How to Analyze IKE Phase 2 VPN Status Messages
Problem
Description
Review and analyze VPN status messages related to issues caused by an inactive IKE Phase 2.
Symptoms
IKE Phase 2 is not active.
The show security ipsec security-associations command output does not list the remote address of the VPN.
Solution
The best way to troubleshoot the IKE Phase 2 issues is by reviewing the VPN status messages of the responder firewall.
The responder firewall is the receiver side of the VPN that receives the tunnel setup requests. The initiator firewall is the initiator side of the VPN that sends the initial tunnel setup requests.
Using the CLI, configure a syslog file, kmd-logs, for VPN status logs on the responder firewall.
See KB10097-How to configure syslog to display VPN status messages. As you bring up the VPN tunnel, the messages are captured in ldm-logs.
Using the CLI, check for Phase 2 error messages: show log kmd-logs
Sample output messages:
Message: Jul 10 16:14:30 210-2 kmd[52472]: IKE Phase-2: Failed to match the peer proxy IDs [p2_remote_proxy_id=ipv4_subnet(any:0,[0..7]=192.168.10.0/24), p2_local_proxy_id=ipv4_subnet(any:0,[0..7]=10.10.10.0/24)] for local ip: 2.2.2.1, remote peer ip:2.2.2.2
Meaning—The proxy identity of the peer device does not match the local proxy identity.
Action—The proxy ID must be an exact reverse of the peer's configured proxy ID. See KB10124 - How to fix the Phase 2 error: Failed to match the peer proxy IDs.
Message: Jul 16 21:14:20 kmd[1456]: IKE Phase-2 Failure: Quick mode - no proposal chosen [spi=cf0f6152, src_ip=4.4.4.4, dst_ip=3.3.3.2] Jul 16 21:14:20 kmd[1456]: KMD_VPN_PV_PHASE2: IKE Phase-2 Failure: Quick mode - no proposal chosen [spi=cf0f6152, src_ip=4.4.4.4, dst_ip=3.3.3.2] Jul 16 21:14:20 kmd[1456]: IKE Phase-2: Negotiations failed. Local gateway: 4.4.4.4, Remote gateway: 3.3.3.2
Meaning—The device running Junos OS did not accept any of the IKE Phase 2 proposals that the specified IKE peer sent.
Action—Verify the local Phase 2 VPN configuration elements. The Phase 2 proposal elements include the following:
Authentication algorithm
Encryption algorithm
Lifetime kilobytes
Lifetime seconds
Protocol
Perfect forward secrecy
You can change the local configuration to accept at least one of the remote peer’s Phase 2 proposals, or contact the remote peer’s administrator and arrange for the IKE configurations at both ends of the tunnel to use at least one mutually acceptable Phase 2 proposal.
Sample output messages:
IPsec proposal mismatch
Message: Sep 7 09:26:57 kmd[1393]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: vpn1 Gateway: ike-gw, Local: 10.10.10.1/500, Remote: 10.10.10.2/500, Local IKE-ID: 10.10.10.1, Remote IKE-ID: 10.10.10.2, VR-ID: 0
Note:If
Local IKE-IDandRemote IKE-IDare displayed asNot-Available, then it is a Phase 1 failure message. See KB30548 - IKE Phase 1 VPN status messages in 12.1X44 and later releases.Action—Verify the local Phase 2 VPN configuration elements. The Phase 2 proposal elements include the following:
Authentication algorithm
Encryption algorithm
Lifetime kilobytes
Lifetime seconds
Protocol
Perfect forward secrecy
Proxy-ID mismatch
Sample output messages:
Sep 7 09:23:05 kmd[1334]: IKE Phase-2: Failed to match the peer proxy IDs [p2_remote_proxy_id=ipv4_subnet(any:0,[0..7]=192.168.1.0/24), p2_local_proxy_id=ipv4_subnet(any:0,[0..7]=192.168.3.0/24)] for local ip: 10.10.10.2, remote peer ip:10.10.10.1
Sep 7 09:23:05 kmd[1334]: IKE Phase-2: Failed to match the peer proxy IDs [p2_remote_proxy_id=ipv4_subnet(any:0,[0..7]=192.168.1.0/24), p2_local_proxy_id=ipv4_subnet(any:0,[0..7]=192.168.3.0/24)] for local ip: 10.10.10.2, remote peer ip:10.10.10.1
Action—The proxy ID must be an exact reverse match of the peer's configured proxy ID. See KB10124 - How to fix the Phase 2 error: Failed to match the peer proxy IDs.
If the VPN connection is established successfully, you can see the following messages in the syslog:
Sep 10 08:35:03 kmd[1334]: KMD_PM_SA_ESTABLISHED: Local gateway: 10.10.10.2, Remote gateway: 10.10.10.1, Local ID: ipv4_subnet(any:0,[0..7]=192.168.3.0/24), Remote ID: ipv4_subnet(any:0,[0..7]=192.168.1.0/24), Direction: inbound, SPI: 0x4b23e914, AUX-SPI: 0, Mode: Tunnel, Type: dynamic Sep 10 08:35:03 kmd[1334]: KMD_PM_SA_ESTABLISHED: Local gateway: 10.10.10.2, Remote gateway: 10.10.10.1, Local ID: ipv4_subnet(any:0,[0..7]=192.168.3.0/24), Remote ID: ipv4_subnet(any:0,[0..7]=192.168.1.0/24), Direction: outbound, SPI: 0xa90982b3, AUX-SPI: 0, Mode: Tunnel, Type: dynamic Sep 10 08:35:03 kmd[1334]: KMD_VPN_UP_ALARM_USER: VPN test_vpn from 10.10.10.1 is up. Local-ip: 10.10.10.2, gateway name: ike-gw, vpn name: vpn1, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: Not-Available, Local IKE-ID: 10.10.10.2, Remote IKE-ID: 10.10.10.1, XAUTH username: Not-Applicable, VR id: 0
Sep 9 06:57:34 kmd[1393]: KMD_PM_SA_ESTABLISHED: Local gateway: 10.10.10.1, Remote gateway: 10.10.10.2, Local ID: ipv4_subnet(any:0,[0..7]=192.168.1.0/24), Remote ID: ipv4_subnet(any:0,[0..7]=192.168.3.0/24), Direction: inbound, SPI: 0xa90982b3, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector: Sep 9 06:57:34 kmd[1393]: KMD_PM_SA_ESTABLISHED: Local gateway: 10.10.10.1, Remote gateway: 10.10.10.2, Local ID: ipv4_subnet(any:0,[0..7]=192.168.1.0/24), Remote ID: ipv4_subnet(any:0,[0..7]=192.168.3.0/24), Direction: outbound, SPI: 0x4b23e914, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector: Sep 9 06:57:34 kmd[1393]: KMD_VPN_UP_ALARM_USER: VPN test_vpn from 10.10.10.2 is up. Local-ip: 10.10.10.1, gateway name: ike-gw, vpn name: vpn1, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: Not-Available, Local IKE-ID: 10.10.10.1, Remote IKE-ID: 10.10.10.2, XAUTH username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=192.168.1.0/24), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=192.168.3.0/24)ze: 12px;">IPsec Proposal mismatch
If you could not locate any Phase 2 messages, proceed to Step 4.
Using the CLI, review the Phase 2 proposals and confirm that the configuration matches the Phase 2 proposals configured by the peer: show security ipsec
show security ipsec proposal ipsec-phase2-proposal { protocol esp; authentication-algorithm hmac-sha1-96; encryption-algorithm aes-128-cbc; } policy ipsec-phase2-policy { perfect-forward-secrecy { keys group2; } proposals ipsec-phase2-proposal; } vpn ike-vpn-srx1 { vpn-monitor; ike { gateway gw-srx1; ipsec-policy ipsec-phase2-policy; } }If the issue persists, to open a JTAC case with the Juniper Networks support team, see Data Collection for Customer Support for the data you should collect to assist in troubleshooting before opening a JTAC case.