VPN Failing with Error 'Unknown ikev2 peer'

57882
Created On 09/25/18 19:48 PM - Last Modified 06/06/23 02:52 AM


Overview

The VPN tunnel between two devices fails with the error "Unknown ikev2 peer," even though all the crypto profiles, pre-shared keys and proxy IDs match. This article explains the cause of this error message.

Issue

Generally, this error is seen when building the tunnel with Microsoft Azure. However, it is not limited to Microsoft Azure and can occur with any VPN peer device. Shown below is how the error messages appear on the Palo Alto Networks firewall:

[Screenshot: "Unknown ikev2 peer" error messages as seen on the firewall]


"Unknown ikev2 peer" means that there is an IKE version mismatch between the VPN peers: one peer is using IKEv1 and the other is using IKEv2. This can be verified in packet captures, as shown below.

Note: Microsoft Azure uses IKEv2 by default unless specified otherwise, and this is the common cause of the error.


One peer sending an IKEv2 message:

[Screenshot: packet capture showing an IKEv2 message]

Another peer sending an IKEv1 message:

[Screenshot: packet capture showing an IKEv1 message]
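The packet captures above are read by looking at the fixed ISAKMP/IKE header, which IKEv1 (RFC 2408) and IKEv2 (RFC 7296) share: the version byte and the exchange type tell you which version each peer is sending. The following Python is an added example, not code from the article or from Palo Alto Networks, that does this check on the raw UDP 500/4500 payload bytes; the two packets it inspects (`PEER_A_PACKET`, `PEER_B_PACKET`) are constructed inline by `build_ike_packet` for the demo rather than taken from a real capture.

```python
"""Identify which IKE version each VPN peer is sending, from raw IKE packet bytes.

Added example (not part of the original article). It parses the 28-byte header
common to IKEv1 and IKEv2 and reports a version mismatch such as the one behind
the "Unknown ikev2 peer" error. The sample packets are constructed, not captured.
"""
import struct

# Fixed header: initiator SPI, responder SPI, next payload, version
# (major << 4 | minor), exchange type, flags, message ID, total length.
IKE_HEADER = struct.Struct("!8s8sBBBBII")

# Exchange types that identify the version in practice.
IKEV1_EXCHANGES = {2: "Main Mode", 4: "Aggressive Mode", 5: "Informational", 32: "Quick Mode"}
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}


def parse_ike_header(payload: bytes) -> dict:
    """Return the IKE version and exchange type found in a UDP 500/4500 payload.

    Raises ValueError when the bytes cannot be an IKE message, so that an
    unrelated UDP packet is never misreported as an IKE version mismatch.
    """
    if len(payload) < IKE_HEADER.size:
        raise ValueError("payload shorter than the 28-byte IKE header")
    ispi, rspi, next_payload, version, exch, flags, msg_id, length = IKE_HEADER.unpack_from(payload)
    major, minor = version >> 4, version & 0x0F
    if major == 1:
        exchange = IKEV1_EXCHANGES.get(exch, f"unknown({exch})")
    elif major == 2:
        exchange = IKEV2_EXCHANGES.get(exch, f"unknown({exch})")
    else:
        raise ValueError(f"unsupported IKE major version {major}")
    if length != len(payload):
        raise ValueError(f"header length {length} does not match payload length {len(payload)}")
    return {
        "ike_version": f"IKEv{major}",
        "major": major,
        "minor": minor,
        "exchange": exchange,
        "initiator_spi": ispi.hex(),
        "responder_spi": rspi.hex(),
        "next_payload": next_payload,
    }


def ike_versions_match(pkt_from_a: bytes, pkt_from_b: bytes) -> bool:
    """True when both peers speak the same IKE major version."""
    return parse_ike_header(pkt_from_a)["major"] == parse_ike_header(pkt_from_b)["major"]


def describe_mismatch(pkt_from_a: bytes, pkt_from_b: bytes) -> str:
    """One-line diagnosis suitable for a troubleshooting note."""
    a, b = parse_ike_header(pkt_from_a), parse_ike_header(pkt_from_b)
    if a["major"] == b["major"]:
        return f"both peers use {a['ike_version']}"
    return (f"IKE version mismatch: peer A sends {a['ike_version']} {a['exchange']}, "
            f"peer B sends {b['ike_version']} {b['exchange']}")


def build_ike_packet(major: int, exchange_type: int, next_payload: int,
                     initiator_spi: bytes, body: bytes = b"") -> bytes:
    """Construct a minimal IKE message (header plus opaque body) for the demo."""
    flags = 0x08 if major == 2 else 0x00  # IKEv2 sets the Initiator flag (bit 3)
    header = IKE_HEADER.pack(initiator_spi, bytes(8), next_payload, major << 4,
                             exchange_type, flags, 0, IKE_HEADER.size + len(body))
    return header + body


# Constructed samples: peer A opens with IKEv2 IKE_SA_INIT (next payload 33 = SA),
# peer B opens with IKEv1 Main Mode (next payload 1 = SA), i.e. the article's scenario.
PEER_A_PACKET = build_ike_packet(2, 34, 33, b"\x11" * 8, body=b"\x00" * 16)
PEER_B_PACKET = build_ike_packet(1, 2, 1, b"\x22" * 8, body=b"\x00" * 16)

if __name__ == "__main__":
    print(describe_mismatch(PEER_A_PACKET, PEER_B_PACKET))
```

To use it on a real capture, feed `parse_ike_header` the UDP payload of the first packet each peer sends (for UDP 4500, skip the 4-byte non-ESP marker first); a header that does not parse is simply not IKE and should not be counted as a mismatch.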

 

Resolution

To fix this problem, the IKE version must match on both peers.

Note: Prior to PAN-OS 7.0, the Palo Alto Networks firewall does not support IKEv2, so you need to change the IKE version on the VPN peer to IKEv1. Starting from PAN-OS 7.0, you can set the IKE version on the Palo Alto Networks firewall itself.

For more information on how to change the IKE version on the Palo Alto Networks firewall, please click here.
