[SRX/J-series] Site-Site Main mode VPN failure after upgrade to Junos OS 11.4 or later with 'validate id NOT matched' error message

  [KB25462]


Summary:
After upgrading to Junos OS 11.4 or later, a site-to-site VPN that previously worked will no longer be established. The following error message appears in the IKE traceoptions output:
Jun 11 11:20:34 [IKED 2] iked_pm_id_validate id NOT matched.
Symptoms:

In certain network setups, the IKE-ID received from the VPN peer (which can be in IPv4, FQDN, e-mail, DN or IPv6 format) does not match the SRX configuration. This leads to IKE-ID validation failure. By default, SRX and J-Series devices validate the received IKE-ID against the IP address configured as the gateway peer.

Example 1:

SRX IKE gateway configuration:

gateway To_Peer {
   ike-policy ike_pol;
   address 20.20.0.2;
   external-interface ge-0/0/0.0;
}

In this example, the peer (behind a NAT device) is sending 192.168.1.1 as its IKE-ID, which is its normal egress interface IP. However, the SRX is configured to reach the peer via the 20.20.0.2 IP address; the received IKE-ID therefore does not match, and Phase 1 validation fails.


Example 2:

SRX IKE gateway configuration:
gateway To_Peer {
   ike-policy ike_pol;
   address 20.20.0.2;
   external-interface ge-0/0/0.0;
}

In this example, the peer is sending router.juniper.net as its IKE-ID, because local-identity has been configured manually on that device. However, the SRX is configured to reach the peer via the 20.20.0.2 IP address; the received IKE-ID therefore does not match, and Phase 1 validation fails.

Cause:

As of Junos OS 11.4, support has been added for site-to-site Main mode VPNs that traverse NAT devices. As part of this support, validation checks were added that compare the IKE-ID received from the peer device against the configuration on the SRX.

Note: Site-to-site VPN support for NAT-T was not officially added until Junos OS 11.4. For more information, refer to the Release Notes.

Solution:

Adjust the configuration of the SRX or peer device for the IKE-ID that is in use.

  1. Edit the SRX configuration to use remote-identity so that it matches the IKE-ID received from the peer:

    root@SRX-210# set security ike gateway From_Peer remote-identity ?
        Possible completions:
        > distinguished-name Use a distinguished name:
        > hostname Use a fully-qualified domain name
        > inet Use an IPv4 address
        > inet6 Use an IPv6 address
        > user-at-hostname Use an e-mail address
  2. Update the peer device so that the IKE-ID it sends matches the peer gateway IP address configured on the SRX (on SRX and J-Series devices, this is done with local-identity):

    root@Peer# set security ike gateway To_SRX local-identity ?
            Possible completions:
            > distinguished-name Use a distinguished name specified in local certificate
            > hostname Use a fully-qualified domain name
            > inet Use an IPv4 address
            > inet6 Use an IPv6 address
            > user-at-hostname Use an e-mail address

  3. From Junos OS 11.4R5 onward, if general-ikeid is set, the SRX bypasses IKE-ID validation of the received ID payload.

    root@SRX-210# set security ike gateway From_Peer general-ikeid
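To make the three remedies concrete, here is an added Python model of the validation decision (an illustration written for this article, not Junos code): it compares a received ID payload against a gateway configuration, emits the remote-identity set command that would resolve a mismatch, and flags the traceoptions line quoted above. The GatewayConfig fields, the (type, value) payload shape and the default-match rule (an inet ID equal to the configured address) are simplifying assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# remote-identity / local-identity types listed in the CLI output above
ID_TYPES = {"distinguished-name", "hostname", "inet", "inet6", "user-at-hostname"}

IdPayload = Tuple[str, str]  # (type, value) as carried in the IKE ID payload


@dataclass
class GatewayConfig:
    """Simplified model of 'security ike gateway <name>' (assumption, not Junos)."""
    name: str
    address: str                                  # configured peer IP
    remote_identity: Optional[IdPayload] = None   # 'remote-identity <type> <value>'
    general_ikeid: bool = False                   # Junos 11.4R5+ bypass knob


def validate_ike_id(gw: GatewayConfig, received: IdPayload) -> bool:
    """Does the received ID payload pass the post-11.4 validation? (modelled)"""
    if received[0] not in ID_TYPES:
        raise ValueError(f"unknown IKE-ID type {received[0]!r}")
    if gw.general_ikeid:
        return True                               # step 3: validation bypassed
    if gw.remote_identity is not None:
        return gw.remote_identity == received     # step 1: explicit remote-identity
    # Default: the peer is expected to send the configured gateway address as an IPv4 ID
    return received == ("inet", gw.address)


def suggest_remote_identity(gw: GatewayConfig, received: IdPayload) -> str:
    """SRX 'set' command (step 1) that makes the received ID match."""
    id_type, value = received
    return f"set security ike gateway {gw.name} remote-identity {id_type} {value}"


def is_id_mismatch(trace_line: str) -> bool:
    """Detect the traceoptions signature from the article in an IKE trace line."""
    return "iked_pm_id_validate id NOT matched" in trace_line


if __name__ == "__main__":
    gw = GatewayConfig(name="To_Peer", address="20.20.0.2")
    # Example 1: peer behind NAT sends its private egress address as the ID
    # Example 2: peer has local-identity hostname router.juniper.net
    for rx in (("inet", "192.168.1.1"), ("hostname", "router.juniper.net")):
        if not validate_ike_id(gw, rx):
            print(f"{rx} -> id NOT matched; fix: {suggest_remote_identity(gw, rx)}")
```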