Messages for Site-to-Site connections
IKE V1 - Site to site
Phase | Initiator | Responder | Possible cause(s) |
1 | none | none | Check the initiating traffic endpoints. Check that there is a connection attempt (authorized by the filtering policy) through the tunnel or that the keepalive is enabled. Check that the tunnel is not in response only mode on the initiator. |
1 | Invalid major version X | Invalid major version X | The two VPN endpoints do not use the same IKE version. |
1 | Negotiation failed due to timeout | none | Check the IP filter of the responder and intermediaries. Check the initiator's tunnel endpoints. |
1 | Negotiation failed due to timeout | Not acceptable mode | Check the mode (i.e., main vs aggressive) on the initiator and the responder. |
1 | Negotiation failed due to timeout | Could not get a valid proposal | Check the compatibility of proposals, e.g., DH groups, encryption, SA lifetime, on the initiator and responder. Also make sure you are not using PSK on one side and certificate on the other. |
1 | Negotiation failed due to timeout | No PSK found for X | The pre-shared key is not defined on the responder. |
1 | Negotiation failed due to timeout | Negotiation failed | Check the value of the pre-shared key on the initiator and the responder. |
1 | Negotiation failed due to timeout | Certificate with serial X from issuer X: unable to get local issuer certificate | The certificate from the initiator is not considered worthy of the responder's trust. Check that the certificate of the corresponding CA has been installed and is trustworthy. |
1 | No PSK found for X | Negotiation failed due to timeout | The pre-shared key is not defined on the initiator. |
1 | Certificate with serial X from issuer X: unable to get local issuer certificate | Phase established | The certificate from the initiator or the responder is not considered worthy of the initiator's trust. Check that the certificate of the corresponding CA has been installed and is trustworthy. |
1 | Negotiation failed due to send error | none | Check connectivity between your two devices (routing ... ). |
2 | none | Negotiation failed | Check the traffic endpoints on the initiator and responder. |
2 | Negotiation failed due to timeout | Could not get a valid proposal | Check the compatibility of phase 2 proposals on the initiator and responder. |
IKE V2 - Site to site
Phase | Initiator | Responder | Possible cause(s) |
1 | none | none | Check the initiating traffic endpoints. Check that there is a connection attempt (authorized by the filtering policy) through the tunnel or that the keepalive is enabled. Check that the tunnel is not in response only mode on the initiator. |
1 | Invalid major version X | Invalid major version X | The two VPN endpoints do not use the same IKE version. |
1 | Remote seems to be dead | none | Check the IP filter of the responder and intermediaries. Check the initiator's tunnel endpoints. Check connectivity between your two devices (routing ... ). |
1 | The received proposals did not match:X | The received proposals did not match:X | Check the compatibility of proposals, e.g., DH groups, encryption on the initiator and responder. |
1 | Peer rejected local authentication | Peer PSK mismatched | Check the value of the pre-shared key on the initiator and the responder. |
1 | Peer rejected local authentication | X not found for peer certificate | The certificate from the initiator is not considered worthy of the responder's trust. Check that the certificate of the corresponding CA has been installed and is trustworthy. |
1 | X not found for peer certificate | IKE SA established + IPSEC SA established + Negotiation failed | The certificate from the responder is not considered worthy of the initiator's trust. Check that the certificate of the corresponding CA has been installed and is trustworthy. |
1 | none | No matching peer config found | The initiator is sending an identifier that is not known by the responder (may be caused by NAT operation on the link). |
2 | IPSEC SA establishment failed: received TS_UNACCEPTABLE notify error | The received traffic selectors did not match: X | Check the traffic endpoints on the initiator and responder. |
2 | IPSEC SA establishment failed: received NO_PROPOSAL_CHOSEN notify error | No acceptable proposal found | Check the compatibility of phase 2 proposals on the initiator and responder. This situation might occur during the phase 2 renewal only in the event of a different PFS DH group on both peers. |
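
The settings that the "Possible cause(s)" columns of both tables tell you to compare can be checked offline, before the tunnel is negotiated. The script below is an added example, not vendor code; the dictionary keys, finding texts and sample values are hypothetical and constructed for illustration.

```python
# Added example. The dictionary keys are hypothetical, not a vendor schema.

def precheck(initiator, responder):
    """Return (phase, finding) tuples for settings that would block the tunnel."""
    found = []
    if initiator.get("response_only"):
        found.append((1, "initiator tunnel is in response-only mode"))
    if initiator["ike_version"] != responder["ike_version"]:
        found.append((1, "IKE version differs"))
    elif initiator["ike_version"] == 1 and initiator.get("mode") != responder.get("mode"):
        found.append((1, "mode differs (main vs aggressive)"))
    if initiator["auth"] != responder["auth"]:
        found.append((1, "PSK on one side, certificate on the other"))
    elif initiator["auth"] == "psk":
        keys = {"initiator": initiator.get("psk"), "responder": responder.get("psk")}
        missing = [side for side, key in keys.items() if not key]
        for side in missing:
            found.append((1, f"pre-shared key not defined on the {side}"))
        if not missing and keys["initiator"] != keys["responder"]:
            found.append((1, "pre-shared key values differ"))  # never print the key
    if not set(initiator["p1_proposals"]) & set(responder["p1_proposals"]):
        found.append((1, "no common phase 1 proposal"))
    # Traffic endpoints must mirror each other: my local network is your remote one.
    if (initiator["local_net"], initiator["remote_net"]) != (
            responder["remote_net"], responder["local_net"]):
        found.append((2, "traffic endpoints do not mirror each other"))
    if not set(initiator["p2_proposals"]) & set(responder["p2_proposals"]):
        found.append((2, "no common phase 2 proposal"))
    elif initiator.get("pfs_dh_group") != responder.get("pfs_dh_group"):
        found.append((2, "PFS DH group differs (may only fail at phase 2 renewal)"))
    return found

# Constructed sample configurations (documentation address ranges).
SITE_A = {
    "ike_version": 2, "auth": "psk", "psk": "constructed-sample-key",
    "p1_proposals": [("aes256", "dh14")], "p2_proposals": [("aes256", "sha256")],
    "pfs_dh_group": "dh14", "local_net": "192.0.2.0/25", "remote_net": "192.0.2.128/25",
}
SITE_B = {
    "ike_version": 2, "auth": "psk", "psk": "constructed-sample-key",
    "p1_proposals": [("aes128", "dh14"), ("aes256", "dh14")],
    "p2_proposals": [("aes256", "sha256")],
    "pfs_dh_group": "dh19", "local_net": "192.0.2.128/25", "remote_net": "192.0.2.0/24",
}

if __name__ == "__main__":
    for phase, finding in precheck(SITE_A, SITE_B):
        print(f"phase {phase}: {finding}")
```

With the sample data, phase 1 is clean and both findings are in phase 2: the responder's remote network does not mirror the initiator's local network, and the PFS DH groups differ.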