Hi everyone
I’m trying to set up a site-to-site VPN connection, and am now at a point where two IKE messages from my end are answered by the other end, but the third message does not receive an answer.
The admin from the other side can see on his firewall that an IKE packet from me was rejected:
That admin is telling me that’s because I have “Peer ID enabled”. So how can I disable it?
Here’s one thing I tried - without success:
# set vpn ipsec site-to-site peer x.x.x.x authentication id ""
invalid ID ""
Value validation failed
Set failed
Here’s my configuration, which makes clear that I did not set up a Peer ID explicitly in the authentication {} groups.
vpn {
    ipsec {
        esp-group ESP-1W {
            compression disable
            lifetime 4800
            mode tunnel
            pfs dh-group20
            proposal 1 {
                encryption aes256
                hash sha256
            }
        }
        ike-group IKE-1W {
            ikev2-reauth no
            key-exchange ikev1
            lifetime 86400
            proposal 1 {
                dh-group 20
                encryption aes256
                hash sha256
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        nat-traversal enable
        site-to-site {
            peer x.x.x.x {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                default-esp-group ESP-1W
                ike-group IKE-1W
                ikev2-reauth inherit
                local-address 192.168.30.34
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group ESP-1W
                    local {
                        prefix z.z.z.z/32
                    }
                    remote {
                        prefix a.a.a.a/32
                    }
                }
            }
            peer y.y.y.y {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                default-esp-group ESP-1W
                ike-group IKE-1W
                ikev2-reauth inherit
                local-address 192.168.30.34
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group ESP-1W
                    local {
                        prefix z.z.z.z/32
                    }
                    remote {
                        prefix b.b.b.b/32
                    }
                }
            }
        }
    }
}
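As an added example (not part of the post above, and not EdgeOS/VyOS code), here is a small parser for the brace-style configuration format shown in the post. It reads a config dump, builds a nested dictionary, and reports per site-to-site peer which `authentication` leaves are explicitly present, so you can confirm from the running config whether an `authentication id` (the key the failed `set` command in the post refers to) is set. The sample config is constructed: peer x.x.x.x mirrors the post's configuration with its placeholders kept, while peer y.y.y.y is given a hypothetical `id my-local-id` purely to show how an explicit ID would be detected.

```python
"""Parse an EdgeOS/VyOS-style brace configuration and report, for each
site-to-site peer, which authentication settings are explicitly configured.
Added example, not code from the original post or from EdgeOS/VyOS."""

# Constructed sample config: peer x.x.x.x copies the post's authentication
# block (no explicit id); peer y.y.y.y is hypothetical and sets one.
SAMPLE_CONFIG = """
vpn {
    ipsec {
        site-to-site {
            peer x.x.x.x {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                local-address 192.168.30.34
            }
            peer y.y.y.y {
                authentication {
                    id my-local-id
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                local-address 192.168.30.34
            }
        }
    }
}
"""


def parse_config(text):
    """Return a nested dict for the brace format.

    'name value {' opens a block stored at tree[name][value],
    'name {' opens tree[name], and 'name value' stores a leaf string.
    Raises ValueError if the braces do not balance.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unexpected closing brace")
            stack.pop()
            continue
        if line.endswith("{"):
            # Every whitespace-separated token before '{' is one nesting level.
            node = stack[-1]
            for key in line[:-1].split():
                node = node.setdefault(key, {})
            stack.append(node)
            continue
        key, _, value = line.partition(" ")
        stack[-1][key] = value.strip()
    if len(stack) != 1:
        raise ValueError("unbalanced braces in configuration")
    return root


def peer_auth_settings(tree):
    """Map each site-to-site peer address to a copy of its authentication leaves."""
    peers = (tree.get("vpn", {}).get("ipsec", {})
             .get("site-to-site", {}).get("peer", {}))
    return {addr: dict(cfg.get("authentication", {})) for addr, cfg in peers.items()}


def peers_without_explicit_id(tree):
    """Return the sorted list of peers whose authentication block has no 'id' leaf."""
    return sorted(addr for addr, auth in peer_auth_settings(tree).items()
                  if "id" not in auth)


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for addr, auth in peer_auth_settings(cfg).items():
        print(addr, auth)
    print("peers without explicit id:", peers_without_explicit_id(cfg))
```

The parser treats every token before a `{` as a nesting level, which is what makes `peer x.x.x.x {` and `proposal 1 {` land under `peer` and `proposal` respectively; it deliberately does nothing with the redacted `pre-shared-secret` values beyond storing the string as it appears.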