topic Re: IpSec VPN Phase1 negotiation problem in General Topics

IpSec VPN Phase1 negotiation problem

Lacrymae — Wed, 10 Feb 2021 08:05:04 GMT

Hi All,

I have two 4G router and two ipsec vpn tunnel. Routers are exactly same.

VPN configs are exactly same (except Ips) one tunnel up and running but other one failed at Phase1

It gives me "IKE phase-1 negotiation is failed. Peer\'s ID payload 192.168.225.100 (type ipaddr) does not match a configured IKE gateway." error.

I global search on Palo Alto for 192.168.225 nothing return. So i have not any 192.168.225.xxx ip configuration in palo alto.

So this ip coming from 4G router? But not possible i think. Becase i configure it and router LAN is 192.168.30.0/24 so connected machine ip is 192.168.30.100

I am realy stuck at this point. Any help is appreciated.

Thanks.

Re: IpSec VPN Phase1 negotiation problem

kiwi — Wed, 10 Feb 2021 10:40:55 GMT

Hi @Lacrymae ,

The log is saying that the peer device is sending 192.168.225.100 as it's Local ID. This ID doesn't match the IKE Gateway's Peer Identification you have configured on the PA.

I'd check the peer's local ID configuration.

Cheers,

-Kiwi.

Re: IpSec VPN Phase1 negotiation problem

Lacrymae — Wed, 10 Feb 2021 14:02:54 GMT

Hi @kiwi

I use Archer MR200 for ipsec VPN setup. Double check and device LAN setting details are;

Ip Address: 192.168.30.1

Subnet:255.255.255.0

DHCP: Enable

Ip Address Pool: 192.168.30.100 - 192.168.30.199

Default Gateway: 192.168.30.1

Primary DNS: 192.168.30.1

Secondary DNS: 8.8.8.8

How it could be?

Thanks.

Re: IpSec VPN Phase1 negotiation problem

kiwi — Wed, 10 Feb 2021 15:01:48 GMT

Hi @Lacrymae ,

I'm unfamiliar with Archer MR200 but I doubt that you'll find the local ID in your device LAN settings.

Try finding the VPN setting and search for IKE policy or IKE configuration which is where I would expect your local ID and remote/peer ID should be configured.

Hope it helps !

-Kiwi.

Re: IpSec VPN Phase1 negotiation problem

Lacrymae — Thu, 11 Feb 2021 05:05:31 GMT

Hi @kiwi

I check the VPN Router side and it s ok. Let me share the details;

Remote IPSec Gateway: Palo Alto WAN Ip

Tunnel Access from Local IP address: Subnet Address

IP Address for VPN: 192.168.30.0

Subnet Mask: 255.255.255.0

Tunnel access from remote IP addresses: Subnet Address

IP Address for VPN: 20.1.0.0

Subnet Mask: 255.255.255.0

Phase 1 Configs

Mode: Main

Local Identifier Type: Local WAN IP

Remote Identifier Type: Remote WAN IP

Everythings look fine. I don't understand where came this 192.168.225.100 ip from 😞

Re: IpSec VPN Phase1 negotiation problem

A.Purohit — Tue, 03 Jun 2025 05:46:29 GMT

The solution to this is on the Palo end IKE Gateways > Remote Peer Identification: add the IP 192.168.225.100.

This is common on home scale routers and even Meraki FWs do that.

This is not an issue rather an added functionality.

Mark resolved if works for you.

Work for me.

Thanks,

Abs