Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[ScreenOS] How to check the Proxy or Peer IDs for a Route-Based Site-to-Site VPN that fails due to Phase 2 Proxy-ID or Peer ID mismatch

0

0

Article ID: KB9518 KB Last Updated: 26 Aug 2014Version: 7.0
Summary:

A Route-Based Site-to-Site VPN is failing with a Phase 2 message stating Proxy-ID or Peer ID mismatch. This article describes how to verify that the AutoKey IKE (Phase 2) Advanced settings are correct. There are two procedures given, one for versions prior to 6.3 and one for version 6.3 and later.

Symptoms:
A Route-Based Site-to-Site VPN has been configured, but the tunnel is not coming up.  There are Phase 2 error messages stating No policy exists for the Proxy-ID or Peer ID mismatch.
Cause:

Solution:

The Firewall's Event Log Message lists the Local IP, Remote IP, Protocol Number, and Port Number. 

Sample event log:

IKE <ip_addr> Phase 2: No policy exists for the proxy ID received: local ID (<ip_addr>/<mask>, <protocol>, <port_num>) remote ID (<ip_addr>/<mask>, <protocol>, <port_num>).

  • The Local ID is the IP address of the encryption domain the remote firewall is trying to connect.
  • The Remote ID is the internal IP address of the remote firewall that is trying to connect.
  • <0>, <0> = indicates the Protocol and Port Number the remote firewall is sending for both the Local IP and the Remote IP. 

In a Route-Based VPN, the Local IP and Remote IP fields are in the Proxy-ID Field under the AutoKey IKE Advanced settings.  To view them through the WebUI, in versions prior to 6.3:

  1. Select VPN > AutoKey IKE
  2. Select the AutoKey IKE that is for the VPN that is failing and click Edit.
  3. Then click on the Advanced button at the bottom.  This will display the Advanced settings.
  4. Go to the Proxy-ID section to view the Local IP and Remote IP.


To view the proxy id in 6.3 through WebGUI:
 

  1. Select VPN > AutoKey IKE.
  2. Select the AutoKey IKE that is for the VPN that is failing.
  3. Click on proxy id to view local and remote IPs.

The Local IP of one unit must match the Remote IP of the other unit and vice versa.  See the image below. 

Note: Make sure the Proxy-ID checkbox is selected.  The Proxy-ID must be enabled on both firewalls for the tunnel to work.

 

Proxy ID Field in the Advanced Page of the AutoKey IKE.

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search