
How Do I Resolve an IKE Tunnel Negotiation Failure due to Phase 2 Proxy IDs not Matching?


Article ID: KB5517 | Last Updated: 22 Jul 2010 | Version: 4.0
Summary:
How Do I Resolve an IKE Tunnel Negotiation Failure due to Phase 2 Proxy IDs not Matching?
Symptoms:

Environment:

  • Policy based NAT enabled
  • Running NAT mode
  • Phase 1 IKE Negotiations successful

Symptoms & Errors:

  • remote address NOT matched.
  • local address NOT matched.
  • Local & Remote P2 Proxy id did not match
  • Debug IKE message: local address NOT matched
  • IKE VPN tunnel will not come up; IKE Phase 2 proxy ID negotiation failed.
  • VPN not working

Solution:

This negotiation failure occurs when policy-based NAT (Source Translation) is enabled in the VPN policy. The translating device presents a local proxy ID of its untrust interface address, while the peer gateway expects a proxy ID covering the trust network address, so the Phase 2 proxy IDs never match. To resolve this, disable policy-based NAT in the VPN policy on both the local and remote Juniper Networks NetScreen devices.

To disable policy-based NAT in a VPN policy, perform the following steps:

  1. Open the WebUI. For more information on accessing the WebUI, go to Accessing Your NetScreen Using the WebUI.
  2. From the NetScreen options menu, click Policies.
  3. Locate the VPN policy, and click Edit.
  4. Click Advanced.
  5. Click to clear Source Translation.
  6. Click OK.

Debug IKE detail output showing the mismatch (the received remote proxy ID is the peer's untrust address, not the configured 192.168.0.0/24 network):

Rcv'd P2 ID: type<4> local addr<192.168.1.0> mask<255.255.255.0> prot<0> port<0>.
Rcv'd P2 ID: type<4> remote addr<66.125.225.142> mask<0.0.0.0> prot<0> port<0>.
[0] aa b c
Multiple SA for multiple policy mode, skipping base sa 1 when searching for sa.
[1] aa b c d>e>protocol matched expected<0>.
port matched expect<0>.
config'd local addr<192.168.1.0> local mask<255.255.255.0>.
config'd remote addr<192.168.0.0> remote mask<255.255.255.0>.
local address matched.
remote address NOT matched.
[2] aa b c d>e>protocol matched expected<0>.
port matched expect<0>.
config'd local addr<67.113.252.234> local mask<255.255.255.248>.
config'd remote addr<192.168.0.0> remote mask<255.255.255.0>.
local address NOT matched.
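The matching logic the debug output above walks through, as an added example that is not part of the original KB article: the received Phase 2 proxy IDs are compared against each configured policy, and the same verdict wording is produced. The comparison is modelled as exact address/mask equality, which is an assumption based on how the output reads; the embedded log is a constructed excerpt of the lines above, with the garbled lines omitted.

```python
import re

# Constructed excerpt of the debug output above (not a live capture).
DEBUG_LOG = """\
Rcv'd P2 ID: type<4> local addr<192.168.1.0> mask<255.255.255.0> prot<0> port<0>.
Rcv'd P2 ID: type<4> remote addr<66.125.225.142> mask<0.0.0.0> prot<0> port<0>.
config'd local addr<192.168.1.0> local mask<255.255.255.0>.
config'd remote addr<192.168.0.0> remote mask<255.255.255.0>.
config'd local addr<67.113.252.234> local mask<255.255.255.248>.
config'd remote addr<192.168.0.0> remote mask<255.255.255.0>.
"""

RCVD_RE = re.compile(r"Rcv'd P2 ID: type<\d+> (local|remote) addr<([\d.]+)> mask<([\d.]+)>")
CFG_RE = re.compile(r"config'd (local|remote) addr<([\d.]+)> \1 mask<([\d.]+)>")


def parse_debug(log):
    """Return the received proxy IDs {side: (addr, mask)} and the list of
    configured policies, each a dict {side: (addr, mask)}."""
    received, policies = {}, []
    for line in log.splitlines():
        m = RCVD_RE.search(line)
        if m:
            received[m.group(1)] = (m.group(2), m.group(3))
            continue
        m = CFG_RE.search(line)
        if m:
            side, addr, mask = m.groups()
            if side == "local":  # each policy's ID pair starts with its local side
                policies.append({})
            policies[-1][side] = (addr, mask)
    return received, policies


def match_policies(received, policies):
    """One verdict per configured policy, in the wording of the debug output.
    Assumption: a proxy ID matches only when address and mask are identical."""
    verdicts = []
    for pol in policies:
        if pol["local"] != received["local"]:
            verdicts.append("local address NOT matched.")
        elif pol["remote"] != received["remote"]:
            verdicts.append("remote address NOT matched.")
        else:
            verdicts.append("proxy IDs matched.")
    return verdicts


if __name__ == "__main__":
    rcvd, pols = parse_debug(DEBUG_LOG)
    for i, verdict in enumerate(match_policies(rcvd, pols), start=1):
        print(f"[{i}] {verdict}")
    # With Source Translation cleared, the peer sends its trust network instead.
    fixed = dict(rcvd, remote=("192.168.0.0", "255.255.255.0"))
    print("after fix:", match_policies(fixed, pols))
```

Running the block reproduces the two "NOT matched" verdicts; substituting the peer's trust network for the translated remote ID shows policy [1] matching once Source Translation is cleared.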

