I am trying to set up an IPsec VPN tunnel between an XR60 and a Cisco ASA. I have this same setup working between AirLink MP70 routers and the same ASA. I am able to establish the VPN connection, but not all networks will connect. When I enable “Multiple SA’s for IKEv2” the VPN will connect and shows connected on the router (with a single Child network), and the ASA shows the VPN is connected. The router VPN Tunnel has the Status “Partially Connected. Some Child SA’s failed”. The Cisco ASA log has an error “IKEv2 Negotiation aborted due to ERROR: The peer’s KE payload contained the wrong DH group” for the networks that fail to connect. The DH is set to dh14 on the router and ASA.
The XR60 has these entries in the log:
Jan 12 19:08:33 info charon: 09[IKE] peer didn’t accept DH group MODP_2048, it requested KE_NONE
Jan 12 19:08:33 info charon: 16[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
Jan 12 19:08:33 info charon: 16[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
Jan 12 19:08:33 info charon: 16[IKE] no acceptable proposal found
Jan 12 19:08:33 info charon: 16[IKE] failed to establish CHILD_SA, keeping IKE_SA
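An added example, not part of the original post, that parses the charon "received proposals" / "configured proposals" lines quoted above and reports which transform the peer left out, so the DH-group (PFS) mismatch behind "no acceptable proposal found" is visible at a glance. The sample log is constructed from the post's lines; the helper names and the generalization to several comma-separated proposals are assumptions.

```python
"""Diagnose IKEv2 CHILD_SA proposal mismatches from strongSwan (charon) log lines."""
import re

# Constructed sample, copied from the post's log excerpt (thread ids/timestamps illustrative).
SAMPLE_LOG = """\
Jan 12 19:08:33 info charon: 09[IKE] peer didn't accept DH group MODP_2048, it requested KE_NONE
Jan 12 19:08:33 info charon: 16[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
Jan 12 19:08:33 info charon: 16[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
Jan 12 19:08:33 info charon: 16[IKE] no acceptable proposal found
"""

# charon prints one or more proposals separated by ", " after the colon.
PROPOSAL_RE = re.compile(r"\[CFG\] (received|configured) proposals: (.+)$")
# strongSwan DH group names: MODP_* (finite field), ECP_*/CURVE_* (elliptic curve).
DH_PREFIXES = ("MODP_", "ECP_", "CURVE_")


def parse_proposals(log_text):
    """Return {'received': [(proto, set(transforms))], 'configured': [...]}."""
    result = {"received": [], "configured": []}
    for line in log_text.splitlines():
        m = PROPOSAL_RE.search(line)
        if not m:
            continue
        kind, proposals = m.groups()
        for prop in proposals.split(","):
            proto, _, transforms = prop.strip().partition(":")
            result[kind].append((proto, set(transforms.split("/"))))
    return result


def diagnose(log_text):
    """Compare each configured proposal with the peer's proposals for the same protocol."""
    parsed = parse_proposals(log_text)
    findings = []
    for proto, configured in parsed["configured"]:
        for rproto, received in parsed["received"]:
            if rproto != proto:
                continue
            missing = configured - received
            missing_dh = {t for t in missing if t.startswith(DH_PREFIXES)}
            extra = received - configured
            if missing_dh and not (missing - missing_dh) and not extra:
                # Ciphers/integrity agree; only the DH group is absent on the peer side,
                # i.e. the peer sent no KE for the CHILD_SA (KE_NONE): a PFS setting mismatch.
                hint = f"peer omitted DH group {sorted(missing_dh)}: PFS/DH group differs per side"
            elif missing or extra:
                hint = f"missing {sorted(missing)}, unexpected {sorted(extra)}"
            else:
                hint = "proposals match"
            findings.append({"protocol": proto, "missing_dh": missing_dh,
                             "missing_other": missing - missing_dh, "extra": extra, "hint": hint})
    return findings
```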