
VPN Gateway: Troubleshoot IPsec-VPN connection issues

Last Updated: Mar 26, 2026

To troubleshoot an IPsec-VPN connection, use the error codes from the VPN Gateway console and the IPsec connection logs.

Background

This topic lists common IPsec-VPN connection errors and their troubleshooting methods. Use the error codes from the VPN Gateway console and the IPsec connection logs to find the corresponding solution in the summary table below and resolve the issue.

View error codes

Note
  • You cannot view error codes for an IPsec-VPN connection if it is associated with a VPN gateway created before March 21, 2019, unless the VPN gateway has been upgraded. For more information, see Upgrade a VPN gateway.

  • Error codes are available only in Chinese and English.

  • The VPN Gateway console displays health check results for an IPsec-VPN connection from the last 3 minutes. Before you view the error codes, you can reset the IPsec-VPN connection on both ends to trigger a new IPsec negotiation. Then, refresh the page to view the latest error codes.

    In Alibaba Cloud, you can change the value of Effective Immediately for the IPsec connection, save the change, and then change Effective Immediately back to its original value to trigger the IPsec protocol to restart negotiation.

Single-tunnel mode IPsec-VPN connection

If your IPsec-VPN connection is in single-tunnel mode, follow these steps to view its error code.

  1. Log on to the VPN gateway console.
  2. In the left navigation pane, choose Interconnections > VPN > IPsec Connections.

  3. In the top navigation bar, select the region where the IPsec connection is deployed.

  4. On the IPsec-VPN connection page, find the target IPsec connection and view the error code in the Connection Status column.

    You can click View Details next to the error code to view the detailed error message and solution in the Error Details panel. The solution provided in the Error Details panel is the same as the solution in the summary table of this topic.

Dual-tunnel mode IPsec-VPN connection

If your IPsec-VPN connection is in dual-tunnel mode, follow these steps to view the error codes for each tunnel.

  1. Log on to the VPN gateway console.
  2. In the left navigation pane, choose Interconnections > VPN > IPsec Connections.

  3. In the top navigation bar, select the region where the IPsec connection is deployed.

  4. On the IPsec-VPN connection page, find the target IPsec connection and click its ID.

  5. On the Tunnel tab, view the error code of the active or standby tunnel in the Connection Status column.

    You can click View Details next to the error code to view the detailed error message and solution in the Error Details panel. The solution provided in the Error Details panel is the same as the solution in the summary table of this topic.

Common errors and troubleshooting

After obtaining the error code and log information, find the corresponding troubleshooting method in the entries below by matching the error code or a log keyword.

Note

If you have diagnosed the IPsec-VPN connection by calling the DiagnoseVpnConnections API operation, match on the API-based error code given in each entry.

Each entry is headed by the console error code and lists the API-based error code, the error message, the log keyword or keywords, and the troubleshooting steps.

Peer mismatch

API-based error code: PeerMismatch

Error message: The received protocol packet does not match the customer gateway information.

Log keyword: received UNSUPPORTED_CRITICAL_PAYLOAD error

Troubleshooting:

  1. Ensure the customer gateway IP address in the IPsec connection configuration matches the peer gateway device's IP address.

  2. If the peer gateway device is configured with multiple IP addresses, ensure that the IP address configured for the customer gateway is the one currently in use by the peer gateway device.

Algorithm mismatch

API-based error code: AlgorithmMismatch

Error message: A mismatch occurred in the encryption algorithm, authentication algorithm, or DH group parameter.

Log keywords:

  • HASH mismatched

  • parsed INFORMATIONAL_V1 request

  • packet lacks expected payload

  • authentication failure

Troubleshooting:

  1. Verify that the Encryption Algorithm, Authentication Algorithm, and DH Group (Perfect Forward Secrecy) are configured identically for the IPsec connection and the peer gateway device in both the IKE Configurations and IPsec Configurations phases. If they are not identical, modify the settings to match.

  2. If the peer gateway device is configured with multiple options for the Encryption Algorithm, Authentication Algorithm, or DH Group (Perfect Forward Secrecy) in the IKE Configurations and IPsec Configurations phases, we recommend configuring the peer gateway to use the same single value for the Encryption Algorithm, Authentication Algorithm, and DH Group (Perfect Forward Secrecy) as the IPsec connection.

    Note

    On the Alibaba Cloud side, you can specify only one value for the Encryption Algorithm, Authentication Algorithm, and DH Group (Perfect Forward Secrecy) during the IKE Configurations and IPsec Configurations phases.

Encryption algorithm mismatch

API-based error code: EncryptionAlgorithmMismatch

Error message: The IPsec encryption algorithm does not match.

Log keywords:

  • invalid encryption algorithm

  • trns_id mismatched

  • rejected enctype

  • authentication failure

Troubleshooting:

  1. Verify that the Encryption Algorithm configured in the IPsec Configurations phase is identical for the IPsec connection and the peer gateway device. If not, modify the settings to match.

  2. If the peer gateway device is configured with multiple Encryption Algorithm options in the IPsec Configurations phase, we recommend that you modify the configuration of the peer gateway device so that its Encryption Algorithm is the same as the Encryption Algorithm of the IPsec connection.

Authentication algorithm mismatch

API-based error code: AuthenticationAlgorithmMismatch

Error message: The IKE authentication algorithm does not match.

Log keywords:

  • authtype mismatched

  • rejected hashtype

  • authentication failure

Troubleshooting:

  1. Verify that the Authentication Algorithm configured in the IKE Configurations phase is identical for the IPsec connection and the peer gateway device. If not, modify the settings to match.

  2. If the peer gateway device is configured with multiple Authentication Algorithm options in the IKE Configurations phase, we recommend that you modify the configuration of the peer gateway device so that its Authentication Algorithm is the same as the Authentication Algorithm of the IPsec connection.

DH group mismatch

API-based error code: DhGroupMismatch

Error message: The IKE Phase 1 DH group parameter does not match.

Log keywords:

  • received KE type 14,expected 2

  • failed to compute dh value

  • rejected dh_group

  • proposal mismatch, transform type:4

Troubleshooting:

  1. Verify that the DH Group (Perfect Forward Secrecy) configured in the IKE Configurations phase is identical for the IPsec connection and the peer gateway device. If not, modify the settings to match.

  2. If the peer gateway device is configured with multiple DH Group (Perfect Forward Secrecy) options in the IKE Configurations phase, we recommend that you modify the configuration of the peer gateway device to ensure that its DH Group (Perfect Forward Secrecy) is the same as the DH Group (Perfect Forward Secrecy) of the IPsec connection.

  3. If you have multiple IPsec connections associated with the same customer gateway, ensure that all IPsec connections use identical settings in the IKE Configurations phase, including Version, Negotiation Mode, Encryption Algorithm, Authentication Algorithm, DH Group (Perfect Forward Secrecy), and SA Life Cycle (seconds).

    Additionally, the IPsec connection's LocalId must match the peer's RemoteId, and its RemoteId must match the peer's LocalId.

Pre-shared key mismatch

API-based error code: PskMismatch

Error message: The pre-shared key parameter does not match.

Log keywords:

  • Decryption failed! mismatch of preshared secrets

  • mismatch of preshared secrets

  • invalid HASH_V1 payload length, decryption failed

  • could not decrypt payloads

  • authentication failure

Troubleshooting:

  1. Verify that the Pre-Shared Key is identical for the IPsec connection and the peer gateway device. If not, modify them to match.

    You can also modify the Pre-Shared Key for the IPsec connection and its peer gateway device at the same time. This action triggers IPsec protocol renegotiation, and the system then checks again whether the Pre-Shared Keys on both ends match.

  2. Even if the Pre-Shared Key is identical, ensure that the Encryption Algorithm, Authentication Algorithm, and DH Group (Perfect Forward Secrecy) are also identical in both the IKE Configurations and IPsec Configurations phases.

  3. If the peer gateway device is configured with multiple Encryption Algorithm, Authentication Algorithm, or DH Group (Perfect Forward Secrecy) options in the IKE Configurations and IPsec Configurations phases, we recommend that you modify the configuration of the peer gateway device so that its Encryption Algorithm, Authentication Algorithm, and DH Group (Perfect Forward Secrecy) are the same as the settings of the IPsec connection.

Peer ID mismatch

API-based error code: PeerIdMismatch

Error message: The LocalId or RemoteId does not match or is incompatible.

Log keywords:

  • does not match peers id

  • message lacks IDr payload

  • Expecting IP address type in main mode,but FQDN

  • Unknow peer id

  • Parse PEERID failed

  • received ID_I(xxx) does not match peers id

  • invalid-id-information

  • received INVALID_ID_INFORMATION error notify

Troubleshooting:

  1. Verify that the LocalId of the IPsec connection matches the RemoteId of the peer gateway device, and the RemoteId of the IPsec connection matches the LocalId of the peer gateway device. If not, modify the settings.

    • When an IPsec connection is associated with a VPN gateway, Alibaba Cloud VPN Gateway defaults to using the VPN gateway's IP address as the LocalId and the customer gateway's IP address as the RemoteId.

    • When an IPsec connection is associated with a transit router, Alibaba Cloud VPN Gateway defaults to using the IPsec connection's gateway IP address as the LocalId and the customer gateway's IP address as the RemoteId.

  2. If the IPsec connection uses IKEv1 and the Negotiation Mode is main mode, the LocalId and RemoteId must be in IP address format. Ensure that the formats of the LocalId and RemoteId are correct.

  3. Verify that the Negotiation Mode is identical for the IPsec connection and the peer gateway device. If not, modify the settings to match.

    We recommend that you set both sides to main mode. In main mode, we recommend using the IP address format for LocalId and RemoteId.

  4. If the IPsec connection uses IKEv2 and you have confirmed that the above settings are correct, also verify that the Encryption Algorithm, Authentication Algorithm, and DH Group (Perfect Forward Secrecy) are identical on both ends in the IKE Configurations and IPsec Configurations phases. If not, modify the settings to match.

DPD payload order incompatibility

API-based error code: DpdHashNotifyCompatibility

Error message: DPD payload order is incompatible.

Log keyword: ignore information because the message has no hash payload

Troubleshooting:

When the Dead Peer Detection (DPD) feature is enabled for the IPsec connection, the default DPD payload order is hash-notify. Verify that the peer gateway device's DPD payload order is also hash-notify. If it is not, change it to hash-notify.

DPD timeout

API-based error code: DpdTimeout

Error message: DPD message timed out.

Log keyword: DPD: remote seems to be dead

Troubleshooting:

  1. Verify that the Dead Peer Detection (DPD) feature is enabled on both the IPsec connection and the peer gateway device. Ensure that the DPD status is the same on both sides.

    Note

    A DPD message timeout will cause the IPsec protocol to renegotiate.

  2. Check the network quality and route settings to ensure the IPsec connection and the peer gateway device are reachable.

IKE version mismatch

API-based error code: IkeVersionMismatch

Error message: The IKE version or negotiation mode does not match.

Log keyword: unknown ikev2 peer

Troubleshooting:

  1. Verify that the IKE version is identical for the IPsec connection and the peer gateway device. If not, modify the settings to match.

    • If the peer gateway device supports automatic IKE version selection or supports both IKEv1 and IKEv2, we recommend that you explicitly specify an IKE version on the peer gateway device that matches the IKE version of the IPsec connection.

    • We recommend using IKEv2 on both ends.

  2. Verify that the Negotiation Mode is identical for the IPsec connection and the peer gateway device. If not, modify the settings to match.

Negotiation mode mismatch

API-based error code: NegotiationModeMismatch

Error message: The negotiation mode does not match.

Log keywords:

  • in Identity not acceptable Aggressive mode

  • not acceptable Identity Protection mode

Troubleshooting:

  1. Verify that the Negotiation Mode is identical for the IPsec connection and the peer gateway device. If not, modify the settings to match.

    We recommend using main mode on both ends.

  2. In some rare cases, the IPsec negotiation may still fail even when both ends are in main mode. If this occurs, try changing the negotiation mode on both ends to aggressive mode.

NAT-T mismatch

API-based error code: NatTMismatch

Error message: NAT Traversal does not match.

Log keyword: ignore the packet, received unexpecting payload type 130

Troubleshooting:

Verify that the NAT Traversal feature has the same status (enabled or disabled) on both the IPsec connection and the peer gateway device. If not, modify the settings to match.

If the peer gateway device is behind a NAT gateway, we recommend that you enable the NAT Traversal feature on both the IPsec connection and the peer gateway device.

SA lifecycle mismatch

API-based error code: LifetimeMismatch

Error message: The Lifetime parameter does not match.

Log keyword: long lifetime proposed

Troubleshooting:

Verify that the SA Life Cycle (seconds) configured in the IKE Configurations and IPsec Configurations phases is identical for the IPsec connection and the peer gateway device. If not, modify the settings to match.

The SA Life Cycle (seconds) values are not required to be identical. However, to ensure connection stability across different gateway vendors, we recommend that you configure the same SA Life Cycle (seconds) on both ends.

Security protocol mismatch

API-based error code: SecurityProtocolMismatch

Error message: The security protocol parameter does not match.

Log keyword: proto_id mismatched

Troubleshooting:

Verify that the peer gateway device uses Encapsulating Security Payload (ESP) as the security protocol. If not, change the protocol to ESP.

Alibaba Cloud VPN Gateway supports only ESP for IPsec-VPN connections. Authentication Header (AH) is not supported.

Encapsulation mode mismatch

API-based error code: EncapsulationModeMismatch

Error message: The encapsulation mode does not match.

Log keyword: encmode mismatched

Troubleshooting:

Verify that the peer gateway device uses tunnel mode as the encapsulation mode. If not, change the mode to tunnel mode.

Alibaba Cloud VPN Gateway supports only tunnel mode for IPsec-VPN connections. Transport mode is not supported.

Algorithm incompatibility

API-based error code: AlgorithmCompatibility

Error message: The algorithm is incompatible.

Log keyword: None

Troubleshooting:

The Authentication Algorithm configured for the IPsec connection and the peer gateway device in the IKE Configurations and IPsec Configurations phases is incompatible. We recommend that you use a different Authentication Algorithm on both ends, such as md5.

Traffic selector mismatch

API-based error code: TrafficSelectorMismatch

Error message: The traffic selector CIDR block parameter does not match.

Log keywords:

  • traffic selector mismatch

  • traffic selector unacceptable

  • can't find matching selector

  • received Notify type TS_UNACCEPTABLE

Troubleshooting:

  1. Check the traffic selector CIDR block configuration based on the IKE version used by the IPsec connection and ensure that it meets the following requirements:

    • If the IPsec connection uses IKEv1, the traffic selector supports only a single CIDR block.

    • If the IPsec connection uses IKEv2, the traffic selector supports multiple CIDR blocks.

      Note

      When multiple CIDR blocks are configured for an IPsec connection, differences in the IPsec negotiation mechanisms between the IPsec connection and the peer gateway device may cause some CIDR blocks to have normal connectivity while others fail. For a solution, see FAQ.

  2. Verify that the traffic selectors for the IPsec connection and the peer gateway device are configured symmetrically. Ensure that:

    • The IPsec connection's local CIDR block matches the peer's remote CIDR block.

    • The IPsec connection's remote CIDR block matches the peer's local CIDR block.

PFS mismatch

API-based error code: PfsMismatch

Error message: The IPsec Phase 2 DH group parameter does not match.

Log keywords:

  • pfs group mismatched

  • message lacks KE payload

Troubleshooting:

Verify that the status of the Perfect Forward Secrecy (PFS) feature in the IPsec Configurations phase is the same for the IPsec connection and the peer gateway device. If not, modify the settings to match.

  • If the DH Group (Perfect Forward Secrecy) in the IPsec Configurations phase of the IPsec connection is set to disabled, it means the PFS feature is disabled. You must also disable the PFS feature on the peer gateway device.

  • If the DH Group (Perfect Forward Secrecy) in the IPsec Configurations phase of the IPsec connection is set to a value other than disabled, it means the PFS feature is enabled. You must also enable the PFS feature on the peer gateway device.

We recommend enabling the PFS feature on both the IPsec connection and the peer gateway device.

Commit bit mismatch

API-based error code: CommitMismatch

Error message: The commit bit does not match.

Log keyword: None

Troubleshooting:

Check if the commit bit is enabled on the peer gateway device. If it is, disable it.

The commit bit is used to ensure that the IPsec protocol negotiation is complete before protected data is sent. Alibaba Cloud VPN Gateway does not support the commit bit configuration.

Proposal mismatch

API-based error code: ProposalMismatch

Error message: The proposal does not match.

Log keywords:

  • no proposal chosen

  • received NO_PROPOSAL_CHOSEN

  • no suitable proposal found

  • failed to get valid proposal

  • none of my proposal matched

  • no matching proposal found, sending NO_PROPOSAL_CHOSEN

  • proposal mismatch

  • couldn't find configuaration

  • ignore the packet,expecting the packet encrypted

Troubleshooting:

  1. Verify that the IKE version is identical for the IPsec connection and the peer gateway device. If not, modify the settings to match.

    We recommend using IKEv2 on both ends.

  2. Verify that all settings in the IKE Configurations phase are consistent between the IPsec connection and the peer gateway device. If not, modify the settings to meet the following requirements:

    • The Version, Negotiation Mode, Encryption Algorithm, Authentication Algorithm, DH Group (Perfect Forward Secrecy), and SA Life Cycle (seconds) parameters must be identical on both ends.

    • The LocalId of the IPsec connection must match the RemoteId of the peer gateway device, and the RemoteId of the IPsec connection must match the LocalId of the peer gateway device.

  3. Verify that all settings in the IPsec Configurations phase are identical for the IPsec connection and the peer gateway device, including Encryption Algorithm, Authentication Algorithm, DH Group (Perfect Forward Secrecy), SA Life Cycle (seconds), and NAT Traversal. If not, modify the settings to match.

    Also, ensure that the traffic selectors are configured symmetrically:

    • The local CIDR block of the IPsec connection must match the remote CIDR block of the peer gateway device.

    • The remote CIDR block of the IPsec connection must match the local CIDR block of the peer gateway device.

  4. If you have multiple IPsec connections associated with the same customer gateway, ensure that all IPsec connections use identical settings in the IKE Configurations phase, including Version, Negotiation Mode, Encryption Algorithm, Authentication Algorithm, DH Group (Perfect Forward Secrecy), and SA Life Cycle (seconds).

    Additionally, the LocalId of each IPsec connection must match the RemoteId of its corresponding peer gateway device, and the RemoteId must match the LocalId of its peer.

  5. Try resetting the IPsec-VPN connection to trigger a new IPsec negotiation.
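The consistency requirements in steps 2 through 4 above (identical IKE and IPsec settings, LocalId/RemoteId mirrored, local/remote CIDR blocks mirrored, a single CIDR block under IKEv1) written out as a pre-flight check over both ends' configuration. This is an added example, not an Alibaba Cloud tool or API; the dictionary layout, field names and sample values are assumptions constructed for the illustration.

```python
"""Pre-flight consistency check between an Alibaba Cloud IPsec connection and the
peer gateway device, mirroring the Proposal mismatch steps above. Added example;
the dict layout, field names and sample values are assumptions, not a product API."""

# Constructed sample: the IPsec connection as configured on the Alibaba Cloud side,
# which accepts exactly one value per algorithm parameter.
ALIBABA_CONNECTION = {
    "ike": {"version": "ikev2", "mode": "main", "enc": "aes256",
            "auth": "sha256", "dh": "group14", "lifetime": 86400},
    "ipsec": {"enc": "aes256", "auth": "sha256", "pfs": "group14",
              "lifetime": 86400, "nat_t": True},
    "local_id": "203.0.113.10", "remote_id": "198.51.100.7",
    "local_cidrs": {"10.0.0.0/16"}, "remote_cidrs": {"192.168.1.0/24"},
}

# Constructed sample: the peer gateway device. It may offer several proposals per
# parameter (sets), and its ids and CIDR blocks should be the mirror image of ours.
PEER_GATEWAY = {
    "ike": {"version": "ikev2", "mode": "main", "enc": {"aes256", "aes128"},
            "auth": {"sha256"}, "dh": {"group14"}, "lifetime": 86400},
    "ipsec": {"enc": {"aes256"}, "auth": {"sha1"}, "pfs": {"group14"},
              "lifetime": 28800, "nat_t": False},
    "local_id": "198.51.100.7", "remote_id": "203.0.113.10",
    "local_cidrs": {"192.168.1.0/24"}, "remote_cidrs": {"10.0.0.0/24"},
}

IKE_FIELDS = ("version", "mode", "enc", "auth", "dh", "lifetime")
IPSEC_FIELDS = ("enc", "auth", "pfs", "lifetime", "nat_t")


def _offered(value):
    """Normalise a peer setting to a set so single values and proposal lists compare alike."""
    return set(value) if isinstance(value, (set, list, tuple)) else {value}

def check_phase(phase, fields, conn, peer):
    """Findings for one phase: the peer must offer the single value the connection
    uses; extra proposals are flagged because the page recommends pinning one value."""
    findings = []
    for field in fields:
        want, offered = conn[phase][field], _offered(peer[phase][field])
        shown = sorted(map(str, offered))
        if want not in offered:
            findings.append(f"MISMATCH {phase}.{field}: connection={want!r} peer={shown}")
        elif len(offered) > 1:
            findings.append(f"WARN {phase}.{field}: peer offers {shown}, pin it to {want!r}")
    return findings

def check_symmetry(conn, peer):
    """Ids and traffic selectors must be mirrored: our LocalId is their RemoteId, etc."""
    findings = []
    if conn["local_id"] != peer["remote_id"] or conn["remote_id"] != peer["local_id"]:
        findings.append("MISMATCH ids: LocalId/RemoteId are not mirrored between the two ends")
    if conn["local_cidrs"] != peer["remote_cidrs"] or conn["remote_cidrs"] != peer["local_cidrs"]:
        findings.append("MISMATCH traffic selectors: local/remote CIDR blocks are not mirrored")
    if conn["ike"]["version"] == "ikev1" and max(len(conn["local_cidrs"]), len(conn["remote_cidrs"])) > 1:
        findings.append("MISMATCH traffic selectors: IKEv1 supports only a single CIDR block per side")
    return findings

def audit(conn, peer):
    """Run every check; an empty list means the two ends are consistent."""
    return (check_phase("ike", IKE_FIELDS, conn, peer)
            + check_phase("ipsec", IPSEC_FIELDS, conn, peer)
            + check_symmetry(conn, peer))

def mirrored_peer(conn):
    """The peer configuration that satisfies every check for the given connection."""
    return {"ike": dict(conn["ike"]), "ipsec": dict(conn["ipsec"]),
            "local_id": conn["remote_id"], "remote_id": conn["local_id"],
            "local_cidrs": set(conn["remote_cidrs"]), "remote_cidrs": set(conn["local_cidrs"])}

if __name__ == "__main__":
    for finding in audit(ALIBABA_CONNECTION, PEER_GATEWAY):
        print(finding)
```

Running the sample reports one WARN (the peer offers two IKE encryption algorithms) and four MISMATCH lines (IPsec authentication algorithm, SA lifetime, NAT Traversal status, and the non-mirrored CIDR block).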

Negotiation failed

API-based error code: NegotiationFailed

Error message: Protocol negotiation failed.

Log keyword: phase2 negotiation failed due to time up waiting for phase1

Troubleshooting:

Reset the IPsec-VPN connection to trigger a new IPsec negotiation. The system will perform the check again.

Phase 1 negotiation timeout

API-based error code: Phase1NegotiationTimeout

Error message: Negotiation failed due to a timeout while waiting for Phase 1 protocol packets.

Log keywords:

  • phase1 negotiation failed due to time up

  • ignore information because ISAKMP-SA has not been established

Troubleshooting:

  1. Verify that the peer gateway device can send and receive IPsec protocol packets.

  2. Verify that the IP address of the customer gateway associated with the IPsec connection is identical to the IP address of the peer gateway device. If not, modify the IP addresses to ensure they are identical.

  3. Check the peer gateway device for any issues, such as unexpected reboots.

  4. Verify that the peer gateway device and the IPsec connection can reach each other.

    On the peer gateway device, use commands such as ping, mtr, or traceroute to access the VPN gateway IP address or the IPsec connection's gateway IP address to confirm connectivity.

  5. VPN Gateway does not support cross-border IPsec-VPN connections. If you need to establish a cross-border connection, use Cloud Enterprise Network (CEN). For more information, see What is Cloud Enterprise Network (CEN)?

  6. Try resetting the IPsec-VPN connection to trigger a new IPsec negotiation.

Phase 2 negotiation timeout

API-based error code: Phase2NegotiationTimeout

Error message: Negotiation failed due to a timeout while waiting for Phase 2 packets.

Log keyword: None

Troubleshooting:

  1. Verify that the parameters in the IPsec Configurations phase are identical for the IPsec connection and the peer gateway device, including Encryption Algorithm, Authentication Algorithm, DH Group (Perfect Forward Secrecy), and SA Life Cycle (seconds). If not, modify the IPsec Configurations phase parameters on both ends to match.

  2. Verify that the NAT Traversal feature has the same status on the IPsec connection and the peer gateway device. Ensure that the NAT Traversal feature is either enabled on both ends or disabled on both ends.

  3. Try changing the IKE version on both the IPsec connection and the peer gateway device to either IKEv1 or IKEv2.

Cannot receive response packets from the peer

API-based error code: NoResponse

Error message: The peer gateway does not respond.

Log keywords:

  • sending retransmit 1 of request message ID 0, seq 1

  • retransmission count exceeded the limit

Troubleshooting:

  1. Verify that the peer gateway device can send and receive IPsec protocol packets.

  2. Verify that the IP address of the customer gateway associated with the IPsec connection is identical to the IP address of the peer gateway device. If not, modify the IP addresses to ensure they are identical.

  3. Check the peer gateway device for any issues, such as unexpected reboots.

  4. Verify that the peer gateway device and the IPsec connection can reach each other.

    On the peer gateway device, use commands such as ping, mtr, or traceroute to access the VPN gateway IP address or the IPsec connection's gateway IP address to confirm connectivity.

  5. Check the access control policies applied to the peer gateway device and confirm they meet the following conditions:

    • UDP ports 500 and 4500 are allowed.

    • Traffic from the IP address of the VPN gateway or the IPsec connection gateway is allowed.

  6. Try resetting the IPsec-VPN connection to trigger a new IPsec negotiation.

Received delete message from peer

API-based error code: ReceiveDeleteNotify

Error message: A delete message was received from the peer.

Log keyword: received DELETE IKE_SA

Troubleshooting:

The IPsec connection received a delete notify message from the peer gateway device. Check the peer gateway device to identify the cause.

Negotiation exception cause not diagnosed

API-based error code: NoExceptionFound

Error message: The cause of the negotiation exception was not diagnosed.

Log keyword: None

Troubleshooting:

This result may occur if the IPsec-VPN connection has not started negotiation. Reset the IPsec-VPN connection on either the Alibaba Cloud side or the peer network device.

On the Alibaba Cloud side, you can modify the value of Effective Immediately for the IPsec connection, save the change, and then change the value of Effective Immediately back to its original setting to trigger an IPsec protocol negotiation. Then, refresh the current page to view the result.
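A small triage helper that scans IPsec connection log lines for the log keywords listed in the entries above and reports the matching API-based error codes, so each hit can be looked up in the corresponding entry. This is an added example, not part of VPN Gateway or of DiagnoseVpnConnections; the patterns are transcribed from the Log keyword lines (counters such as the retransmit sequence and the KE group number are generalised to digits), and the log excerpt is constructed.

```python
"""Triage IPsec connection log lines against the Log keyword entries of this topic.
Added example, not an Alibaba Cloud tool; the sample log excerpt is constructed."""
import re

# (regex, API-based error codes). Patterns are transcribed from the Log keyword
# lines above; counters and group numbers (retransmit seq, KE type) are generalised
# to \d+. Rules are scanned in order and the first match wins, so the specific
# DH-group rule is listed before the generic ProposalMismatch rule.
RULES = [
    (r"UNSUPPORTED_CRITICAL_PAYLOAD", ("PeerMismatch",)),
    (r"mismatch of preshared secrets|invalid HASH_V1 payload length|could not decrypt payloads",
     ("PskMismatch",)),
    (r"invalid encryption algorithm|trns_id mismatched|rejected enctype", ("EncryptionAlgorithmMismatch",)),
    (r"authtype mismatched|rejected hashtype", ("AuthenticationAlgorithmMismatch",)),
    (r"received KE type \d+,expected \d+|failed to compute dh value|rejected dh_group"
     r"|proposal mismatch, transform type:4", ("DhGroupMismatch",)),
    (r"does not match peers id|message lacks IDr payload|Expecting IP address type in main mode"
     r"|Unknow peer id|Parse PEERID failed|invalid[-_]id[-_]information", ("PeerIdMismatch",)),
    (r"message has no hash payload", ("DpdHashNotifyCompatibility",)),
    (r"DPD: remote seems to be dead", ("DpdTimeout",)),
    (r"unknown ikev2 peer", ("IkeVersionMismatch",)),
    (r"not acceptable Aggressive mode|not acceptable Identity Protection mode", ("NegotiationModeMismatch",)),
    (r"received unexpecting payload type 130", ("NatTMismatch",)),
    (r"long lifetime proposed", ("LifetimeMismatch",)),
    (r"proto_id mismatched", ("SecurityProtocolMismatch",)),
    (r"encmode mismatched", ("EncapsulationModeMismatch",)),
    (r"traffic selector (mismatch|unacceptable)|can't find matching selector|TS_UNACCEPTABLE",
     ("TrafficSelectorMismatch",)),
    (r"pfs group mismatched|message lacks KE payload", ("PfsMismatch",)),
    (r"no proposal chosen|NO_PROPOSAL_CHOSEN|no suitable proposal found|failed to get valid proposal"
     r"|none of my proposal matched|proposal mismatch|couldn't find configuaration"
     r"|expecting the packet encrypted", ("ProposalMismatch",)),
    (r"phase2 negotiation failed due to time up waiting for phase1", ("NegotiationFailed",)),
    (r"phase1 negotiation failed due to time up|ISAKMP-SA has not been established",
     ("Phase1NegotiationTimeout",)),
    (r"sending retransmit \d+ of request message ID \d+|retransmission count exceeded the limit",
     ("NoResponse",)),
    (r"received DELETE IKE_SA", ("ReceiveDeleteNotify",)),
    (r"HASH mismatched|parsed INFORMATIONAL_V1 request|packet lacks expected payload", ("AlgorithmMismatch",)),
    # Listed under four entries on this page, so it is reported as four candidates.
    (r"authentication failure", ("AlgorithmMismatch", "EncryptionAlgorithmMismatch",
                                  "AuthenticationAlgorithmMismatch", "PskMismatch")),
]


def classify_line(line):
    """Return the API-based error codes suggested by one log line ([] if no keyword matches)."""
    for pattern, codes in RULES:
        if re.search(pattern, line, re.IGNORECASE):
            return list(codes)
    return []

def triage(lines):
    """Group 1-based line numbers by error code so each hit can be looked up in the entries above."""
    hits = {}
    for number, line in enumerate(lines, 1):
        for code in classify_line(line):
            hits.setdefault(code, []).append(number)
    return hits

# Constructed sample log excerpt (not a real capture).
SAMPLE_LOG = """\
12:00:01 ike[1]: sending retransmit 1 of request message ID 0, seq 1
12:00:05 ike[1]: sending retransmit 2 of request message ID 0, seq 1
12:00:40 ike[1]: received KE type 14,expected 2
12:00:40 ike[1]: proposal mismatch, transform type:4
12:00:41 ike[1]: received NO_PROPOSAL_CHOSEN
12:01:02 ike[1]: authentication failure
12:01:30 ike[1]: link is up""".splitlines()

if __name__ == "__main__":
    for code, numbers in triage(SAMPLE_LOG).items():
        print(f"{code}: lines {numbers}")
```

For the sample excerpt the retransmits map to NoResponse, the KE type and transform type:4 lines to DhGroupMismatch, the NO_PROPOSAL_CHOSEN line to ProposalMismatch, and the bare "authentication failure" line to all four entries that list it.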

Related operations

The following documents describe operations that may be useful when you troubleshoot IPsec-VPN connection issues:

Note

For help modifying the peer gateway device configuration, consult the device vendor.

References

DiagnoseVpnConnections: Diagnose IPsec-VPN connections.