This article shows you how to review VPN status messages related to IKE Phase 2 not establishing.
Troubleshooting IKE Phase 2 problems is best handled by reviewing VPN status messages on the responder firewall.
1. Configure a new syslog file, kmd-logs, to capture the relevant VPN status logs on the responder firewall:

   # set system syslog file kmd-logs daemon info
   # set system syslog file kmd-logs match KMD
   # commit

   Note: The filename is kmd-logs; it is important that you do not name the file kmd, as the IKE debugs are written to the file kmd. The match text "KMD" must be in uppercase. The file kmd-logs is written to the /var/log directory. For more information, see KB10097 - [Includes video] How to configure syslog to display VPN status messages.
2. Attempt to bring the VPN tunnel up again, so that the VPN status messages are logged to the syslog file kmd-logs.
3. Run the command show log kmd-logs, and look for Phase 2 errors such as the following:
No proposal chosen
Messages:
Sep 7 09:26:57 kmd[1393]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: vpn1 Gateway: ike-gw, Local: 10.10.10.1/500, Remote: 10.10.10.2/500, Local IKE-ID: 10.10.10.1, Remote IKE-ID: 10.10.10.2, VR-ID: 0
Note: If Local and Remote IKE-ID are displayed as "Not-Available," it is a Phase 1 failure message. Refer to KB30548 - IKE Phase 1 VPN status messages for more information.
Action:
Verify the local Phase 2 VPN configuration elements. The Phase 2 proposal elements include the following:
- Authentication algorithm
- Encryption algorithm
- Lifetime kilobytes
- Lifetime seconds
- Protocol
- Perfect Forward Secrecy
Either change the local configuration to accept at least one of the remote peer’s Phase 2 proposals, or contact the remote peer’s admin and arrange for the IKE configurations at both ends of the tunnel to use at least one mutually acceptable Phase 2 proposal.
Traffic-selector mismatch
Messages:
Nov 4 12:24:09 kmd[2531]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: VPN-1, Peer Proposed traffic-selector local-ip: ipv4(tcp:80,192.168.3.0-192.168.3.255), Peer Proposed traffic-selector remote-ip: ipv4(tcp,192.168.2.0-192.168.2.255)
Nov 4 12:24:09 kmd[2531]: IPSec negotiation failed with error: Peer proposed traffic-selectors are not in configured range. IKE Version: 1, VPN: VPN-1 Gateway: Gateway, Local: 192.168.1.1/500, Remote: 192.168.1.2/500, Local IKE-ID: 192.168.1.1, Remote IKE-ID: 192.168.1.2, VR-ID: 0
Action:
The proxy-id must be an exact "reverse" match of the peer's configured proxy-id; see KB10124 - [SRX] How to fix the Phase 2 Proxy ID/Traffic-selector mismatch error.
If you are unable to locate any Phase 2 messages, continue to Step 4.
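The two Phase 2 failure messages above, plus the Phase 1 "Not-Available" case from the note, can be triaged automatically before opening a case. The following script is an added example, not part of the original article or of Junos; the log lines it parses are constructed copies of the message formats shown in this article, and the function names classify_line and summarize are its own.

```python
import re

# Constructed sample lines in the kmd-logs format shown in this article (not from a real device).
SAMPLE_LOG = """\
Sep 7 09:26:57 kmd[1393]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: vpn1 Gateway: ike-gw, Local: 10.10.10.1/500, Remote: 10.10.10.2/500, Local IKE-ID: 10.10.10.1, Remote IKE-ID: 10.10.10.2, VR-ID: 0
Nov 4 12:24:09 kmd[2531]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: VPN-1, Peer Proposed traffic-selector local-ip: ipv4(tcp:80,192.168.3.0-192.168.3.255), Peer Proposed traffic-selector remote-ip: ipv4(tcp,192.168.2.0-192.168.2.255)
Nov 4 12:24:09 kmd[2531]: IPSec negotiation failed with error: Peer proposed traffic-selectors are not in configured range. IKE Version: 1, VPN: VPN-1 Gateway: Gateway, Local: 192.168.1.1/500, Remote: 192.168.1.2/500, Local IKE-ID: 192.168.1.1, Remote IKE-ID: 192.168.1.2, VR-ID: 0
Sep 7 09:30:01 kmd[1393]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: vpn1 Gateway: ike-gw, Local: 10.10.10.1/500, Remote: 10.10.10.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
"""

# "IKE/IPSec negotiation failed with error: <error>. ... VPN: <vpn> Gateway: <gw>, ... Local IKE-ID: <lid>, Remote IKE-ID: <rid>,"
FAILED_RE = re.compile(
    r"(?P<proto>IKE|IPSec) negotiation failed with error: (?P<error>[^.]+)\."
    r".*?VPN: (?P<vpn>\S+) Gateway: (?P<gw>\S+),"
    r".*?Local IKE-ID: (?P<lid>[^,]+), Remote IKE-ID: (?P<rid>[^,]+),"
)
# KMD_VPN_TS_MISMATCH carries the peer's proposed selectors, which is what must be "reverse" matched locally.
TS_RE = re.compile(
    r"KMD_VPN_TS_MISMATCH: .*?vpn name: (?P<vpn>[^,]+), "
    r"Peer Proposed traffic-selector local-ip: (?P<local>\S+), "
    r"Peer Proposed traffic-selector remote-ip: (?P<remote>\S+)"
)


def classify_line(line):
    """Return (vpn, phase, cause) for a kmd failure line, or None for any other line."""
    m = TS_RE.search(line)
    if m:
        return (m["vpn"], 2, f"traffic-selector mismatch: peer proposed local={m['local']} remote={m['remote']}")
    m = FAILED_RE.search(line)
    if not m:
        return None
    # Per the article's note: IKE-IDs shown as Not-Available mean Phase 1 never completed.
    if m["lid"] == "Not-Available" or m["rid"] == "Not-Available":
        return (m["vpn"], 1, m["error"])
    return (m["vpn"], 2, m["error"])


def summarize(log_text):
    """Group failure causes per VPN name: {vpn: {"phase1": [...], "phase2": [...]}}."""
    report = {}
    for line in log_text.splitlines():
        result = classify_line(line)
        if result is None:
            continue
        vpn, phase, cause = result
        report.setdefault(vpn, {"phase1": [], "phase2": []})[f"phase{phase}"].append(cause)
    return report
```

Feed it the output of show log kmd-logs; a VPN with only phase1 entries should be handled with KB30548 rather than the Phase 2 steps here.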
4. Review the Phase 2 proposals using show security ipsec, and confirm that the configuration matches the Phase 2 proposals configured by the peer.
root@srx210# show security ipsec
proposal ipsec-phase2-proposal {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-128-cbc;
}
policy ipsec-phase2-policy {
    perfect-forward-secrecy {
        keys group2;
    }
    proposals ipsec-phase2-proposal;
}
vpn ike-vpn-srx1 {
    vpn-monitor;
    ike {
        gateway gw-srx1;
        ipsec-policy ipsec-phase2-policy;
    }
}
5. Enable "per tunnel debug" detailed logging (traceoptions), and analyze the output.
   See: KB19943 - How to enable VPN (IKE/IPsec) traceoptions for specific SAs (Security Associations)
6. If the issue is still not resolved, collect logs and open a case with your technical support representative.
   See: KB21781 - [SRX] Data Collection Checklist - Logs/Data to Collect for Troubleshooting
2021-02-25: Changes made in the solution to step 1; syslog commands added; additional reference links added