VPN comes up even if there is a proxy-identity mismatch

This article discusses the scenario in which a VPN comes up even when there is a proxy-id mismatch (one of the proxy-ids is a subset of the other). This is expected behavior.

Two SRX devices are directly connected. Configuration on the devices is as follows:

Device-1:

Device-2:

If ipsec-key-management is restarted on Device-1, the VPN will remain down. IKE traceoptions will display the error “No proposal chosen”:

This behavior is as per design. The behavior depends on which side is the initiator/responder in Phase-2. Since Device-2’s proxy-identity is subset of Device-1’s proxy-identity when Device-2 sends the proxy-identity first the VPN comes up.
In the above case please see the proxy-identities in Phase-2 security association detailed output:

Initiator:

Responder:

 

About the author

Prasanna

Leave a Comment