One of the most misleading states in IPSec troubleshooting:
IKE (Phase 1) is UP
But IPSec (Phase 2) never comes up.
Many engineers get stuck here and keep restarting the tunnel.
But the issue is rarely “random”.
The real reasons Phase 2 fails
1️⃣ Crypto mismatch
Phase 1 (IKE) and Phase 2 (IPSec) proposals are negotiated separately.
AES256/SHA256 matching on Phase 1 says nothing about the ESP encryption and authentication algorithms in Phase 2.
2️⃣ PFS mismatch
One side has PFS enabled (e.g. group14), the other has it off or on a different DH group → Phase 2 dies silently.
3️⃣ Proxy-ID mismatch
Local/Remote subnets must match exactly on both ends, mirrored: your local is their remote.
A host address where a network was intended, or a /24 on one side and a /16 on the other, is enough to break it.
4️⃣ Lifetime mismatch
If SA lifetimes differ too much, some peers reject Phase 2; more often the tunnel comes up and then drops at rekey when one side expires its SA first.
IKEv2 does not negotiate lifetimes at all, so there a mismatch shows up only as rekey flapping, not as a failed negotiation.
5️⃣ Wrong tunnel interface binding
Tunnel interface exists, but sits in the wrong virtual router or security zone, so traffic is never routed into it or is dropped by policy and the Phase 2 SA is never even triggered.
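Points 1 to 4 are a pure comparison of two configs, so they can be scripted. The following is an added example, not code from the original post or from any vendor: it models each peer's Phase 2 settings in a small dataclass (the field names, the constructed HQ/BRANCH sample values and the 20% lifetime tolerance are all assumptions) and reports one finding per mismatch. Proxy-IDs are compared mirrored and normalised with Python's ipaddress module, so a host address typed where a network belongs is treated as the network it falls in.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Phase2Side:
    """One peer's IPSec (Phase 2) settings as read off that peer's config."""
    name: str
    esp_enc: Set[str]          # ESP encryption algorithms offered
    esp_auth: Set[str]         # ESP authentication algorithms offered
    pfs_group: Optional[str]   # DH group for PFS, or None when PFS is off
    local_ids: Set[str]        # proxy-ID local subnets, "a.b.c.d/n"
    remote_ids: Set[str]       # proxy-ID remote subnets, "a.b.c.d/n"
    lifetime_sec: int          # IPSec SA lifetime in seconds


def _nets(cidrs):
    # strict=False clears host bits, so "192.168.50.1/24" and
    # "192.168.50.0/24" compare equal.
    return {ipaddress.ip_network(c, strict=False) for c in cidrs}


def compare_phase2(a: Phase2Side, b: Phase2Side,
                   lifetime_tolerance: float = 0.2) -> List[str]:
    """Return one finding per Phase 2 mismatch between peers a and b.

    An empty list means the checklist passes; it does not prove the
    tunnel is routed or permitted by policy (point 5 above).
    """
    findings = []

    # 1. Crypto: the peers need at least one ESP proposal in common.
    if not (a.esp_enc & b.esp_enc):
        findings.append(f"crypto: no common ESP encryption "
                        f"({sorted(a.esp_enc)} vs {sorted(b.esp_enc)})")
    if not (a.esp_auth & b.esp_auth):
        findings.append(f"crypto: no common ESP authentication "
                        f"({sorted(a.esp_auth)} vs {sorted(b.esp_auth)})")

    # 2. PFS: on/off and the DH group must agree exactly.
    if a.pfs_group != b.pfs_group:
        findings.append(f"pfs: {a.name} uses {a.pfs_group or 'no PFS'}, "
                        f"{b.name} uses {b.pfs_group or 'no PFS'}")

    # 3. Proxy-ID: the pairs are mirrored, so a's local must be b's remote
    #    and a's remote must be b's local.
    if _nets(a.local_ids) != _nets(b.remote_ids):
        findings.append(f"proxy-id: {a.name} local {sorted(a.local_ids)} "
                        f"!= {b.name} remote {sorted(b.remote_ids)}")
    if _nets(a.remote_ids) != _nets(b.local_ids):
        findings.append(f"proxy-id: {a.name} remote {sorted(a.remote_ids)} "
                        f"!= {b.name} local {sorted(b.local_ids)}")

    # 4. Lifetime: flag when the two values differ by more than the tolerance.
    lo, hi = sorted((a.lifetime_sec, b.lifetime_sec))
    if hi - lo > lifetime_tolerance * hi:
        findings.append(f"lifetime: {a.name}={a.lifetime_sec}s, "
                        f"{b.name}={b.lifetime_sec}s differ by more than "
                        f"{int(lifetime_tolerance * 100)}%")
    return findings


# Constructed sample configs (assumed values, not from any real deployment).
HQ = Phase2Side("HQ", {"aes-256-cbc"}, {"sha256"}, "group14",
                {"10.10.0.0/16"}, {"192.168.50.0/24"}, 3600)

# BRANCH has PFS off and a /24 typed where HQ's /16 belongs; its own
# local ID is written as a host address, which normalisation accepts.
BRANCH = Phase2Side("BRANCH", {"aes-256-cbc"}, {"sha256"}, None,
                    {"192.168.50.1/24"}, {"10.10.0.0/24"}, 3600)

# The same branch after both mistakes are fixed.
FIXED_BRANCH = Phase2Side("BRANCH", {"aes-256-cbc"}, {"sha256"}, "group14",
                          {"192.168.50.0/24"}, {"10.10.0.0/16"}, 3600)


if __name__ == "__main__":
    for peer in (BRANCH, FIXED_BRANCH):
        print(f"HQ <-> {peer.name}:", compare_phase2(HQ, peer) or ["no mismatch"])
```

Populate both sides from the two peers' running configs (not from what each admin says they configured) and treat any non-empty result as the reason to stop restarting the tunnel and start editing proposals.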
Engineer vs Architect thinking
Engineer:
“Let me restart the tunnel.”
Architect:
“Let me compare proposals, PFS, Proxy-ID, lifetime, routing, and policy.”
Phase 1 only proves the two peers can authenticate each other.
Phase 2 proves real encrypted traffic can flow.
Pro tip (real life saver)
Always run:
less mp-log ikemgr.log
less mp-log vpn.log
Pair them with show vpn ike-sa and show vpn ipsec-sa to confirm which SAs actually exist on the box.
Dashboard is for monitoring.
Logs are for real troubleshooting.