How to ensure the Proxy-ID is Disabled in the Phase 2 Advanced VPN Settings. (KB ID: KB9477)
| Article ID: | KB9477 |
|---|---|
| Former Article ID: | |
| Published: | Jan 23, 2007 |
| Last Modified: | Jan 23, 2007 |
| Visible By: | Employee, PTAC, Partner, Customer, Public |
Synopsis
The policy-based VPN message "Phase 2 Error – Mismatched Proxy/Peer IDs" can be caused by enabling the Proxy-ID option in the Advanced settings of the AutoKey IKE (Phase 2) configuration on the firewall when it is not needed. When the Proxy-ID option is selected, the Local IP and Remote IP entered there are used as the Phase 2 IDs instead of the source and destination addresses of the policy that references the VPN, so the IDs the firewall expects no longer match what the peer sends.
Problem
Environment:
A VPN has successfully passed Phase 1, but Phase 2 fails.
Symptoms & Errors
- Data is not passing through the VPN
- Incoming policy is defined to allow the Dial-Up VPN to access the internal network
- Netscreen Remote Client does not have a gold key in taskbar window
- Phase 2: No policy exists for the proxy ID received: local ID (<ip_address> / <subnet_mask>,<0>, <0>) remote ID (<ip_address> / <subnet_mask>, <0>, <0>).
Solution
If Phase 1 completes and Phase 2 fails with the event-log message shown above, the proxy IDs the peer is sending do not match the source/destination addresses of the incoming policy on the firewall, or vice versa. Confirm that an explicit Proxy-ID is not overriding the policy:
- In the WebUI, select VPNs > AutoKey IKE, then edit the affected VPN.
- Click the Advanced button at the bottom of the page.
- On the Advanced screen, verify that the Proxy-ID check box is cleared. If it is selected, clear it (or make sure the Local IP and Remote IP match the peer's IDs exactly) and click Return, then OK.
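The same check and fix from the ScreenOS CLI, as an added example that is not part of the original article. "corp-vpn" is a placeholder VPN name; the command syntax is recalled from ScreenOS and should be confirmed on your release with "set vpn ?" and "unset vpn ?". Lines beginning with "##" are annotations, not commands.

```screenos
## 1. List the AutoKey IKE VPNs and identify the one whose Phase 2 fails
get vpn

## 2. Show that VPN's Phase 2 settings. A "proxy-id" line with local/remote
##    addresses means the Advanced Proxy-ID option is enabled and those
##    addresses override the policy-derived IDs
get vpn corp-vpn

## 3. Remove the explicit proxy-id so Phase 2 IDs are taken from the
##    source/destination addresses of the policy that references the VPN
unset vpn corp-vpn proxy-id

## 4. Save, then drop the existing IKE SAs so the peer renegotiates Phase 2
save
clear ike all

## 5. Confirm the VPN now comes up and the mismatch message no longer appears
get vpn corp-vpn
get event
```

If an explicit proxy-id is genuinely required (for example the peer is a non-ScreenOS gateway that insists on specific IDs), set it to exactly the subnets the peer sends rather than leaving a stale value in place; a proxy-id that does not agree with the incoming policy produces the same "No policy exists for the proxy ID received" error.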
Category Description
By Product » Hardware » Firewalls
By Product » Hardware » Firewalls » NetScreen Firewall/IPSec VPN
By Product » Software » Network Operating Systems » ScreenOS Software
By Product » Software » VPN Clients