I don't really want to drill down too much into the details of each protocol.
This post is more about the components needed and the steps/tips to troubleshoot.
And before you blame the other guy for not sending you the right transform set, make damn sure that you are right.
So I think a few hints and tips could make a lot of difference.
As you might imagine, failing to receive three keepalives in a row will make the hold-down timer reach 180 seconds, which means the neighbor is considered down and the routes learned from it are flushed.
To verify the timers currently negotiated with a neighbor, issue the "show ip bgp neighbor" command (example below). The timers are set with "X timers keepalive holddown [minimum holddown]"; the example below sets the keepalive to 20 seconds and the holddown to 60 seconds on R1.
So if you were to capture tunneled traffic in Wireshark, you would not see a TCP port, but an ESP header containing an SPI (Security Parameter Index) and a sequence number, followed by an encrypted payload.
If your firewall/router has multiple site-to-site IPsec VPNs, you will have a multitude of SPIs, one per security association.
Of course, when are you most likely to set up a site-to-site VPN?
Correct: when talking into some 3rd-party systems, or when some 3rd party needs to talk into some of your systems.
Once the peering between two peers is UP, the router starts a hold-down timer counting up from 0 seconds.
Every keepalive message received from the neighbor peer resets this timer back to 0 seconds.