
[SRX/J-series] Site-Site Main mode VPN failure after upgrade to Junos OS 11.4 or later with 'validate id NOT matched' error message


Article ID: KB25462   Last Updated: 16 Jan 2014   Version: 9.0
Summary:
After upgrading to Junos OS 11.4 or later, a site-to-site VPN that previously worked no longer establishes. The IKE traceoptions output contains the following message:
Jun 11 11:20:34 [IKED 2] iked_pm_id_validate id NOT matched.
Symptoms:

In certain network setups, the IKE-ID received from the VPN peer (which can be in IPv4, FQDN, e-mail, DN, or IPv6 format) does not match the SRX configuration, so IKE-ID validation fails. By default, SRX and J-Series devices validate the received IKE-ID against the IP address that is configured as the gateway peer address.

Example 1:

SRX IKE gateway configuration:

gateway To_Peer {
   ike-policy ike_pol;
   address 20.20.0.2;
   external-interface ge-0/0/0.0;
}

In this example, the peer (behind a NAT device) sends 192.168.1.1 as its IKE-ID, which is the IP address of its normal egress interface. However, the SRX is configured to reach the peer via the 20.20.0.2 address, so the received IKE-ID does not match and Phase 1 validation fails.


Example 2:

SRX IKE gateway configuration:

gateway To_Peer {
   ike-policy ike_pol;
   address 20.20.0.2;
   external-interface ge-0/0/0.0;
}

In this example, the peer sends router.juniper.net as its IKE-ID because local-identity has been configured manually on that device. However, the SRX is configured to reach the peer via the 20.20.0.2 address, so the received IKE-ID does not match and Phase 1 validation fails.

Cause:

As of Junos OS 11.4, support has been added for site-to-site Main mode VPNs that traverse NAT devices. As part of this support, validation checks were introduced that compare the IKE-ID received from the peer device against the gateway configuration on the SRX.

Note: Site-to-site VPN support for NAT-T was not officially added until Junos OS 11.4. For more information, refer to the Release Notes.



Solution:

Adjust the configuration of the SRX or the peer device so that the IKE-ID in use matches.

  1. Edit the SRX configuration to use remote-identity to match the IKE-ID that is received from the peer:

    root@SRX-210# set security ike gateway From_Peer remote-identity ?
    Possible completions:
    > distinguished-name   Use a distinguished name
    > hostname             Use a fully-qualified domain name
    > inet                 Use an IPv4 address
    > inet6                Use an IPv6 address
    > user-at-hostname     Use an e-mail address
  2. Update the peer device so that the IKE-ID it generates matches the peer gateway address referenced in the SRX configuration (on SRX and J-Series devices, this is done with local-identity):

    root@Peer# set security ike gateway To_SRX local-identity ?
    Possible completions:
    > distinguished-name   Use a distinguished name specified in local certificate
    > hostname             Use a fully-qualified domain name
    > inet                 Use an IPv4 address
    > inet6                Use an IPv6 address
    > user-at-hostname     Use an e-mail address

  3. From Junos OS 11.4R5 onwards, if general-ikeid is set, the SRX bypasses IKE-ID validation of the received ID payload entirely:

    root@SRX-210# set security ike gateway From_Peer general-ikeid
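As an added illustration (not Juniper's iked code), the following Python models the validation this article describes: the received ID payload is compared with remote-identity when configured, otherwise with the gateway address, and general-ikeid skips the comparison. It reproduces the two failing examples above and both fixes; the ID type names follow the CLI completion lists, and the exact-match rule is an assumption of the model.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# ID payload types the article lists, named as the CLI 'remote-identity' keywords.
ID_TYPES = {"inet", "inet6", "hostname", "user-at-hostname", "distinguished-name"}

@dataclass
class GatewayConfig:
    address: str                                       # 'address' under the gateway
    remote_identity: Optional[Tuple[str, str]] = None  # (type, value) if configured
    general_ikeid: bool = False                        # 11.4R5+ bypass knob

def expected_id(cfg: GatewayConfig) -> Tuple[str, str]:
    """Identity the SRX expects: remote-identity if set, else the peer address."""
    if cfg.remote_identity is not None:
        return cfg.remote_identity
    # Default behaviour: compare against the configured gateway address.
    return ("inet", cfg.address)

def validate_ike_id(cfg: GatewayConfig, received: Tuple[str, str]) -> Tuple[bool, str]:
    """Return (ok, reason) for the ID payload (type, value) received from the peer."""
    rtype, rvalue = received
    if rtype not in ID_TYPES:
        return False, f"unsupported ID type {rtype}"
    if cfg.general_ikeid:
        # The peer is then bound only by the pre-shared key or certificate,
        # not by its identity, which is why this knob should be a last resort.
        return True, "general-ikeid set: ID validation bypassed"
    etype, evalue = expected_id(cfg)
    if (rtype, rvalue) == (etype, evalue):
        return True, "id matched"
    return False, f"id NOT matched: expected {etype} {evalue}, got {rtype} {rvalue}"

def article_cases() -> dict:
    """The two failing examples from the article and the two fixes, by name."""
    default = GatewayConfig(address="20.20.0.2")
    fixed = GatewayConfig(address="20.20.0.2",
                          remote_identity=("hostname", "router.juniper.net"))
    bypass = GatewayConfig(address="20.20.0.2", general_ikeid=True)
    return {
        "example1_nat_peer": validate_ike_id(default, ("inet", "192.168.1.1"))[0],
        "example2_fqdn_peer": validate_ike_id(default, ("hostname", "router.juniper.net"))[0],
        "fix_remote_identity": validate_ike_id(fixed, ("hostname", "router.juniper.net"))[0],
        "fix_general_ikeid": validate_ike_id(bypass, ("inet", "192.168.1.1"))[0],
    }
```

Of the two fixes, remote-identity keeps the peer's identity bound to the gateway; general-ikeid only removes the check, so prefer the first where the peer's IKE-ID is known.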