Proxy ID mismatch between Juniper SSG and pfSense



  • Hi
    We are trying to establish an IPsec tunnel between a Juniper SSG 350 and pfSense 2.2.4. We could see that Phase 1 is getting established between the peers. But in Phase 2 we are getting an error on the Juniper SSG stating "Negotiations have failed. Rejected an IKE packet on ethernet0/0 because the peer sent a proxy ID that did not match the one in the SA config".

    Have checked the Phase 2 configurations and they look similar on both sides. Also, the encryption domain seems to be the same on both ends.

    Not sure what configuration change would be required in pfSense to match the proxy ID on the Juniper SSG.

    Any help is much appreciated.


  • Rebel Alliance Developer Netgate

    IIRC that does mean it's a Phase 2 network mismatch.

    Set your logs as described here:

    https://doc.pfsense.org/index.php/IPsec_Troubleshooting#Common_Errors_.28strongSwan.2C_pfSense_.3E.3D_2.2.x.29

    Then initiate from the Juniper side. pfSense will log much better detail about what is failing to match.

    Make sure the Juniper is set for policy-based IPsec and NOT route-based IPsec, too.



  • Had this sometimes with SSGs if I allow them to choose between multiple proposals. It worked for me after I set up only one proposal on both sides so they don't need to negotiate for this.
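A small check illustrating the two answers above (added example, not code from the thread, from Netgate or from Juniper), using constructed subnets and proposal names: it mirrors the Juniper proxy-id against pfSense's Phase 2 local/remote networks, flags the 0.0.0.0/0 proxy-id a route-based SSG VPN presents, and warns when either side offers more than one Phase 2 proposal.

```python
from ipaddress import ip_network

# Constructed sample Phase 2 data; the thread does not give the real subnets.
PFSENSE_P2 = {
    "selectors": [("192.168.10.0/24", "10.20.0.0/16")],  # (local, remote)
    "proposals": ["aes256-sha256"],
}
JUNIPER_P2 = {
    "selectors": [("10.20.0.0/16", "192.168.10.0/23")],  # (local, remote)
    "proposals": ["aes256-sha256", "3des-sha1"],
}


def _net(cidr):
    """Parse a CIDR string, tolerating host bits set in the address."""
    return ip_network(cidr, strict=False)


def check_phase2(pfsense, juniper):
    """Return a list of findings; an empty list means the peers should agree."""
    findings = []
    # Juniper's proxy-id (local, remote) must equal pfSense's (remote, local),
    # so flip the Juniper entries into pfSense's point of view before comparing.
    jun_mirror = {(_net(r), _net(l)) for l, r in juniper["selectors"]}
    for local, remote in pfsense["selectors"]:
        pair = (_net(local), _net(remote))
        if pair in jun_mirror:
            continue
        # Overlapping but unequal networks are the classic "looks the same" mismatch.
        near = [m for m in jun_mirror
                if m[0].overlaps(pair[0]) and m[1].overlaps(pair[1])]
        if near:
            findings.append(f"selector {local} -> {remote} overlaps but is not identical "
                            f"to Juniper proxy-id {near[0][1]} -> {near[0][0]}")
        else:
            findings.append(f"selector {local} -> {remote} has no counterpart on the Juniper")
    # A route-based SSG VPN advertises 0.0.0.0/0 <-> 0.0.0.0/0 as its proxy-id.
    if any(a.prefixlen == 0 and b.prefixlen == 0 for a, b in jun_mirror):
        findings.append("Juniper proxy-id is 0.0.0.0/0 <-> 0.0.0.0/0: typical of a route-based VPN")
    if len(juniper["proposals"]) > 1 or len(pfsense["proposals"]) > 1:
        findings.append("more than one Phase 2 proposal configured; pin a single matching one")
    return findings


if __name__ == "__main__":
    for line in check_phase2(PFSENSE_P2, JUNIPER_P2) or ["Phase 2 selectors mirror correctly"]:
        print(line)
```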