
[SRX] IKE Phase 1 VPN status messages


Article ID: KB30548   Last Updated: 26 Mar 2020   Version: 3.0
Summary:

This article describes SRX VPN IKE daemon messages related to IKE Phase 1 tunnel establishment.

Symptoms:
  • IKE Phase 1 is not UP. 
  • The output of the show security ike security-associations command reports that the state is DOWN for the remote address of the VPN.
  • The remote address of the VPN is not listed in the output of the show security ike security-associations command.
Solution:

The VPN messages described in this article are shown in the syslog files. To configure the syslog to display VPN status messages, see KB10097 - How to configure syslog to display VPN status messages.

Run the 'show log kmd-logs' command and locate IKE establishment error messages:
 

Gateway configuration lookup failed

Message:

Mar 20 09:12:15  kmd[2008]: IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation. IKE Version: 1, VPN: Not-Available Gateway: Not-Available, Local: 192.168.1.1/500, Remote: 192.168.1.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder

Cause:
The received IKE packet cannot be matched to a configured VPN tunnel.

Action:

On the responder, confirm that the following IKE gateway configuration settings are correct:
  • The remote-identity (if configured) matches the IKE identity the peer sends
  • The external-interface is correct
  • The IP address specified for the (remote) gateway is correct
  • If a dynamic peer entry is used (inet, inet6, hostname, user-at-hostname), confirm that the value listed is the IKE identity the peer will send
     

Phase 1 proposals conflict

Message:

Mar 24 13:37:25  kmd[2079]: IKE negotiation failed with error: Peer proposed phase1 proposal conflicts with local configuration. Negotiation failed. IKE Version: 1, VPN: VPN1 Gateway: GATE1, Local: 192.168.1.1/500, Remote: 192.168.1.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder

Note: There is a similar error message for a Phase 2 proposal mismatch. For Phase 2 error details, refer to KB30547 - [SRX] IKE Phase 2 VPN status messages.

Cause:

The IKE proposals supplied by the peer do not match the configured proposals.

Action:

Make sure the proposal parameters for the IKE gateway Phase 1 proposals on both the responder and the initiator match:
  • Authentication Method
  • Diffie-Hellman Group Number
  • Encryption Algorithm
  • Hash Algorithm
     

Phase 1 pre-shared keys mismatch

Message:

Sep 7 09:23:26 kmd[1393]: IKE negotiation failed with error: Invalid syntax. IKE Version: 1, VPN: VPN1 Gateway: GATE1, Local: 192.168.1.1/500, Remote: 192.168.1.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0

Cause:

The pre-shared keys configured on the two peers are not identical.

Action:

On both the initiator and responder, re-enter the pre-shared key in the IKE gateway configuration.
 

Main / Aggressive mode mismatch

Message:

Mar 24 14:40:25  kmd[2079]: IKE negotiation failed with error: Peer proposed phase1 negotiation mode (main/aggressive) does not match with configuration. IKE Version: 1, VPN: VPN1 Gateway: GATE1, Local: 192.168.1.1/500, Remote:192.168.2.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder

Cause:

The negotiation modes configured on the two peers are not identical.

Action:

Make sure the mode (Aggressive / Main) setting on both the responder and the initiator match.
 

IKE version mismatch

Message:

Mar 24 14:47:25  kmd[2079]: IKE negotiation failed with error: IKE version mismatch detected. IKE Version: 1, VPN: VPN1 Gateway: GATE1, Local: 192.168.1.1/500, Remote:192.168.1.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder

Cause:

The peers are configured to use different IKE versions.


Action:

Make sure the IKE version (V1 / V2) settings on both the responder and the initiator match.
 

IKE-ID validation failed

Message:

Mar 25 14:43:28  kmd[2079]: IKE negotiation failed with error: Peer's IKE-ID validation failed during negotiation. IKE Version: 1, VPN: VPN1 Gateway: GATE1, Local: 192.168.1.1/500, Remote: 192.168.1.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder
 
Cause:

The IKE-ID received from the peer does not match the configured 'remote-identity' or the expected IKE-ID. For site-to-site tunnels, the expected default IKE-ID of the peer is the peer IP address.

Action:

  • Adjust the SRX 'remote-identity' to the IKE-ID being sent by the peer, or
  • Request that the peer adjust the IKE-ID it sends
 

IKE-ID validation failed for peer certificate

Message:

Mar 24 16:08:27  kmd[2079]: KMD_PEER_CERT_VERIFY_FAILED: Failed peer certificate verification for Gateway: GATE1, Local: 192.168.1.1/500, Remote: 192.168.1.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: 192.168.1.2, VR id: 0

Mar 24 16:08:27  kmd[2079]: IKE negotiation failed with error: Proposed peer's IKE-ID does not match with peer's certificate. Negotiation failed. IKE Version: 1, VPN: VPN1 Gateway: GATE1, Local: 192.168.1.1/500, Remote: 192.168.1.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder

 
Cause:

The IKE-ID received from the peer is not present in the subjectAltName (SAN) field of the received peer certificate.

Action:

  • Request that the peer adjust its IKE-ID to a value present in the SAN field of its certificate:
    'set security ike gateway <> remote-identity <>'
  • Adjust the SRX 'remote-identity' to use 'distinguished-name'
    Note: The peer will also need to adjust IKE to use the distinguished-name (DN) of the certificate
  • Request that the peer re-issue its certificate with updated subjectAltName (SAN) values

 

Successful IKE establishment message

Mar 24 14:50:25  kmd[2079]: IKE negotiation successfully completed. IKE Version: 1, VPN: VPN1 Gateway: GATE1, Local: 30.30.30.1/500, Remote: 30.30.30.2/500, Local IKE-ID: 30.30.30.1, Remote IKE-ID: 30.30.30.2, VR-ID: 0, Role: Responder
 
 

Successful VPN establishment message

Mar 24 14:50:25  kmd[2079]: KMD_PM_SA_ESTABLISHED: Local gateway: 192.168.1.1, Remote gateway: 192.168.1.2, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 0x3afb085e, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector:  FC Name:

Mar 24 14:50:25  kmd[2079]: KMD_PM_SA_ESTABLISHED: Local gateway: 192.168.1.1, Remote gateway: 192.168.1.2, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 0x249bd982, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector:  FC Name:

Mar 24 14:50:25  kmd[2079]: KMD_VPN_UP_ALARM_USER: VPN VPN1 from 192.168.1.2is up. Local-ip: 192.168.1.1, gateway name: GATE1, vpn name: VPN1, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: Not-Available, Local IKE-ID: 192.168.1.1, Remote IKE-ID: 192.168.1.2, AAA username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type: Static
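To triage these messages in bulk, the following Python script (an added example, not part of the Juniper article) parses constructed kmd lines in the formats shown above and maps each Phase 1 failure reason to the configuration item this article says to check. The reason substrings, category names and the check text are the example's own choices.

```python
import re

# Constructed sample of kmd syslog lines in the formats this article shows (not a real capture).
SAMPLE_LOG = """Mar 20 09:12:15  kmd[2008]: IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation. IKE Version: 1, VPN: Not-Available Gateway: Not-Available, Local: 192.168.1.1/500, Remote: 192.168.1.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder
Mar 24 13:37:25  kmd[2079]: IKE negotiation failed with error: Peer proposed phase1 proposal conflicts with local configuration. Negotiation failed. IKE Version: 1, VPN: VPN1 Gateway: GATE1, Local: 192.168.1.1/500, Remote: 192.168.1.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder
Sep 7 09:23:26 kmd[1393]: IKE negotiation failed with error: Invalid syntax. IKE Version: 1, VPN: VPN1 Gateway: GATE1, Local: 192.168.1.1/500, Remote: 192.168.1.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
Mar 24 14:50:25  kmd[2079]: IKE negotiation successfully completed. IKE Version: 1, VPN: VPN1 Gateway: GATE1, Local: 30.30.30.1/500, Remote: 30.30.30.2/500, Local IKE-ID: 30.30.30.1, Remote IKE-ID: 30.30.30.2, VR-ID: 0, Role: Responder
"""

# Failure reason substrings from the article, each mapped to a category and the item to verify.
# Order matters: the more specific certificate reason is listed before the generic IKE-ID one.
FAILURE_CAUSES = [
    ("IKE gateway configuration lookup failed", "gateway-lookup", "no IKE gateway matches the peer address or IKE-ID"),
    ("Peer proposed phase1 proposal conflicts", "proposal-mismatch", "Phase 1 proposal: auth method, DH group, encryption, hash"),
    ("Invalid syntax", "psk-mismatch", "pre-shared keys differ; re-enter on both peers"),
    ("phase1 negotiation mode (main/aggressive)", "mode-mismatch", "main vs aggressive mode"),
    ("IKE version mismatch", "version-mismatch", "IKEv1 vs IKEv2"),
    ("does not match with peer's certificate", "cert-id-mismatch", "IKE-ID not in certificate SAN"),
    ("IKE-ID validation failed", "ike-id-mismatch", "remote-identity vs IKE-ID sent by peer"),
]
LINE_RE = re.compile(
    r"kmd\[(?P<pid>\d+)\]: IKE negotiation (?:failed with error: (?P<reason>.*?)|successfully completed)\. "
    r"IKE Version: (?P<version>\d), VPN: (?P<vpn>\S+) Gateway: (?P<gateway>\S+), "
    r"Local: (?P<local>[\d.]+)/\d+, Remote: ?(?P<remote>[\d.]+)/\d+"  # "Remote:" sometimes lacks a space
)

def parse_kmd_line(line):
    # Returns a dict for IKE negotiation result lines, None for anything else (e.g. KMD_PM_SA_ESTABLISHED).
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = {k: m.group(k) for k in ("pid", "version", "vpn", "gateway", "local", "remote")}
    reason = m.group("reason")
    if reason is None:  # "IKE negotiation successfully completed"
        rec.update(status="up", category="success", check=None)
        return rec
    for needle, category, check in FAILURE_CAUSES:
        if needle in reason:
            rec.update(status="failed", category=category, check=check)
            return rec
    rec.update(status="failed", category="unknown", check=reason)  # keep raw reason for new messages
    return rec

def summarize(log_text):
    # Count result categories per remote peer: the first view a responder-side admin wants.
    summary = {}
    for line in log_text.splitlines():
        rec = parse_kmd_line(line)
        if rec is not None:
            peer = summary.setdefault(rec["remote"], {})
            peer[rec["category"]] = peer.get(rec["category"], 0) + 1
    return summary
```

Feed it the output of 'show log kmd-logs' and a peer whose counts are dominated by one category points directly at the matching Action section above.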
 

NOTE: For Phase 2 error messages, refer to KB30547 - [SRX] IKE Phase 2 VPN status messages.

 

Modification History:
2020-03-26: Updated message outputs based on current Junos OS.
