This article explains how to troubleshoot IPsec tunnel issues and interpret related error codes for effective diagnosis and resolution.
Start by reviewing the View IPsec Logs article to locate IPsec logs within the Timus Manager.
Here are the IPsec error codes for both Initiators and Responders, along with their corresponding fixes.
| Failure Type | Error (Initiator) | Error (Responder) | Fix |
|---|---|---|---|
| IPsec connection issue | Peer not responding | Peer not responding | Ensure UDP ports 4500 and 500, as well as the ESP protocol (IP protocol 50), are allowed on both the Timus firewall and the MSP's on-prem firewall. |
| Phase 1 DH mismatch | NO_PROPOSAL_CHOSEN | MODP mismatch | Match the MODP/DH group on both sides. |
| Phase 1 identifier mismatch | AUTHENTICATION_FAILED | no peer config found | Match the IKE IDs. |
| Phase 1 mode mismatch | AUTHENTICATION_FAILED | Aggressive Mode PSK disabled | Use the same mode (Main or Aggressive) on both sides. |
| Phase 1 encryption mismatch | NO_PROPOSAL_CHOSEN | AES 128 vs AES 256 mismatch | Match the IKE encryption algorithm. |
| Phase 1 hash mismatch | NO_PROPOSAL_CHOSEN | missing HMAC in initiator proposal | Match the hash (HMAC) algorithms. |
| Phase 1 PSK mismatch | invalid HASH_V1 and could not decrypt payloads | invalid ID_V1 and could not decrypt payloads | Use matching pre-shared keys. |
| Phase 2 encryption mismatch | NO_PROPOSAL_CHOSEN | ESP AES mismatch (128 vs 256) | Match the Phase 2 encryption (ESP proposals). |
| Phase 2 network mismatch | INVALID_ID_INFORMATION | no matching CHILD_SA config found | Match the Phase 2 local/remote subnet definitions. |
| Phase 2 PFS mismatch | NO_PROPOSAL_CHOSEN | no acceptable DIFFIE_HELLMAN_GROUP found | Match the PFS settings (both enabled or both disabled, and the same group). |
| Phase 1 and Phase 2 are online on Timus, but the subnets are not communicating | No errors will be visible in the Connector Logs, as this issue originates from the firewall configuration rather than the IPsec service itself. | No errors will be visible in the Connector Logs, as this issue originates from the firewall configuration rather than the IPsec service itself. | Timus: • Check that 'Create firewall rules automatically' is enabled during the Phase 1 and Phase 2 setup. • Ensure no firewall rules block the IPsec Phase 2 subnets or override the auto-created IPsec rules in Timus Manager. On-prem firewall: • Ensure that static routes are configured correctly. • Ensure proper firewall rules exist for the IPsec Phase 2 subnets and that the correct interface is selected. |
| Phase 1 Local ID and Remote ID mismatch (this happens when the IPsec endpoint on the on-prem device runs behind the main router) | remote host is behind NAT and IDir '1.1.1.1' does not match to '2.2.2.2' | remote host is behind NAT and IDir '1.1.1.1' does not match to '2.2.2.2' | The log shows that the received Remote ID (1.1.1.1) does not match the expected internal IP (2.2.2.2). Ensure NAT-T is enabled, configure NAT for IKE/ESP on the router, and set the Remote IP to the public address (e.g., 1.1.1.1) and the Remote ID to the internal address (e.g., 2.2.2.2). |
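The error strings in the table lend themselves to automated first-pass triage of a Connector log. The following is an added example, not code from the original article or from Timus, that matches strongSwan-style log lines against the table's error/fix pairs and resolves which phase an ambiguous NO_PROPOSAL_CHOSEN belongs to from the line itself or the one before it; the sample log lines, the shortened fix wording and the Phase 2 context markers are constructed assumptions.

```python
import re
# Ordered rules (regex, failure, fix), most specific first; wording mirrors the table.
RULES = [
    (r"peer not responding", "IPsec connection issue", "Allow UDP 500/4500 and ESP (proto 50) on both firewalls"),
    (r"IDir '(?P<got>[^']+)' does not match to '(?P<want>[^']+)'",
     "Phase 1 Local/Remote ID mismatch (peer behind NAT)",
     "Enable NAT-T; Remote IP = public address, Remote ID = internal address"),
    (r"no acceptable DIFFIE_HELLMAN_GROUP", "Phase 2 PFS mismatch", "Match PFS settings"),
    (r"no matching CHILD_SA config", "Phase 2 network mismatch", "Match Phase 2 subnets"),
    (r"could not decrypt payloads", "Phase 1 PSK mismatch", "Use matching pre-shared keys"),
    (r"no peer config found", "Phase 1 identifier mismatch", "Match IKE IDs"),
    (r"Aggressive Mode PSK disabled", "Phase 1 mode mismatch", "Use the same IKE mode"),
    (r"NO_PROPOSAL_CHOSEN", "proposal mismatch", ""),  # phase resolved in triage()
]
# Phase 2 context markers (assumed); case-sensitive so "responding" never matches "ESP".
PHASE2_CTX = re.compile(r"\bCHILD_SA\b|\bESP\b|\bQUICK_MODE\b")

def triage(lines):
    """Return [(line_no, failure, fix, details)] for every recognised line. The table
    lists NO_PROPOSAL_CHOSEN for both phases, so the phase comes from this or the previous line."""
    findings = []
    for i, line in enumerate(lines):
        for pattern, failure, fix in RULES:
            m = re.search(pattern, line)
            if not m:
                continue
            if failure == "proposal mismatch":
                context = line + " " + (lines[i - 1] if i > 0 else "")
                if PHASE2_CTX.search(context):
                    failure, fix = "Phase 2 proposal mismatch", "Match ESP proposals or PFS group"
                else:
                    failure, fix = "Phase 1 proposal mismatch", "Match IKE encryption, HMAC and DH group"
            findings.append((i + 1, failure, fix, m.groupdict()))
            break  # first matching rule wins
    return findings

# Constructed sample lines in strongSwan-style wording (not real captured logs).
SAMPLE_LOGS = [
    "12[IKE] initiating IKE_SA timus[1] to 203.0.113.10",
    "12[IKE] received NO_PROPOSAL_CHOSEN notify error",
    "13[IKE] establishing CHILD_SA lan{2}",
    "13[IKE] received NO_PROPOSAL_CHOSEN notify error",
    "14[CFG] no matching CHILD_SA config found",
    "15[IKE] remote host is behind NAT and IDir '1.1.1.1' does not match to '2.2.2.2'",
    "16[IKE] invalid HASH_V1 and could not decrypt payloads",
    "17[IKE] peer not responding, trying again (2/3)",
]
if __name__ == "__main__":
    for line_no, failure, fix, details in triage(SAMPLE_LOGS):
        print(f"line {line_no}: {failure} -> {fix} {details or ''}")
```

Feed it the lines copied from the Connector Logs view; the `details` dictionary carries the two IDs from the NAT mismatch row so the public/internal addresses can be checked against the Phase 1 configuration directly.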