Sorry, buried in a project. Basics are below. Some erased for brevity and privacy. Cisco seems to have better debugs for phase 1 which helps to match up policy. Will say "expected" and "received". Adjust as needed.
The basics are:

Phase 1 or Policy

Aruba
crypto isakmp policy 1
  version v2
  encryption aes256
  hash sha2-384-192
  group 20
  authentication ecdsa-384
  prf prf-hmac-sha384
  lifetime 86400

Cisco
crypto ikev2 policy 1
  encryption aes-256
  integrity sha384
  group 20
  prf sha384
  lifetime seconds 86400

Certs:

Aruba
crypto-local isakmp server-certificate "aruba_ec"
crypto-local isakmp ca-certificate "cacert_ec"
crypto-local ipsec-map Site-to-Site-Hub 100
  version v2
  set ikev2-policy 1
  peer-ip 0.0.0.0
  peer-cert-dn "/C=US/ST=New Jersey/L=Oseola/O=IAS/OU=COMP/CN=asa5525.sas.ipnet.com/E=cinp@aosec.com"
  peer-fqdn any-fqdn
  vlan 54
  src-net *(Erased for privacy)
  dst-net *(Erased for privacy)
  set transform-set "default-gcm256" "default-1st-ikev2-transform" "default-3rd-ikev2-transform"
  set security-association lifetime seconds 86400
  set pfs group20
  pre-connect disable
  trusted enable
  force-natt disable
  set ca-certificate cacert_ec
  set server-certificate aruba_ec
  tunneled-node-address 0.0.0.0

Cisco
access-list outside_cryptomap_1 extended permit ip *(Erased for privacy) 255.255.255.0 *(Erased for privacy) 255.255.255.0
crypto dynamic-map ss_dynamic 2 match address outside_cryptomap_1
crypto dynamic-map ss_dynamic 2 set pfs group20
crypto dynamic-map ss_dynamic 2 set ikev2 ipsec-proposal aruba
crypto dynamic-map ss_dynamic 2 set reverse-route
crypto dynamic-map ss_dynamic 65535 set ikev2 ipsec-proposal aruba
crypto dynamic-map ss_dynamic 65535 set reverse-route
crypto map outside_map5 2 ipsec-isakmp dynamic ss_dynamic
crypto map outside_map5 interface Gray
crypto ca trustpoint ASDM_TrustPoint0
  enrollment terminal
  crl configure
crypto ca trustpoint ASDM_TrustPoint1
  enrollment terminal
  fqdn asa5525.sas.ipnet.com
  subject-name CN=* (Erased for privacy)
  crl configure
crypto ca trustpoint ASDM_TrustPoint3
  enrollment terminal
  subject-name CN=*(Erased for privacy)
  keypair aruba
  crl configure
crypto ca trustpool policy
tunnel-group ss_dynamic ipsec-attributes
  peer-id-validate cert
  ikev2 remote-authentication certificate
  ikev2 local-authentication certificate ASDM_TrustPoint3

Phase 2 (ipsec)

Aruba
crypto ipsec transform-set cisco esp-aes256-gcm esp-null-hmac

Cisco
crypto ipsec ikev2 ipsec-proposal strong
  protocol esp encryption aes-gcm-256
  protocol esp integrity null

Where I am weak is moving the certs from one Aruba to another. Cisco has the export feature for its certs and keys. I did perform flashbackup and copied it from one to another and that seemed to work. I also had issues with the CSR on one of the Arubas. It didn't seem to want to overwrite the old. Is there a way to delete this information? How would one clear this out when you wanted to remove a device from service? Wouldn't want old certs, keys, or even a CSR left behind?

Also if you are configuring a CA. Make the state two letters instead of spelled out. You will save yourself a big headache. GUI only allows two letters. Command line lets you spell out. Tunnels are dynamic and not static so they match subject information in the cert. Has to be exact. Note that the 0.0.0.0 addresses above are straight out of the configs and truncated. All certs generated with OpenSSL.
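
Added example, not part of the original post: a pre-flight check that compares a configured peer-cert-dn against a certificate subject RDN by RDN and reports "expected"/"received" pairs, plus any state that is spelled out. It assumes the slash-style one-line DN shown in the config, an exact ordered match, and that OpenSSL's "emailAddress" corresponds to the "E" written in the config; the function names and the certificate subject are constructed for illustration.

```python
import re

# Assumption: OpenSSL prints the e-mail RDN as "emailAddress", the config writes "E".
ALIASES = {"emailAddress": "E"}

def parse_dn(dn):
    """Split a one-line DN ("/C=US/ST=NJ/...") into ordered (attr, value) pairs."""
    dn = re.sub(r"^subject=\s*", "", dn.strip())  # tolerate openssl's "subject=" prefix
    if not dn.startswith("/"):
        raise ValueError("expected a DN in /ATTR=value/... form")
    # Split only where "/" starts a new ATTR= token, so a "/" inside a value survives.
    rdns = re.split(r"/(?=[A-Za-z][A-Za-z0-9.]*=)", dn[1:])
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((ALIASES.get(attr, attr), value))
    return pairs

def dn_mismatches(configured, cert_subject):
    """Return (position, expected, received) for every RDN that differs.
    Assumption: the match is exact, so order, case and spacing all count."""
    cfg, crt = parse_dn(configured), parse_dn(cert_subject)
    out = []
    for i in range(max(len(cfg), len(crt))):
        exp = cfg[i] if i < len(cfg) else None
        got = crt[i] if i < len(crt) else None
        if exp != got:
            out.append((i, exp, got))
    return out

def spelled_out_states(dn):
    """Return ST values that are not two-letter codes."""
    return [v for a, v in parse_dn(dn)
            if a == "ST" and not re.fullmatch(r"[A-Za-z]{2}", v)]

# peer-cert-dn as it appears in the ipsec-map above.
CONFIGURED = ("/C=US/ST=New Jersey/L=Oseola/O=IAS/OU=COMP"
              "/CN=asa5525.sas.ipnet.com/E=cinp@aosec.com")
# Constructed sample: subject of a cert whose state was entered as two letters.
CERT_SUBJECT = ("subject=/C=US/ST=NJ/L=Oseola/O=IAS/OU=COMP"
                "/CN=asa5525.sas.ipnet.com/emailAddress=cinp@aosec.com")

if __name__ == "__main__":
    for pos, exp, got in dn_mismatches(CONFIGURED, CERT_SUBJECT):
        print(f"RDN {pos}: expected {exp}, received {got}")
    print("spelled-out states in config:", spelled_out_states(CONFIGURED))
```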