
IKE Phase 2 VPN status messages in 12.1X44 and later releases

Article ID: KB30547 KB Last Updated: 04 Mar 2017Version: 2.0
Summary:

This article describes the VPN status messages that kmd writes to the syslog for IKE Phase 2 in Junos OS 12.1X44 and later releases. The messages were verified on 12.1X46-D35 and 12.1X44-D35; where the format differs between the two release trains, both variants are shown.

Symptoms:
  • IKE Phase 2 is not active.
  • The remote address of the VPN is not listed in the output of the show security ipsec security-associations command.
Solution:

The VPN messages described in this article are shown in the syslog. To configure the syslog to display VPN status messages, see KB10097 - How to configure syslog to display VPN status messages.

Run the show log kmd-log command and locate the error message for the affected VPN, then match it against the cases below.

IPsec proposal mismatch

Messages:

  • 12.1X44

    No message
  • 12.1X46

    Sep 7 09:26:57 kmd[1393]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: vpn1 Gateway: ike-gw, Local: 10.10.10.1/500, Remote: 10.10.10.2/500, Local IKE-ID: 10.10.10.1, Remote IKE-ID: 10.10.10.2, VR-ID: 0 

    Note: If Local IKE-ID and Remote IKE-ID are displayed as "Not-Available," the message reports a Phase 1 failure, not a Phase 2 failure. Refer to KB30548 - IKE Phase 1 VPN status messages in 12.1X44 and later releases for more information.

Action:

Verify that the local Phase 2 (IPsec) proposal matches the proposal configured on the peer. The Phase 2 proposal elements to compare are:
  • Authentication algorithm
  • Encryption algorithm
  • Lifetime kilobytes
  • Lifetime seconds
  • Protocol
  • Perfect Forward Secrecy

In Junos, the first five are configured under [edit security ipsec proposal <name>]; Perfect Forward Secrecy is configured under [edit security ipsec policy <name>] with the perfect-forward-secrecy keys statement, alongside the proposals referenced by that policy.

Proxy-ID mismatch

Messages:

  • 12.1X44

    Sep 7 09:23:05 kmd[1334]: IKE Phase-2: Failed to match the peer proxy IDs [p2_remote_proxy_id=ipv4_subnet(any:0,[0..7]=192.168.1.0/24), p2_local_proxy_id=ipv4_subnet(any:0,[0..7]=192.168.3.0/24)] for local ip: 10.10.10.2, remote peer ip:10.10.10.1
  • 12.1X46

    Sep 7 09:33:07 kmd[1393]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: vpn1, Peer Proposed traffic-selector local-ip: ipv4(192.168.5.0-192.168.5.255), Peer Proposed traffic-selector remote-ip: ipv4(192.168.3.0-192.168.3.255)
    Sep 7 09:33:07 kmd[1393]: IKE negotiation failed with error: TS unacceptable. IKE Version: 1, VPN: test_vpn Gateway: ike-gw, Local: 10.10.10.1/500, Remote: 10.10.10.2/500, Local IKE-ID: 10.10.10.1, Remote IKE-ID: 10.10.10.2, VR-ID: 0

Action:

The local proxy-id must be an exact "reverse" match of the peer's configured proxy-id: the local address on this side must equal the remote address on the peer, and the remote address on this side must equal the local address on the peer. In 12.1X46 the KMD_VPN_TS_MISMATCH message prints the traffic selectors the peer proposed, so the required local values can be read directly from it. See KB10124 - How to fix the Phase 2 error: Failed to match the peer proxy IDs.

Note: If the VPN is established successfully, the following messages are shown in the syslog: one KMD_PM_SA_ESTABLISHED message per direction (inbound and outbound, each with its own SPI), followed by KMD_VPN_UP_ALARM_USER:

  • 12.1X44

Sep 10 08:35:03 kmd[1334]: KMD_PM_SA_ESTABLISHED: Local gateway: 10.10.10.2, Remote gateway: 10.10.10.1, Local ID: ipv4_subnet(any:0,[0..7]=192.168.3.0/24), Remote ID: ipv4_subnet(any:0,[0..7]=192.168.1.0/24), Direction: inbound, SPI: 0x4b23e914, AUX-SPI: 0, Mode: Tunnel, Type: dynamic
Sep 10 08:35:03 kmd[1334]: KMD_PM_SA_ESTABLISHED: Local gateway: 10.10.10.2, Remote gateway: 10.10.10.1, Local ID: ipv4_subnet(any:0,[0..7]=192.168.3.0/24), Remote ID: ipv4_subnet(any:0,[0..7]=192.168.1.0/24), Direction: outbound, SPI: 0xa90982b3, AUX-SPI: 0, Mode: Tunnel, Type: dynamic
Sep 10 08:35:03 kmd[1334]: KMD_VPN_UP_ALARM_USER: VPN test_vpn from 10.10.10.1 is up. Local-ip: 10.10.10.2, gateway name: ike-gw, vpn name: vpn1, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: Not-Available, Local IKE-ID: 10.10.10.2, Remote IKE-ID: 10.10.10.1, XAUTH username: Not-Applicable, VR id: 0
  • 12.1X46

Sep 9 06:57:34 kmd[1393]: KMD_PM_SA_ESTABLISHED: Local gateway: 10.10.10.1, Remote gateway: 10.10.10.2, Local ID: ipv4_subnet(any:0,[0..7]=192.168.1.0/24), Remote ID: ipv4_subnet(any:0,[0..7]=192.168.3.0/24), Direction: inbound, SPI: 0xa90982b3, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector:
Sep 9 06:57:34 kmd[1393]: KMD_PM_SA_ESTABLISHED: Local gateway: 10.10.10.1, Remote gateway: 10.10.10.2, Local ID: ipv4_subnet(any:0,[0..7]=192.168.1.0/24), Remote ID: ipv4_subnet(any:0,[0..7]=192.168.3.0/24), Direction: outbound, SPI: 0x4b23e914, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector:
Sep 9 06:57:34 kmd[1393]: KMD_VPN_UP_ALARM_USER: VPN test_vpn from 10.10.10.2 is up. Local-ip: 10.10.10.1, gateway name: ike-gw, vpn name: vpn1, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: Not-Available, Local IKE-ID: 10.10.10.1, Remote IKE-ID: 10.10.10.2, XAUTH username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=192.168.1.0/24), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=192.168.3.0/24)
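As an added example that is not part of this KB article, the following Python script reads kmd-log lines and sorts them into the cases described above: proposal mismatch, proxy-ID mismatch (both the 12.1X44 and 12.1X46 formats), a Phase 1 failure flagged by Not-Available IKE-IDs, and the KMD_PM_SA_ESTABLISHED / KMD_VPN_UP_ALARM_USER success messages. For the 12.1X46 traffic-selector mismatch it also derives the reversed proxy-identity the local side would need. The regular expressions are written against the message formats shown in this article; the lines in SAMPLE_LOG are copied from the article, PHASE1_SAMPLE is a constructed line based on the Not-Available rule in the note above, and the event names and helper functions are the example's own, not Junos output.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# kmd syslog lines copied from the examples in this article (KB30547).
SAMPLE_LOG = """\
Sep 7 09:26:57 kmd[1393]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: vpn1 Gateway: ike-gw, Local: 10.10.10.1/500, Remote: 10.10.10.2/500, Local IKE-ID: 10.10.10.1, Remote IKE-ID: 10.10.10.2, VR-ID: 0
Sep 7 09:23:05 kmd[1334]: IKE Phase-2: Failed to match the peer proxy IDs [p2_remote_proxy_id=ipv4_subnet(any:0,[0..7]=192.168.1.0/24), p2_local_proxy_id=ipv4_subnet(any:0,[0..7]=192.168.3.0/24)] for local ip: 10.10.10.2, remote peer ip:10.10.10.1
Sep 7 09:33:07 kmd[1393]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: vpn1, Peer Proposed traffic-selector local-ip: ipv4(192.168.5.0-192.168.5.255), Peer Proposed traffic-selector remote-ip: ipv4(192.168.3.0-192.168.3.255)
Sep 7 09:33:07 kmd[1393]: IKE negotiation failed with error: TS unacceptable. IKE Version: 1, VPN: test_vpn Gateway: ike-gw, Local: 10.10.10.1/500, Remote: 10.10.10.2/500, Local IKE-ID: 10.10.10.1, Remote IKE-ID: 10.10.10.2, VR-ID: 0
Sep 10 08:35:03 kmd[1334]: KMD_PM_SA_ESTABLISHED: Local gateway: 10.10.10.2, Remote gateway: 10.10.10.1, Local ID: ipv4_subnet(any:0,[0..7]=192.168.3.0/24), Remote ID: ipv4_subnet(any:0,[0..7]=192.168.1.0/24), Direction: inbound, SPI: 0x4b23e914, AUX-SPI: 0, Mode: Tunnel, Type: dynamic
Sep 10 08:35:03 kmd[1334]: KMD_VPN_UP_ALARM_USER: VPN test_vpn from 10.10.10.1 is up. Local-ip: 10.10.10.2, gateway name: ike-gw, vpn name: vpn1, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: Not-Available, Local IKE-ID: 10.10.10.2, Remote IKE-ID: 10.10.10.1, XAUTH username: Not-Applicable, VR id: 0
"""

# Constructed line (not from the article): same failure format, but with both
# IKE-IDs reported as Not-Available, which the article's note says is a Phase 1 failure.
PHASE1_SAMPLE = ("Sep 7 09:40:12 kmd[1393]: IKE negotiation failed with error: No proposal chosen. "
                 "IKE Version: 1, VPN: vpn1 Gateway: ike-gw, Local: 10.10.10.1/500, Remote: 10.10.10.2/500, "
                 "Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0")

# Patterns written against the message formats shown in this article.
NEG_FAILED = re.compile(
    r"IKE negotiation failed with error: (?P<err>[^.]+)\. IKE Version: \d+, VPN: (?P<vpn>\S+)"
    r".*?Local IKE-ID: (?P<lid>[^,]+), Remote IKE-ID: (?P<rid>[^,]+)")
PROXY_FAIL_X44 = re.compile(
    r"Failed to match the peer proxy IDs \[p2_remote_proxy_id=ipv4_subnet\(any:0,\[0\.\.7\]=(?P<remote>[\d./]+)\), "
    r"p2_local_proxy_id=ipv4_subnet\(any:0,\[0\.\.7\]=(?P<local>[\d./]+)\)\] for local ip: (?P<lip>[^,]+), "
    r"remote peer ip:\s*(?P<rip>\S+)")
TS_MISMATCH_X46 = re.compile(
    r"KMD_VPN_TS_MISMATCH: .*?vpn name: (?P<vpn>[^,]+), "
    r"Peer Proposed traffic-selector local-ip: ipv4\((?P<plocal>[^)]+)\), "
    r"Peer Proposed traffic-selector remote-ip: ipv4\((?P<premote>[^)]+)\)")
VPN_UP = re.compile(r"KMD_VPN_UP_ALARM_USER: VPN \S+ from (?P<peer>\S+) is up\..*?vpn name: (?P<vpn>[^,]+)")


@dataclass
class KmdEvent:
    # kind is one of the example's own labels: phase1-failure, proposal-mismatch,
    # proxy-id-mismatch, phase2-failure, sa-established, vpn-up, other
    kind: str
    vpn: Optional[str] = None
    detail: dict = field(default_factory=dict)


def range_to_cidrs(rng: str) -> list[str]:
    """12.1X46 prints selectors as 'a.b.c.d-w.x.y.z'; convert to the prefixes a proxy-identity takes."""
    lo, hi = (ipaddress.ip_address(p.strip()) for p in rng.split("-"))
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]


def classify(line: str) -> KmdEvent:
    """Map one kmd-log line to the failure or success case this article describes."""
    if m := TS_MISMATCH_X46.search(line):
        # Reverse match: the peer's remote selector is our local proxy-id, and vice versa.
        return KmdEvent("proxy-id-mismatch", m["vpn"], {
            "peer_local": m["plocal"], "peer_remote": m["premote"],
            "suggested_local_proxy_id": range_to_cidrs(m["premote"]),
            "suggested_remote_proxy_id": range_to_cidrs(m["plocal"])})
    if m := PROXY_FAIL_X44.search(line):
        # 12.1X44 only reports the two proxy-ids it could not match, as labelled in the message.
        return KmdEvent("proxy-id-mismatch", None, {
            "p2_remote_proxy_id": m["remote"], "p2_local_proxy_id": m["local"],
            "local_ip": m["lip"], "remote_ip": m["rip"]})
    if m := NEG_FAILED.search(line):
        if m["lid"] == "Not-Available" and m["rid"] == "Not-Available":
            return KmdEvent("phase1-failure", m["vpn"], {"error": m["err"]})  # see KB30548
        kind = {"No proposal chosen": "proposal-mismatch",
                "TS unacceptable": "proxy-id-mismatch"}.get(m["err"], "phase2-failure")
        return KmdEvent(kind, m["vpn"], {"error": m["err"], "local_ike_id": m["lid"], "remote_ike_id": m["rid"]})
    if m := VPN_UP.search(line):
        return KmdEvent("vpn-up", m["vpn"], {"peer": m["peer"]})
    if "KMD_PM_SA_ESTABLISHED" in line:
        return KmdEvent("sa-established")
    return KmdEvent("other")


def summarize(log_text: str) -> list[KmdEvent]:
    """Classify every non-blank line of a saved 'show log kmd-log' capture, in order."""
    return [classify(ln) for ln in log_text.splitlines() if ln.strip()]


if __name__ == "__main__":
    for ev in summarize(SAMPLE_LOG) + [classify(PHASE1_SAMPLE)]:
        print(f"{ev.kind:<18} vpn={ev.vpn} {ev.detail}")
```

Point summarize() at a saved copy of show log kmd-log to get one event per line. The TS unacceptable line and the KMD_VPN_TS_MISMATCH line are logged together, so a single 12.1X46 proxy-ID failure yields two proxy-id-mismatch events; only the KMD_VPN_TS_MISMATCH event carries the suggested proxy-identity. For the 12.1X44 message the script reports the two proxy-ids exactly as the message labels them and leaves the comparison with the peer's configuration to KB10124.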
