
[SRX] IKE Phase 2 VPN status messages


Article ID: KB30547 | KB Last Updated: 17 Feb 2021 | Version: 3.0

Summary:

This article describes VPN status messages related to IKE Phase 2.


Symptoms:
  • IKE Phase 2 is not active.

  • The remote address of the VPN is not listed in the output of the show security ipsec security-associations command.


Solution:

The VPN messages described in this article are written to the syslog. To configure the syslog so that VPN status messages are recorded, see KB10097 - [Includes video] How to configure syslog to display VPN status messages.

Run the show log kmd-log command and locate the error message for the affected VPN. The sections below list the Phase 2 messages you may find and the action to take for each.


IPsec Proposal Mismatch

Messages

Dec 26 04:27:26  vsrx1 kmd[19648]: IPSec negotiation failed with error: Peer proposed phase2 proposal conflicts with local configuration. Negotiation failed. IKE Version: 1, VPN: ipsec-vpn-cfgr Gateway: ike-gate-cfgr, Local: 2.2.2.1/500, Remote: 2.2.2.2/500, Local IKE-ID: 2.2.2.1, Remote IKE-ID: 2.2.2.2, VR-ID: 

Note: If Local IKE-ID and Remote IKE-ID are displayed as "Not-Available," the message reports a Phase 1 failure rather than a Phase 2 failure. Refer to KB30548 - [SRX] IKE Phase 1 VPN status messages for more information.

Action

Verify the local Phase 2 VPN configuration elements against the peer's configuration; every one of them must match on both sides. The Phase 2 proposal elements include the following:

  • Authentication algorithm

  • Encryption algorithm

  • Lifetime kilobytes

  • Lifetime seconds

  • Protocol

  • Perfect Forward Secrecy


Proxy-ID Mismatch

Messages

Dec 26 04:31:43  vsrx1 kmd[19648]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: ipsec-vpn-cfgr, Peer Proposed traffic-selector local-ip: ipv4(10.10.10.0-10.10.10.255),  Peer Proposed traffic-selector remote-ip: ipv4(192.167.0.0-192.167.0.255)
Dec 26 04:31:43  vsrx1 kmd[19648]: IPSec negotiation failed with error: Peer proposed traffic-selectors are not in configured range. IKE Version: 1, VPN: ipsec-vpn-cfgr Gateway: ike-gate-cfgr, Local: 2.2.2.1/500, Remote: 2.2.2.2/500, Local IKE-ID: 2.2.2.1, Remote IKE-ID: 2.2.2.2, VR-ID: 0

Action

The proxy-id must be an exact "reverse" match of the peer's configured proxy-id: the local subnet configured on this device must equal the remote subnet configured on the peer, and the remote subnet on this device must equal the local subnet on the peer. See KB10124 - [SRX] How to fix the Phase 2 proxy ID/Traffic-selector mismatch error.

Note: If the VPN established successfully, the following messages are shown in the syslog:

Dec 26 04:34:18  vsrx1 kmd[19648]: KMD_PM_SA_ESTABLISHED: Local gateway: 2.2.2.1, Remote gateway: 2.2.2.2, Local ID: ipv4_subnet(any:0,[0..7]=10.10.10.0/24), Remote ID: ipv4_subnet(any:0,[0..7]=192.168.1.0/24), Direction: outbound, SPI: 0x770a22e2, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector:  FC Name:
Dec 26 04:34:18  vsrx1 kmd[19648]: KMD_VPN_UP_ALARM_USER: VPN ipsec-vpn-cfgr from 2.2.2.2 is up. Local-ip: 2.2.2.1, gateway name: ike-gate-cfgr, vpn name: ipsec-vpn-cfgr, tunnel-id: 131073, local tunnel-if: st0.1, remote tunnel-ip: Not-Available, Local IKE-ID: 2.2.2.1, Remote IKE-ID: 2.2.2.2, AAA username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=10.10.10.0/24), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=192.168.1.0/24), SA Type: Static
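The following script is an added example and is not part of this KB article or of Junos. It reads kmd log lines of the kinds quoted above, sorts each line into a status category (Phase 2 proposal mismatch, proxy-ID/traffic-selector mismatch, Phase 1 failure when the IKE-IDs read "Not-Available", or SA established), and, for a KMD_VPN_TS_MISMATCH line, converts the peer's proposed address ranges to prefixes and reports which side disagrees with the locally configured proxy-id. The sample log is constructed from the messages in this article plus one constructed Phase 1 line; the LOCAL_PROXY_ID value is an assumption taken from the "VPN is up" message, and the script assumes the logged local-ip/remote-ip ranges are expressed from this device's own perspective, as the Traffic-selector local ID/remote ID fields of the "up" message are.

```python
"""Classify SRX kmd syslog lines by IKE Phase 2 status and diagnose a
proxy-ID mismatch against the locally configured traffic selectors."""
import ipaddress
import re

# Constructed sample log, modelled on the messages quoted in this article.
# The fourth line (Not-Available IKE-IDs) is constructed to show a Phase 1 failure.
SAMPLE_LOG = """\
Dec 26 04:27:26  vsrx1 kmd[19648]: IPSec negotiation failed with error: Peer proposed phase2 proposal conflicts with local configuration. Negotiation failed. IKE Version: 1, VPN: ipsec-vpn-cfgr Gateway: ike-gate-cfgr, Local: 2.2.2.1/500, Remote: 2.2.2.2/500, Local IKE-ID: 2.2.2.1, Remote IKE-ID: 2.2.2.2, VR-ID: 0
Dec 26 04:31:43  vsrx1 kmd[19648]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: ipsec-vpn-cfgr, Peer Proposed traffic-selector local-ip: ipv4(10.10.10.0-10.10.10.255),  Peer Proposed traffic-selector remote-ip: ipv4(192.167.0.0-192.167.0.255)
Dec 26 04:31:43  vsrx1 kmd[19648]: IPSec negotiation failed with error: Peer proposed traffic-selectors are not in configured range. IKE Version: 1, VPN: ipsec-vpn-cfgr Gateway: ike-gate-cfgr, Local: 2.2.2.1/500, Remote: 2.2.2.2/500, Local IKE-ID: 2.2.2.1, Remote IKE-ID: 2.2.2.2, VR-ID: 0
Dec 26 04:33:01  vsrx1 kmd[19648]: IPSec negotiation failed with error: Peer proposed phase1 proposal conflicts with local configuration. Negotiation failed. IKE Version: 1, VPN: ipsec-vpn-cfgr Gateway: ike-gate-cfgr, Local: 2.2.2.1/500, Remote: 2.2.2.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
Dec 26 04:34:18  vsrx1 kmd[19648]: KMD_VPN_UP_ALARM_USER: VPN ipsec-vpn-cfgr from 2.2.2.2 is up. Local-ip: 2.2.2.1, gateway name: ike-gate-cfgr, vpn name: ipsec-vpn-cfgr, tunnel-id: 131073, local tunnel-if: st0.1, remote tunnel-ip: Not-Available, Local IKE-ID: 2.2.2.1, Remote IKE-ID: 2.2.2.2, AAA username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=10.10.10.0/24), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=192.168.1.0/24), SA Type: Static
"""

# Assumed locally configured Phase 2 proxy-ID (taken from the "VPN is up" message).
LOCAL_PROXY_ID = {"local": "10.10.10.0/24", "remote": "192.168.1.0/24"}

IKE_ID_RE = re.compile(r"Local IKE-ID: (?P<local>[^,]+), Remote IKE-ID: (?P<remote>[^,]+)")
TS_RE = re.compile(
    r"local-ip: ipv4\((?P<l1>[\d.]+)-(?P<l2>[\d.]+)\),\s*"
    r"Peer Proposed traffic-selector remote-ip: ipv4\((?P<r1>[\d.]+)-(?P<r2>[\d.]+)\)"
)


def range_to_cidr(first, last):
    """Collapse an 'a-b' address range into one CIDR, or None if it is not a single prefix."""
    nets = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return str(nets[0]) if len(nets) == 1 else None


def classify(line):
    """Map one kmd line to a status category plus any parsed details."""
    if "KMD_PM_SA_ESTABLISHED" in line or "KMD_VPN_UP_ALARM_USER" in line:
        return "established", {}
    if "KMD_VPN_TS_MISMATCH" in line:
        m = TS_RE.search(line)
        details = {}
        if m:
            details = {"peer_local": range_to_cidr(m["l1"], m["l2"]),
                       "peer_remote": range_to_cidr(m["r1"], m["r2"])}
        return "proxy_id_mismatch", details
    if "IPSec negotiation failed" in line:
        ids = IKE_ID_RE.search(line)
        # As the article notes: Not-Available IKE-IDs mean the failure is in Phase 1.
        if ids and "Not-Available" in (ids["local"], ids["remote"]):
            return "phase1_failure", {}
        if "phase2 proposal conflicts" in line:
            return "phase2_proposal_mismatch", {}
        if "traffic-selectors are not in configured range" in line:
            return "proxy_id_mismatch", {}
        return "phase2_failure_other", {}
    return "other", {}


def diagnose_proxy_id(peer, local_cfg=LOCAL_PROXY_ID):
    """Return the sides ('local'/'remote') on which the peer's proposal differs from local config."""
    return [side for side in ("local", "remote")
            if peer.get(f"peer_{side}") != local_cfg[side]]


def summarize(log_text):
    """Count lines per category and collect proxy-ID mismatch diagnoses."""
    counts = {}
    mismatches = []
    for line in log_text.splitlines():
        cat, details = classify(line)
        counts[cat] = counts.get(cat, 0) + 1
        if cat == "proxy_id_mismatch" and details:
            mismatches.append({"peer": details, "differs_on": diagnose_proxy_id(details)})
    return counts, mismatches


if __name__ == "__main__":
    counts, mismatches = summarize(SAMPLE_LOG)
    print(counts)
    for m in mismatches:
        print(f"peer proposed {m['peer']}, differs from local proxy-id on: {m['differs_on']}")
```

Run against the sample, the script reports one proxy-ID mismatch in which the peer proposed 192.167.0.0/24 where this device is configured for 192.168.1.0/24, so only the remote side needs correcting. Replace SAMPLE_LOG with the output of show log kmd-log and LOCAL_PROXY_ID with the subnets from your own ipsec configuration to apply it to a live device.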


Modification History:

2021-02-17: Removed references to firmware, since the log message is generic; updated the log message to be accurate.
