IPsec Error Code Reference and Troubleshooting Guide

This article explains how to troubleshoot IPsec tunnel issues and interpret related error codes for effective diagnosis and resolution.

Start by reviewing the View IPsec Logs article to locate IPsec logs within the Timus Manager.

Here are the IPsec error codes for both Initiators and Responders, along with their corresponding fixes.

 

Failure Type Error (Initiator) Error (Responder) Fix
IPsec connection issue Peer not responding Peer not responding Ensure UDP ports 4500 and 500, as well as the ESP protocol (50), are allowed on both Timus and MSP's on-prem firewalls.
Phase 1 DH mismatch NO_PROPOSAL_CHOSEN MODP mismatch Match MODP/DH group
Phase 1 identifier mismatch AUTHENTICATION_FAILED no peer config found Match IKE IDs
Phase 1 mode mismatch AUTHENTICATION_FAILED Aggressive Mode PSK disabled Use same mode (Main or Aggressive)
Phase 1 encryption mismatch NO_PROPOSAL_CHOSEN AES 128 vs AES 256 mismatch Match IKE encryption
Phase 1 hash mismatch NO_PROPOSAL_CHOSEN missing HMAC in initiator proposal Match hash (HMAC) algorithms
Phase 1 PSK mismatch invalid HASH_V1 and could not decrypt payloads invalid ID_V1 and could not decrypt payloads Use matching pre-shared keys
Phase 2 encryption mismatch NO_PROPOSAL_CHOSEN ESP AES mismatch (128 vs 256) Match Phase 2 encryption (ESP proposals)
Phase 2 network mismatch INVALID_ID_INFORMATION no matching CHILD_SA config found Match Phase 2 local/remote subnet definitions
Phase 2 PFS mismatch NO_PROPOSAL_CHOSEN no acceptable DIFFIE_HELLMAN_GROUP found Match PFS settings (enable/disable or same group)
Phase 1 and Phase 2 are online on Timus, but subnets are not communicating

No errors will be visible in the Connector Logs, as this issue originates from the firewall configuration rather than the IPsec service itself.

No errors will be visible in the Connector Logs, as this issue originates from the firewall configuration rather than the IPsec service itself.

Timus
• Check if 'Create firewall rules automatically' is enabled during Phase 1 and 2 setup. 
• Ensure no firewall rules are blocking IPsec Phase 2 subnets or overwriting auto-created IPsec rules in Timus Manager.”


On-Prem Firewall:
• Ensure that static routings are configured correctly.
• Ensure proper firewall rules for IPsec Phase 2 subnets and correct interface selection. 
Phase 1 Local IDs and Remote IDs mismatch (this happens once the IPsec on the on-prem devices run behind the main router remote host is behind NAT and IDir '1.1.1.1' does not match to '2.2.2.2' remote host is behind NAT and IDir '1.1.1.1' does not match to '2.2.2.2' The log shows Remote ID (1.1.1.1) mismatches with the expected internal IP (2.2.2.2); ensure NAT-T is enabled, configure NAT for IKE/ESP, and set Remote IP to public (e.g., 1.1.1.1) and Remote ID to internal (e.g., 2.2.2.2).


 

Updated

Was this article helpful?

0 out of 0 found this helpful

Have more questions? Submit a request

Comments

0 comments

Please sign in to leave a comment.