An update to this....
We updated the IOS on the ISR4431 as we are using WR41 units for a different project using an ASR1000 and those work fine using IKEv1.
I also have in my office in Singapore a 1921 running 15.4 IOS and we've had all sorts of Digis connected to it for years (over 10, since IOS 12.4) and they work perfectly.
Since upgrading the IOS to Cisco IOS XE Software, Version 16.12.04 the behavior has changed:
1. We get only duplicate SAs if they are IKEv1; the IKEv2 SAs are only duplicated for a minute or two before they are due to expire and then the old one disappears....as the RFC says it should.
2. The circular tunnel negotiation has changed to the following:
A. The Cisco receives the initial IKEv2 request and accepts the proposals and sends back the message to the Digi to start the authentication......
B. The next message from the Digi is another init message.... meaning, it did not receive the reply from the Cisco to start authentication. This behavior goes round and round with the initial request timing out on the Cisco as the Digi never replies.
So far, the only solution is to reboot the Digi via SMS, which usually fixes it. If the behavior continues after the reboot we reboot again until it comes up and works. This happens at certain sites more than others. It "appears" to be something odd with the NAT the telco is doing on their GPRS cloud.
I need a function whereby, after the router is up for 60-90 seconds, I can ping the internal GW of the Cisco, which can only happen if IPsec is up. If that fails for 1-2 minutes, reboot the unit.
Unfortunately it looks like I'll have to write something in Python to do this as it's slightly too complex for the built-in functions in the router.
Short of writing the python script, does anyone have any ideas?
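The "wait for boot, ping the inside gateway through the tunnel, reboot after a couple of minutes of failures" logic described in the post, as an added example written for this edit (not the poster's script, and not Digi or Cisco code). It assumes a Linux-style host: a `ping` binary that accepts `-c` and `-W`, `/proc/uptime` for seconds since boot, and a `reboot` command; the gateway address `10.0.0.1`, the 90 s grace period and the 120 s failure window are placeholders. The decision logic is kept apart from the I/O so it can be dry-run against a simulated clock before being trusted with a reboot.

```python
"""Tunnel-liveness watchdog: reboot the router if the inside gateway
(reachable only when the IPsec tunnel is up) stays unreachable.

Added example, not from the original post. Assumes a Linux-style host
(ping -c/-W, /proc/uptime, a reboot command); adapt those three
functions to the router's own environment.
"""
import subprocess
import time

GATEWAY = "10.0.0.1"  # placeholder: inside address of the Cisco


def ping_once(host, timeout_s=2):
    """One ICMP echo via the system ping binary; True only on a reply."""
    try:
        rc = subprocess.call(
            ["ping", "-c", "1", "-W", str(timeout_s), host],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return rc == 0
    except OSError:
        return False  # no ping binary: treat as unreachable


def linux_uptime():
    """Seconds since boot, from /proc/uptime (assumption: Linux host)."""
    with open("/proc/uptime") as f:
        return float(f.read().split()[0])


def reboot_router():
    """Placeholder reboot action; replace with the router's own command."""
    subprocess.call(["reboot"])


class TunnelWatchdog:
    """Pure decision logic: takes uptime and a probe result, never sleeps.

    - before grace_s seconds of uptime nothing is judged ("wait")
    - a successful ping clears the failure streak ("ok")
    - a streak of failures shorter than fail_window_s is "failing"
    - a streak reaching fail_window_s asks for a "reboot"
    """

    def __init__(self, grace_s=90, fail_window_s=120):
        self.grace_s = grace_s
        self.fail_window_s = fail_window_s
        self.first_failure_at = None  # uptime when the current streak began

    def observe(self, uptime_s, ping_ok):
        if uptime_s < self.grace_s:
            return "wait"
        if ping_ok:
            self.first_failure_at = None
            return "ok"
        if self.first_failure_at is None:
            self.first_failure_at = uptime_s
        if uptime_s - self.first_failure_at >= self.fail_window_s:
            self.first_failure_at = None
            return "reboot"
        return "failing"


def run(watchdog, probe, reboot, uptime, interval_s=10, sleep=time.sleep):
    """Drive the watchdog until it orders a reboot; returns probes sent.

    probe/reboot/uptime/sleep are injected so the loop can be tested with
    a fake clock and without touching the network or the box.
    """
    sent = 0
    while True:
        up = uptime()
        ok = False
        if up >= watchdog.grace_s:  # do not probe during the boot grace period
            ok = probe()
            sent += 1
        if watchdog.observe(up, ok) == "reboot":
            reboot()
            return sent
        sleep(interval_s)


if __name__ == "__main__":
    run(TunnelWatchdog(grace_s=90, fail_window_s=120),
        probe=lambda: ping_once(GATEWAY),
        reboot=reboot_router,
        uptime=linux_uptime)
```

Two things worth keeping in mind before deploying something like this: the failure window should be longer than the router's own IKE retransmit and DPD timers, or the script will reboot a box that was about to recover on its own; and because a reboot wipes the script's state, a site whose carrier NAT never settles will reboot in a loop exactly as the post describes doing by SMS, so a persisted reboot counter with a cap or backoff is a sensible addition.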