Overview
The VPN tunnel between two devices fails with the error "Unknown ikev2 peer," even though all the crypto profiles, pre-shared keys and proxy IDs match. This article explains the cause of this error message.
Issue
Generally, this error is seen when building the tunnel with Microsoft Azure. However, it is not limited to Microsoft Azure and can occur with any VPN peer device. Shown below is how the error messages appear on the Palo Alto Networks firewall:
"Unknown ikev2 peer" means that there is an IKE version mismatch between the VPN peers: one peer is using IKEv1 and the other is using IKEv2. This can be verified through packet captures, as shown below.
Note: Microsoft Azure uses IKEv2 by default unless otherwise specified, which is the common cause of this error.
One peer sending an IKEv2 message:
Another peer sending an IKEv1 message:
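The version mismatch can be read directly from the fixed IKE header that both versions share. The following decoder is an added example, not part of the original article or any Palo Alto Networks tool; the two sample packets are constructed (hand-built headers, no real capture).

```python
import struct

# Fixed IKE/ISAKMP header (RFC 2408 and RFC 7296, section 3.1), 28 bytes in both versions:
# initiator SPI (8), responder SPI (8), next payload (1), version (1), exchange type (1),
# flags (1), message ID (4), length (4). The version byte is major<<4 | minor: 0x10 = IKEv1, 0x20 = IKEv2.
_HDR = struct.Struct("!8s8sBBBBII")

EXCHANGE_NAMES = {
    1: {2: "Identity Protection (Main Mode)", 4: "Aggressive", 5: "Informational", 32: "Quick Mode"},
    2: {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"},
}


def parse_ike_header(payload: bytes) -> dict:
    """Decode the fixed IKE header from a UDP/500 or UDP/4500 payload.
    On UDP/4500 (NAT-T) a 4-byte all-zero non-ESP marker precedes the header; strip it.
    A real initiator SPI is never zero, so the marker cannot be confused with one."""
    if payload[:4] == b"\x00\x00\x00\x00" and len(payload) >= _HDR.size + 4:
        payload = payload[4:]
    if len(payload) < _HDR.size:
        raise ValueError("truncated IKE header")
    ispi, _rspi, _next, version, exchange, _flags, _msg_id, length = _HDR.unpack_from(payload)
    major = version >> 4
    return {
        "version": f"IKEv{major}",
        "major": major,
        "exchange": EXCHANGE_NAMES.get(major, {}).get(exchange, f"unknown({exchange})"),
        "initiator_spi": ispi.hex(),
        "length": length,
    }


def check_peers(pkt_from_a: bytes, pkt_from_b: bytes) -> str:
    """Compare the first IKE packet seen from each peer and report a version mismatch."""
    a, b = parse_ike_header(pkt_from_a), parse_ike_header(pkt_from_b)
    if a["major"] != b["major"]:
        return (f"MISMATCH: peer A speaks {a['version']} ({a['exchange']}), "
                f"peer B speaks {b['version']} ({b['exchange']})")
    return f"OK: both peers speak {a['version']}"


def _constructed_hdr(version: int, exchange: int, next_payload: int) -> bytes:
    # Constructed sample: fixed initiator SPI, zero responder SPI, message ID 0, header-only length.
    return _HDR.pack(b"\x11" * 8, b"\x00" * 8, next_payload, version, exchange, 0x08, 0, _HDR.size)


SAMPLE_IKEV2 = _constructed_hdr(0x20, 34, 33)  # IKE_SA_INIT, next payload SA (33)
SAMPLE_IKEV1 = _constructed_hdr(0x10, 2, 1)    # Main Mode, next payload SA (1)

if __name__ == "__main__":
    print(check_peers(SAMPLE_IKEV2, SAMPLE_IKEV1))
```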
Resolution
To fix this problem, the IKE version must match on both peers.
Note: Prior to PAN-OS 7.0, the Palo Alto Networks firewall does not support IKEv2; hence, you need to change the IKE version on the VPN peer to v1. Starting from PAN-OS 7.0, you can control the IKE version from the Palo Alto Networks firewall itself.
For more information on how to change the IKE version on the Palo Alto Networks firewall, please click here.