Symptom
The Crypto Engine denies the use of deprecated IKEv2 ciphers; the following log message is seen:
%CRYPTO_ENGINE-3-CSDL_COMPLIANCE_FAIL: Cisco PSB security compliance violation is detected. Use of DH group 5 by Crypto IKEv2 is denied.
The IKEv2 negotiation fails when the agreed cipher is denied by the Crypto Engine, so the IPsec tunnel does not establish.
Conditions
Use of deprecated ciphers:
Diffie-Hellman (DH) groups 1, 2 or 5.
Encryption algorithm DES or 3DES.
Integrity algorithm MD5 or SHA1.
Kindly note that this defect only applies to IKEv2.
Workaround
Use a recommended cipher for next-generation cryptography:
https://tools.cisco.com/security/center/resources/next_generation_cryptography
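The following is an added example, not part of this bug description, showing how a defender can audit an IOS-XE running-config for the IKEv2 proposal values listed under Conditions (DH groups 1/2/5, DES/3DES, MD5/SHA1) before upgrading to an affected release, and emit a replacement proposal using next-generation values. The proposal names and the sample config are constructed for the example; the "sha1_md5_fixed" flag models the note that MD5/SHA1 integrity is still accepted on releases carrying the fix for CSCwa80474.

```python
import re

# Deprecated IKEv2 values named in the Conditions section of this bug.
DEPRECATED_DH_GROUPS = {"1", "2", "5"}
DEPRECATED_ENCRYPTION = {"des", "3des"}
DEPRECATED_INTEGRITY = {"md5", "sha1"}

# Constructed sample running-config (hypothetical proposal names, not from the page).
SAMPLE_CONFIG = """\
crypto ikev2 proposal LEGACY-PROP
 encryption 3des aes-cbc-128
 integrity sha1 md5
 group 5 2
!
crypto ikev2 proposal NGE-PROP
 encryption aes-cbc-256
 integrity sha256
 group 19
!
"""


def parse_ikev2_proposals(config: str) -> dict:
    """Return {name: {"encryption": [...], "integrity": [...], "group": [...]}}
    for every 'crypto ikev2 proposal' block in an IOS-style config."""
    proposals = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^crypto ikev2 proposal (\S+)", line)
        if m:
            current = m.group(1)
            proposals[current] = {"encryption": [], "integrity": [], "group": []}
            continue
        if current is None:
            continue
        if not line.startswith(" "):
            current = None  # '!' or another top-level command ends the block
            continue
        parts = line.split()
        if parts and parts[0] in ("encryption", "integrity", "group"):
            proposals[current][parts[0]].extend(parts[1:])
    return proposals


def find_deprecated(proposal: dict, sha1_md5_fixed: bool = False) -> list:
    """List the values in one proposal that the Crypto Engine would deny.
    With sha1_md5_fixed=True, MD5/SHA1 integrity is treated as still permitted."""
    findings = []
    for g in proposal["group"]:
        if g in DEPRECATED_DH_GROUPS:
            findings.append(f"DH group {g}")
    for e in proposal["encryption"]:
        if e in DEPRECATED_ENCRYPTION:
            findings.append(f"encryption {e}")
    if not sha1_md5_fixed:
        for i in proposal["integrity"]:
            if i in DEPRECATED_INTEGRITY:
                findings.append(f"integrity {i}")
    return findings


def audit(config: str, sha1_md5_fixed: bool = False) -> dict:
    """Map each proposal name to its findings; an empty list means it is compliant."""
    return {
        name: find_deprecated(p, sha1_md5_fixed)
        for name, p in parse_ikev2_proposals(config).items()
    }


def hardened_proposal(name: str) -> str:
    """Emit a replacement proposal built only from values on Cisco's NGE list:
    AES-256-CBC, SHA-256 and ECP-256 (group 19)."""
    return "\n".join([
        f"crypto ikev2 proposal {name}",
        " encryption aes-cbc-256",
        " integrity sha256",
        " group 19",
    ])


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        if findings:
            print(f"{name}: would be denied -> {', '.join(findings)}")
            print(hardened_proposal(name))
        else:
            print(f"{name}: compliant")
```

Run it against the output of "show running-config | section crypto ikev2 proposal"; any proposal with findings should be replaced before the upgrade, otherwise the CSDL_COMPLIANCE_FAIL message above will appear at the next negotiation or rekey.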
Further Problem Description
-Please note that integrity algorithms MD5 or SHA1 will still work on versions which include the fix for CSCwa80474.
-When deprecated ciphers are used in the IPsec profile, the tunnel will fail during the rekey.