The customer was experiencing issues with VPN (Virtual Private Network) connections on their Juniper SRX firewall. Users were unable to establish VPN tunnels, and the logs showed error messages related to the IKE (Internet Key Exchange) phase of the VPN setup. Specifically, the error messages in the logs were:
Feb 25 10:22:19 srx-firewall charon[12345]: 01[IKE] <con1|0> IKE authentication failed
Feb 25 10:22:19 srx-firewall charon[12345]: 01[NET] <con1|0> sending packet: from 192.168.1.1[500] to 192.168.2.1[500] (30 bytes)
Feb 25 10:22:19 srx-firewall charon[12345]: 01[NET] <con1|0> sending packet: from 192.168.1.1[500] to 192.168.2.1[500] (30 bytes)
Feb 25 10:22:19 srx-firewall charon[12345]: 01[NET] <con1|0> sending packet: from 192.168.1.1[500] to 192.168.2.1[500] (30 bytes)
Feb 25 10:22:19 srx-firewall charon[12345]: 01[IKED] <con1|0> IKE authentication failed: invalid ID
This message indicated that the IKE authentication failed due to an invalid ID. The root cause seemed to be a mismatch in the configuration of the Identity parameter between the two VPN peers.
Solution and Commands Suggested
Juniper support traced the issue to the IKE peer configuration, specifically an identity mismatch between the two VPN endpoints. They suggested correcting the local identity or peer identity on one side so that both ends agree.
1. Verify Current VPN Configuration:
First, the support team recommended checking the VPN settings using the following command:
show security ike security-associations
This would display the current status of the IKE security associations and help verify the tunnel status.
2. Correct the Identity Configuration:
The mismatch was in the local identity (ID) being incorrectly set, causing the IKE authentication to fail. The support team suggested modifying the IKE policy and ensuring the identities match between the two peers.
To correct the local identity setting for IKE, the following commands were suggested:
Enter the IKE gateway configuration hierarchy:
edit security ike gateway <vpn-gateway-name>
Set the correct local identity:
If the peer is using an IP address as the identity, you would update the local identity so that it matches the identity the peer expects from this gateway (the peer's configured remote identity). The command would be:
set local-identity <local-identity-type> <local-identity-value>
Example:
3. Verify the IKE Configuration:
After making the changes, Juniper support recommended verifying the gateway configuration and the VPN connection status using the following command (from configuration mode):
show security ike gateway <vpn-gateway-name>
This would confirm that the local identity matches the peer’s identity, and the IKE negotiation could succeed.
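As an added example (not from the page and not Juniper's own tooling), a small Python check that applies the rule from steps 2 and 3: each side's `local-identity` must equal the other side's `remote-identity`, both in type and value. The two gateway configurations, their names, addresses and the hostname are constructed assumptions.

```python
import re

# Constructed "set"-format excerpts for the two peers (sample data, not from any real device).
# Peer A presents its IP address as its ID; peer B expects a hostname, so B rejects A's ID.
PEER_A_CONFIG = """
set security ike gateway gw-to-b address 192.168.2.1
set security ike gateway gw-to-b local-identity inet 192.168.1.1
set security ike gateway gw-to-b remote-identity inet 192.168.2.1
"""

PEER_B_CONFIG = """
set security ike gateway gw-to-a address 192.168.1.1
set security ike gateway gw-to-a local-identity inet 192.168.2.1
set security ike gateway gw-to-a remote-identity hostname srx-a.example.com
"""

IDENTITY_RE = re.compile(
    r"^set security ike gateway (\S+) (local-identity|remote-identity) (\S+) (\S+)$"
)


def parse_identities(config):
    """Map gateway name -> {'local-identity': (type, value), 'remote-identity': (type, value)}."""
    gateways = {}
    for line in config.strip().splitlines():
        match = IDENTITY_RE.match(line.strip())
        if match:
            gw, role, id_type, value = match.groups()
            gateways.setdefault(gw, {})[role] = (id_type, value)
    return gateways


def identity_mismatches(cfg_a, gw_a, cfg_b, gw_b):
    """Return the 'set' commands needed so that each side's remote-identity equals the
    other side's local-identity. An empty list means the identities already agree."""
    side_a = parse_identities(cfg_a).get(gw_a, {})
    side_b = parse_identities(cfg_b).get(gw_b, {})
    fixes = []
    for src, dst, dst_gw in ((side_a, side_b, gw_b), (side_b, side_a, gw_a)):
        local = src.get("local-identity")
        # A peer with no explicit local-identity advertises its interface address;
        # only explicitly configured identities are checked here.
        if local is None or local == dst.get("remote-identity"):
            continue
        id_type, value = local
        fixes.append(f"set security ike gateway {dst_gw} remote-identity {id_type} {value}")
    return fixes


if __name__ == "__main__":
    for cmd in identity_mismatches(PEER_A_CONFIG, "gw-to-b", PEER_B_CONFIG, "gw-to-a"):
        print("identity mismatch; apply on the peer:", cmd)
```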
4. Monitor VPN Logs:
To ensure the changes had resolved the issue, the support team suggested monitoring the logs for any new errors and confirming that the tunnel was successfully established:
show log ike
5. Test the VPN Tunnel:
Finally, after making the configuration changes, the VPN tunnel was tested, and the issue was resolved, as the error message “IKE authentication failed: invalid ID” no longer appeared, and the VPN tunnel was established successfully.
