Text Size:        

• Ask the KB
• Find answers in our KB
  
  Example: "Configure BGP"
  
• KB Article Feedback
• This article was easy to understand:

  Strongly Agree
  Agree
  Neutral
  Disagree
  Strongly Disagree
  

  This article was complete and accurate:

  Strongly Agree
  Agree
  Neutral
  Disagree
  Strongly Disagree
  

  How best can we improve this article?:

  
  

  What is your overall rating on this article?:

  Excellent
  Good
  Neutral
  Poor
  Very Poor
  

How to check the Proxy or Peer IDs for a Route-Based Site-to-Site VPN that fails due to Phase 2 Proxy-ID or Peer ID mismatch (KB ID: KB9518)

Back to Previous Page | Knowledge Base Home

Article URL

http://kb.juniper.net/KB9518

Synopsis

How to verify if the AutoKey IKE (Phase 2) Advanced settings are correct for a Route-Based Site-to-Site VPN that is failing with a Phase 2 message stating Proxy-ID or Peer ID mismatch.

Problem

A Route-Based Site-to-Site VPN has been configured, but the tunnel is not coming up.  There are Phase 2 error messages stating No policy exists for the Proxy-ID or Peer ID mismatch.

Solution

The Firewall's Event Log Message lists the Local IP, Remote IP, Protocol Number, and Port Number.  See sample below.

• The Local ID is the IP address of the encryption domain the remote firewall is trying to connect.
• The Remote ID is the internal IP address of the remote firewall that is trying to connect.
• <0>, <0> = indicates the Protocol and Port Number the remote firewall is sending for both the Local IP and the Remote IP. 

In a Route-Based VPN, the Local IP and Remote IP fields are in the Proxy-ID Field under the AutoKey IKE Advanced settings.  To view them through the WebUI, select VPN > AutoKey IKE.  Select the AutoKey IKE that is for the VPN that is failing and click Edit.  Then click on the Advanced button at the bottom.  This will display the Advanced settings.  Go to the Proxy-ID section to view the Local IP and Remote IP. 

The Local IP of one unit must match the Remote IP of the other unit and vice versa.  See the image below. 

 Make sure the Proxy-ID checkbox is selected.  The Proxy-ID must be enabled on both firewalls for the tunnel to work.

 

Category Description

By Product » Hardware » Firewalls
By Product » Hardware » Firewalls » NetScreen Firewall/IPSec VPN
By Product » Software » Network Operating Systems
By Product » Software » Network Operating Systems » ScreenOS Software

Purpose

Related Articles

Related Links

• KB9517 - What is causing the Phase 2 error: Mismatched Proxy ID or Peer ID when connecting through my Site-to-Site VPN?

Related Files