Hello everyone,
The IPSec tunnel at the customer's site was not coming up and was not finding the remote SA.
An IPSec debug was run, and it showed no information at all.
So the first step is to verify connectivity. Once we saw that it was working fine, the next step was to verify the IPSec proposal information to find out whether everything is matching and compatible.
On one peer, the customer had:
#
ike proposal 1
encryption-algorithm 3des-cbc
dh group 14
#
However, on the other peer, it was:
#
ike proposal 1
encryption-algorithm 3des-cbc
dh group 2
#
So a DH group is indeed in use; by default, it is set to 2. The solution was therefore to make them match, simply by changing the first peer to dh group 2 (it was a hub, so it and all of the other spokes needed to match on DH group 2).
The main point is that the first thing to verify after testing connectivity is that everything in the IPSec proposal matches.
That is all I want to share with you!
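
The proposal comparison described above can be scripted. This is an added example, not part of the original post: it parses the `#`-delimited `ike proposal` stanzas from both peers and reports the settings that differ. The function names are hypothetical, the default of DH group 2 for a stanza without a `dh` line is taken from the post, and treating proposal numbers as locally significant (any pair with equal settings can be negotiated) is an assumption.

```python
import re

# Assumption taken from the post: a stanza without a "dh" line uses group 2.
DEFAULTS = {"dh": "group 2"}

def parse_ike_proposals(config_text):
    """Parse '#'-delimited 'ike proposal N' stanzas into {N: {keyword: value}}."""
    proposals, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None          # '#' closes the current stanza
            continue
        header = re.fullmatch(r"ike proposal (\d+)", line)
        if header:
            current = proposals.setdefault(int(header.group(1)), dict(DEFAULTS))
        elif current is not None:
            keyword, _, value = line.partition(" ")
            current[keyword] = value
    return proposals

def matching_pairs(local, remote):
    """Proposal numbers are local, so any local/remote pair with equal settings counts."""
    return [(l, r) for l in sorted(local) for r in sorted(remote) if local[l] == remote[r]]

def mismatches(local, remote):
    """Return (local_no, remote_no, keyword, local_value, remote_value) per difference."""
    found = []
    for l in sorted(local):
        for r in sorted(remote):
            for key in sorted(set(local[l]) | set(remote[r])):
                if local[l].get(key) != remote[r].get(key):
                    found.append((l, r, key, local[l].get(key), remote[r].get(key)))
    return found

# The two proposals quoted in the post, plus a constructed spoke with no dh line.
HUB = "#\nike proposal 1\nencryption-algorithm 3des-cbc\ndh group 14\n#"
SPOKE = "#\nike proposal 1\nencryption-algorithm 3des-cbc\ndh group 2\n#"
SPOKE_NO_DH = "#\nike proposal 1\nencryption-algorithm 3des-cbc\n#"  # constructed

if __name__ == "__main__":
    hub = parse_ike_proposals(HUB)
    for name, text in (("spoke", SPOKE), ("spoke-no-dh", SPOKE_NO_DH)):
        peer = parse_ike_proposals(text)
        print(name, "match:", matching_pairs(hub, peer), "diff:", mismatches(hub, peer))
```

Only the keywords that appear in the stanzas (plus the DH default) are compared; defaults for other settings are not modelled.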