Cisco VRF aware dynamic VTI based IPSEC VPN

im struggeling on a Cisco IPSEC Konfiguration.

My aim is to terminate spoke sites behind CGN gateways into a MPLS L3VPN Network via IPSEC tunnels.

The router at hub site is a ASR1k running IOS XE 3.16
Spoke site routers are random, im currently testing with a C819 4G model.

Here is my hub site configuration:


!
crypto keyring KEYRING
pre-shared-key hostname router1-xxx key somekey
!
crypto isakmp policy 103
encr aes 256
authentication pre-share
group 5
lifetime 7200
!
crypto isakmp profile IKEPROFILE
keyring WISY-TURIN-KEYRING
match identity user-fqdn router1-xxx
virtual-template 103
!
!
crypto ipsec transform-set AES_256-SHA ah-sha-hmac esp-aes 256
mode tunnel
!
crypto ipsec profile IPSECPROFILE
description some description
set security-association lifetime seconds 7200
set transform-set AES_256-SHA
set pfs group5
responder-only
!
!
interface Virtual-Template103 type tunnel
description some description
vrf forwarding CUSTOMER
ip address 10.1.1.1 255.255.255.252
tunnel source Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSECPROFILE
!


Here the spoke configuration

crypto isakmp policy 103
encr aes 256
authentication pre-share
group 5
lifetime 7200
crypto isakmp keepalive 10
!
crypto isakmp peer address 212.218.X.X
set aggressive-mode password somekey
set aggressive-mode client-endpoint user-fqdn router1-xxx
!
!
crypto ipsec transform-set AES_256-SHA ah-sha-hmac esp-aes 256
mode tunnel
!
crypto ipsec profile WIPSECPROFILE
description Wirth Systems Standort Turin
set security-association lifetime seconds 7200
set transform-set AES_256-SHA
set pfs group5
!
!
interface Tunnel0
ip address 10.1.1.2 255.255.255.252
ip nat outside
ip virtual-reassembly in
tunnel source Cellular0
tunnel mode ipsec ipv4
tunnel destination 212.218.x.x
tunnel protection ipsec profile IPSECPROFILE


Phase1 is coming UP OK, but i have issues bringing Phase2 up.

Here is the output of

show crypto ipsec sa

at the hub router:


interface: Virtual-Access2
Crypto map tag: Virtual-Access2-head-0, local addr 212.218.X.X

 local crypto endpt.: 212.218.154.5, remote crypto endpt.: 5.90.10.185
 path mtu 1576, ip mtu 1576, ip mtu idb GigabitEthernet0/0/0
 current outbound spi: 0x0(0)
 PFS (Y/N): N, DH group: none

 inbound esp sas:

 inbound ah sas:

 inbound pcp sas:

 outbound esp sas:

 outbound ah sas:

 outbound pcp sas:

So no SA is created. I'm also confused about the fact that this output says

PFS (Y/N): N, DH group: none

although PFS is configured.

debug crypto ipsec

brings following output:


*Jun 30 18:42:05.074: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 212.218.X.X:0, remote= 5.90.X.X:0,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0,
protocol= AH, transform= NONE (Tunnel-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jun 30 18:42:05.075: IPSEC(validate_proposal_request): proposal part #2
*Jun 30 18:42:05.075: IPSEC(validate_proposal_request): proposal part #2,
(key eng. msg.) INBOUND local= 212.218.X.X:0, remote= 5.90.X.X:0,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0,
protocol= ESP, transform= NONE (Tunnel-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Jun 30 18:42:05.075: Crypto mapdb : proxy_match
src addr : 0.0.0.0
dst addr : 0.0.0.0
protocol : 0
src port : 0
dst port : 0
*Jun 30 18:42:05.081: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jun 30 18:42:05.081: Crypto mapdb : proxy_match
src addr : 0.0.0.0
dst addr : 0.0.0.0
protocol : 256
src port : 0
dst port : 0
*Jun 30 18:42:05.081: IPSEC(crypto_ipsec_create_ipsec_sas): Map found Virtual-Access2-head-0
*Jun 30 18:42:05.082: %ACE-3-TRANSERR: IOSXE-ESP(14): IKEA trans 0xC30; opcode 0x60; param 0x1F79; error 0x5; retry cnt 0
*Jun 30 18:42:05.082: %ACE-3-TRANSERR: IOSXE-ESP(14): IKEA trans 0xC32; opcode 0x60; param 0x1F7A; error 0x5; retry cnt 0


Any idea how to solve this issue?

Thanks in advance for all replys.