VPN comes up even if there is a proxy-identity mismatch

This article discusses the scenario in which a VPN comes up even when there is a proxy-id mismatch (one of the proxy-ids is a subset of the other). This is expected behavior.

Two SRX devices are directly connected. Configuration on the devices is as follows:



If ipsec-key-management is restarted on Device-1, the VPN will remain down. IKE traceoptions will display the error “No proposal chosen”:

This behavior is as per design. The behavior depends on which side is the initiator/responder in Phase-2. Since Device-2’s proxy-identity is subset of Device-1’s proxy-identity when Device-2 sends the proxy-identity first the VPN comes up.
In the above case please see the proxy-identities in Phase-2 security association detailed output:




About the author


Leave a Comment