> show log kmd-logs | match x.x.x.x
where x.x.x.x is the remote IKE gateway IP address.
kmd[1624]: IKE negotiation failed with error: No proposal chosen.
Problem or Goal:
Phase 2 of my IPsec tunnel was "DOWN", Phase 1 was "UP", tunnel interface was admin "UP" but protocol "DOWN"
Cause (Meaning):
The Junos device did not accept any of the IKE Phase 2 proposals that the specified IKE peer sent.
Solution (Action):
Verify the local Phase 2 VPN configuration elements.
The Phase 2 proposal elements include the following:
- Authentication algorithm
- Encryption algorithm
- Lifetime kilobytes
- Lifetime seconds
- Protocol
- Perfect Forward Secrecy
Either change the local configuration to accept at least one of the remote peer’s Phase 2 proposals, or contact the remote peer’s admin and arrange for the IKE configurations at both ends of the tunnel to use at least one mutually acceptable Phase 2 proposal.
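One way to carry out the comparison described above, as an added example (not part of the original post and not Juniper tooling): a Python script that pulls the listed Phase 2 elements out of `show configuration security ipsec | display set` output from each end and reports the ones that differ. It assumes both peers run Junos with a single IPsec proposal and policy; the names P2-PROP and P2-POL and both sample configurations are constructed.

```python
import re

# Phase 2 elements listed in this post, mapped to the Junos "set" statements
# that carry them. An element absent from the config is reported as None.
PATTERNS = {
    "Authentication algorithm": r"ipsec proposal \S+ authentication-algorithm (\S+)",
    "Encryption algorithm": r"ipsec proposal \S+ encryption-algorithm (\S+)",
    "Lifetime kilobytes": r"ipsec proposal \S+ lifetime-kilobytes (\S+)",
    "Lifetime seconds": r"ipsec proposal \S+ lifetime-seconds (\S+)",
    "Protocol": r"ipsec proposal \S+ protocol (\S+)",
    "Perfect Forward Secrecy": r"ipsec policy \S+ perfect-forward-secrecy keys (\S+)",
}

# Constructed sample: local device configuration (hypothetical names P2-PROP, P2-POL).
LOCAL = """\
set security ipsec proposal P2-PROP protocol esp
set security ipsec proposal P2-PROP authentication-algorithm hmac-sha1-96
set security ipsec proposal P2-PROP encryption-algorithm aes-128-cbc
set security ipsec proposal P2-PROP lifetime-seconds 3600
set security ipsec policy P2-POL perfect-forward-secrecy keys group2
set security ipsec policy P2-POL proposals P2-PROP
"""

# Constructed sample: configuration supplied by the remote peer's admin.
REMOTE = """\
set security ipsec proposal P2-PROP protocol esp
set security ipsec proposal P2-PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal P2-PROP encryption-algorithm aes-128-cbc
set security ipsec proposal P2-PROP lifetime-seconds 3600
set security ipsec policy P2-POL perfect-forward-secrecy keys group14
set security ipsec policy P2-POL proposals P2-PROP
"""

def phase2_elements(set_config):
    """Return {element: value or None} from 'display set' output."""
    found = {}
    for name, pattern in PATTERNS.items():
        m = re.search(pattern, set_config)
        found[name] = m.group(1) if m else None
    return found

def phase2_mismatches(local_cfg, remote_cfg):
    """Return {element: (local, remote)} for every element that differs."""
    local, remote = phase2_elements(local_cfg), phase2_elements(remote_cfg)
    return {k: (local[k], remote[k]) for k in PATTERNS if local[k] != remote[k]}

if __name__ == "__main__":
    for element, (lo, re_) in phase2_mismatches(LOCAL, REMOTE).items():
        print(f"{element}: local={lo} remote={re_}")
```

An element that is unset on both sides is treated as matching, since neither configuration states a value for it.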