What is causing the Phase 2 error: Mismatched Proxy ID or Peer ID when connecting through my client VPN?

  [KB9444]

The Phase 2 error “Mismatched Proxy ID or Peer ID” appears when trying to connect to the office using the NetScreen Remote VPN Client.  The error is typically caused by a mismatched configuration between the Client and the Firewall.  The steps listed below will assist in troubleshooting the issue.
The NetScreen Remote VPN Client is not coming up; it is failing in Phase 2 with error messages regarding a Mismatched Proxy ID or Peer ID.

To view the flowchart for the steps listed below, select this link:  KB9444 Flowchart

The following steps will assist in troubleshooting the Mismatched Proxy ID or Peer ID error. 

Step 1.  Is this a Policy-Based VPN?  For further assistance, see KB4124 - Policy-Based VPN vs. Route-Based VPN. Which one do I have configured?

  • Yes - Skip to Step 3
  • No   - Continue with Step 2

Step 2.  Do the Proxy ID settings in the AutoKey IKE Advanced page on the Firewall match the Remote Party Identity settings of the NetScreen Remote?

Step 3.  What is the policy ID number of the policy that is being used for the VPN?  For assistance, see KB9478 - How to Obtain the Policy ID Number for the VPN's Policy.

  • Record Policy ID information for use in a later step. Continue with Step 4.

Step 4.  Do the remote ID, local ID, and server ID in the error message match what is in the Firewall's policy and the NetScreen Remote Client's configuration?

Step 5.  Does the Address book object entry in the Firewall's policy match the values defined in the Address book? 

Step 6.  Is the "Proxy ID" option, in the AutoKey IKE's Advanced page, deselected? 

Step 7.  Collect the logs from the Firewall and the NetScreen Remote Client and open a new case with the Juniper Technical Assistance Group.  For assistance, see KB9395 - What Information Should Be Collected for a Dial-Up VPN That Won't Come Up?
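
The comparison behind Steps 2 and 4 can be scripted once the values from both sides have been written down. The following is an added example, not part of the original article or any Juniper tool; the field names, the mirrored local/remote layout, and all sample values are assumptions constructed for illustration.

```python
import ipaddress
from typing import NamedTuple


class ProxyID(NamedTuple):
    """One side's view of the Phase 2 proxy ID (hypothetical field names)."""
    local: str    # address/mask this side offers as its own network
    remote: str   # address/mask this side expects from the peer
    service: str  # e.g. "any" or "tcp/443"


def _addr(value: str):
    # Normalises "10.1.1.0/24", "10.1.1.0/255.255.255.0" and bare hosts (/32)
    # without discarding host bits, so 10.1.1.5/24 != 10.1.1.0/24.
    return ipaddress.ip_interface(value.strip())


def compare_proxy_ids(firewall: ProxyID, client: ProxyID) -> list:
    """Return (field, firewall_value, client_value) for every mismatch.

    The client's view is mirrored: what the firewall calls local is what the
    client must list as remote, and vice versa.
    """
    mismatches = []
    if _addr(firewall.local) != _addr(client.remote):
        mismatches.append(("firewall local / client remote", firewall.local, client.remote))
    if _addr(firewall.remote) != _addr(client.local):
        mismatches.append(("firewall remote / client local", firewall.remote, client.local))
    if firewall.service.strip().lower() != client.service.strip().lower():
        mismatches.append(("service", firewall.service, client.service))
    return mismatches


# Constructed sample values, not taken from any real configuration.
FIREWALL = ProxyID("10.1.1.0/255.255.255.0", "192.168.1.33", "ANY")
CLIENT_OK = ProxyID("192.168.1.33/32", "10.1.1.0/24", "any")
CLIENT_BAD = ProxyID("192.168.1.33/32", "10.1.0.0/16", "any")

if __name__ == "__main__":
    for name, client in (("CLIENT_OK", CLIENT_OK), ("CLIENT_BAD", CLIENT_BAD)):
        result = compare_proxy_ids(FIREWALL, client)
        print(name, "matches" if not result else result)
```

A subnet written with a dotted mask on one side and a prefix length on the other compares equal here, while a wider or narrower network on either side is reported with the field it was found in.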
