
How do I ensure that the AutoKey IKE Advanced Settings are correct?


Article ID: KB9476 | KB Last Updated: 02 Aug 2010 | Version: 3.0
Summary:

The route-based VPN message "Phase 2 Error – Mismatched Proxy/Peer IDs" can be caused by settings on the Advanced page of the AutoKey IKE configuration. These instructions step you through correcting them.

Symptoms:

Environment:

  • VPN has successfully passed Phase 1, but Phase 2 fails.

Symptoms & Errors

  • Data is not passing through the VPN.
  • Incoming policy defined to allow Dial Up VPN to access internal network
  • NetScreen Remote Client does not have a gold key in taskbar window
  • Phase 2: No policy exists for the proxy ID received: local ID  (<ip_address> / <subnet_mask>,<0>, <0>) remote ID (<ip_address> / <subnet_mask>, <0>,  <0>).
Solution:

If Phase 1 passes, and Phase 2 fails with a message in the event log as indicated above, it could indicate that the incoming policy does not match the settings the client is sending over, or vice versa.

  1. In the WebUI, select VPNs > AutokeyIKE. Then edit the appropriate VPN.
  2. Next, click on the Advanced button at the bottom of the screen.   This will take you to the Advanced settings screen.
  3. Ensure that the Proxy-ID field is enabled.

  4. The Local IP is the address range of the local network to which the remote user is establishing the VPN tunnel. The Local IP address and the Netmask must match what is configured on the NSR client under Remote Party Identity and Addressing. The Remote IP address represents the address of the client and it needs to be 255.255.255.255/32.
  5. The Destination address in the policy, the Local IP and Netmask in the Autokey IKE, and the Remote Party Identity and Addressing in the Remote Client Security Policy Editor must match.  See the image below. 


    To verify that the Address Book entry in the policy is correct, see KB9501 - How to Confirm the Address Book entry is Correct.
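
The three-way match from steps 4 and 5, checked offline against the event-log message, as an added example that is not part of the original article or any Juniper tool. The function names (`net`, `parse_proxy_ids`, `find_mismatches`) and all addresses are constructed for illustration, and the log line follows the message template quoted under Symptoms & Errors.

```python
import ipaddress
import re

# Matches the two "(ip / mask, port, proto)" groups of the Phase 2 event-log
# message quoted on this page; angle brackets and spacing are optional.
_ID = r"\(\s*<?([\d.]+)>?\s*/\s*<?([\d.]+)>?\s*,\s*<?\d+>?\s*,\s*<?\d+>?\s*\)"
_MSG = re.compile(r"local ID\s*" + _ID + r"\s*remote ID\s*" + _ID)


def net(addr, mask):
    """Normalize an address plus dotted mask or prefix length to a network."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_proxy_ids(line):
    """Return (local_id, remote_id) networks from the log line, or None."""
    m = _MSG.search(line)
    if not m:
        return None
    return net(m.group(1), m.group(2)), net(m.group(3), m.group(4))


def find_mismatches(policy_dst, ike_local, client_remote_party, ike_remote, log_line):
    """List every place where the values the article says must agree do not."""
    problems = []
    if policy_dst != ike_local:
        problems.append(f"policy destination {policy_dst} != AutoKey IKE Local IP {ike_local}")
    if client_remote_party != ike_local:
        problems.append(f"client Remote Party Identity {client_remote_party} != AutoKey IKE Local IP {ike_local}")
    if ike_remote != net("255.255.255.255", 32):
        problems.append(f"AutoKey IKE Remote IP is {ike_remote}, expected 255.255.255.255/32")
    received = parse_proxy_ids(log_line)
    # Assumption: the page does not say which side of the message maps to the
    # Local IP setting, so the comparison accepts either position.
    if received and ike_local not in received:
        problems.append(f"received proxy IDs {received[0]} / {received[1]} do not include {ike_local}")
    return problems


# Constructed sample: the client sent a /16 while the gateway expects a /24.
SAMPLE_LOG = ("Phase 2: No policy exists for the proxy ID received: "
              "local ID (<10.1.0.0>/<255.255.0.0>, <0>, <0>) "
              "remote ID (<192.0.2.10>/<255.255.255.255>, <0>, <0>).")

if __name__ == "__main__":
    for p in find_mismatches(net("10.1.1.0", 24), net("10.1.1.0", "255.255.255.0"),
                             net("10.1.0.0", 16), net("255.255.255.255", 32), SAMPLE_LOG):
        print("MISMATCH:", p)
```

An empty result means the policy, the AutoKey IKE proxy ID and the client setting agree; each returned string names one pair that does not.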
