I’ve gotten IKEV2 running between a WR21 and a Cisco using asymmetric pre-shared-keys but the Digi event log is filling up with this kind of stuff:
19:23:23, 09 Oct 2020,(508) IKEv2 Negotiation completed pe,Responder
19:23:23, 09 Oct 2020,(508) New IKEv2 Negotiation peer A.B.C.D,Responder (Info)
19:22:23, 09 Oct 2020,(508) IKEv2 Negotiation completed pe,Responder
19:22:23, 09 Oct 2020,(508) New IKEv2 Negotiation peer A.B.C.D,Responder (Info)
19:21:23, 09 Oct 2020,(508) IKEv2 Negotiation completed pe,Responder
19:21:23, 09 Oct 2020,(508) New IKEv2 Negotiation peer A.B.C.D,Responder (Info)
19:21:23, 09 Oct 2020,Event delay,Logger busy
19:20:23, 09 Oct 2020,(508) IKEv2 Negotiation completed pe,Responder
19:20:23, 09 Oct 2020,(508) New IKEv2 Negotiation peer A.B.C.D,Responder (Info)
19:19:23, 09 Oct 2020,(508) IKEv2 Negotiation completed pe,Responder
19:19:23, 09 Oct 2020,(508) New IKEv2 Negotiation peer A.B.C.D,Responder (Info)
19:18:22, 09 Oct 2020,(508) IKEv2 Negotiation completed pe,Responder
19:18:22, 09 Oct 2020,(508) New IKEv2 Negotiation peer A.B.C.D,Responder (Info)
In order to analyze this behavior we would need to check the router configuration and possibly also the Cisco as it seems the WR is responder in this case.
The best would be if you can send us an email at tech.support@digi.com with all details (IMEI, debug file) so we can create a case to further investigate.
Please also check Digi Support Level options: https://www.digi.com/support. VPN troubleshooting requires an Expert Support contract in place (we can do just an initial sanity check on the configuration under Base level).
We’re going to update the IOS on the Cisco before we pursue this at the tech-support level.
Its worth noting that that I saw exactly the same behavior using IKEV1 as I’m seeing with IKEv2, the debugs were of course slightly different but the behavior was the same, a refusal for the actual tunnels to come up.
The odd thing is that I have Digis that have been running for DECADES on IKEV1 to Cisco on IOS 15.4 on 1841, ASR1000s, 1900 etc…and they just work. This is the first time I’ve working on a ISR4431 on IOS 16.8.1 so I’m suspicious of that.
I will come back to you on this after we update.
Also, we see this ONLY using GPRS, not using the local ADSL lines. It never screws up the negotiation on ADSL, only on GPRS…about 10% of the time.