Log messages for Site-to-Site connections

IKE V1 - Site to site

| Phase | Initiator | Responder | Possible cause(s) |
|---|---|---|---|
| 1 | none | none | Check the initiating traffic endpoints. Check that there is a connection attempt (authorized by the filtering policy) through the tunnel or that the keepalive is enabled. Check that the tunnel is not in response-only mode on the initiator. |
| 1 | Invalid major version X | Invalid major version X | The two VPN endpoints do not use the same IKE version. |
| 1 | Negotiation failed due to timeout | none | Check the IP filter of the responder and intermediaries. Check the initiator's tunnel endpoints. |
| 1 | Negotiation failed due to timeout | Not acceptable mode | Check the mode (i.e., main vs aggressive) on the initiator and the responder. |
| 1 | Negotiation failed due to timeout | Could not get a valid proposal | Check the compatibility of proposals, e.g., DH groups, encryption, SA lifetime, on the initiator and responder. Also make sure you are not using PSK on one side and certificate on the other. |
| 1 | Negotiation failed due to timeout | No PSK found for X | The pre-shared key is not defined on the responder. |
| 1 | Negotiation failed due to timeout | Negotiation failed | Check the value of the pre-shared key on the initiator and the responder. |
| 1 | Negotiation failed due to timeout | Certificate with serial X from issuer X: unable to get local issuer certificate | The certificate from the initiator is not trusted by the responder. Check that the certificate of the corresponding CA has been installed and is trusted. |
| 1 | No PSK found for X | Negotiation failed due to timeout | The pre-shared key is not defined on the initiator. |
| 1 | Certificate with serial X from issuer X: unable to get local issuer certificate | Phase established | The certificate from the initiator or the responder is not trusted by the initiator. Check that the certificate of the corresponding CA has been installed and is trusted. |
| 1 | Negotiation failed due to send error | none | Check connectivity between your two devices (routing ...). |
| 2 | none | Negotiation failed | Check the traffic endpoints on the initiator and responder. |
| 2 | Negotiation failed due to timeout | Could not get a valid proposal | Check the compatibility of phase 2 proposals on the initiator and responder. |

IKE V2 - Site to site 

| Phase | Initiator | Responder | Possible cause(s) |
|---|---|---|---|
| 1 | none | none | Check the initiating traffic endpoints. Check that there is a connection attempt (authorized by the filtering policy) through the tunnel or that the keepalive is enabled. Check that the tunnel is not in response-only mode on the initiator. |
| 1 | Invalid major version X | Invalid major version X | The two VPN endpoints do not use the same IKE version. |
| 1 | Remote seems to be dead | none | Check the IP filter of the responder and intermediaries. Check the initiator's tunnel endpoints. Check connectivity between your two devices (routing ...). |
| 1 | The received proposals did not match:X | The received proposals did not match:X | Check the compatibility of proposals, e.g., DH groups, encryption, on the initiator and responder. |
| 1 | Peer rejected local authentication | Peer PSK mismatched | Check the value of the pre-shared key on the initiator and the responder. |
| 1 | Peer rejected local authentication | X not found for peer certificate | The certificate from the initiator is not trusted by the responder. Check that the certificate of the corresponding CA has been installed and is trusted. |
| 1 | X not found for peer certificate | IKE SA established + IPSEC SA established + Negotiation failed | The certificate from the responder is not trusted by the initiator. Check that the certificate of the corresponding CA has been installed and is trusted. |
| 1 | none | No matching peer config found | The initiator is sending an identifier that is not known by the responder (may be caused by NAT operation on the link). |
| 2 | IPSEC SA establishment failed: received TS_UNACCEPTABLE notify error | The received traffic selectors did not match: X | Check the traffic endpoints on the initiator and responder. |
| 2 | IPSEC SA establishment failed: received NO_PROPOSAL_CHOSEN notify error | No acceptable proposal found | Check the compatibility of phase 2 proposals on the initiator and responder. This situation might occur during the phase 2 renewal only in the event of a different PFS DH group on both peers. |

 

Article details

Article ID: 102
Date added: 08-02-2023 10:12:49

Content on this page is the property of SerwiTECH and may not be copied without the written consent of SerwiTECH.