Customer did an update, and all the old IKEv1 and old-cipher VPNs were not working due to security settings and the SW update. I didn't have time to figure out which ciphers worked, so I switched the VPNs to IKEv2.
Enable IKEv2 on outside interface
crypto ikev2 enable OUTSIDE
Group policy for VPN peer (IKEv2 selected, always on settings)
You may have other settings you need to configure here
group-policy GroupPolicy_x.x.x.x internal
group-policy GroupPolicy_x.x.x.x attributes
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol ikev2
IKEv2 P1 policy
*NOTE* Saw an issue where a policy was selected even though the lifetimes didn't match (other settings did). The VPN came up but was having issues rekeying and was not coming back up on its own. Check the lifetimes match under "sh crypto isakmp sa" on both sides of the VPN. In my case the HQ already had an ikev2 pol with 86400 lifetime and other VPNs using that.
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 21
 prf sha256
 lifetime seconds 86400
IKEv2 P2 proposal
crypto ipsec ikev2 ipsec-proposal IKEV2_AES_256_SHA_256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
Crypto MAP
crypto map MYMAP 10 match address CUST_VPN
crypto map MYMAP 10 set peer x.x.x.x
crypto map MYMAP 10 set ikev2 ipsec-proposal IKEV2_AES_256_SHA_256
crypto map MYMAP 10 set security-association lifetime seconds 3600
Encryption domain
object-group network LOCAL-NETS
 network-object 192.168.10.0 255.255.255.0
object-group network REMOTE-NETS
 network-object 172.30.10.0 255.255.255.0
access-list CUST_VPN extended permit ip object-group LOCAL-NETS object-group REMOTE-NETS
NoNat
nat (INSIDE,OUTSIDE) source static LOCAL-NETS LOCAL-NETS destination static REMOTE-NETS REMOTE-NETS no-proxy-arp route-lookup
Tunnel group
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
 default-group-policy GroupPolicy_x.x.x.x
tunnel-group x.x.x.x ipsec-attributes
 ikev2 remote-authentication pre-shared-key StrongPassWordHere
 ikev2 local-authentication pre-shared-key StrongPassWordHere
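
The lifetime mismatch described in the IKEv2 P1 policy note can be checked offline by comparing the "crypto ikev2 policy" blocks from both peers' saved configs. The script below is an added example, not part of the original post; the function names are hypothetical and the sample configs are constructed.

```python
import re

# Parameters configured under "crypto ikev2 policy <n>" on the ASA.
FIELDS = ("encryption", "integrity", "group", "prf", "lifetime")

# Constructed sample configs (not taken from any real device).
HQ_CONFIG = """crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 21
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable OUTSIDE
"""
# Branch side: same crypto parameters, different priority and lifetime.
BRANCH_CONFIG = HQ_CONFIG.replace("policy 1", "policy 10").replace("86400", "28800")

def parse_ikev2_policies(config):
    """Return {priority: {field: value}} for each 'crypto ikev2 policy' block."""
    policies, current = {}, None
    for raw in config.splitlines():
        words = raw.split()
        m = re.match(r"crypto ikev2 policy (\d+)$", raw.strip())
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif current is not None and words and words[0] in FIELDS:
            # "lifetime seconds 86400" -> "86400"; "encryption aes-256" -> "aes-256"
            current[words[0]] = " ".join(w for w in words[1:] if w != "seconds")
        elif words:
            current = None  # any other command ends the policy block
    return policies

def compare_policies(local, remote):
    """Return (local_prio, remote_prio, lifetime_matches) for every policy pair
    whose encryption, integrity, group and prf agree."""
    crypto = [f for f in FIELDS if f != "lifetime"]
    return [(lp, rp, lpol.get("lifetime") == rpol.get("lifetime"))
            for lp, lpol in sorted(local.items())
            for rp, rpol in sorted(remote.items())
            if all(lpol.get(f) == rpol.get(f) for f in crypto)]

if __name__ == "__main__":
    hq, branch = parse_ikev2_policies(HQ_CONFIG), parse_ikev2_policies(BRANCH_CONFIG)
    for lp, rp, ok in compare_policies(hq, branch):
        state = "lifetimes match" if ok else "LIFETIME MISMATCH"
        print(f"local policy {lp} / remote policy {rp}: {state}")
```

Feed it the relevant section of "show running-config" from each peer; any pair reported with a lifetime mismatch is a candidate for the rekey problem in the note.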