IPsec SA negotiation failed because no matching IPsec transform sets were found

Symptom

The display ikev2 sa command shows that the IKEv2 SA negotiation succeeded and the IKEv2 SA is in EST status. The display ipsec sa command shows that the expected IPsec SAs have not been negotiated yet.

Analysis

The IPsec policy settings on the two ends are inconsistent: no IPsec transform set on one end matches an IPsec transform set on the other end.

Solution

  1. Examine the IPsec configuration to see whether the two ends have matching IPsec transform sets.

  2. Modify the IPsec configuration to make sure the two ends have matching IPsec transform sets.
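
One way to carry out the check in step 1 offline, as an added example that is not part of the original document or the vendor's tooling: the script compares the IPsec transform sets taken from each end's configuration and names the attributes that have no common value. The sample configurations are constructed, and the command keywords, the defaults (ESP, tunnel mode) and the simplified matching rule (at least one common value per attribute) are assumptions to verify against the command reference for your software version.

```python
import re

# Assumed defaults when a transform set does not state them: ESP, tunnel mode.
DEFAULTS = {"protocol": {"esp"}, "encapsulation-mode": {"tunnel"}}
KEYS = ("protocol", "encapsulation-mode", "esp encryption-algorithm",
        "esp authentication-algorithm", "ah authentication-algorithm")

def parse_transform_sets(config):
    """Return {set name: {attribute: set of values}} from configuration text."""
    sets, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"ipsec transform-set (\S+)$", line)
        if m:
            current = sets.setdefault(m.group(1), {k: set(v) for k, v in DEFAULTS.items()})
        elif not raw.startswith(" "):
            current = None  # "#" or any unindented line ends the transform-set view
        elif current is not None:
            for key in KEYS:
                if line.startswith(key + " "):
                    current[key] = set(line[len(key):].split())
    return sets

def mismatches(a, b):
    """Attributes on which the two transform sets have no value in common."""
    return [k for k in KEYS
            if (a.get(k) or b.get(k)) and not (a.get(k, set()) & b.get(k, set()))]

def compare(local, peer):
    """Mismatch list for every (local set, peer set) pair; an empty list is a match."""
    return {(ln, pn): mismatches(ls, ps)
            for ln, ls in local.items() for pn, ps in peer.items()}

# Constructed sample configurations for the two ends (not taken from a real device).
LOCAL = ("ipsec transform-set tran1\n esp encryption-algorithm aes-cbc-128\n"
         " esp authentication-algorithm sha1\n#\n")
PEER = ("ipsec transform-set tran1\n encapsulation-mode tunnel\n"
        " esp encryption-algorithm aes-cbc-256\n esp authentication-algorithm sha1\n#\n")

if __name__ == "__main__":
    report = compare(parse_transform_sets(LOCAL), parse_transform_sets(PEER))
    for (ln, pn), diff in report.items():
        print(f"local {ln} / peer {pn}:",
              "match" if not diff else "no common value for " + ", ".join(diff))
```

If no pair reports a match, the listed attributes are the settings to align in step 2.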