IPsec VPN Tunnel Phase 1 Negotiation fails due to mismatch in Peer identification

Created On 05/03/24 15:53 PM - Last Modified 03/06/25 21:52 PM


Symptom


  • For IKEv2: the system log of the IPsec tunnel IKE responder* will show the following message:
2023/02/13 10:10:46 info     vpn            ike-gen 0  received ID_I (type ipaddr [172.16.1.1]) does not match peers id
  • For IKEv1: the system log of the IPsec tunnel of one of the peers will show the following message:
2023/11/03 09:24:03 critical vpn     Gatewa ike-neg 0  IKE phase-1 negotiation is failed. Peer's ID payload 172.16.36.240 (type ipaddr) does not match a configured IKE gateway.

*IKE responder: The IKE Initiator is the device initiating the IKE VPN tunnel negotiation request and the IKE Responder is the device receiving the request to establish an IKE VPN tunnel.



Environment


  • IPsec tunnel


Cause


A mismatch in the configuration of the IKE gateway peer identification.

Resolution


  1. Ensure that the IKE Gateway peer identification is properly configured on both sides of the IPsec tunnel.
    1. Look under the UI:
      1. For standalone firewall: Navigate to NETWORK > Network Profiles > IKE Gateways.
      2. For Panorama managed firewall: Navigate to Templates > NETWORK, select the right Template then look under Network Profiles > IKE Gateways.
      3. For Strata Cloud Manager managed firewalls: Navigate to Manage > Configuration > NGFW and Prisma Access, select the right Configuration Scope then look under Device Settings > IPsec tunnel.
    2. Check the IKE Gateway configuration of the tunnel which is down due to the IKE gateway peer identification mismatch:
      Peer-ID (screenshot of the IKE Gateway identification settings)
    3. Ensure that the type and value of the Local Identification of one Peer matches the Peer Identification type and value of the other Peer.
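The two system log messages quoted under Symptom and the cross-check in the last resolution step, as an added Python example that is not part of this article and not PAN-OS code: it scans constructed system log lines (modelled on the messages quoted above) to pull out the identity the remote peer actually offered, and then checks a pair of IKE Gateway definitions the way the last step describes (the Local Identification of one side must equal the Peer Identification of the other, type and value). The IkeGateway/PeerId classes, the gateway names and the sample identities are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample system log lines, modelled on the two messages quoted in the
# article (one IKEv2 responder message, one IKEv1 message) plus one filler line
# that reports no mismatch.
SAMPLE_LOG = """\
2023/02/13 10:10:46 info     vpn            ike-gen 0  received ID_I (type ipaddr [172.16.1.1]) does not match peers id
2023/02/13 10:10:50 info     vpn            ike-gen 0  (constructed filler line, no ID mismatch reported)
2023/11/03 09:24:03 critical vpn     Gatewa ike-neg 0  IKE phase-1 negotiation is failed. Peer's ID payload 172.16.36.240 (type ipaddr) does not match a configured IKE gateway.
"""

# Patterns for the two message formats shown in the article.
IKEV2_MISMATCH = re.compile(
    r"received ID_I \(type (?P<type>\w+) \[(?P<value>[^\]]+)\]\) does not match peers id")
IKEV1_MISMATCH = re.compile(
    r"Peer's ID payload (?P<value>\S+) \(type (?P<type>\w+)\) does not match a configured IKE gateway")


@dataclass(frozen=True)
class PeerId:
    """An IKE identity as the log shows it: a type (ipaddr, fqdn, ...) and a value."""
    id_type: str
    value: str


@dataclass(frozen=True)
class MismatchEvent:
    timestamp: str
    ike_version: int
    offered_id: PeerId  # identity the remote peer actually sent in its ID payload


def parse_mismatches(log_text: str) -> list[MismatchEvent]:
    """Return one event per log line that reports a peer-ID mismatch (IKEv1 or IKEv2)."""
    events = []
    for line in log_text.splitlines():
        timestamp = line[:19]  # "YYYY/MM/DD HH:MM:SS" prefix of the system log line
        m = IKEV2_MISMATCH.search(line)
        if m:
            events.append(MismatchEvent(timestamp, 2, PeerId(m["type"], m["value"])))
            continue
        m = IKEV1_MISMATCH.search(line)
        if m:
            events.append(MismatchEvent(timestamp, 1, PeerId(m["type"], m["value"])))
    return events


@dataclass(frozen=True)
class IkeGateway:
    """Identification part of an IKE Gateway profile (hypothetical structure for this example)."""
    name: str
    local_id: PeerId  # Local Identification this side sends
    peer_id: PeerId   # Peer Identification this side expects from the remote side


def check_gateway_pair(a: IkeGateway, b: IkeGateway) -> list[str]:
    """Each side's Local ID must equal the other side's Peer ID (type and value).

    Returns a list of problems; an empty list means the identities cross-match."""
    problems = []
    if a.local_id != b.peer_id:
        problems.append(
            f"{a.name} sends local ID {a.local_id.id_type} {a.local_id.value!r} but "
            f"{b.name} expects peer ID {b.peer_id.id_type} {b.peer_id.value!r}")
    if b.local_id != a.peer_id:
        problems.append(
            f"{b.name} sends local ID {b.local_id.id_type} {b.local_id.value!r} but "
            f"{a.name} expects peer ID {a.peer_id.id_type} {a.peer_id.value!r}")
    return problems


def explain_event(event: MismatchEvent, responder: IkeGateway) -> str:
    """Relate a logged mismatch to the responder's configured Peer Identification."""
    expected, offered = responder.peer_id, event.offered_id
    if offered.id_type != expected.id_type:
        reason = f"type differs (got {offered.id_type}, expected {expected.id_type})"
    else:
        reason = f"value differs (got {offered.value!r}, expected {expected.value!r})"
    return (f"IKEv{event.ike_version} at {event.timestamp}: offered ID does not match "
            f"{responder.name}: {reason}")


if __name__ == "__main__":
    # Sample (constructed) gateway pair: the branch sits behind NAT, so it identifies
    # itself by FQDN instead of by its pre-NAT address.
    hub = IkeGateway("hub-gw", PeerId("ipaddr", "203.0.113.10"), PeerId("fqdn", "branch.example.net"))
    branch = IkeGateway("branch-gw", PeerId("ipaddr", "172.16.1.1"), PeerId("ipaddr", "203.0.113.10"))
    for problem in check_gateway_pair(hub, branch):
        print("CONFIG:", problem)
    for event in parse_mismatches(SAMPLE_LOG):
        print("LOG:   ", explain_event(event, hub))
```

Run it against an export of the responder's system log (filtered on the vpn subtype) and the IKE Gateway settings you read from the UI; a non-empty result from check_gateway_pair, or an explain_event line saying the type differs, points straight at the field to correct.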


Additional Information


Peer Identification: This is a unique identifier that is used to authenticate the remote device during the IPSec negotiation process. The peer identification can be an IP address, a domain name, or a fully qualified domain name (FQDN). It is used to ensure that the remote device is authorized to communicate with the local device and to prevent unauthorized access.

Refer to Peer Address vs Peer Identification in IPSec IKE Site to Site VPN with VM Firewall in Azure to check how to properly configure the peer identification when NAT is applied to the IP address of one of the tunnel endpoints.

Refer to IPSec VPN Tunnel with Peer Having Dynamic IP Address to check how to properly configure the peer identification when the Peer IP address is dynamic.

If you are unsure which IKE Gateway configuration to check first, identify which IKE Gateway is configured for the affected tunnel (the tunnel that is down due to the IKE gateway peer identification mismatch) by looking at the IPsec configuration of the tunnel in the UI:

  1. For standalone firewall: Navigate to NETWORK > IPsec Tunnel, search for the right tunnel and check which IKE Gateway is used by clicking the name of the tunnel to view its configuration or by clicking on the IKE info hyperlink.
  2. For Panorama managed firewall: Navigate to Templates > NETWORK, select the right Template then look under the IPsec Tunnel, search for the right tunnel and check which IKE Gateway is used by clicking the name of the tunnel to view its configuration.

If the peer device is from a different vendor, refer to its documentation. For example, some vendors may implicitly use the IKE gateway IP as the peer ID if not explicitly configured.



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HD6XCAW&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail