SRX Services Gateway

VPN issues IKEv2 KMD_VPN_TS_MISMATCH

04-01-2018 12:57 PM

We have an IPsec site-to-site VPN from an SRX300 to a SonicWall. The VPN connection is working, but after x hours the VPN gets dropped and is re-established after 5 minutes. I have investigated the logs of the SonicWall and the SRX300 device and I found the following error logs in the kmd logs:


Apr 1 14:28:36 i3d-r1 kmd[1902]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: ipsec-vpn-cfgr, Peer Proposed traffic-selector local-ip: none(), Peer Proposed traffic-selector remote-ip: none()
Apr 1 14:28:36 i3d-r1 kmd[1902]: IPSec negotiation failed with error: TS unacceptable. IKE Version: 2, VPN: ipsec-vpn-cfgr Gateway: ike-gate-cfgr, Local: LOCAL-PUBLIC-IP/500, Remote: REMOTE-SIDE-PUBLIC-IP/500, Local IKE-ID: LOCAL-PUBLIC-IP, Remote IKE-ID: REMOTE-SIDE-PUBLIC-IP, VR-ID: 0
Apr 1 14:28:40 i3d-r1 kmd[1902]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: ipsec-vpn-cfgr, Peer Proposed traffic-selector local-ip: none(), Peer Proposed traffic-selector remote-ip: none()
Apr 1 14:28:40 i3d-r1 kmd[1902]: IPSec negotiation failed with error: TS unacceptable. IKE Version: 2, VPN: ipsec-vpn-cfgr Gateway: ike-gate-cfgr, Local: LOCAL-PUBLIC-IP/500, Remote: REMOTE-SIDE-PUBLIC-IP/500, Local IKE-ID: LOCAL-PUBLIC-IP, Remote IKE-ID: REMOTE-SIDE-PUBLIC-IP, VR-ID: 0
Apr 1 14:28:44 i3d-r1 kmd[1902]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: ipsec-vpn-cfgr, Peer Proposed traffic-selector local-ip: none(), Peer Proposed traffic-selector remote-ip: none()
Apr 1 14:28:44 i3d-r1 kmd[1902]: IPSec negotiation failed with error: TS unacceptable. IKE Version: 2, VPN: ipsec-vpn-cfgr Gateway: ike-gate-cfgr, Local: LOCAL-PUBLIC-IP/500, Remote: REMOTE-SIDE-PUBLIC-IP/500, Local IKE-ID: LOCAL-PUBLIC-IP, Remote IKE-ID: REMOTE-SIDE-PUBLIC-IP, VR-ID: 0
Apr 1 14:28:48 i3d-r1 kmd[1902]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: ipsec-vpn-cfgr, Peer Proposed traffic-selector local-ip: none(), Peer Proposed traffic-selector remote-ip: none()
Apr 1 14:28:48 i3d-r1 kmd[1902]: IPSec negotiation failed with error: TS unacceptable. IKE Version: 2, VPN: ipsec-vpn-cfgr Gateway: ike-gate-cfgr, Local: LOCAL-PUBLIC-IP/500, Remote: REMOTE-SIDE-PUBLIC-IP/500, Local IKE-ID: LOCAL-PUBLIC-IP, Remote IKE-ID: REMOTE-SIDE-PUBLIC-IP, VR-ID: 0
Apr 1 14:28:52 i3d-r1 kmd[1902]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: ipsec-vpn-cfgr, Peer Proposed traffic-selector local-ip: none(), Peer Proposed traffic-selector remote-ip: none()
Apr 1 14:28:52 i3d-r1 kmd[1902]: IPSec negotiation failed with error: TS unacceptable. IKE Version: 2, VPN: ipsec-vpn-cfgr Gateway: ike-gate-cfgr, Local: LOCAL-PUBLIC-IP/500, Remote: REMOTE-SIDE-PUBLIC-IP/500, Local IKE-ID: LOCAL-PUBLIC-IP, Remote IKE-ID: REMOTE-SIDE-PUBLIC-IP, VR-ID: 0
Apr 1 14:29:53 i3d-r1 kmd[1902]: IKE negotiation failed with error: Timed out. IKE Version: 2, VPN: ipsec-vpn-cfgr Gateway: ike-gate-cfgr, Local: LOCAL-PUBLIC-IP/500, Remote: REMOTE-SIDE-PUBLIC-IP/500, Local IKE-ID: LOCAL-PUBLIC-IP, Remote IKE-ID: REMOTE-SIDE-PUBLIC-IP, VR-ID: 0: Role: Responder
Apr 1 14:29:53 i3d-r1 kmd[1902]: KMD_VPN_DOWN_ALARM_USER: VPN ipsec-vpn-cfgr from REMOTE-SIDE-PUBLIC-IP is down. Local-ip: LOCAL-PUBLIC-IP, gateway name: ike-gate-cfgr, vpn name: ipsec-vpn-cfgr, tunnel-id: 131074, local tunnel-if: st0.1, remote tunnel-ip: Not-Available, Local IKE-ID: ^EÈ^_^T, Remote IKE-ID: REMOTE-SIDE-PUBLIC-IP, AAA username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type: Static, Reason: IPSec SAs cleared as corresponding IKE SA deleted
Apr 1 14:30:00 i3d-r1 kmd[1902]: IKE negotiation failed with error: Invalid syntax. IKE Version: 2, VPN: ipsec-vpn-cfgr Gateway: ike-gate-cfgr, Local: LOCAL-PUBLIC-IP/500, Remote: REMOTE-SIDE-PUBLIC-IP/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Initiator
Apr 1 14:30:00 i3d-r1 kmd[1902]: IPSec negotiation failed with error: Invalid syntax. IKE Version: 2, VPN: ipsec-vpn-cfgr Gateway: ike-gate-cfgr, Local: LOCAL-PUBLIC-IP/500, Remote: REMOTE-SIDE-PUBLIC-IP/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
Apr 1 14:31:00 i3d-r1 kmd[1902]: IKE negotiation failed with error: Invalid syntax. IKE Version: 2, VPN: ipsec-vpn-cfgr Gateway: ike-gate-cfgr, Local: LOCAL-PUBLIC-IP/500, Remote: REMOTE-SIDE-PUBLIC-IP/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Initiator
Apr 1 14:31:00 i3d-r1 kmd[1902]: IPSec negotiation failed with error: Invalid syntax. IKE Version: 2, VPN: ipsec-vpn-cfgr Gateway: ike-gate-cfgr, Local: LOCAL-PUBLIC-IP/500, Remote: REMOTE-SIDE-PUBLIC-IP/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
Apr 1 14:32:00 i3d-r1 kmd[1902]: IKE negotiation failed with error: Invalid syntax. IKE Version: 2, VPN: ipsec-vpn-cfgr Gateway: ike-gate-cfgr, Local: LOCAL-PUBLIC-IP/500, Remote: REMOTE-SIDE-PUBLIC-IP/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Initiator
Apr 1 14:32:00 i3d-r1 kmd[1902]: IPSec negotiation failed with error: Invalid syntax. IKE Version: 2, VPN: ipsec-vpn-cfgr Gateway: ike-gate-cfgr, Local: LOCAL-PUBLIC-IP/500, Remote: REMOTE-SIDE-PUBLIC-IP/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
Apr 1 14:33:00 i3d-r1 kmd[1902]: IKE negotiation failed with error: Invalid syntax. IKE Version: 2, VPN: ipsec-vpn-cfgr Gateway: ike-gate-cfgr, Local: LOCAL-PUBLIC-IP/500, Remote: REMOTE-SIDE-PUBLIC-IP/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Initiator
Apr 1 14:33:00 i3d-r1 kmd[1902]: IPSec negotiation failed with error: Invalid syntax. IKE Version: 2, VPN: ipsec-vpn-cfgr Gateway: ike-gate-cfgr, Local: LOCAL-PUBLIC-IP/500, Remote: REMOTE-SIDE-PUBLIC-IP/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
Apr 1 14:33:56 i3d-r1 kmd[1902]: KMD_PM_SA_ESTABLISHED: Local gateway: LOCAL-PUBLIC-IP, Remote gateway: REMOTE-SIDE-PUBLIC-IP, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 0x8ebfc7b, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector: 
Apr 1 14:33:56 i3d-r1 kmd[1902]: KMD_PM_SA_ESTABLISHED: Local gateway: LOCAL-PUBLIC-IP, Remote gateway: REMOTE-SIDE-PUBLIC-IP, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 0x647814a1, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector: 
Apr 1 14:33:56 i3d-r1 kmd[1902]: KMD_VPN_UP_ALARM_USER: VPN ipsec-vpn-cfgr from REMOTE-SIDE-PUBLIC-IP is up. Local-ip: LOCAL-PUBLIC-IP, gateway name: ike-gate-cfgr, vpn name: ipsec-vpn-cfgr, tunnel-id: 131074, local tunnel-if: st0.1, remote tunnel-ip: Not-Available, Local IKE-ID: ^EÈ^_^T, Remote IKE-ID: REMOTE-SIDE-PUBLIC-IP, AAA username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type: Static
Apr 1 14:33:56 i3d-r1 kmd[1902]: IKE negotiation successfully completed. IKE Version: 2, VPN: ipsec-vpn-cfgr Gateway: ike-gate-cfgr, Local: LOCAL-PUBLIC-IP/500, Remote: REMOTE-SIDE-PUBLIC-IP/500, Local IKE-ID: LOCAL-PUBLIC-IP, Remote IKE-ID: REMOTE-SIDE-PUBLIC-IP, VR-ID: 0, Role: Responder
Apr 1 19:10:01 i3d-r1 kmd[1902]: KMD_VPN_DOWN_ALARM_USER: VPN ipsec-vpn-cfgr from REMOTE-SIDE-PUBLIC-IP is down. Local-ip: LOCAL-PUBLIC-IP, gateway name: ike-gate-cfgr, vpn name: ipsec-vpn-cfgr, tunnel-id: 131074, local tunnel-if: st0.1, remote tunnel-ip: Not-Available, Local IKE-ID: ^EÈ^_^T, Remote IKE-ID: REMOTE-SIDE-PUBLIC-IP, AAA username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type: Static, Reason: IPSec SAs cleared as corresponding IKE SA deleted
Apr 1 19:10:01 i3d-r1 kmd[1902]: KMD_PM_SA_ESTABLISHED: Local gateway: LOCAL-PUBLIC-IP, Remote gateway: REMOTE-SIDE-PUBLIC-IP, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 0x13177f86, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector: 
Apr 1 19:10:01 i3d-r1 kmd[1902]: KMD_PM_SA_ESTABLISHED: Local gateway: LOCAL-PUBLIC-IP, Remote gateway: REMOTE-SIDE-PUBLIC-IP, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 0xc7a8757a, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector: 
Apr 1 19:10:01 i3d-r1 kmd[1902]: KMD_VPN_UP_ALARM_USER: VPN ipsec-vpn-cfgr from REMOTE-SIDE-PUBLIC-IP is up. Local-ip: LOCAL-PUBLIC-IP, gateway name: ike-gate-cfgr, vpn name: ipsec-vpn-cfgr, tunnel-id: 131074, local tunnel-if: st0.1, remote tunnel-ip: Not-Available, Local IKE-ID: ^EÈ^_^T, Remote IKE-ID: REMOTE-SIDE-PUBLIC-IP, AAA username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type: Static
Apr 1 19:10:01 i3d-r1 kmd[1902]: IKE negotiation successfully completed. IKE Version: 2, VPN: ipsec-vpn-cfgr Gateway: ike-gate-cfgr, Local: LOCAL-PUBLIC-IP/500, Remote: REMOTE-SIDE-PUBLIC-IP/500, Local IKE-ID: LOCAL-PUBLIC-IP, Remote IKE-ID: REMOTE-SIDE-PUBLIC-IP, VR-ID: 0, Role: Responder

My config is:

security {
    ike {
        proposal ike-proposal-cfgr {
            authentication-method pre-shared-keys;
            dh-group group20;
            authentication-algorithm sha1;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 28800;
        }
        policy ike-policy-cfgr {
            mode main;
            proposals ike-proposal-cfgr;
            pre-shared-key ascii-text "hidden"; ## SECRET-DATA
        }
        gateway ike-gate-cfgr {
            ike-policy ike-policy-cfgr;
            address PUBLIC-IP-REMOTE-SIDE;
            local-identity inet PUBLIC-IP-LOCAL;
            external-interface lo0.0;
            general-ikeid;
            version v2-only;
        }
    }
    ipsec {
        proposal ipsec-proposal-cfgr {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 28800;
        }
        policy ipsec-policy-cfgr {
            perfect-forward-secrecy {
                keys group19;
            }
            proposals ipsec-proposal-cfgr;
        }
        vpn ipsec-vpn-cfgr {
            bind-interface st0.1;
            ike {
                gateway ike-gate-cfgr;
                ipsec-policy ipsec-policy-cfgr;
            }
            establish-tunnels immediately;
        }
    }
    policies {
        from-zone trust to-zone vpn {
            policy trust-vpn-cfgr {
                match {
                    source-address lokaalSubnet;
                    destination-address [ remoteSubnet1 remoteSubnet2 ];
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone vpn to-zone trust {
            policy vpn-trust-cfgr {
                match {
                    source-address [ remoteSubnet1 remoteSubnet2 ];
                    destination-address lokaalSubnet;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
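The kmd lines above carry the whole story of one outage (traffic-selector mismatches, a timed-out IKE negotiation, the SA teardown, four minutes of failed re-initiation, then recovery) and of a later zero-length bounce. When the question is "how often does this happen and does the interval line up with a lifetime", it helps to turn the log into a timeline rather than read it by eye. The following Python script is an added example, not code from the original post or from Juniper: it parses kmd syslog lines in the format shown above into events, counts the failure reasons per VPN, and measures how long each outage lasted and how long the tunnel stayed up between outages. The sample log is constructed here (modelled on the post's lines, with RFC 5737 documentation addresses in place of the real peers), and the year 2018 is an assumption because syslog timestamps carry none.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the kmd syslog format shown in the post; the addresses
# are RFC 5737 documentation addresses, not real peers.
SAMPLE_KMD_LOG = """\
Apr 1 14:28:36 i3d-r1 kmd[1902]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: ipsec-vpn-cfgr, Peer Proposed traffic-selector local-ip: none(), Peer Proposed traffic-selector remote-ip: none()
Apr 1 14:28:36 i3d-r1 kmd[1902]: IPSec negotiation failed with error: TS unacceptable. IKE Version: 2, VPN: ipsec-vpn-cfgr Gateway: ike-gate-cfgr, Local: 192.0.2.1/500, Remote: 198.51.100.1/500, Local IKE-ID: 192.0.2.1, Remote IKE-ID: 198.51.100.1, VR-ID: 0
Apr 1 14:28:40 i3d-r1 kmd[1902]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: ipsec-vpn-cfgr, Peer Proposed traffic-selector local-ip: none(), Peer Proposed traffic-selector remote-ip: none()
Apr 1 14:29:53 i3d-r1 kmd[1902]: IKE negotiation failed with error: Timed out. IKE Version: 2, VPN: ipsec-vpn-cfgr Gateway: ike-gate-cfgr, Local: 192.0.2.1/500, Remote: 198.51.100.1/500, Local IKE-ID: 192.0.2.1, Remote IKE-ID: 198.51.100.1, VR-ID: 0: Role: Responder
Apr 1 14:29:53 i3d-r1 kmd[1902]: KMD_VPN_DOWN_ALARM_USER: VPN ipsec-vpn-cfgr from 198.51.100.1 is down. Local-ip: 192.0.2.1, gateway name: ike-gate-cfgr, vpn name: ipsec-vpn-cfgr, tunnel-id: 131074, local tunnel-if: st0.1, Reason: IPSec SAs cleared as corresponding IKE SA deleted
Apr 1 14:30:00 i3d-r1 kmd[1902]: IKE negotiation failed with error: Invalid syntax. IKE Version: 2, VPN: ipsec-vpn-cfgr Gateway: ike-gate-cfgr, Local: 192.0.2.1/500, Remote: 198.51.100.1/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Initiator
Apr 1 14:33:56 i3d-r1 kmd[1902]: KMD_VPN_UP_ALARM_USER: VPN ipsec-vpn-cfgr from 198.51.100.1 is up. Local-ip: 192.0.2.1, gateway name: ike-gate-cfgr, vpn name: ipsec-vpn-cfgr, tunnel-id: 131074, local tunnel-if: st0.1
Apr 1 19:10:01 i3d-r1 kmd[1902]: KMD_VPN_DOWN_ALARM_USER: VPN ipsec-vpn-cfgr from 198.51.100.1 is down. Local-ip: 192.0.2.1, gateway name: ike-gate-cfgr, vpn name: ipsec-vpn-cfgr, tunnel-id: 131074, local tunnel-if: st0.1, Reason: IPSec SAs cleared as corresponding IKE SA deleted
Apr 1 19:10:01 i3d-r1 kmd[1902]: KMD_VPN_UP_ALARM_USER: VPN ipsec-vpn-cfgr from 198.51.100.1 is up. Local-ip: 192.0.2.1, gateway name: ike-gate-cfgr, vpn name: ipsec-vpn-cfgr, tunnel-id: 131074, local tunnel-if: st0.1
"""

ASSUMED_YEAR = 2018  # assumption: syslog timestamps carry no year; the post is dated 2018

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kmd\[\d+\]: (?P<msg>.*)$")
VPN_RE = re.compile(r"(?:vpn name|VPN): (?P<vpn>[\w.-]+)")
FAIL_RE = re.compile(r"^(?P<phase>IKE|IPSec) negotiation failed with error: (?P<err>[^.]+)\.")


def parse_kmd(text):
    """Turn kmd syslog lines into (timestamp, vpn name, event kind) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a kmd line; ignore
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        msg = m["msg"]
        v = VPN_RE.search(msg)
        vpn = v["vpn"] if v else None
        if msg.startswith("KMD_VPN_TS_MISMATCH"):
            kind = "ts_mismatch"
        elif msg.startswith("KMD_VPN_DOWN_ALARM_USER"):
            kind = "down"
        elif msg.startswith("KMD_VPN_UP_ALARM_USER"):
            kind = "up"
        else:
            f = FAIL_RE.match(msg)
            kind = f"{f['phase'].lower()}_fail:{f['err']}" if f else "other"
        events.append((ts, vpn, kind))
    return events


def summarize(events):
    """Per VPN: failure counts, outage lengths (down -> next up) and the time
    the tunnel stayed up between outages (up -> next down), in seconds."""
    by_vpn = defaultdict(list)
    for ts, vpn, kind in events:
        if vpn:
            by_vpn[vpn].append((ts, kind))
    report = {}
    for vpn, evs in by_vpn.items():
        evs.sort(key=lambda e: e[0])  # stable: same-second down/up keep log order
        errors = Counter(k for _, k in evs if k not in ("up", "down", "other"))
        outages, uptimes = [], []
        last_down = last_up = None
        for ts, kind in evs:
            if kind == "down":
                if last_up is not None:
                    uptimes.append(int((ts - last_up).total_seconds()))
                last_down, last_up = ts, None
            elif kind == "up":
                if last_down is not None:
                    outages.append((ts, int((ts - last_down).total_seconds())))
                last_up, last_down = ts, None
        report[vpn] = {"errors": dict(errors), "outages": outages, "uptimes": uptimes}
    return report


def looks_like_lifetime_expiry(uptime_seconds, lifetime_seconds, slack=300):
    """True when an up-interval ends within `slack` seconds of a configured lifetime,
    which is the pattern to look for when drops recur 'after x hours'."""
    return abs(uptime_seconds - lifetime_seconds) <= slack


if __name__ == "__main__":
    for vpn, rep in summarize(parse_kmd(SAMPLE_KMD_LOG)).items():
        print(vpn, rep["errors"])
        for when, secs in rep["outages"]:
            print(f"  outage ending {when:%H:%M:%S}: {secs}s")
        for secs in rep["uptimes"]:
            print(f"  stayed up {secs}s; near 28800s lifetime: "
                  f"{looks_like_lifetime_expiry(secs, 28800)}")
```

On the sample, the first outage lasts 243 seconds and the second is a same-second bounce, and the 16565-second up interval between them is nowhere near the 28800-second lifetimes in the posted config, which is the kind of observation that tells you whether a lifetime or something else (here, the peer proposing empty traffic selectors) is the thing to chase. Run it against a real `show log kmd` export by reading the file into `parse_kmd` instead of the constructed sample.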

Re: VPN issues IKEv2 KMD_VPN_TS_MISMATCH

04-02-2018 03:00 PM

One thing that can contribute to this problem is your lifetime timers.

They are the same:

ike {
    proposal ike-proposal-cfgr {
        authentication-method pre-shared-keys;
        dh-group group20;
        authentication-algorithm sha1;
        encryption-algorithm aes-256-cbc;
        lifetime-seconds 28800;

ipsec {
    proposal ipsec-proposal-cfgr {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm aes-256-cbc;
        lifetime-seconds 28800;

In general it is not recommended to set the IPsec timer to 8 hr, and it must be shorter than the IKE timer.

Usually it is set to something like 3600 sec.

I suggest you reconfigure the IPsec lifetime-seconds to 3600.

Remember that you need to do it on both peers.

It is not a negotiable parameter and must match on both devices.

Regards

Leon Smirnov

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
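The reply's check is mechanical: read both proposals, compare the two `lifetime-seconds` values, and make the IPsec one shorter. The script below is an added example, not code from the reply, the original poster or Juniper; it parses a brace-style Junos configuration excerpt into nested dictionaries, finds the `lifetime-seconds` of every IKE and IPsec proposal under `security`, flags each IPsec proposal whose lifetime is not shorter than the IKE proposals', and prints the `set` commands that would apply the 3600-second value suggested above. The configuration text is constructed from the proposals quoted in the thread; the parser is a minimal one written for this example and handles only the statement-and-block syntax seen there, not the full Junos grammar.

```python
import re

# Constructed from the two proposals quoted in the thread (other stanzas omitted).
POSTED_CONFIG = """\
security {
    ike {
        proposal ike-proposal-cfgr {
            authentication-method pre-shared-keys;
            dh-group group20;
            authentication-algorithm sha1;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 28800;
        }
    }
    ipsec {
        proposal ipsec-proposal-cfgr {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 28800;
        }
    }
}
"""

# The same config with the IPsec lifetime set to 3600, as the reply suggests.
FIXED_CONFIG = re.sub(r"(ipsec \{.*?lifetime-seconds )28800", r"\g<1>3600",
                      POSTED_CONFIG, flags=re.S)


def parse_junos(text):
    """Minimal parser for brace-style Junos config: blocks become nested dicts,
    leaf statements become keys with value None. '##' comments (for example
    the SECRET-DATA marker) are dropped. Raises on unbalanced braces."""
    root, stack, cur = {}, [], None
    cur = root
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            child = cur.setdefault(line[:-1].strip(), {})
            stack.append(cur)
            cur = child
        elif line == "}":
            if not stack:
                raise ValueError("unexpected closing brace")
            cur = stack.pop()
        else:
            cur[line.rstrip(";")] = None
    if stack:
        raise ValueError("unbalanced braces in configuration")
    return root


def lifetimes(cfg, family):
    """Return {proposal name: lifetime-seconds} for security ike or ipsec proposals."""
    out = {}
    for key, body in cfg.get("security", {}).get(family, {}).items():
        if key.startswith("proposal "):
            name = key.split(None, 1)[1]
            for stmt in body:
                if stmt.startswith("lifetime-seconds "):
                    out[name] = int(stmt.split()[1])
    return out


def check_lifetimes(cfg):
    """List (ipsec proposal, its lifetime, ike proposal, its lifetime) for every
    IPsec proposal whose lifetime is not shorter than an IKE proposal's."""
    ike, ipsec = lifetimes(cfg, "ike"), lifetimes(cfg, "ipsec")
    return [(pn, pl, iname, il) for pn, pl in ipsec.items()
            for iname, il in ike.items() if pl >= il]


def remediation_commands(problems, new_lifetime=3600):
    """Junos set commands that shorten each flagged IPsec proposal's lifetime."""
    return [f"set security ipsec proposal {pn} lifetime-seconds {new_lifetime}"
            for pn, _, _, _ in problems]


if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        problems = check_lifetimes(parse_junos(text))
        print(label, "->", problems or "lifetimes ok")
        for cmd in remediation_commands(problems):
            print("  ", cmd)
```

The posted excerpt is flagged (both proposals at 28800) and the corrected one passes; the generated command is exactly what the reply asks for, and, as the reply also says, the same change belongs on the SonicWall side.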