IKE negotiation fails between Security Gateway and DAIP non-Centrally Managed Gateway
Version: R77, R77.10, R77.20, R77.30
IKE negotiation fails between Security Gateway and non-Centrally Managed DAIP Gateway (e.g., Locally Managed 600 / 1100 / 1200R appliance with DAIP, 3rd party peer with DAIP).
When deleting the first keys created on the 1100 appliance, the VPN tunnel will not come up until the keys are also deleted on the Security Gateway.
The tunnel therefore stays down until the keys are deleted manually on the Security Gateway, or until the negotiation times out on the Security Gateway.
A debug of the VPND daemon on the Security Gateway (per sk89940) shows that IKE negotiation fails at Main Mode packet 5 because the Security Gateway is unable to fetch the peer object and therefore cannot validate the certificate:
[vpnd ...] < FWIKE_MM_PACKET_5_FETCH_PEER > Id = ...
[vpnd ...] MMProcess5FetchPeer: stage=0; idType=3;
[vpnd ...] FwIkeP1FetchUser: entering
[vpnd ...] FwIkeP1FetchUser: vpn realm is not cert realm - fetch should fail, set: state->peer_cannot_be_user = 1, and return FWIKE_MACHINE_STATE_ERROR
The Security Gateway first tries to fetch the VPN peer, but gets an error because there is no certificate realm.
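The two debug lines quoted above (the FWIKE_MM_PACKET_5_FETCH_PEER state line followed by the FwIkeP1FetchUser "vpn realm is not cert realm" rejection) are enough to recognise this failure in a vpnd debug file without reading the whole trace. The script below is an added example, not Check Point's own code: it pairs the two lines per negotiation Id and reports each failed Main Mode packet 5 exchange. The sample log lines embedded in it are constructed from the format shown in this article (the Id values and the process-id field are made up), the default file path $FWDIR/log/vpnd.elg and the 10-line pairing window are assumptions.

```python
"""Find Main Mode packet 5 peer-fetch failures in Check Point vpnd debug output.

Added example; not part of the article or of Check Point's software.
The line format is taken from the vpnd debug excerpt in the article.
"""
import os
import re
import sys
from typing import Dict, Iterable, List, Optional, Tuple

# State-machine line that opens the packet 5 peer fetch; captures the negotiation Id.
FETCH_PEER_RE = re.compile(r"<\s*FWIKE_MM_PACKET_5_FETCH_PEER\s*>\s*Id\s*=\s*(\S+)")
# The rejection that follows when the VPN realm is not a certificate realm.
REALM_FAIL_RE = re.compile(r"FwIkeP1FetchUser: vpn realm is not cert realm")
# Assumption: the rejection appears within this many lines of the state line.
WINDOW = 10


def find_packet5_fetch_failures(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one finding per packet 5 exchange whose peer fetch was rejected.

    Each finding holds the negotiation Id from the state line and the line
    numbers of the state line and of the matching rejection line.
    """
    findings: List[Dict[str, object]] = []
    pending: Optional[Tuple[str, int]] = None  # (Id, line number) of last state line
    for lineno, line in enumerate(lines, start=1):
        m = FETCH_PEER_RE.search(line)
        if m:
            # A new packet 5 exchange starts; any earlier pending one had no rejection.
            pending = (m.group(1), lineno)
            continue
        if pending is not None and REALM_FAIL_RE.search(line):
            if lineno - pending[1] <= WINDOW:
                findings.append(
                    {"id": pending[0], "state_line": pending[1], "fail_line": lineno}
                )
            pending = None
    return findings


# Constructed sample: one negotiation (Id 7) that hits the rejection, and a second
# (Id 8) whose trace stops before any rejection, so it must not be reported.
SAMPLE_VPND_DEBUG = """\
[vpnd 12345] < FWIKE_MM_PACKET_5_FETCH_PEER > Id = 7
[vpnd 12345] MMProcess5FetchPeer: stage=0; idType=3;
[vpnd 12345] FwIkeP1FetchUser: entering
[vpnd 12345] FwIkeP1FetchUser: vpn realm is not cert realm - fetch should fail, set: state->peer_cannot_be_user = 1, and return FWIKE_MACHINE_STATE_ERROR
[vpnd 12345] < FWIKE_MM_PACKET_5_FETCH_PEER > Id = 8
[vpnd 12345] MMProcess5FetchPeer: stage=0; idType=3;
[vpnd 12345] FwIkeP1FetchUser: entering
""".splitlines()


def main(argv: List[str]) -> int:
    """Scan a vpnd debug file (argument) or the embedded sample when none is given."""
    if len(argv) > 1:
        path = argv[1]
    else:
        # Assumption: default debug file location on the Security Gateway.
        path = os.path.join(os.environ.get("FWDIR", "/opt/CPsuite/fw1"), "log", "vpnd.elg")
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings = find_packet5_fetch_failures(fh)
    else:
        findings = find_packet5_fetch_failures(SAMPLE_VPND_DEBUG)
    for f in findings:
        print(
            f"Id {f['id']}: peer fetch rejected at line {f['fail_line']} "
            f"(packet 5 state entered at line {f['state_line']}); check the peer's "
            "certificate realm / interoperable device object on the Security Gateway"
        )
    return 0 if not findings else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the path of the vpnd debug file as the only argument; without an argument it falls back to the embedded sample. A non-zero exit status means at least one rejected packet 5 exchange was found, which makes the check easy to fold into a support-collection script.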