IPsec VPN Tunnel Phase 1 negotiation fails due to a mismatch in the IKE version

Created On 07/22/24 17:17 PM - Last Modified 07/25/24 20:39 PM


Symptom


 
  • The tunnel does not come up, and ikemgr.log shows the following message:
    2023-11-02 14:53:07.007 -0700  [PWRN]: 10.46.36.137[500] - 10.46.36.240[500]:0x5592efa62240 unknown ikev2 peer
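
An added example, not part of the original article and not Palo Alto Networks code: a Python script that scans ikemgr.log text for the warning above and groups it by the address pair in the line, to show which tunnel's IKE Gateway needs checking. The function name and every sample line other than the one quoted above are constructed.

```python
import re
import sys
from collections import defaultdict

# Format of the warning quoted in the Symptom section:
# <date> <time> <tz>  [PWRN]: <addr>[port] - <addr>[port]:<handle> unknown ikev2 peer
WARNING = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) [+-]\d{4}\s+"
    r"\[PWRN\]:\s+(?P<left>[\d.]+)\[\d+\]\s+-\s+"
    r"(?P<right>[\d.]+)\[\d+\]:\S+\s+unknown ikev2 peer\s*$"
)

def find_unknown_ikev2_peers(lines):
    """Group 'unknown ikev2 peer' warnings by the address pair in the line."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for line in lines:
        m = WARNING.match(line.strip())
        if not m:
            continue  # any other ikemgr.log message
        entry = hits[(m["left"], m["right"])]
        entry["count"] += 1
        entry["first"] = entry["first"] or m["ts"]
        entry["last"] = m["ts"]
    return dict(hits)

# Constructed sample. Line 1 is the message quoted in this article; the
# remaining lines are made up for illustration (documentation IP ranges).
SAMPLE_LOG = """\
2023-11-02 14:53:07.007 -0700  [PWRN]: 10.46.36.137[500] - 10.46.36.240[500]:0x5592efa62240 unknown ikev2 peer
2023-11-02 14:53:09.500 -0700  [INFO]: constructed unrelated line
2023-11-02 14:53:17.012 -0700  [PWRN]: 10.46.36.137[500] - 10.46.36.240[500]:0x5592efa62240 unknown ikev2 peer
2023-11-02 14:54:01.250 -0700  [PWRN]: 192.0.2.10[500] - 198.51.100.20[500]:0x1 unknown ikev2 peer
"""

if __name__ == "__main__":
    # Pass a saved copy of ikemgr.log as the first argument, or run on the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    for (left, right), e in find_unknown_ikev2_peers(lines).items():
        print(f"{left} - {right}: {e['count']} warnings, "
              f"{e['first']} to {e['last']}")
```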


Environment


  • IPsec tunnel


Cause


The IKE version configured on the IKE gateway does not match between the two peers.

Resolution


  1. Ensure that the IKE Gateway IKE version is configured to match on both sides of the IPsec tunnel.
    1. Look under the UI:
      1. For standalone firewall: Navigate to NETWORK > Network Profiles > IKE Gateways.
      2. For Panorama managed firewall: Navigate to Templates > NETWORK, select the right Template then look under Network Profiles > IKE Gateways.
      3. For Strata Cloud Manager managed firewalls: Navigate to Manage > Configuration > NGFW and Prisma Access, select the right Configuration Scope then look under Device Settings > IPsec tunnel.
    2. Check the IKE Gateway configuration of the tunnel that is down due to the IKE gateway peer identification mismatch, specifically the IKE version.
    3. If you select IKEv2 preferred mode, the two peers will use IKEv2 if the remote peer supports it; otherwise they’ll use IKEv1.


Additional Information


For more details refer to VPN Failing with Error 'Unknown ikev2 peer'.
Other useful article: How to check Status, Clear, Restore, and Monitor an IPSec VPN Tunnel.
If you need to restart the tunnel after committing the configuration change, refer to Enable, Disable, Refresh, or Restart an IKE Gateway or IPSec Tunnel.
 


