For When You Can't Have The Real Thing
[ start | index | login ]
start > Juniper > SRX240 > IKE Identity Failure

IKE Identity Failure

Created by dave. Last edited by dave, 3 years and 334 days ago. Viewed 2,315 times. #1
[edit] [rdf]


Phase 1 connects then drops seconds later.

In the trace options, you see the message:

iked_pm_id_validate id NOT matched.

...after the message identifying that Phase 1 is up.


The remote side is using IPs as peer-IDs (note: different from phase-2 proxy-IDs) and you probably don't have any peer-IDs defined.

If you have Junos 11.4R5 or later, the correct option to add is:

set security ike gateway $GATEWAY general-ikeid

Or you can define the ike-ID properly. See >>this Juniper page for details.


Observed while trying to move a VPN that was remote peered with a Cisco running ASA v8.0 from a ScreenOS firewall to a JunOS 12.firewall. The ScreenOS firewall dealt with this without issue, but the JunOS firewall needs the knob turned.

no comments | post comment
This is a collection of techical information, much of it learned the hard way. Consider it a lab book or a /info directory. I doubt much of it will be of use to anyone else.

Useful: | Copyright 2000-2002 Matthias L. Jugel and Stephan J. Schmidt