
Dial Up Virtual Private Network (VPN) Fails due to Policy-Checking Disabled


Article ID: KB3900 KB Last Updated: 04 Jun 2010Version: 3.0
Summary:
Dial Up Virtual Private Network (VPN) Fails due to Policy-Checking Disabled
Symptoms:

  • NetScreen-Remote 7.1
  • NetScreen-204
  • Policy-checking was disabled (unset ike policy-checking)
  • There are two Dial-Up VPN policies
  • Dial-Up VPN is not working
  • Warning: Policy checking is disabled and only one policy can be set per Gateway
  • On the debug ike detail output: IKE <x.x.x.x> Phase 2: did not check a policy because id-mode is set to IP or policy-checking is disabled.
  • On the debug ike detail output: IKE <xxxxxxx> Phase 2 fails. Policy-checking is disabled but multiple VPN policies to the peer exist.

Use policy checking when multiple tunnels are supported between two peer gateways. Otherwise, the IKE session fails. For backwards compatibility with ScreenOS 2.0 and earlier, disable policy checking when only one policy is configured between two peers.
Solution:

This solution applies to ScreenOS 2.5 and higher:

If policy checking is disabled, only one policy per Virtual Private Network (VPN) tunnel may pass at any one time, because the Phase 2 proxy ID is not checked when negotiating the VPN tunnel.

Enable ike policy-checking to resolve this issue. From the command line interface (CLI):

set ike policy-checking [Enter]

This will check if the access policies of the two VPN participants match before completing phase 2 IKE negotiations.

Here is the problem or goal:

  • Dial-Up VPN is not working
  • Warning: Policy checking is disabled and only one policy can be set per Gateway
  • On the debug ike detail output: IKE <x.x.x.x> Phase 2: did not check a policy because id-mode is set to IP or policy-checking is disabled.
  • On the debug ike detail output: IKE <xxxxxxx> Phase 2 fails. Policy-checking is disabled but multiple VPN policies to the peer exist.
  • Dial Up Virtual Private Network (VPN) Fails due to Policy-Checking Disabled

Problem Environment:

  • NetScreen-Remote 7.1
  • NetScreen-204
  • Policy-checking was disabled (unset ike policy-checking)
  • There are two Dial-Up VPN policies

Causes of this problem:

  • With policy-checking disabled, only one policy per gateway is accepted. If more than one policy is desired per gateway, policy checking must first be enabled by executing the set ike policy-checking command.

Additional Information:

Use policy checking when multiple tunnels are supported between two peer gateways. Otherwise, the IKE session fails. For backwards compatibility with ScreenOS 2.0 and earlier, disable policy checking when only one policy is configured between two peers.
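As an added example (not from the article or from Juniper), a small Python check that flags the failure condition described in the Solution and Causes sections: unset ike policy-checking together with more than one tunnel policy bound to the same IKE gateway, plus a matcher for the Phase 2 failure message quoted from debug ike detail. The configuration and debug lines are constructed, and the set vpn / set policy ... tunnel vpn line syntax is an assumed ScreenOS get config format.

```python
import re
from collections import defaultdict

# Constructed ScreenOS configuration excerpt (assumed `get config` syntax; not from the article).
SAMPLE_CONFIG = """\
unset ike policy-checking
set ike gateway "dialup-gw" dialup "remote-users" aggressive outgoing-interface "untrust" preshare "EXAMPLE-KEY" proposal "pre-g2-3des-sha"
set vpn "dialup-vpn" gateway "dialup-gw" proposal "g2-esp-3des-sha"
set policy id 10 from "Untrust" to "Trust" "Dial-Up VPN" "mail-server" "SMTP" tunnel vpn "dialup-vpn"
set policy id 11 from "Untrust" to "Trust" "Dial-Up VPN" "web-server" "HTTP" tunnel vpn "dialup-vpn"
"""

# Constructed `debug ike detail` lines following the two messages quoted in the article.
SAMPLE_DEBUG = """\
IKE <203.0.113.7>  Phase 2: did not check a policy because id-mode is set to IP or policy-checking is disabled.
IKE <203.0.113.7> Phase 2 fails. Policy-checking is disabled but multiple VPN policies to the peer exist.
"""

VPN_RE = re.compile(r'^set vpn "([^"]+)" gateway "([^"]+)"')
POLICY_RE = re.compile(r'^set policy id (\d+) .* tunnel vpn "([^"]+)"')
FAIL_RE = re.compile(r'^IKE <([^>]+)>\s+Phase 2 fails\. Policy-checking is disabled but multiple VPN policies')

def audit_policy_checking(config_text):
    """Return [(gateway, [policy ids])] for gateways carrying more than one
    tunnel policy while `unset ike policy-checking` is in effect (the KB3900
    failure condition). An empty list means the config does not hit this issue."""
    policy_checking = True            # ScreenOS default; `unset` turns it off
    vpn_to_gw = {}                    # vpn name -> gateway name
    gw_policies = defaultdict(list)   # gateway name -> policy ids tunnelling to it
    for line in config_text.splitlines():
        line = line.strip()
        if line == "unset ike policy-checking":
            policy_checking = False
        elif line == "set ike policy-checking":
            policy_checking = True
        elif (m := VPN_RE.match(line)):
            vpn_to_gw[m.group(1)] = m.group(2)
        elif (m := POLICY_RE.match(line)):
            gw = vpn_to_gw.get(m.group(2), "<unresolved-gateway>")
            gw_policies[gw].append(int(m.group(1)))
    if policy_checking:
        return []
    return [(gw, ids) for gw, ids in sorted(gw_policies.items()) if len(ids) > 1]

def peers_failing_phase2(debug_text):
    """Peer addresses whose IKE Phase 2 failed with the policy-checking message."""
    return sorted({m.group(1) for line in debug_text.splitlines()
                   if (m := FAIL_RE.match(line.strip()))})
```

Re-running the audit after replacing the unset line with set ike policy-checking returns no findings, which is the fix the article prescribes.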

Applicable Products:

  • NetScreen-5
  • NetScreen-5XP
  • NetScreen-10
  • NetScreen-25
  • NetScreen-50
  • NetScreen-100
  • NetScreen-204
  • NetScreen-208
  • NetScreen-500
  • NetScreen-1000
  • NetScreen-5200
  • NetScreen-Remote

Applicable ScreenOS:

  • 2.50
  • 2.6.0
  • 2.6.1
  • 2.7.1
  • 2.8.0
  • 3.0.0
  • 3.0.1
  • 3.0.2
  • 3.0.3
  • 3.1.0
  • 4.0.0

Applicable Software Versions:

  • 5.1.3
  • 7.0
  • 7.1
  • 8.0
  • 8.1
