
[SRX] IKE Phase 1 VPN status messages


Article ID: KB30548 | Last Updated: 29 Apr 2021 | Version: 4.0
Summary:
 

This article describes SRX VPN IKE daemon messages related to IKE Phase 1 tunnel establishment.

 

Symptoms:
 
  • IKE Phase 1 is not UP.

  • The output of the show security ike security-associations command reports that the state is DOWN for the remote VPN address.

  • The remote VPN address is not listed in the output of the show security ike security-associations command.

 

Solution:
 

Run the show log kmd-logs command and locate the IKE establishment error messages. Refer to the list of IKE Phase 1 Status Messages given below to determine the next course of action.

Important: The VPN messages described below are written to the syslog file kmd-logs. To configure syslog to log VPN status messages, see KB10097 - [Includes video] How to configure syslog to display VPN status messages. After enabling logging, bring the VPN tunnel up again (re-initiate the negotiation) so that the status messages for a fresh attempt are written to kmd-logs.

 

IKE Phase 1 Status Messages


Gateway Configuration Lookup Failed

Message

Mar 20 09:12:15  kmd[2008]: IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation. IKE Version: 1, VPN: Not-Available Gateway: Not-Available, Local: 192.168.1.1/500, Remote: 192.168.1.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder

Cause

The received IKE packet cannot be matched to a configured VPN tunnel.

Action

  • On the responder, confirm that the following IKE gateway configuration settings are correct:

    • The remote-identity (if configured) matches the IKE identity (ike-identity) that the peer sends.

    • The external interface is correct.

    • The IP address specified for the (remote) gateway is correct.

    • If using dynamic peer entry (inet, inet6, hostname, user-at-home), confirm that the value listed is the correct ike-identity to be sent by the peer.

 

Phase 1 Proposals Conflict

Message

Mar 24 13:37:25  kmd[2079]: IKE negotiation failed with error: Peer proposed phase1 proposal conflicts with local configuration. Negotiation failed. IKE Version: 1, VPN: VPN1 Gateway: GATE1, Local: 192.168.1.1/500, Remote: 192.168.1.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder

Note: There is a similar error message for Phase 2 proposal mismatch. For phase 2 error details, refer to KB30547 - [SRX] IKE Phase 2 VPN status messages.

Cause

The IKE Phase 1 proposals supplied by the peer do not match the proposals configured locally.

Action

  • Make sure that the IKE Phase 1 proposal parameters match on both the responder and the initiator. When several proposals are configured, at least one proposal on each side must agree on all of the following:
    • Authentication Method

    • Diffie-Hellman Group Number

    • Encryption Algorithm

    • Hash Algorithm

 

Phase 1 Pre-Shared Keys Mismatch

Message

Sep 7 09:23:26 kmd[1393]: IKE negotiation failed with error: Invalid syntax. IKE Version: 1, VPN: VPN1 Gateway: GATE1, Local: 192.168.1.1/500, Remote: 192.168.1.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0

Cause

The pre-shared keys configured on the two peers are not identical. kmd does not report a pre-shared key mismatch explicitly: in IKEv1 main mode the keys that protect the identity and hash payloads are derived from the pre-shared key, so with a wrong key the responder cannot decrypt the peer's payload into valid IKE syntax and logs "Invalid syntax" instead.

Action

On both the initiator and the responder, re-enter the pre-shared key in the IKE policy that the IKE gateway references, and confirm that the two values are identical character for character.

 

Main / Aggressive Mode Mismatch

Message

Mar 24 14:40:25  kmd[2079]: IKE negotiation failed with error: Peer proposed phase1 negotiation mode (main/aggressive) does not match with configuration. IKE Version: 1, VPN: VPN1 Gateway: GATE1, Local: 192.168.1.1/500, Remote:192.168.2.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder

Cause

The IKE Phase 1 exchange mode (main or aggressive) configured on the two peers differs.

Action

Make sure that the mode (aggressive or main) configured under the IKE gateway matches on both the responder and the initiator.

 

IKE Version Mismatch

Message

Mar 24 14:47:25  kmd[2079]: IKE negotiation failed with error: IKE version mismatch detected. IKE Version: 1, VPN: VPN1 Gateway: GATE1, Local: 192.168.1.1/500, Remote:192.168.1.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder

Cause

The peers are configured to use different IKE versions.

Action

Make sure that the IKE version (v1 or v2) configured on both the responder and the initiator matches.

 

IKE-ID Validation Failed

Message

Mar 25 14:43:28  kmd[2079]: IKE negotiation failed with error: Peer's IKE-ID validation failed during negotiation. IKE Version: 1, VPN: VPN1 Gateway: GATE1, Local: 192.168.1.1/500, Remote: 192.168.1.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder

Cause

The IKE-ID received from the peer does not match that of the configured "remote-identity" or the expected IKE-ID. For site-to-site tunnels, the expected default IKE-ID of the peer is the peer IP address.

Action

  • Adjust the "remote-identity" of the SRX device to match the IKE-ID being sent by the peer.

  • Request the peer to adjust the IKE-ID being sent.

 

IKE-ID Validation Failed for Peer Certificate

Message

Mar 24 16:08:27  kmd[2079]: KMD_PEER_CERT_VERIFY_FAILED: Failed peer certificate verification for Gateway: GATE1, Local: 192.168.1.1/500, Remote: 192.168.1.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: 192.168.1.2, VR id: 0

Mar 24 16:08:27  kmd[2079]: IKE negotiation failed with error: Proposed peer's IKE-ID does not match with peer's certificate. Negotiation failed. IKE Version: 1, VPN: VPN1 Gateway: GATE1, Local: 192.168.1.1/500, Remote: 192.168.1.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder

Cause

The IKE-ID received from the peer does not match any subjectAltName (SAN) value in the peer's certificate. The KMD_PEER_CERT_VERIFY_FAILED message is logged first, followed by the negotiation failure.

Action

  • Request the peer to send an IKE-ID that matches one of the subjectAltName (SAN) values in its certificate. Example on a peer that is itself an SRX device (the angle brackets are placeholders; substitute the gateway name and the peer's own address):

set security ike gateway <> local-identity <inet 192.168.1.1>

  • Alternatively, configure the SRX device to validate the peer's IKE-ID against the distinguished name (DN) of the certificate instead of the SAN:

set security ike gateway <> remote-identity distinguished-name

Note: The peer must then send the distinguished name (DN) of its certificate as its IKE-ID.

  • Request the peer to re-issue the certificate with subjectAltName (SAN) values that include the IKE-ID it sends.
 

Successful IKE Establishment Message

Mar 24 14:50:25  kmd[2079]: IKE negotiation successfully completed. IKE Version: 1, VPN: VPN1 Gateway: GATE1, Local: 30.30.30.1/500, Remote: 30.30.30.2/500, Local IKE-ID: 30.30.30.1, Remote IKE-ID: 30.30.30.2, VR-ID: 0, Role: Responder
 

Successful VPN Establishment Message

Mar 24 14:50:25  kmd[2079]: KMD_PM_SA_ESTABLISHED: Local gateway: 192.168.1.1, Remote gateway: 192.168.1.2, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 0x3afb085e, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector:  FC Name:

Mar 24 14:50:25  kmd[2079]: KMD_PM_SA_ESTABLISHED: Local gateway: 192.168.1.1, Remote gateway: 192.168.1.2, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 0x249bd982, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector:  FC Name:

Mar 24 14:50:25  kmd[2079]: KMD_VPN_UP_ALARM_USER: VPN VPN1 from 192.168.1.2 is up. Local-ip: 192.168.1.1, gateway name: GATE1, vpn name: VPN1, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: Not-Available, Local IKE-ID: 192.168.1.1, Remote IKE-ID: 192.168.1.2, AAA username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type: Static
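As an added example (not part of this article and not Juniper code), the following Python script parses kmd-logs lines in the formats quoted above into their fields, maps the failure text to the sections of this article, and reports the latest outcome per peer. The regular expressions and the category table are derived only from the messages shown on this page; SAMPLE_LOG is constructed from those same formats. It is a starting point for a triage script or a SIEM parser, not a complete catalogue of kmd messages.

```python
"""Triage helper for SRX kmd-logs IKE Phase 1 messages (added example, not Juniper code).
Regexes follow the message formats quoted on this page; SAMPLE_LOG is constructed from
those formats for the example."""
import re
from dataclasses import dataclass, field

# Field names from the kmd messages on this page, longest first so "Local IKE-ID" wins over "Local".
_KEYS = sorted((
    "IKE Version", "VPN", "Gateway", "Local", "Remote", "Local IKE-ID", "Remote IKE-ID",
    "VR-ID", "VR id", "Role", "Local gateway", "Remote gateway", "Local ID", "Remote ID",
    "Direction", "SPI", "AUX-SPI", "Mode", "Type", "Traffic-selector", "FC Name", "Local-ip",
    "gateway name", "vpn name", "tunnel-id", "local tunnel-if", "remote tunnel-ip",
    "AAA username", "Traffic-selector local ID", "Traffic-selector remote ID", "SA Type",
), key=len, reverse=True)
_KEY_ALT = "|".join(re.escape(k) for k in _KEYS)
# kmd separates fields inconsistently (", ", " " or ": "), so a value runs until the next "<key>:".
_KV_RE = re.compile(rf"(?P<key>{_KEY_ALT}):\s*(?P<val>.*?)(?=\s*[,:]?\s*(?:{_KEY_ALT}):|\s*$)")
_HDR_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)\s+kmd\[(?P<pid>\d+)\]:\s*(?P<body>.*)$")
_ERR_RE = re.compile(r"IKE negotiation failed with error:\s*(?P<err>.*?)\s*IKE Version:")

# Substring of the error text -> (section of this article, next step it recommends).
_FAILURES = (
    ("gateway configuration lookup failed", "Gateway Configuration Lookup Failed",
     "check remote-identity, external-interface and gateway address on the responder"),
    ("phase1 proposal conflicts", "Phase 1 Proposals Conflict",
     "match authentication method, DH group, encryption and hash on both peers"),
    ("Invalid syntax", "Phase 1 Pre-Shared Keys Mismatch", "re-enter the pre-shared key on both peers"),
    ("negotiation mode (main/aggressive)", "Main / Aggressive Mode Mismatch",
     "use the same main/aggressive mode on both peers"),
    ("IKE version mismatch", "IKE Version Mismatch", "use the same IKE version (v1/v2) on both peers"),
    ("does not match with peer's certificate", "IKE-ID Validation Failed for Peer Certificate",
     "peer IKE-ID must be a SAN value or the certificate DN, or re-issue the certificate"),
    ("IKE-ID validation failed", "IKE-ID Validation Failed",
     "align remote-identity with the IKE-ID the peer sends"),
)
# Messages that carry no "IKE negotiation failed with error:" prefix.
_STATUS = (
    ("IKE negotiation successfully completed", "success", "IKE Phase 1 established", ""),
    ("KMD_PM_SA_ESTABLISHED", "success", "IPsec SA established", ""),
    ("KMD_VPN_UP_ALARM_USER", "success", "VPN up", ""),
    ("KMD_PEER_CERT_VERIFY_FAILED", "failure", "IKE-ID Validation Failed for Peer Certificate",
     "peer IKE-ID is not in the certificate SAN; see the paired negotiation-failed message"),
)

@dataclass
class KmdEvent:
    timestamp: str
    pid: int
    outcome: str     # "failure", "success" or "unparsed"
    category: str    # section of this article the message maps to
    action: str      # next step the article recommends
    error: str = ""  # free text after "IKE negotiation failed with error:"
    fields: dict = field(default_factory=dict)

def parse_line(line: str):
    """Return a KmdEvent for one kmd-logs line, or None if it is not a kmd line."""
    m = _HDR_RE.match(line.strip())
    if not m:
        return None
    ts, pid, body = m.group("ts"), int(m.group("pid")), m.group("body")
    fields = {kv.group("key"): kv.group("val") for kv in _KV_RE.finditer(body)}
    err = _ERR_RE.search(body)
    if err:
        text = err.group("err")
        for needle, category, action in _FAILURES:
            if needle in text:
                return KmdEvent(ts, pid, "failure", category, action, text, fields)
        return KmdEvent(ts, pid, "failure", "Unclassified IKE failure", "read the error text", text, fields)
    for needle, outcome, category, action in _STATUS:
        if needle in body:
            return KmdEvent(ts, pid, outcome, category, action, "", fields)
    return KmdEvent(ts, pid, "unparsed", "", "", "", fields)

def triage(lines):
    return [ev for ev in map(parse_line, lines) if ev is not None]

def peer_status(events):
    """Latest classified outcome per remote peer address (port stripped), in log order."""
    status = {}
    for ev in events:
        peer = ev.fields.get("Remote") or ev.fields.get("Remote gateway")
        if peer and ev.outcome != "unparsed":
            status[peer.split("/")[0]] = (ev.outcome, ev.category)
    return status

# Constructed sample lines, modelled on the messages quoted on this page.
SAMPLE_LOG = [
    "Mar 24 13:37:25  kmd[2079]: IKE negotiation failed with error: Peer proposed phase1 proposal conflicts with local configuration. Negotiation failed. IKE Version: 1, VPN: VPN1 Gateway: GATE1, Local: 192.168.1.1/500, Remote: 192.168.1.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder",
    "Sep 7 09:23:26 kmd[1393]: IKE negotiation failed with error: Invalid syntax. IKE Version: 1, VPN: VPN1 Gateway: GATE1, Local: 192.168.1.1/500, Remote: 192.168.1.3/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0",
    "Mar 24 16:08:27  kmd[2079]: KMD_PEER_CERT_VERIFY_FAILED: Failed peer certificate verification for Gateway: GATE1, Local: 192.168.1.1/500, Remote: 192.168.1.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: 192.168.1.2, VR id: 0",
    "Mar 24 14:50:25  kmd[2079]: IKE negotiation successfully completed. IKE Version: 1, VPN: VPN1 Gateway: GATE1, Local: 192.168.1.1/500, Remote: 192.168.1.2/500, Local IKE-ID: 192.168.1.1, Remote IKE-ID: 192.168.1.2, VR-ID: 0, Role: Responder",
    "Mar 24 14:50:25  kmd[2079]: KMD_PM_SA_ESTABLISHED: Local gateway: 192.168.1.1, Remote gateway: 192.168.1.2, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 0x3afb085e, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector:  FC Name:",
    "Mar 24 14:50:25  kmd[2079]: KMD_VPN_UP_ALARM_USER: VPN VPN1 from 192.168.1.2 is up. Local-ip: 192.168.1.1, gateway name: GATE1, vpn name: VPN1, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: Not-Available, Local IKE-ID: 192.168.1.1, Remote IKE-ID: 192.168.1.2, AAA username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type: Static",
]

if __name__ == "__main__":
    events = triage(SAMPLE_LOG)
    for ev in events:
        print(f"{ev.timestamp}  {ev.outcome:8} {ev.category}: {ev.action}")
    print(peer_status(events))
```

Run it directly to print one line per event; import it and pass the lines of show log kmd-logs to triage() to get structured events. A peer whose latest outcome is still "failure" after the tunnel is brought up again is the one to work through with the matching section of this article.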
 

NOTE: For Phase 2 error messages, refer to KB30547 - [SRX] IKE Phase 2 VPN status messages.

 

Modification History:
 
  • 2021-04-29: Refreshed article; minor, non-technical edits; updated "IKE-ID Validation Failed for Peer Certificate" section

  • 2020-03-26: Updated message outputs based on current Junos OS

 
