VPN Phase 1 Connects Then Drops
(2015-03-26)
Problem
Phase 1 connects, then drops seconds later.
In the traceoptions output, you see the message:
iked_pm_id_validate id NOT matched.
This appears after the message indicating that Phase 1 is up.
Solution
The remote side is using IP addresses as IKE peer IDs (note: these are different from Phase 2 proxy IDs), and you probably don't have any peer IDs defined.
If you have Junos 11.4R5 or later, the correct option to add is:
set security ike gateway $GATEWAY general-ikeid
Alternatively, you can define the IKE ID properly.
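The two options side by side, as an added example that is not part of the original note. `general-ikeid` makes the gateway accept whatever IKE ID the peer presents, while `remote-identity` keeps the check and states the expected value; the address 192.0.2.10 is a documentation placeholder for the IP the peer sends as its ID.

```junos
# Placeholders: $GATEWAY is the IKE gateway name, as in the command above.
# 192.0.2.10 is a constructed example address; substitute the IP the remote
# peer actually sends as its IKE ID (this may differ from the address you
# peer with, for example when the peer sits behind NAT).

# Option A (from the note above, Junos 11.4R5 or later):
# accept the peer's IKE ID without matching it against a configured value.
set security ike gateway $GATEWAY general-ikeid

# Option B: keep IKE ID validation and define the expected peer ID explicitly.
set security ike gateway $GATEWAY remote-identity inet 192.0.2.10

# After commit, confirm from operational mode that Phase 1 stays up:
#   show security ike security-associations
```

Use one option or the other. Option B is the tighter setting because the gateway still rejects a peer that presents an unexpected identity.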
Commentary
Observed while trying to move a VPN that was remote peered with a Cisco running ASA v8.0 from a ScreenOS firewall to a Junos 12.firewall. The ScreenOS firewall dealt with this without issue, but the Junos firewall needs the knob turned.