Netgate Discussion Forum
Proxy ID mismatch between Juniper SSG and pfSense

IPsec
3 Posts 3 Posters 2.7k Views
sai ravi

Hi
We are trying to establish an IPsec tunnel between a Juniper SSG 350 and pfSense 2.2.4. We could see that Phase 1 is getting established between the peers. But in Phase 2 we are getting an error on the Juniper SSG stating "Negotiations have failed. Rejected an IKE packet on ethernet0/0 because the peer sent a proxy ID that did not match the one in the SA config".

Have checked the Phase 2 configurations and they look similar on both sides. Also the encryption domain seems to be the same on both ends.

Not sure what configuration change would be required in pfSense to match the proxy ID on the Juniper SSG.

      Any help is much appreciated.

jimp (Rebel Alliance Developer, Netgate)

        IIRC that does mean it's a Phase 2 network mismatch.

        Set your logs as described here:

        https://doc.pfsense.org/index.php/IPsec_Troubleshooting#Common_Errors_.28strongSwan.2C_pfSense_.3E.3D_2.2.x.29

        Then initiate from the Juniper side. pfSense will log much better detail about what is failing to match.

        Make sure the Juniper is set for policy-based IPsec and NOT route-based IPsec, too.

janstockem

Had this sometimes with SSGs if I allow them to choose between multiple proposals. It worked for me after I set up only one proposal on both sites so they don't need to negotiate for this.

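Following jimp's advice to read what pfSense (strongSwan) logs when the Juniper initiates, and janstockem's point about pinning a single proposal, here is an added example that is not code from the thread, from pfSense or from strongSwan: it parses charon-style log lines and reports which Phase 2 element fails to match. The log lines, the connection name con1000, the subnets and the proposal strings are constructed for illustration, and the exact message wording is an assumption modelled on the charon log format rather than copied from a pfSense 2.2.x box.

```python
import ipaddress
import re

# Constructed sample lines in the style of strongSwan's charon log on pfSense
# 2.2.x after a failed Phase 2 (quick mode) exchange. Connection name, subnets
# and proposals are invented; nothing here is copied from the thread.
SAMPLE_LOG = """\
charon: 11[CFG] <con1000|3> looking for a child config for 10.10.0.0/16 === 192.168.50.0/24
charon: 11[CFG] <con1000|3> proposing traffic selectors for us:
charon: 11[CFG] <con1000|3>  10.10.0.0/24
charon: 11[CFG] <con1000|3> proposing traffic selectors for other:
charon: 11[CFG] <con1000|3>  192.168.50.0/24
charon: 11[IKE] <con1000|3> no matching CHILD_SA config found
charon: 11[CFG] <con1000|3> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ
charon: 11[CFG] <con1000|3> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
"""

CHILD_RE = re.compile(r"looking for a child config for (\S+) === (\S+)")
PROPOSING_RE = re.compile(r"proposing traffic selectors for (us|other):")
TS_RE = re.compile(r"> +(\d+\.\d+\.\d+\.\d+/\d+)\s*$")
PROPOSALS_RE = re.compile(r"(received|configured) proposals: (.+)$")


def parse_charon(log):
    """Extract the peer's proxy IDs (our local === their remote, as charon
    prints them), the selectors pfSense is configured to propose, and both
    ESP proposal lists. Missing pieces stay None or empty."""
    found = {"peer": None, "us": [], "other": [], "received": [], "configured": []}
    side = None
    for line in log.splitlines():
        m = CHILD_RE.search(line)
        if m:
            found["peer"] = (ipaddress.ip_network(m.group(1)),
                             ipaddress.ip_network(m.group(2)))
            continue
        m = PROPOSING_RE.search(line)
        if m:
            side = m.group(1)  # following indented lines belong to this side
            continue
        m = TS_RE.search(line)
        if m and side:
            found[side].append(ipaddress.ip_network(m.group(1)))
            continue
        m = PROPOSALS_RE.search(line)
        if m:
            found[m.group(1)] = [p.strip() for p in m.group(2).split(",")]
        side = None  # any other line ends the current selector list
    return found


def diagnose(found):
    """Return human-readable mismatches. Proxy IDs are compared for exact
    equality: a /24 that lies inside a configured /16 is still a mismatch
    for a policy-based peer such as an SSG."""
    problems = []
    if found["peer"]:
        peer_local, peer_remote = found["peer"]
        if peer_local not in found["us"]:
            problems.append("local subnet mismatch: peer expects %s, pfSense offers %s"
                            % (peer_local, ", ".join(map(str, found["us"])) or "nothing"))
        if peer_remote not in found["other"]:
            problems.append("remote subnet mismatch: peer expects %s, pfSense offers %s"
                            % (peer_remote, ", ".join(map(str, found["other"])) or "nothing"))
    if found["received"] and found["configured"]:
        common = [p for p in found["received"] if p in found["configured"]]
        if not common:
            problems.append("no common ESP proposal: peer offered %s; pfSense has %s"
                            % ("; ".join(found["received"]), "; ".join(found["configured"])))
        elif len(found["received"]) > 1:
            # Everything matches, but the peer juggles several proposals; pin one.
            problems.append("peer offers %d proposals; configure a single identical "
                            "proposal on both sides (e.g. %s)"
                            % (len(found["received"]), common[0]))
    return problems


if __name__ == "__main__":
    for problem in diagnose(parse_charon(SAMPLE_LOG)):
        print(problem)
```

Run it against a real log by pasting the charon lines from Status > System Logs > IPsec into SAMPLE_LOG; the first finding is the one to fix in VPN > IPsec > Phase 2 (or on the SSG's policy), and the proposal finding is the case janstockem describes.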