Define IPSec Crypto Profiles

The IPSec Crypto profile is used in IKE Phase 2 to secure data within a tunnel, and requires matching parameters between VPN peers for successful negotiation.
Where Can I Use This?
  • Prisma Access
  • PAN-OS
What Do I Need?
  • No license required
The IPSec Crypto profile is invoked in IKE Phase 2. It specifies how data is secured within the tunnel when Auto Key IKE is used to generate the keys for the IPSec SAs automatically (the IKE SA itself is governed by the IKE Crypto profile negotiated in Phase 1).
Whether or not your VPN peer is from the same vendor, both peers must have the same IPSec parameters configured for the IPSec negotiation to succeed.
IPSec negotiation will be successful when the following parameters match between the VPN peers:
  • IPSec Protocol (ESP or AH)
  • DH group used for PFS key exchange (or PFS disabled on both sides)
  • Encryption algorithms
  • Authentication algorithms
For example, if you've configured VPN peer 1 with ESP for the IPSec protocol, group20 for the DH group, and aes-256-gcm for encryption, then VPN peer 2, with which you want to establish the IPSec tunnel, must be configured with exactly the same values. Note that aes-256-gcm is an AEAD cipher that provides its own integrity protection, so the authentication algorithm for a GCM cipher is none; an explicit authentication algorithm such as sha384 applies only when you select a non-AEAD cipher such as aes-256-cbc, and in that case it must also match on both peers.
By default, perfect forward secrecy (PFS) is enabled on IPSec tunnels: the IPSec Crypto profile selects a DH group rather than no-pfs. PFS performs an additional Diffie-Hellman exchange during IPSec SA negotiation so that the IPSec SA keys are derived from a fresh shared secret instead of only from the IKE SA keying material. As a result, compromise of the IKE SA keys does not expose the keys of past or future IPSec SAs. When configuring PFS, ensure that both VPN peers have the same PFS configuration, that is, the same DH group on both sides or PFS disabled on both sides; a mismatch fails the IPSec SA negotiation, and any failure in IPSec SA negotiation means the IPSec tunnel will not come up.
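The following is an added example, not code from the original page or from Palo Alto Networks: a small pre-check that parses the IPSec crypto profile of two peers in PAN-OS `set`-command form and reports whether they share at least one Phase 2 proposal (protocol, encryption, authentication, DH/PFS group), which is exactly the matching requirement described in the list above and in the PFS paragraph. The profile name `P2-SUITEB` and both peer configurations are constructed for illustration; the parser applies the AEAD rule that a GCM/CCM cipher carries authentication `none`, treats `dh-group no-pfs` as PFS disabled, and ignores `lifetime`/`lifesize` because they are not among the parameters that must match.

```python
"""Pre-check that two PAN-OS IPSec crypto profiles can agree on an IKE Phase 2 proposal.

Added example (not from the page): parses `set network ike crypto-profiles
ipsec-crypto-profiles <name> ...` lines of two peers and looks for a common proposal.
"""
from __future__ import annotations

# AEAD ciphers provide their own integrity protection; the authentication
# algorithm is 'none' when one of these is selected.
AEAD_CIPHERS = {"aes-128-ccm", "aes-128-gcm", "aes-256-gcm"}

PHASE2_FIELDS = ("protocol", "encryption", "authentication", "dh-group")


def _values(tokens: list[str]) -> set[str]:
    """Accept a single value or the PAN-OS multi-value form `[ a b ]`."""
    return {t for t in tokens if t not in ("[", "]")}


def parse_profile(config: str, name: str) -> dict:
    """Collect the Phase 2 parameters of the named IPSec crypto profile."""
    prefix = f"set network ike crypto-profiles ipsec-crypto-profiles {name} "
    profile = {"protocol": None, "encryption": set(), "authentication": set(), "dh-group": set()}
    for line in config.splitlines():
        line = line.strip()
        if not line.startswith(prefix):
            continue
        tokens = line[len(prefix):].split()
        if tokens[0] in ("esp", "ah") and tokens[1] in ("encryption", "authentication"):
            # e.g. `esp encryption aes-256-gcm`, `esp authentication sha384`, `ah authentication sha256`
            profile["protocol"] = tokens[0]
            profile[tokens[1]] |= _values(tokens[2:])
        elif tokens[0] == "dh-group":
            # `dh-group no-pfs` disables PFS; any other value is the PFS group.
            profile["dh-group"] |= _values(tokens[1:])
        # lifetime and lifesize are deliberately ignored: they are not among the
        # parameters that must match for the IPSec SA to be negotiated.
    return profile


def phase2_proposals(profile: dict) -> set[tuple]:
    """Expand a profile into every (protocol, encryption, authentication, dh-group)
    combination it accepts, normalizing AEAD ciphers to authentication 'none'."""
    proto = profile["protocol"]
    encs = profile["encryption"] if proto == "esp" else {"none"}   # AH has no encryption
    auths = profile["authentication"] or {"none"}
    dhs = profile["dh-group"] or {"no-pfs"}
    proposals = set()
    for enc in encs:
        for auth in ({"none"} if enc in AEAD_CIPHERS else auths):
            for dh in dhs:
                proposals.add((proto, enc, auth, dh))
    return proposals


def compare(peer1: dict, peer2: dict) -> tuple[list[tuple], list[str]]:
    """Return (common proposals, mismatch descriptions).

    Negotiation can only succeed if the first list is non-empty. The second list
    names each field on which the peers have no overlap at all."""
    p1, p2 = phase2_proposals(peer1), phase2_proposals(peer2)
    common = sorted(p1 & p2)
    mismatches = []
    for idx, field in enumerate(PHASE2_FIELDS):
        a, b = {p[idx] for p in p1}, {p[idx] for p in p2}
        if not a & b:
            mismatches.append(f"{field}: peer1 {sorted(a)} vs peer2 {sorted(b)}")
    if not common and not mismatches:
        mismatches.append("no common (encryption, authentication) pair")
    return common, mismatches


# Constructed sample configuration for peer 1 (not taken from a real device).
PEER1_CONFIG = """
set network ike crypto-profiles ipsec-crypto-profiles P2-SUITEB esp encryption aes-256-gcm
set network ike crypto-profiles ipsec-crypto-profiles P2-SUITEB esp authentication none
set network ike crypto-profiles ipsec-crypto-profiles P2-SUITEB dh-group group20
set network ike crypto-profiles ipsec-crypto-profiles P2-SUITEB lifetime hours 1
"""

# Constructed peer 2: same cipher but a different PFS group, the kind of
# mismatch that fails Phase 2 even though Phase 1 came up.
PEER2_CONFIG = PEER1_CONFIG.replace("group20", "group14")

# Peer 2 after correcting the PFS group to match peer 1.
PEER2_FIXED_CONFIG = PEER1_CONFIG


def precheck(config1: str, config2: str, name: str = "P2-SUITEB") -> tuple[list[tuple], list[str]]:
    """Parse both peers' profile `name` and compare their Phase 2 proposals."""
    return compare(parse_profile(config1, name), parse_profile(config2, name))


if __name__ == "__main__":
    for label, cfg in (("mismatched", PEER2_CONFIG), ("fixed", PEER2_FIXED_CONFIG)):
        common, problems = precheck(PEER1_CONFIG, cfg)
        print(f"{label}: common={common} problems={problems}")
```

Run the script, or feed it the `set`-format output of each peer, before committing a change to a production tunnel: the mismatched case reports the DH group as the only field without overlap, which is the usual cause of a Phase 2 "no proposal chosen" failure when Phase 1 has succeeded.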
