This article shows you how to review VPN connection issues related to IKE Phase 1 not establishing and verify settings if no IKE Phase 1 messages are seen.
Troubleshooting IKE Phase 1 problems is best handled by reviewing VPN status messages on the responder firewall. The responder is the "receiver" side of the VPN that is receiving the tunnel setup requests. The initiator is the side of the VPN that sends the initial tunnel setup requests.
1. Configure a new syslog file, kmd-logs, to capture relevant VPN status logs on the responder firewall.
   See: KB10097 - How to configure syslog to display VPN status messages
   Don't forget to attempt to bring the VPN tunnel up again, so that the messages are captured in kmd-logs.
2. Run the command show log kmd-logs, and look for Phase 1 errors.
   Note: Refer to KB30548 - IKE Phase 1 VPN status messages for a listing of common IKE connection errors.
   - If you are unable to locate any Phase 1 messages, continue to Step 3.
3. If the VPN is a route-based VPN, verify that an st0.x interface is bound to the VPN with the command:

       root@CORPORATE# show security ipsec
       policy ipsec_pol {
           proposal-set compatible;
       }
       vpn vpn1 {
           bind-interface st0.0;
           ike {
               gateway ike-vpn-srx1;
               ipsec-policy ipsec_pol;
           }
       }

   Is there an st0 interface bound to the VPN?
   - Yes - Continue with Step 4.
   - No, I am using a policy-based VPN - Continue with Step 4.
   - No - Bind the st0 interface to the VPN:

         set security ipsec vpn "vpn_name" bind-interface st0.X

     To do this using J-Web:
     - Go to Configuration > IPSec VPN > Auto Tunnel > Phase II.
     - Select the VPN tunnel in question and click Edit.
     - Click on the pull-down list for Bind to tunnel interface.
     - Select the st0 interface.
     - Click OK.
4. Is the VPN Gateway configured to use the correct outgoing interface? For further assistance, see KB10121 - How to determine if the IPsec IKE Gateway is configured for the correct outgoing interface.
   - Yes - Continue with Step 5.
   - No - Adjust the IKE Gateway's outgoing interface to the correct outgoing interface.
5. Is the SRX configured to allow IKE in host-inbound-traffic? This is required when the SRX is the responder device.
   - Locate the VPN external interface:

         root@CORPORATE# show security ike
         policy ike_pol {
             mode main;
             proposal-set compatible;
             pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
         }
         gateway gw_srx1 {
             ike-policy ike_pol;
             address 2.2.2.2;
             external-interface ge-0/0/8;
         }

   - Locate the security zone associated with the external-interface:

         root@CORPORATE# show security zones | display set | match ge-0/0/8
         set security zones security-zone untrust interfaces ge-0/0/8.0

   - Verify that the interface or the zone allows host-bound IKE traffic:

         root@CORPORATE# show security zones security-zone untrust
         interfaces {
             ge-0/0/8.0 {
                 host-inbound-traffic {
                     system-services {
                         ike;
                     }
                 }
             }
         }

   NOTE: If the VPN is to be used for Dynamic Endpoint connections from NCP clients using NCP Pathfinder, also include the system-services option 'tcp-encap'.
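The three checks in Step 5 can be automated against pasted "display set" output. The following script is an added example and is not part of the Juniper KB; the gateway names, interfaces and zones in SAMPLE_CONFIG are constructed, and it assumes the external-interface is bound to the zone as unit .0 when no unit is given.

```python
# Added example (not from the KB): for every IKE gateway in "display set" output,
# find its external-interface, the zone that interface belongs to, and whether
# host-inbound IKE is permitted on the interface or on the zone as a whole.
import re

# Constructed sample "show security zones | display set"-style output (assumed values).
SAMPLE_CONFIG = """
set security ike gateway gw_srx1 ike-policy ike_pol
set security ike gateway gw_srx1 address 2.2.2.2
set security ike gateway gw_srx1 external-interface ge-0/0/8
set security ike gateway gw_branch address 3.3.3.3
set security ike gateway gw_branch external-interface ge-0/0/9
set security zones security-zone untrust interfaces ge-0/0/8.0 host-inbound-traffic system-services ike
set security zones security-zone dmz interfaces ge-0/0/9.0
set security zones security-zone dmz host-inbound-traffic system-services ping
"""

GW_RE = re.compile(r"^set security ike gateway (\S+) external-interface (\S+)$")
ZONE_IKE_RE = re.compile(r"^set security zones security-zone (\S+) host-inbound-traffic system-services ike$")
ZONE_IF_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)(.*)$")


def check_ike_host_inbound(config: str) -> dict:
    """Return {gateway_name: 'ok' | finding} for each IKE gateway in the config."""
    gateways, zone_of, if_ike, zone_ike = {}, {}, set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := GW_RE.match(line):
            gateways[m.group(1)] = m.group(2)
        elif m := ZONE_IKE_RE.match(line):
            zone_ike.add(m.group(1))            # ike allowed for the whole zone
        elif m := ZONE_IF_RE.match(line):
            zone, unit, rest = m.groups()
            zone_of[unit] = zone                # remember which zone holds the unit
            if rest.strip() == "host-inbound-traffic system-services ike":
                if_ike.add(unit)                # ike allowed on this interface only
    findings = {}
    for gw, ext in gateways.items():
        # Gateways name the physical port; zones bind the logical unit (assume .0).
        unit = ext if "." in ext else ext + ".0"
        zone = zone_of.get(unit)
        if zone is None:
            findings[gw] = f"{unit} is not in any security zone"
        elif unit in if_ike or zone in zone_ike:
            findings[gw] = "ok"
        else:
            findings[gw] = f"zone {zone} / {unit} does not permit host-inbound ike"
    return findings


if __name__ == "__main__":
    for gw, status in check_ike_host_inbound(SAMPLE_CONFIG).items():
        print(f"{gw}: {status}")
```

Paste the real `show security ike | display set` and `show security zones | display set` output into SAMPLE_CONFIG (or read it from a file) to run it against the responder's configuration.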
6. Enable 'per tunnel debug' detailed logging (traceoptions), and analyze the output.
   Read: KB19943 - How to enable VPN (IKE/IPsec) traceoptions for only specific SAs (Security Associations)
7. If still not resolved, collect logs and open a case with your technical support representative.
   Read: KB21781 - [SRX] Data Collection Checklist - Logs/data to collect for troubleshooting
See the Related Links section for more configuration and troubleshooting resources.
Modification history:
2020-03-26: Removed message log examples related to old versions of Junos. Included reference to use of the tcp-encap system service.
2020-02-25: Minor, non-technical edits.