachment. Interestingly, the debug shows IKEv2 as disabled on the VyOS side, along with some other IKE errors. I've noticed that VyOS uses strongSwan for IPsec, and around 6-7 months ago I managed to successfully implement IKEv2 between IOS-XE and strongSwan on Debian, so VyOS should be capable of doing that too.

Details

Difficulty level
Normal (likely a few hours)
Version
Vyos 1.1.7
Why the issue appeared?
Will be filled on close

Event Timeline

syncer triaged this task as Low priority.Oct 8 2017, 1:43 PM
syncer added a subscriber: syncer.

I would advise trying the latest rolling release from here:
dev.packages.vyos.net/iso/current/amd64/

1.1.7 has limited support for IKEv2 and this is not going to change.

syncer claimed this task.

We will not address this in 1.1.x.
Please retest on 1.2 and reopen this ticket or create a new one.