cisco ikev2 error address type not supported

All but the headers of all the messages that follow are encrypted and authenticated. I followed the guide and created the IPSEC interface on the service side instead of VPN0, unfortunately I'm getting a IKEv2 failure: IKEv2:% Getting preshared key from profile keyring if-ipsec1-ikev2-keyringIKEv2:% Matched peer block 'if-ipsec1-ikev2-keyring-peer'IKEv2:(SESSION ID = 0,SA ID = 0):Searching Policy with fvrf 0, local address X.X.X.XIKEv2:(SESSION ID = 0,SA ID = 0):Found Policy 'policy1-global'IKEv2-ERROR:Address type 1622425149 not supported. Working output: #show crypto ikev2 profile IKEv2 profile: default Ref Count: 4 Match criteria: Fvrf: global Local address/interface: none Identities: none Certificate maps: mymap Local identity: none <----- Remote identity: none Conditions: FlexVPN No local identity configured, relaying on global default. description Cisco AnyConnect IKEv2 ip unnumbered GigabitEthernet0/0 tunnel mode ipsec ipv4 tunnel protection ipsec profile staff Take a break, you have now completed the main config on the router, and its time to move onto configuration relating to the client. These debug commands are used in this document: *Nov 11 20:28:34.003: IKEv2:Got a packet from dispatcher *Nov 11 20:28:34.003: IKEv2: Processing an item off the pak queue *Nov 11 19:30:34.811: IKEv2:% Getting preshared key by address 10.0.0.2 *Nov 11 19:30:34.811: IKEv2:Adding Proposal PHASE1-prop to toolkit policyle *Nov 11 19:30:34.811: IKEv2:(1): Choosing IKE profile IKEV2-SETUP *Nov 11 19:30:34.811: IKEv2:New ikev2 sa request admitted *Nov 11 19:30:34.811: IKEv2:Incrementing outgoing negotiating sa count by one. The address range specifies that all traffic to and from that range is tunneled. tanyatamir53355. You can use IKEv2 as a virtual private network (VPN) tunneling protocol that supports automatic VPN reconnection. #address 10.0.0.2. Initiates SA creation, *Nov 11 19:30:34.811: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=F074D8BBD5A59F0B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA. The mode determines the type and number of message exchanges that occur in this phase. The first CHILD_SA is created for the proxy_ID pair that matches the trigger packet. crypto ikev2 authorization policy FlexVPN, encryption 3des aes-cbc-128 aes-cbc-192 aes-cbc-256, crypto ipsec transform-set ESP-GCM esp-gcm, crypto ipsec transform-set AES-CBC esp-aes 256 esp-sha256-hmac, crypto ipsec transform-set AES-CBC1 esp-aes esp-sha-hmac, crypto ipsec transform-set AES-CBC2 esp-3des esp-sha-hmac, set transform-set AES-CBC AES-CBC1 AES-CBC2 ESP-GCM, ip local pool FlexVPN 10.7.1.231 10.7.1.239. I'll log a TAC case next. Let me ask you something - what format do you enter user/domain information in the client? All rights reserved. All of the devices used in this document started with a cleared (default) configuration. Remote Access IKEv2 Auth exchange failed - Cisco Components Used The information in this document is based on these software and hardware versions: Internet Key Exchange Version 2 (IKEv2) Help would really be appreciated. IKEv2-ERROR:Address type 1622425149 not supported My assumption is that although the IPSEC is created on the service side, by sourcing the tunnel from the interface with a public IP address in VPN0, the cEdge would VRF jump to VPN0. How to configure a Cisco IOS router for IKEv2 and AnyConnect with - IFM Hi, can you please post the config that solved your problem. encryption failure: Ike version: ikev2 not support - Check Point 01:52 PM Consult your VPN device vendor specifications to verify that . No action taken. Router1 verifies and processes the response: (1) The initiator DH secret key is computed, and (2) the initiator skeyid is also generated. This section lists the configurations used in this document. Components Used The information in this document is based on these software and hardware versions: Internet Key Exchange Version 2 (IKEv2) Cisco IOS 15.1 (1)T or later Relevant Configuration:crypto ipsec transform-set TS esp-3des esp-sha-hmac crypto ipsec profile phse2-prof set transform-set TS set ikev2-profile IKEV2-SETUP, *Nov 11 19:30:34.831: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=F074D8BBD5A59F0B R_SPI=F94020DD8CB4B9C4 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event:EV_GEN_AUTH *Nov 11 19:30:34.831: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=F074D8BBD5A59F0B R_SPI=F94020DD8CB4B9C4 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_AUTH_TYPE *Nov 11 19:30:34.831: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=F074D8BBD5A59F0B R_SPI=F94020DD8CB4B9C4 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_OK_AUTH_GEN *Nov 11 19:30:34.831: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=F074D8BBD5A59F0B R_SPI=F94020DD8CB4B9C4 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_SEND_AUTH *Nov 11 19:30:34.831: IKEv2:Construct Vendor Specific Payload: CISCO-GRANITE *Nov 11 19:30:34.831: IKEv2:Construct Notify Payload: INITIAL_CONTACT *Nov 11 19:30:34.831: IKEv2:Construct Notify Payload: SET_WINDOW_SIZE *Nov 11 19:30:34.831: IKEv2:Construct Notify Payload: ESP_TFC_NO_SUPPORT *Nov 11 19:30:34.831: IKEv2:Construct Notify Payload: NON_FIRST_FRAGS Payload contents: VID Next payload: IDi, reserved: 0x0, length: 20 IDiNext payload: AUTH, reserved: 0x0, length: 12 Id type: IPv4 address, Reserved: 0x0 0x0 AUTHNext payload: CFG, reserved: 0x0, length: 28 Auth method PSK, reserved: 0x0, reserved 0x0 CFGNext payload: SA, reserved: 0x0, length: 309 cfg type: CFG_REQUEST, reserved: 0x0, reserved: 0x0, *Nov 11 19:30:34.831: SA Next payload:TSi, reserved: 0x0, length: 40 last proposal: 0x0, reserved: 0x0, length: 36 Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3 last transform: 0x3, reserved: 0x0: length: 8 type: 1, reserved: 0x0, id: 3DES last transform: 0x3, reserved: 0x0: length: 8 type: 3, reserved: 0x0, id: SHA96 last transform: 0x0, reserved: 0x0: length: 8 type: 5, reserved: 0x0, id: Don't use ESN TSiNext payload: TSr, reserved: 0x0, length: 24 Num of TSs: 1, reserved 0x0, reserved 0x0 TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16 start port: 0, end port: 65535 start addr: 0.0.0.0, end addr: 255.255.255.255 TSrNext payload: NOTIFY, reserved: 0x0, length: 24 Num of TSs: 1, reserved 0x0, reserved 0x0 TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16 start port: 0, end port: 65535 start addr: 0.0.0.0, end addr: 255.255.255.255, NOTIFY(INITIAL_CONTACT) Next payload: NOTIFY, reserved: 0x0, length: 8 Security protocol id: IKE, spi size: 0, type: INITIAL_CONTACT NOTIFY(SET_WINDOW_SIZE) Next payload: NOTIFY, reserved: 0x0, length: 12 Security protocol id: IKE, spi size: 0, type: SET_WINDOW_SIZE NOTIFY(ESP_TFC_NO_SUPPORT) Next payload: NOTIFY, reserved: 0x0, length: 8 Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT NOTIFY(NON_FIRST_FRAGS) Next payload: NONE, reserved: 0x0, length: 8 Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS *Nov 11 19:30:34.832: IKEv2:(SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type:IKE_AUTH, flags:INITIATORMessage id: 1, length: 556 Payload contents: ENCR Next payload: VID, reserved: 0x0, length: 528 *Nov 11 19:30:34.833: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=F074D8BBD5A59F0B R_SPI=F94020DD8CB4B9C4 (I) MsgID = 00000001CurState: I_WAIT_AUTHEvent: EV_NO_EVENT, *Nov 11 19:30:34.832: IKEv2:Got a packet from dispatcher *Nov 11 19:30:34.832: IKEv2:Processing an item off the pak queue *Nov 11 19:30:34.832: IKEv2:(SA ID = 1):Request has mess_id 1; expected 1 through 1 *Nov 11 19:30:34.832:IKEv2:(SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type:IKE_AUTH, flags:INITIATORMessage id: 1, length: 556 Payload contents: *Nov 11 19:30:34.832: IKEv2:Parse Vendor Specific Payload: (CUSTOM) VID Next payload: IDi, reserved: 0x0, length: 20 IDiNext payload: AUTH, reserved: 0x0, length: 12 Id type: IPv4 address, Reserved: 0x0 0x0 AUTH Next payload: CFG, reserved: 0x0, length: 28 Auth method PSK, reserved: 0x0, reserved 0x0 CFG Next payload: SA, reserved: 0x0, length: 309 cfg type: CFG_REQUEST, reserved: 0x0, reserved: 0x0 *Nov 11 19:30:34.832: attrib type: internal IP4 DNS, length: 0 *Nov 11 19:30:34.832: attrib type: internal IP4 DNS, length: 0 *Nov 11 19:30:34.832: attrib type: internal IP4 NBNS, length: 0 *Nov 11 19:30:34.832: attrib type: internal IP4 NBNS, length: 0 *Nov 11 19:30:34.832: attrib type: internal IP4 subnet, length: 0 *Nov 11 19:30:34.832: attrib type: application version, length: 257 attrib type: Unknown - 28675, length: 0 *Nov 11 19:30:34.832: attrib type: Unknown - 28672, length: 0 *Nov 11 19:30:34.832: attrib type: Unknown - 28692, length: 0 *Nov 11 19:30:34.832: attrib type: Unknown - 28681, length: 0 *Nov 11 19:30:34.832: attrib type: Unknown - 28674, length: 0 *Nov 11 19:30:34.832:SANext payload: TSi, reserved: 0x0, length: 40 last proposal: 0x0, reserved: 0x0, length: 36 Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3 last transform: 0x3, reserved: 0x0: length: 8 type: 1, reserved: 0x0, id: 3DES last transform: 0x3, reserved: 0x0: length: 8 type: 3, reserved: 0x0, id: SHA96 last transform: 0x0, reserved: 0x0: length: 8 type: 5, reserved: 0x0, id: Don't use ESN TSiNext payload: TSr, reserved: 0x0, length: 24 Num of TSs: 1, reserved 0x0, reserved 0x0 TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16 start port: 0, end port: 65535 start addr: 0.0.0.0, end addr: 255.255.255.255 TSr Next payload: NOTIFY, reserved: 0x0, length: 24 Num of TSs: 1, reserved 0x0, reserved 0x0 TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16 start port: 0, end port: 65535 start addr: 0.0.0.0, end addr: 255.255.255.255. Find answers to your questions by entering keywords or phrases in the Search bar above. As far as I'm aware that feature is not supported on cEdge platforms, you can only use IPsec tunnels on the Service Side VPN. Local Type = 0. "You can create the IPsec tunnel in the transport VPN (VPN 0) and in any service VPN (VPN 1 through 65530, except for 512). If this CREATE_CHILD_SA exchange is not rekeying an existing SA, the N payload must be omitted. Hi, made some more tests and my problem is the following, IPSec tunnel can be established if remote end is configured without any specific encryption domains for the communication and with a transport network within the tunnel (for routing purpose - like in GRE Tunnel). This does present a bit of a problem for inteligent traffic steering. Router 2 builds the responder message for IKE_SA_INIT exchange, which is received by ASA1. I also had to mention the same ACL in the local policy for this to work. This module describes the Internet Key Exchange Version 2 (IKEv2) protocol. Tunnel is up on the Initiator and the status shows. This is the CREATE_CHILD_SA request. They contain the source and destination address of the initiator and responder respectively for forwarding/receiving encrypted traffic. Select the " Show Advanced Settings " option on the top left and make sure the enable box is checked. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Nonce Ni (optional): If the CHILD_SA is created as part of the initial exchange, a second KE payload and nonce must not be sent), KEi (Key-optional): The CREATE_CHILD_SA request might optionally contain a KE payload for an additional DH exchange to enable stronger guarantees of forward secrecy for the CHILD_SA. Local Address = 0.0.0.0. ASA IKEv2 Debugs for Remote Access VPN Troubleshooting - Cisco Cisco ASA5516 9.8 (2) IKEv2 negotiation aborted due unsupported Communication over the IPSec Tunnel should be done via VPN1. Customers Also Viewed These Support Documents, Branch router, ISR4451-X, version 16.12.1b. The keys used for the encryption and integrity protection are derived from SKEYID and are known as: SK_e (encryption), SK_a (authentication), SK_d is derived and used for derivation of further keying material for CHILD_SAs, and a separate SK_e and SK_a is computed for each direction. The connection uses a custom IPsec/IKE policy with the UsePolicyBasedTrafficSelectors option, as described in this article.. At the moment,you can use service side ipsec in cedge. First pair of messages is the IKE_SA_INIT exchange. 03-12-2019 I think i have the problem with the Source Interface (i receive"IKEv2-ERROR:Address type not supported" in log). I had the same Firebox and RADIUS server working for IPSec MUVPN, but not for IKEv2. Responder verifies and processes the IKE_INIT message: (1) Chooses crypto suite from those offered by the initiator, (2) computes its own DH secret key, and (3) it computes a skeyid value, from which all keys can be derived for this IKE_SA. The vulnerability is due to incorrect handling of crafted IKEv2 SA-Init packets. Doesn't work for me. The Notify Payload, is used to transmit informational data, such as error conditions and state transitions, to an IKE peer. 189067: *Aug 8 14:01:22.433 Chicago: IKEv2:Config data recieved: 189068: *Aug 8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Config-type: Config-request, 189069: *Aug 8 14:01:22.433 Chicago: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req, 189070: *Aug 8 14:01:22.433 Chicago: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req, 189071: *Aug 8 14:01:22.433 Chicago: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req, 189072: *Aug 8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Error in settig received config mode data, 189073: *Aug 8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Auth exchange failed, 189074: *Aug 8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):: Auth exchange failed, 189075: *Aug 8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Abort exchange, 189076: *Aug 8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Deleting SA, 189077: *Aug 8 14:01:25.429 Chicago: IKEv2:Couldn't find matching SA: Detected an invalid IKE SPI, 189078: *Aug 8 14:01:25.429 Chicago: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 2.2.2.2:4500/To 1.1.1.1:4500/VRF i0:f0], 189079: *Aug 8 14:01:25.429 Chicago: IKEv2:: A supplied parameter is incorrect, 189080: *Aug 8 14:01:28.429 Chicago: IKEv2:Couldn't find matching SA: Detected an invalid IKE SPI, 189081: *Aug 8 14:01:28.429 Chicago: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 2.2.2.2:4500/To 1.1.1.1:4500/VRF i0:f0], 189082: *Aug 8 14:01:28.429 Chicago: IKEv2:: A supplied parameter is incorrect, 189083: *Aug 8 14:01:31.433 Chicago: IKEv2:Couldn't find matching SA: Detected an invalid IKE SPI, 189084: *Aug 8 14:01:31.433 Chicago: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 2.2.2.2:4500/To 1.1.1.1:4500/VRF i0:f0], 189085: *Aug 8 14:01:31.433 Chicago: IKEv2:: A supplied parameter is incorrect. Accepted Solutions. Looks like its working after I added the ACL to the outside interface. Find answers to your questions by entering keywords or phrases in the Search bar above. My assumption is that although the IPSEC is created on the service side, by sourcing the tunnel from the interface with a public IP address in VPN0, the cEdge would VRF jump to VPN0. Any luck getting this to work? Failed to remove peer correlation entry from cikePeerCorrTable. Click the Add button to insert a new VPN rule. It's in roadmap. If this CREATE_CHILD_SA exchange is not rekeying an existing SA, the N payload MUST be omitted. IKEv2 Problems WatchGuard Community In addition, this document provides information on how to translate certain debug lines in a configuration. If the SA offers include different DH groups, KEi must be an element of the group the initiator expects the responder to accept. Router 2 receives and verifies the authentication data received from Router 1. : crypto ikev2 profile default . Cisco recommends that you have knowledge of the packet exchange for IKEv2. Initiator receives response from Responder. The link you shared is for a vEdge setup, the one I've found is for cEdge 16.12.x. Cisco Community Technology and Support Security VPN Remote Access IKEv2 Auth exchange failed 33016 5 2 Remote Access IKEv2 Auth exchange failed Go to solution mustafa.chapal Beginner 08-08-2018 01:52 PM - edited 03-12-2019 05:29 AM Hi, I'd be interested to hear if you have the same issue? This exchange consists of a single request/response pair and was referred to as a phase 2 exchange in IKEv1. Router 1 initiates the CHILD_SA exchange. if my config was wrong then tunnel shouldn't come up when Cisco ASA sending traffic. ", https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/Security/Security-Book/security-book_chapter_01.html?bookSearch=true#c_Configuring_IKE_Enabled_IPsec_Tunnels_12216.xml. IKEv2 is the supporting protocol for IP Security Protocol (IPsec) and is used for performing mutual authentication and establishing and maintaining security associations (SAs). Options. N(Notify payload-optional). Cisco recommends that you have knowledge of the packet exchange for IKEv2. Solved: IKEv2-ERROR:: Packet is a retransmission - Cisco This is not a bug, even though the behavior is described in Cisco bug IDCSCug67056. Create an ACL in Policies > Local Policy > Access Control ListsPermit port 500I also have the Default Action as Accept in my POC.Copy the ACL name (CTRL C) youll need it for the next step. This is reposted from the Networking Academy area since there were no replies. The CLI based workaround for it (on cEdge). 189035: *Aug 8 14:01:22.161 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation), AES-CBC SHA256 SHA256 DH_GROUP_2048_MODP/Group 14, 189036: *Aug 8 14:01:22.161 Chicago: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s), 189037: *Aug 8 14:01:22.161 Chicago: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'TP-self-signed-653483565', 189038: *Aug 8 14:01:22.161 Chicago: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints, 189039: *Aug 8 14:01:22.161 Chicago: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints FAILED, 189040: *Aug 8 14:01:22.161 Chicago: IKEv2:Failed to retrieve Certificate Issuer list, 189041: *Aug 8 14:01:22.161 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Sending Packet [To 2.2.2.2:500/From 1.1.1.1:500/VRF i0:f0], Initiator SPI : 8A15E970577C6140 - Responder SPI : 0550071FA9DFE718 Message id: 0, SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP), 189042: *Aug 8 14:01:22.161 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Completed SA init exchange, 189043: *Aug 8 14:01:22.161 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Starting timer (30 sec) to wait for auth message, 189044: *Aug 8 14:01:22.429 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Received Packet [From 2.2.2.2:4500/To 1.1.1.1:500/VRF i0:f0], Initiator SPI : 8A15E970577C6140 - Responder SPI : 0550071FA9DFE718 Message id: 1, IDi NOTIFY(INITIAL_CONTACT) NOTIFY(Unknown - 16396) IDr AUTH CFG NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS) SA TSi TSr, 189045: *Aug 8 14:01:22.429 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Stopping timer to wait for auth message, 189046: *Aug 8 14:01:22.429 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Checking NAT discovery, 189047: *Aug 8 14:01:22.429 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):NAT OUTSIDE found, 189048: *Aug 8 14:01:22.429 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):NAT detected float to init port 4500, resp port 4500, 189049: *Aug 8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Searching policy based on peer's identity '10.5.1.70' of type 'IPv4 address', 189050: *Aug 8 14:01:22.433 Chicago: IKEv2:found matching IKEv2 profile 'FlexVPN', 189051: *Aug 8 14:01:22.433 Chicago: IKEv2:% Getting preshared key from profile keyring keys, 189052: *Aug 8 14:01:22.433 Chicago: IKEv2:% Matched peer block 'DYNAMIC', 189053: *Aug 8 14:01:22.433 Chicago: IKEv2:Searching Policy with fvrf 0, local address 1.1.1.1, 189054: *Aug 8 14:01:22.433 Chicago: IKEv2:Found Policy 'ikev2policy', 189055: *Aug 8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Verify peer's policy, 189056: *Aug 8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Peer's policy verified, 189057: *Aug 8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Get peer's authentication method, 189058: *Aug 8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Peer's authentication method is 'PSK', 189059: *Aug 8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Get peer's preshared key for 10.5.1.70, 189060: *Aug 8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Verify peer's authentication data, 189061: *Aug 8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Use preshared key for id 10.5.1.70, key len 7, 189062: *Aug 8 14:01:22.433 Chicago: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data, 189063: *Aug 8 14:01:22.433 Chicago: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED, 189064: *Aug 8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Verification of peer's authenctication data PASSED, 189065: *Aug 8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Processing INITIAL_CONTACT, 189066: *Aug 8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Received valid config mode data. The IKE_AUTH packet contains: ISAKMP Header(SPI/ version/flags), IDi(initiator's identity), AUTH payload, SAi2(initiates the SA-similar to the phase 2 transform set exchange in IKEv1), and TSi and TSr (Initiator and Responder Traffic selectors): They contain the source and destination address of the initiator and responder respectively for forwarding/receiving encrypted traffic. Update: This was a version error, using wrong version of anyconnect, this has now been resolved.