
[SRX] How to troubleshoot IKE Phase 2 VPN connection issues


Article ID: KB10099    KB Last Updated: 25 Feb 2021    Version: 11.0
Summary:
 

This article shows you how to review VPN status messages related to IKE Phase 2 not establishing.

 

Symptoms:
 

 

Solution:
 

Troubleshooting IKE Phase 2 problems is best handled by reviewing VPN status messages on the responder firewall.

  1. Configure a new syslog file, kmd-logs, to capture relevant VPN status logs on the responder firewall.

# set system syslog file kmd-logs daemon info
# set system syslog file kmd-logs match KMD
# commit

Note: The filename is kmd-logs; it is important that you do not name the file kmd, as the IKE debugs are written to the file kmd.

The match text "KMD" should be in uppercase. The file kmd-logs is written to the /var/log directory. For more information, see KB10097 - [Includes video] How to configure syslog to display VPN status messages.

  2. Attempt to bring the VPN tunnel up again, so that the VPN status messages are logged to the syslog file, kmd-logs.

  3. Run the command show log kmd-logs, and look for Phase 2 errors such as the following:

No proposal chosen

Messages:

Sep 7 09:26:57 kmd[1393]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: vpn1 Gateway: ike-gw, Local: 10.10.10.1/500, Remote: 10.10.10.2/500, Local IKE-ID: 10.10.10.1, Remote IKE-ID: 10.10.10.2, VR-ID: 0 

Note: If Local and Remote IKE-ID are displayed as "Not-Available," it is a Phase 1 failure message. Refer to KB30548 - IKE Phase 1 VPN status messages for more information.

Action:

Verify the local Phase 2 VPN configuration elements. The Phase 2 proposal elements include the following:
  • Authentication algorithm

  • Encryption algorithm

  • Lifetime kilobytes

  • Lifetime seconds

  • Protocol

  • Perfect Forward Secrecy

Either change the local configuration to accept at least one of the remote peer’s Phase 2 proposals, or contact the remote peer’s admin and arrange for the IKE configurations at both ends of the tunnel to use at least one mutually acceptable Phase 2 proposal.

Traffic-selector mismatch

Messages:

Nov  4 12:24:09   kmd[2531]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: VPN-1, Peer Proposed traffic-selector local-ip: ipv4(tcp:80,192.168.3.0-192.168.3.255),  Peer Proposed traffic-selector remote-ip: ipv4(tcp,192.168.2.0-192.168.2.255)
Nov  4 12:24:09   kmd[2531]: IPSec negotiation failed with error: Peer proposed traffic-selectors are not in configured range. IKE Version: 1, VPN: VPN-1 Gateway: Gateway, Local: 192.168.1.1/500, Remote: 192.168.1.2/500, Local IKE-ID: 192.168.1.1, Remote IKE-ID: 192.168.1.2, VR-ID: 0

Action:

The proxy-id must be an exact "reverse" match of the peer's configured proxy-id; see KB10124 - [SRX] How to fix the Phase 2 Proxy ID/Traffic-selector mismatch error.

If you are unable to locate any Phase 2 messages, continue to Step 4.

  4. Review the Phase 2 proposals using show security ipsec, and confirm that the configuration matches the Phase 2 proposals configured by the peer.

root@srx210# show security ipsec
proposal ipsec-phase2-proposal {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-128-cbc;
}
policy ipsec-phase2-policy {
    perfect-forward-secrecy {
        keys group2;
    }
    proposals ipsec-phase2-proposal;
}
vpn ike-vpn-srx1 {
    vpn-monitor;
    ike {
        gateway gw-srx1;
        ipsec-policy ipsec-phase2-policy;
    }
}

  5. Enable "per tunnel debug" detailed logging (traceoptions), and analyze the output.

See: KB19943 - How to enable VPN (IKE/IPsec) traceoptions for specific SAs (Security Associations)

  6. If the issue is still not resolved, collect logs and open a case with your technical support representative.

See: KB21781 - [SRX] Data Collection Checklist - Logs/Data to Collect for Troubleshooting
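As an added example (not part of this article), the following script applies the Step 3 checks to kmd-logs output: it picks out the "negotiation failed" lines, treats a line whose Local and Remote IKE-ID both read "Not-Available" as a Phase 1 failure, and groups the remaining Phase 2 failures by VPN name. The sample log text is constructed for the example in the shape shown above; the regex and the function names are the example's own assumptions, not a Juniper tool.

```python
import re

# Constructed sample lines modelled on the kmd-logs output in the article
# (not captured from a real device).
SAMPLE_LOGS = """\
Sep 7 09:26:57 kmd[1393]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: vpn1 Gateway: ike-gw, Local: 10.10.10.1/500, Remote: 10.10.10.2/500, Local IKE-ID: 10.10.10.1, Remote IKE-ID: 10.10.10.2, VR-ID: 0
Sep 7 09:27:10 kmd[1393]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: vpn2 Gateway: ike-gw2, Local: 10.10.10.1/500, Remote: 10.10.10.3/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
Nov  4 12:24:09   kmd[2531]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: VPN-1, Peer Proposed traffic-selector local-ip: ipv4(tcp:80,192.168.3.0-192.168.3.255),  Peer Proposed traffic-selector remote-ip: ipv4(tcp,192.168.2.0-192.168.2.255)
Nov  4 12:24:09   kmd[2531]: IPSec negotiation failed with error: Peer proposed traffic-selectors are not in configured range. IKE Version: 1, VPN: VPN-1 Gateway: Gateway, Local: 192.168.1.1/500, Remote: 192.168.1.2/500, Local IKE-ID: 192.168.1.1, Remote IKE-ID: 192.168.1.2, VR-ID: 0
"""

# Assumed field layout, taken from the message format shown in the article.
FAIL_RE = re.compile(
    r"kmd\[\d+\]: (?P<kind>IKE|IPSec) negotiation failed with error: "
    r"(?P<error>[^.]+)\. IKE Version: (?P<ver>\d), VPN: (?P<vpn>\S+) "
    r"Gateway: (?P<gw>\S+), .*Local IKE-ID: (?P<lid>[^,]+), "
    r"Remote IKE-ID: (?P<rid>[^,]+),"
)


def classify(line):
    """Return (vpn, phase, error) for a kmd failure line, or None."""
    m = FAIL_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    # Per the article: both IKE-IDs reading "Not-Available" means the
    # negotiation never got past Phase 1, whatever the error text says.
    if d["lid"] == "Not-Available" and d["rid"] == "Not-Available":
        phase = 1
    else:
        phase = 2
    return d["vpn"], phase, d["error"]


def phase2_failures(log_text):
    """Map each VPN name to its Phase 2 failure reasons, in the order seen."""
    out = {}
    for line in log_text.splitlines():
        r = classify(line)
        if r and r[1] == 2:
            out.setdefault(r[0], []).append(r[2])
    return out


if __name__ == "__main__":
    for vpn, errors in phase2_failures(SAMPLE_LOGS).items():
        print(vpn, "->", "; ".join(errors))
```

The KMD_VPN_TS_MISMATCH line is informational and carries no IKE-IDs, so it is deliberately skipped; the IPSec "not in configured range" line that follows it is the one counted.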

 

Modification History:
 

2021-02-25: Changes made in the solution to step 1; syslog commands added; additional reference links added

 
