IKE Identity Failure
(2015-03-26)
...after the message identifying that Phase 1 is up.
Or you can define the ike-ID properly. See 
this Juniper page for details.
Problem
Phase 1 connects then drops seconds later.In the trace options, you see the message:iked_pm_id_validate id NOT matched.
Solution
The remote side is using IPs as peer-IDs (note: different from phase-2 proxy-IDs) and you probably don't have any peer-IDs defined.If you have Junos 11.4R5 or later, the correct option to add is:set security ike gateway $GATEWAY general-ikeid
this Juniper page for details.
Commentary
Observed while trying to move a VPN that was remote peered with a Cisco running ASA v8.0 from a ScreenOS firewall to a JunOS 12.firewall. The ScreenOS firewall dealt with this without issue, but the JunOS firewall needs the knob turned.
no comments |
post comment
Virtual Dave Megaplex:
- Home Page
- This wiki's start page
- Send Feedback To Dave
Logged in Users: (0)
Recently Changed
Check Internet Service Database Match- Device-Local Certificate Expired
- CLI Policy Lookup
- DH Selection For IPsec VPNs
- Scan For Newly Added Disk
- nmap
- Seconds Since Epoch to Local Time
- Link Monitor
- DH group to OAKLEY_GROUP table
- Fire Eater
- start
- FortiClient Error Codes
- dhparams Generation
- SSL Certificate Bundles
- ufw
- Grow A LVM Partition
- Creating Users
- whoami
- list databases
- 2023
- 2022
- 2019
- 2018
- 2017
- 2011
- 2010
- 2008
- 2001
- 2000
- 1999
Editing: snipsnap-help, Image Macro(Et auditum est, et idcirco ego nunc simulare)
This is a collection of techical information, much of it learned the hard way. Consider it a lab book or a /info directory. I doubt much of it will be of use to anyone else.