VPN Gateway:Troubleshoot IPsec-VPN connection issues

Last Updated:Oct 09, 2023

You can troubleshoot an IPsec-VPN connection issue based on the error code and log data of the IPsec-VPN connection displayed in the VPN Gateway console.

Background information

This topic describes common IPsec-VPN issues and how to troubleshoot these issues. The VPN Gateway console displays the error codes and log data of IPsec-VPN connections. You can look up the same error codes or log data in the Common IPsec-VPN connection issues and solutions section of this topic to find the corresponding solutions.

View error codes

Note
  • If your IPsec-VPN connection is associated with a VPN gateway that was created before March 21, 2019, you cannot view the error codes of the IPsec-VPN connection. To view the error codes, you must update the VPN gateway to the latest version. For more information, see Upgrade a VPN gateway.

  • You can view only Chinese and English error codes. Other languages are not supported.

  • The VPN Gateway console displays the error codes of IPsec-VPN connection issues that were identified within the last 3 minutes. To view the error code of the most recent IPsec-VPN connection issue, reset the IPsec-VPN connection on either IPsec peer to trigger an IPsec negotiation, and then refresh the page.

    On the Alibaba Cloud side, you can change the value of the Effective Immediately parameter for the IPsec-VPN connection, save the change, and then set the Effective Immediately parameter to the original value to trigger an IPsec negotiation.

IPsec-VPN connections in single-tunnel mode

If the IPsec-VPN connections use the single-tunnel mode, refer to the following steps to view error codes.

  1. Log on to the VPN gateway console.
  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

  3. In the top navigation bar, select the region where the IPsec-VPN connection is created.

  4. On the IPsec-VPN connection page, find the IPsec-VPN connection that you want to manage and view the error code in the Connection Status column.

    [Figure: View error codes]

    You can click View Details to the right of the error code and then check the error message and solution displayed in the Error details panel. The solution displayed in the Error details panel is the same as that described in the Common IPsec-VPN connection issues and solutions section of this topic.

IPsec-VPN connections in dual-tunnel mode

If the IPsec-VPN connections use the dual-tunnel mode, refer to the following steps to view error codes.

  1. Log on to the VPN gateway console.
  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

  3. In the top navigation bar, select the region where the IPsec-VPN connection is created.

  4. On the IPsec-VPN connection page, find the IPsec-VPN connection and click its ID.

  5. In the Connection Status column of the Tunnel tab, view the error codes of the active tunnel or standby tunnel.

    [Figure: View tunnel error codes]

    You can click View Details to the right of the error code and then check the error message and solution displayed in the Error details panel. The solution displayed in the Error details panel is the same as that described in the Common IPsec-VPN connection issues and solutions section of this topic.

Common IPsec-VPN connection issues and solutions

After you obtain the error code and log data of an IPsec-VPN connection, you can look up the same error code or the keyword of the log entry in the following table to find the corresponding solution.

Each entry below gives the error code, the error message, the keyword of the log entry, and the solution.

Error code: The peer does not match.

Error message: The packet received does not match the customer gateway information.

Keyword of the log entry: received UNSUPPORTED_CRITICAL_PAYLOAD error

Solution:

  1. Make sure that the IP address of the customer gateway associated with the IPsec-VPN connection is the same as that of the customer gateway device.

  2. If the customer gateway device is assigned multiple IP addresses, make sure that the IP address used by the customer gateway device is specified as the IP address of the customer gateway.

Error code: The algorithm does not match.

Error message: The encryption algorithm, authentication algorithm, or DH group parameter does not match.

Keywords of the log entry:

  • HASH mismatched

  • parsed INFORMATIONAL_V1 request

  • packet lacks expected payload

  • authentication failure

Solution:

  1. Make sure that the following configurations of the IPsec-VPN connection are the same as those of the customer gateway device: the encryption algorithm, authentication algorithm, and DH group in the IKE configuration and IPsec configuration.

  2. If multiple encryption algorithms, authentication algorithms, or DH groups are specified in the IKE configuration and IPsec configuration of the customer gateway device, we recommend that you configure the customer gateway device to use the encryption algorithm, authentication algorithm, or DH group specified for the IPsec-VPN connection.

    Note

    When you configure the IPsec-VPN connection on the Alibaba Cloud side, specify only one encryption algorithm, authentication algorithm, and DH group in the IKE configuration and IPsec configuration.

Error code: The encryption algorithm does not match.

Error message: The encryption algorithm of the IPsec-VPN connection does not match.

Keywords of the log entry:

  • invalid encryption algorithm

  • trns_id mismatched

  • rejected enctype

  • authentication failure

Solution:

  1. Make sure that the encryption algorithm in the IPsec configuration of the IPsec-VPN connection is the same as that of the customer gateway device.

  2. If multiple encryption algorithms are specified in the IPsec configuration of the customer gateway device, we recommend that you configure the customer gateway device to use the encryption algorithm specified for the IPsec-VPN connection.

Error code: The authentication algorithm does not match.

Error message: The authentication algorithm of IKE does not match.

Keywords of the log entry:

  • authtype mismatched

  • rejected hashtype

  • authentication failure

Solution:

  1. Make sure that the authentication algorithm in the IKE configuration of the IPsec-VPN connection is the same as that of the customer gateway device.

  2. If multiple authentication algorithms are specified in the IKE configuration of the customer gateway device, we recommend that you configure the customer gateway device to use the authentication algorithm specified for the IPsec-VPN connection.

Error code: The DH group does not match.

Error message: The Phase 1 DH group parameter of IKE does not match.

Keywords of the log entry:

  • received KE type 14,expected 2

  • failed to compute dh value

  • rejected dh_group

  • proposal mismatch, transform type:4

Solution:

  1. Make sure that the DH group in the IKE configuration of the IPsec-VPN connection is the same as that of the customer gateway device.

  2. If multiple DH groups are specified in the IKE configuration of the customer gateway device, we recommend that you configure the customer gateway device to use the DH group specified for the IPsec-VPN connection.

  3. If multiple IPsec-VPN connections are associated with the customer gateway, make sure that all IPsec-VPN connections use the same IKE configuration, including the version, negotiation mode, encryption algorithm, authentication algorithm, DH group, and SA lifecycle (seconds).

    The LocalId value of the IPsec-VPN connection must be the same as the RemoteId value of the customer gateway device. The RemoteId value of the IPsec-VPN connection must be the same as the LocalId value of the customer gateway device.

Error code: The pre-shared key does not match.

Error message: The pre-shared key does not match.

Keywords of the log entry:

  • Decryption failed! mismatch of preshared secrets

  • mismatch of preshared secrets

  • invalid HASH_V1 payload length, decryption failed

  • could not decrypt payloads

  • authentication failure

Solution:

  1. Make sure that the pre-shared key of the IPsec-VPN connection is the same as that of the customer gateway device.

    You can modify the pre-shared key of the IPsec-VPN connection or customer gateway device to trigger an IPsec negotiation. The system will automatically check whether the pre-shared keys on both ends are the same.

  2. If the IPsec-VPN connection and customer gateway device use the same pre-shared key, make sure that they also use the same encryption algorithm, authentication algorithm, and DH group in the IKE configuration and IPsec configuration.

  3. If multiple encryption algorithms, authentication algorithms, or DH groups are specified in the IKE configuration and IPsec configuration of the customer gateway device, we recommend that you configure the customer gateway device to use the encryption algorithm, authentication algorithm, or DH group specified for the IPsec-VPN connection.

Error code: PeerID does not match.

Error message: The LocalID or RemoteID parameter does not match or is incompatible.

Keywords of the log entry:

  • does not match peers id

  • message lacks IDr payload

  • Expecting IP address type in main mode,but FQDN

  • Unknow peer id

  • Parse PEERID failed

  • received ID_I(xxx) does not match peers id

Solution:

  1. Make sure that the LocalId value of the IPsec-VPN connection is the same as the RemoteId value of the customer gateway device and the RemoteId value of the IPsec-VPN connection is the same as the LocalId value of the customer gateway device. If the values are different, change the values.

    • If your IPsec-VPN connection is associated with a VPN gateway, the IP address of the VPN gateway is specified as the LocalId value of the IPsec-VPN connection and the IP address of the customer gateway is specified as the RemoteId value by default.

    • If your IPsec-VPN connection is associated with a transit router, the gateway IP address of the IPsec-VPN connection is specified as the LocalId value of the IPsec-VPN connection and the IP address of the customer gateway is specified as the RemoteId value by default.

  2. If the IKE version and negotiation mode of the IPsec-VPN connection are ikev1 and main, the LocalId and RemoteId parameters support only IP addresses. Make sure that the values of the LocalId and RemoteId parameters are valid.

  3. Make sure that the negotiation mode of the IPsec-VPN connection is the same as that of the customer gateway device.

    We recommend that you set the negotiation mode of the connection and customer gateway device to main and set the LocalId and RemoteId parameters in the main mode to IP addresses.

  4. If the IKE version of the IPsec-VPN connection is ikev2 and you have verified the preceding configurations, check whether the IPsec-VPN connection and customer gateway device use the same encryption algorithm, authentication algorithm, and DH group in the IKE configuration and IPsec configuration. If the configurations are different, modify the configurations.

Error code: DPD payload sequence is incompatible.

Error message: DPD payload sequence is incompatible.

Keyword of the log entry: ignore information because the message has no hash payload

Solution: In scenarios where the Dead Peer Detection (DPD) feature is enabled, the default payload sequence is hash-notify. Check whether the DPD payload sequence of the customer gateway device is hash-notify. If not, change the payload sequence to hash-notify.

Error code: DPD timed out.

Error message: DPD packets timed out.

Keyword of the log entry: DPD: remote seems to be dead

Solution:

  1. Make sure that DPD is enabled for both the IPsec-VPN connection and customer gateway device.

    Note

    DPD packet timeouts can trigger IPsec negotiations.

  2. Check the network conditions and routing configuration of the IPsec-VPN connection and customer gateway device. Make sure that no connectivity issues occur between the IPsec-VPN connection and customer gateway device.

Error code: The IKE version does not match.

Error message: The IKE version or negotiation mode does not match.

Keyword of the log entry: unknown ikev2 peer

Solution:

  1. Make sure that the IPsec-VPN connection and customer gateway device use the same IKE version.

    • If the customer gateway device supports automatic IKE version selection or supports both IKEv1 and IKEv2, we recommend that you manually specify an IKE version for the customer gateway device and configure the IPsec-VPN connection to use the same IKE version.

    • We recommend that you select the IKEv2 version.

  2. Make sure that the IPsec-VPN connection and customer gateway device use the same negotiation mode.

Error code: The negotiation mode does not match.

Error message: The negotiation mode does not match.

Keywords of the log entry:

  • in Identity not acceptable Aggressive mode

  • not acceptable Identity Protection mode

Solution:

  1. Make sure that the IPsec-VPN connection and customer gateway device use the same negotiation mode.

    We recommend that you set the negotiation mode to main.

  2. If the IPsec negotiation still fails when both the IPsec-VPN connection and customer gateway device use the main mode, you can change the negotiation mode of the IPsec-VPN connection and customer gateway device to aggressive. This issue occurs only in a few scenarios.

Error code: NAT-T does not match.

Error message: NAT traversal does not match.

Keyword of the log entry: ignore the packet, received unexpecting payload type 130

Solution: Make sure that the IPsec-VPN connection and customer gateway device use the same NAT traversal setting.

If the customer gateway device is a backend device of a NAT gateway, we recommend that you enable NAT traversal for the IPsec-VPN connection and customer gateway device.

Error code: SA Lifetime does not match.

Error message: The Lifetime parameter does not match.

Keyword of the log entry: long lifetime proposed

Solution: Make sure that the SA lifecycle (seconds) of the IPsec-VPN connection in the IKE configuration and IPsec configuration is the same as that of the customer gateway device.

The IPsec-VPN connection and customer gateway device can use different SA lifecycle (seconds) values. However, to ensure the stability of the IPsec-VPN connection when customer gateway devices from different manufacturers are used, we recommend that you configure the IPsec-VPN connection and customer gateway device to use the same SA lifecycle (seconds) value.

Error code: The security protocol does not match.

Error message: The security protocol does not match.

Keyword of the log entry: proto_id mismatched

Solution: Make sure that the customer gateway device uses Encapsulating Security Payload (ESP) as the security protocol.

VPN Gateway supports only the ESP protocol for IPsec-VPN connections. Authentication Header (AH) is not supported.

Error code: The encapsulation mode does not match.

Error message: The encapsulation mode does not match.

Keyword of the log entry: encmode mismatched

Solution: Make sure that the encapsulation mode of the customer gateway device is set to tunneling.

VPN Gateway supports only the tunneling mode for IPsec-VPN connections. The transmission mode is not supported.

Error code: The algorithm is incompatible.

Error message: The algorithm is incompatible.

Keyword of the log entry: None

Solution: If the authentication algorithm in the IKE configuration and IPsec configuration of the IPsec-VPN connection and customer gateway device is incompatible, select another authentication algorithm, such as md5.

Error code: Protected Data Flow does not match.

Error message: The Protected Data Flows parameter does not match.

Keywords of the log entry:

  • traffic selector mismatch

  • invalid-id-information

  • traffic selector unacceptable

  • can't find matching selector

  • received INVALID_ID_INFORMATION error notify

  • received Notify type TS_UNACCEPTABLE

Solution:

  1. Check the CIDR blocks of the protected data flows based on the IKE version of the IPsec-VPN connection and make sure that the CIDR blocks meet the following requirements:

    • If the IKE version of the IPsec-VPN connection is ikev1, the protected data flows support only one CIDR block.

    • If the IKE version of the IPsec-VPN connection is ikev2, the protected data flows support multiple CIDR blocks.

      Note

      If multiple CIDR blocks are configured for the IPsec-VPN connection and the IPsec negotiation configurations of the IPsec-VPN connection and customer gateway device are different, some CIDR blocks may be inaccessible. For more information about how to resolve this issue, see FAQ.

  2. Check whether the CIDR blocks of the protected data flows for the IPsec-VPN connection and customer gateway device meet the following requirements:

    • The local CIDR block of the protected data flows for the IPsec-VPN connection is the same as the peer CIDR block of the protected data flows for the customer gateway device.

    • The peer CIDR block of the protected data flows for the IPsec-VPN connection is the same as the local CIDR block of the protected data flows for the customer gateway device.

Error code: PFS does not match.

Error message: The Phase 2 DH group parameter does not match.

Keywords of the log entry:

  • pfs group mismatched

  • message lacks KE payload

Solution: Make sure that the IPsec-VPN connection and customer gateway device use the same Perfect Forward Secrecy (PFS) setting in the IPsec configuration.

  • If the DH group setting in the IPsec configuration of the IPsec-VPN connection is set to disabled, PFS is disabled for the connection. You need to disable PFS for the customer gateway device.

  • If the DH group setting in the IPsec configuration of the IPsec-VPN connection is set to a value other than disabled, PFS is enabled for the connection. You need to enable PFS for the customer gateway device.

We recommend that you enable PFS for the IPsec-VPN connection and customer gateway device.

Error code: The commit bit does not match.

Error message: The commit bit does not match.

Keyword of the log entry: None

Solution: Make sure that commits are disabled for the customer gateway device.

Commits can ensure that IPsec negotiations are completed before the protected data flows are transmitted. VPN Gateway does not support commits.

Error code: The proposal does not match.

Error message: The proposal does not match.

Keywords of the log entry:

  • no proposal chosen

  • received NO_PROPOSAL_CHOSEN

  • no suitable proposal found

  • failed to get valid proposal

  • none of my proposal matched

  • no matching proposal found, sending NO_PROPOSAL_CHOSEN

  • proposal mismatch

  • couldn't find configuaration

  • ignore the packet,expecting the packet encrypted

Solution:

  1. Make sure that the IPsec-VPN connection and customer gateway device use the same IKE version.

    We recommend that you select IKEv2.

  2. Check whether the IPsec-VPN connection and customer gateway device use the same IKE configuration. If they use different IKE configurations, modify the configurations to meet the following requirements:

    • The IPsec-VPN connection and customer gateway device use the same version, negotiation mode, encryption algorithm, authentication algorithm, DH group, and SA lifecycle (seconds).

    • The LocalId value of the IPsec-VPN connection is the same as the RemoteId value of the customer gateway device and the RemoteId value of the IPsec-VPN connection is the same as the LocalId value of the customer gateway device.

  3. Check whether the IPsec-VPN connection and customer gateway device use the same IPsec configuration, including the encryption algorithm, authentication algorithm, DH group, SA lifecycle (seconds), and NAT traversal. If they use different IPsec configurations, modify the configurations.

    Make sure that the protected data flows of the IPsec-VPN connection and customer gateway device meet the following requirements:

    • The local CIDR block of the protected data flows for the IPsec-VPN connection is the same as the peer CIDR block of the protected data flows for the customer gateway device.

    • The peer CIDR block of the protected data flows for the IPsec-VPN connection is the same as the local CIDR block of the protected data flows for the customer gateway device.

  4. If multiple IPsec-VPN connections are associated with a customer gateway, make sure that all IPsec-VPN connections use the same IKE configuration, including the version, negotiation mode, encryption algorithm, authentication algorithm, DH group, and SA lifecycle (seconds).

    The LocalId value of each IPsec-VPN connection must be the same as the RemoteId value of the customer gateway device. The RemoteId value of each IPsec-VPN connection must be the same as the LocalId value of the customer gateway device.

  5. Reset the IPsec-VPN connection to trigger an IPsec negotiation.

Error code: Negotiation failed.

Error message: Negotiation failed.

Keyword of the log entry: phase2 negotiation failed due to time up waiting for phase1

Solution: Reset the IPsec-VPN connection to trigger an IPsec negotiation. The system will check the negotiation configuration again.

Error code: Phase 1 negotiations timed out.

Error message: Phase 1 packets cannot be received and negotiation timed out.

Keywords of the log entry:

  • phase1 negotiation failed due to time up

  • ignore information because ISAKMP-SA has not been established

Solution:

  1. Make sure that the customer gateway device can receive and send IPsec packets as expected.

  2. Make sure that the IP address of the customer gateway associated with the IPsec-VPN connection is the same as that of the customer gateway device.

  3. Check for anomalies, such as unexpected restarts, in the customer gateway device.

  4. Make sure that the IPsec-VPN connection and customer gateway device can access each other.

    Run the ping, mtr, or traceroute command on the customer gateway device to check whether the IP address of the VPN gateway or the gateway IP address of the IPsec-VPN connection is accessible.

  5. VPN Gateway does not support cross-border IPsec-VPN connections. If you want to create a cross-border IPsec-VPN connection, use Cloud Enterprise Network (CEN). For more information, see What is CEN?

  6. Reset the IPsec-VPN connection to trigger an IPsec negotiation.

Error code: Phase 2 negotiations timed out.

Error message: Phase 2 packets cannot be received and negotiation timed out.

Keyword of the log entry: None

Solution:

  1. Make sure that the IPsec-VPN connection and customer gateway device use the same IPsec configuration, including the encryption algorithm, authentication algorithm, DH group, and SA lifecycle (seconds).

  2. Check whether the IPsec-VPN connection and customer gateway device use the same NAT traversal setting. Make sure that NAT traversal is either enabled on both the IPsec-VPN connection and the customer gateway device or disabled on both.

  3. Change the IKE version of both the IPsec-VPN connection and the customer gateway device to IKEv1 or IKEv2. Both ends must use the same IKE version.

Error code: Response packets cannot be received from the peer.

Error message: The peer gateway does not respond.

Keywords of the log entry:

  • sending retransmit 1 of request message ID 0, seq 1

  • retransmission count exceeded the limit

Solution:

  1. Make sure that the customer gateway device can receive and send IPsec packets as expected.

  2. Make sure that the IP address of the customer gateway associated with the IPsec-VPN connection is the same as that of the customer gateway device.

  3. Check for anomalies, such as unexpected restarts, in the customer gateway device.

  4. Make sure that the IPsec-VPN connection and customer gateway device can access each other.

    Run the ping, mtr, or traceroute command on the customer gateway device to check whether the IP address of the VPN gateway or the gateway IP address of the IPsec-VPN connection is accessible.

  5. Make sure that the access control policy of the customer gateway device meets the following requirements:

    • UDP ports 500 and 4500 are open.

    • The IP address of the VPN gateway or the gateway IP address of the IPsec-VPN connection is allowed.

  6. Reset the IPsec-VPN connection to trigger an IPsec negotiation.

Error code: The delete packet is received from the peer.

Error message: The delete packet from the peer is received.

Keyword of the log entry: received DELETE IKE_SA

Solution: If the IPsec-VPN connection receives a delete notify packet from the customer gateway device, troubleshoot the issue on the customer gateway device.

Error code: No error found.

Error message: No error found.

Keyword of the log entry: None

Solution: The IPsec-VPN connection may not have started an IPsec negotiation. Reset the IPsec-VPN connection on the Alibaba Cloud side or on the customer gateway device.

On the Alibaba Cloud side, you can change the value of the Effective Immediately parameter for the IPsec-VPN connection, save the change, and then set the Effective Immediately parameter to the original value to trigger an IPsec negotiation. Then, refresh the page and check the negotiation result.
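Most of the solutions above reduce to comparing the two ends of the tunnel parameter by parameter, with the identities and the protected data flows crossed (LocalId against RemoteId, local CIDR block against peer CIDR block). The following script, added here as an example and not part of the VPN Gateway documentation, runs those comparisons over two configuration dictionaries and reports the error codes from the table that the mismatch would produce; the field names (ike_version, local_cidrs, commit_bit and so on) and the sample values are assumptions, not console or API parameter names.

```python
"""Cross-check an IPsec-VPN connection against the customer gateway device for the
mismatches listed in the table above. Added example, not part of the VPN Gateway
documentation; the field names and the sample values below are assumptions."""
import ipaddress

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

# Parameters that must be identical on both ends, with the error code the console reports.
SAME_ON_BOTH = [
    ("ike_version", "The IKE version does not match."),
    ("ike_mode", "The negotiation mode does not match."),
    ("ike_enc", "The encryption algorithm does not match."),
    ("ike_auth", "The authentication algorithm does not match."),
    ("ike_dh_group", "The DH group does not match."),
    ("ike_lifetime", "SA Lifetime does not match."),
    ("psk", "The pre-shared key does not match."),
    ("ipsec_enc", "The encryption algorithm does not match."),
    ("ipsec_auth", "The authentication algorithm does not match."),
    ("ipsec_lifetime", "SA Lifetime does not match."),
    ("nat_traversal", "NAT-T does not match."),
]

def check_ipsec_pair(conn, device):
    """Return the error codes the two configurations would produce (empty list if consistent)."""
    findings = []
    for key, code in SAME_ON_BOTH:
        if conn.get(key) != device.get(key):
            findings.append(f"{code} ({key}: {conn.get(key)!r} vs {device.get(key)!r})")
    # PFS: "disabled" as the connection's IPsec DH group means PFS is off; otherwise the
    # device must use the same Phase 2 DH group.
    if conn.get("ipsec_dh_group") != device.get("ipsec_dh_group"):
        findings.append("PFS does not match.")
    # Identities are crossed: connection LocalId == device RemoteId and vice versa.
    if (conn.get("local_id") != device.get("remote_id")
            or conn.get("remote_id") != device.get("local_id")):
        findings.append("PeerID does not match.")
    # ikev1 in main mode accepts only IP addresses as LocalId and RemoteId.
    if conn.get("ike_version") == "ikev1" and conn.get("ike_mode") == "main":
        if not all(_is_ip(conn.get(k, "")) for k in ("local_id", "remote_id")):
            findings.append("PeerID does not match. (ikev1 main mode requires IP address identities)")
    # VPN Gateway supports only ESP in tunnel mode and does not support the commit bit.
    if device.get("protocol") != "esp":
        findings.append("The security protocol does not match.")
    if device.get("encap_mode") != "tunnel":
        findings.append("The encapsulation mode does not match.")
    if device.get("commit_bit"):
        findings.append("The commit bit does not match.")
    # Protected data flows are crossed too; ikev1 allows only one CIDR block per side.
    local, peer = set(conn.get("local_cidrs", [])), set(conn.get("peer_cidrs", []))
    if conn.get("ike_version") == "ikev1" and max(len(local), len(peer)) > 1:
        findings.append("Protected Data Flow does not match. (ikev1 supports only one CIDR block)")
    if local != set(device.get("peer_cidrs", [])) or peer != set(device.get("local_cidrs", [])):
        findings.append("Protected Data Flow does not match.")
    return findings

# Constructed sample: the device was left in aggressive mode with a different PFS
# group, and its peer CIDR block covers only one of the connection's two local blocks.
CONNECTION = {
    "ike_version": "ikev2", "ike_mode": "main", "ike_enc": "aes256", "ike_auth": "sha256",
    "ike_dh_group": "group14", "ike_lifetime": 86400, "psk": "example-psk",
    "ipsec_enc": "aes256", "ipsec_auth": "sha256", "ipsec_dh_group": "group14",
    "ipsec_lifetime": 86400, "nat_traversal": True,
    "local_id": "203.0.113.10", "remote_id": "198.51.100.20",
    "local_cidrs": ["10.0.0.0/16", "10.1.0.0/16"], "peer_cidrs": ["192.168.0.0/24"],
}
DEVICE = dict(CONNECTION, ike_mode="aggressive", ipsec_dh_group="group2",
              local_id="198.51.100.20", remote_id="203.0.113.10",
              local_cidrs=["192.168.0.0/24"], peer_cidrs=["10.0.0.0/16"],
              protocol="esp", encap_mode="tunnel", commit_bit=False)

if __name__ == "__main__":
    for finding in check_ipsec_pair(CONNECTION, DEVICE):
        print(finding)
```

The sample reports three findings (negotiation mode, PFS, and protected data flows); fixing those three fields on the device side makes the check return an empty list.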

What to do next

This section provides references for the operations that you may perform when you troubleshoot IPsec-VPN connection issues.

  • To modify the configuration of the IPsec-VPN connection, see Modify an IPsec-VPN connection.

  • You can modify only the name and description of a customer gateway after the customer gateway is created. If you want to modify the configuration of the customer gateway when you troubleshoot an IPsec-VPN connection issue, perform the following steps. The steps may vary based on the type of resource associated with the IPsec-VPN connection.

    • No resource is associated with the IPsec-VPN connection or a VPN gateway is associated with the connection

      1. Recreate a customer gateway to use the desired configuration. For more information, see Create a customer gateway.

      2. Delete the IPsec-VPN connection. For more information, see Delete an IPsec-VPN connection.

      3. Recreate an IPsec-VPN connection and associate the connection with the newly created customer gateway. For more information, see Create an IPsec-VPN connection.

      4. Delete the previous customer gateway. For more information, see Delete a customer gateway.

    • A transit router is associated with the IPsec-VPN connection

      1. Recreate a customer gateway to use the desired configuration. For more information, see Create a customer gateway.

      2. Associate the IPsec-VPN connection with the newly created customer gateway. For more information, see Modify an IPsec-VPN connection.

      3. Delete the previous customer gateway. For more information, see Delete a customer gateway.

Note

If you want to modify the configuration of the customer gateway device when you troubleshoot an IPsec-VPN connection issue, contact the manufacturer of the customer gateway device.