Text Size:        

• Ask the KB
• Find answers in our KB
  
  Example: "Configure BGP"
  
• KB Article Feedback
• This article was easy to understand:

  Strongly Agree
  Agree
  Neutral
  Disagree
  Strongly Disagree
  

  This article was complete and accurate:

  Strongly Agree
  Agree
  Neutral
  Disagree
  Strongly Disagree
  

  How best can we improve this article?:

  
  

  What is your overall rating on this article?:

  Excellent
  Good
  Neutral
  Poor
  Very Poor
  

IKE Phase 1 successful, Phase 2 fails due to proxy-id mismatch (KB ID: KB5049)

Back to Previous Page | Knowledge Base Home

Article URL

http://kb.juniper.net/KB5049

Synopsis

The Proxy ID on the local and remote VPN device must match for phase 2 to complete the VPN negotiations.  The information below explains the log error  "No policy exist for the Proxy ID" in greater detail.

Problem

Environment:

• IPsec
• proxy id
• Route-based VPN
• Proxy-ID configured manually
• Address book entries configured
• Phase 1 successful

Symptoms & Errors:

• Phase 2 failing with a Proxy ID mismatch
• No policy exist for the Proxy ID
• Get address shows

192.168.168.0/24  192.168.168.0          255.255.255.0     00 
Any               0.0.0.0                0.0.0.0           02  All Addr
Dial-Up VPN       255.255.255.255        255.255.255.255   02  Dial-Up VPN Addr
Homenet           192.168.0.0            255.255.255.0     00 
SBC Net           64.161.25.0            255.255.255.0     00

Solution

The Local ID is the encryption domain the remote client is trying to connect to.

The Remote ID is the internal address of the remote client that is trying to connect.

<0>,<0> = Indicates the Protocol and Port Number .

Verify that the address book entry is correct and make sure the Proxy ID's match from one gateway to the other (i.e. local proxy id matches with peer's remote proxy id, and vice versa).  See the image.

To check the Proxy ID of each policy-based vpn using the CLI, type the following command:

get policy id <number>

Example:

spingineer-> get policy id 3
name:"none" (id 12), zone Untrust -> Trust,action Tunnel, status "enabled"
src "Dial-Up VPN", dst "10.2.2.0/24", serv "ANY"
Policies on this vpn tunnel: 1
  [255.255.255.255/32, 10.2.2.0/24, 0-65535, 0-65535, 0]
nat off, url filtering : disabled
vpn remote-vpn, nsp tunnel 40000012, sa index 2, sa tunnel id 12
policy flag 00010000, session backup: on
traffic shapping off, scheduler n/a, serv flag 00
log close, log count 0, alert no, counter no(0) byte rate(sec/min) 0/0
total octets 0, counter(session/packet/octet) 0/0/0
priority 7, diffserv marking Off
tadapter: state off, gbw/mbw 0/0 policing (no)
proxy id:
  local 10.2.2.0/255.255.255.0, remote 255.255.255.255/255.255.255.255, proto 0, port 0
No Authentication
No User, User Group or Group expression set
spingineer->

Category Description

By Product » Hardware » Firewalls » NetScreen Firewall/IPSec VPN
By Product » Software » Network Operating Systems » ScreenOS Software
By Product » Software » VPN Clients
By Network Technology » IP Protocols » Tunneling Protocols » IPSec

Purpose

Troubleshooting

Related Articles

Related Links

• KB9444 - What is causing the Phase 2 error: Mismatched Proxy ID or Peer ID when connecting through my client VPN?

Related Files