Ipsec with VPP 25.10 #3643
Unanswered
hilamithai
asked this question in
Q&A
Replies: 1 comment
Comment:

I have established IKEv2 with MikroTik.
Hi everyone,
I’m currently working with VPP version 25.10 and trying to establish an IKEv2/IPsec tunnel between two VPP instances (initiator ↔ responder), but the connection never comes up.
The plugins load correctly, interfaces are configured and up, and we can see entries under `show ikev2 sa`, but there’s no actual data exchange or established tunnel.
We couldn’t find any complete, working IKEv2 documentation or examples for recent VPP releases — most references online don’t fully work with the new CLI syntax.
Here’s the configuration we’re using:
Responder

```
set interface state GigabitEthernet6/0/0 up
set interface ip address GigabitEthernet6/0/0 172.17.233.220/24
set interface state TenGigabitEthernet10/0/0 up
set interface ip address TenGigabitEthernet10/0/0 192.168.3.1/24
ikev2 profile add pr1
ikev2 profile set pr1 auth shared-key-mic string Vpp123
ikev2 profile set pr1 id remote fqdn vpp.home
ikev2 profile set pr1 id local fqdn roadwarrior.vpn.example.com
ikev2 profile set pr1 traffic-selector remote ip-range 192.168.5.0 - 192.168.5.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector local ip-range 192.168.3.0 - 192.168.3.255 port-range 0 - 65535 protocol 0
```
Initiator

```
set interface state GigabitEthernet2/0/0 up
set interface ip address GigabitEthernet2/0/0 192.168.5.1/24
set interface state GigabitEthernet3/0/0 up
set interface ip address GigabitEthernet3/0/0 172.17.233.35/24
ikev2 profile add pr1
ikev2 profile set pr1 auth shared-key-mic string Vpp123
ikev2 profile set pr1 id local fqdn vpp.home
ikev2 profile set pr1 id remote fqdn roadwarrior.vpn.example.com
ikev2 profile set pr1 traffic-selector local ip-range 192.168.5.0 - 192.168.5.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector remote ip-range 192.168.3.0 - 192.168.3.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 responder GigabitEthernet3/0/0 172.17.233.220
ikev2 profile set pr1 ike-crypto-alg aes-cbc 256 ike-integ-alg sha1-96 ike-dh modp-2048
ikev2 profile set pr1 esp-crypto-alg aes-cbc 256 esp-integ-alg sha1-96 esp-dh ecp-256
ikev2 profile set pr1 sa-lifetime 3600 10 5 0
ikev2 initiate sa-init pr1
```
Despite following the syntax and confirming both peers can reach each other (172.17.233.35 ↔ 172.17.233.220), the SA negotiation never completes.
`show ikev2 sa` displays half-open SAs, but nothing transitions to the “established” state.
Has anyone successfully brought up an IKEv2 tunnel between two VPP 25.10 instances?
If so, could you please share a working configuration or any hints about plugin dependencies, crypto settings, or CLI changes that might affect the negotiation?
Any help or insights would be greatly appreciated 🙏
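An added cross-check of the two profiles, written as an example here and not part of VPP or of the post: it parses the `ikev2 profile set` lines, confirms that identities, traffic selectors and the pre-shared key mirror each other between initiator and responder, and lists settings configured on one side only so they can be reviewed. It understands only the CLI forms used in the post, and the profile name `pr1` is assumed.

```python
import re
# Constructed sample: the two pr1 profiles posted above (only "ikev2 profile set" lines matter here).
RESPONDER = """
ikev2 profile set pr1 auth shared-key-mic string Vpp123
ikev2 profile set pr1 id remote fqdn vpp.home
ikev2 profile set pr1 id local fqdn roadwarrior.vpn.example.com
ikev2 profile set pr1 traffic-selector remote ip-range 192.168.5.0 - 192.168.5.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector local ip-range 192.168.3.0 - 192.168.3.255 port-range 0 - 65535 protocol 0
"""
INITIATOR = """
ikev2 profile set pr1 auth shared-key-mic string Vpp123
ikev2 profile set pr1 id local fqdn vpp.home
ikev2 profile set pr1 id remote fqdn roadwarrior.vpn.example.com
ikev2 profile set pr1 traffic-selector local ip-range 192.168.5.0 - 192.168.5.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector remote ip-range 192.168.3.0 - 192.168.3.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 ike-crypto-alg aes-cbc 256 ike-integ-alg sha1-96 ike-dh modp-2048
ikev2 profile set pr1 esp-crypto-alg aes-cbc 256 esp-integ-alg sha1-96 esp-dh ecp-256
"""
SET_RE = re.compile(r"^ikev2 profile set pr1 (.+)$")   # profile name pr1 assumed, as in the post
ALG_SUFFIX = ("-alg", "-dh")          # keys like ike-crypto-alg or esp-dh carry their values inline

def parse_profile(text):
    """Collect the pr1 profile's settings into a dict keyed by setting name."""
    prof = {}
    for m in filter(None, map(SET_RE.match, map(str.strip, text.splitlines()))):
        args = m.group(1).split()
        if args[0] in ("id", "traffic-selector"):     # id|traffic-selector local|remote ...
            prof[f"{args[0]}_{args[1]}"] = " ".join(args[2:])
        elif args[0] == "auth":                        # auth shared-key-mic string <key>
            prof["auth"] = " ".join(args[1:])
        elif args[0].endswith(ALG_SUFFIX):             # several key/value pairs on one line
            for tok in args:
                if tok.endswith(ALG_SUFFIX):
                    key, prof[tok] = tok, []
                else:
                    prof[key].append(tok)
    return prof

def cross_check(initiator_cli, responder_cli):
    """Findings: settings that must mirror each other but do not, plus settings present on one side only."""
    i, r, findings = parse_profile(initiator_cli), parse_profile(responder_cli), []
    for a, b in (("id_local", "id_remote"), ("id_remote", "id_local"), ("auth", "auth"),
                 ("traffic-selector_local", "traffic-selector_remote"), ("traffic-selector_remote", "traffic-selector_local")):
        if i.get(a) != r.get(b):
            findings.append(f"mismatch: initiator {a}={i.get(a)!r} vs responder {b}={r.get(b)!r}")
    for k in sorted(set(i) | set(r)):
        if k.endswith(ALG_SUFFIX) and (k in i) != (k in r):
            findings.append(f"one-sided: {k} set only on the {'initiator' if k in i else 'responder'}")
    return findings
```

For the profiles as posted, the identities, selectors and key mirror correctly and the report lists only the six algorithm settings that appear on the initiator side alone.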