IKEv2 negotiation fails between an Quantum Spark Appliance and an Azure / AWS peer

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk172648
Technical Level
Product	Quantum Spark Appliances, IPSec VPN
Version	R77.20, R80.20
OS	Gaia Embedded
Platform / Model	1500, 1400, 1100, 700, 900
Date Created	06-Apr-2021
Last Modified	07-Apr-2021

Symptoms

The "VPN" log on the Quantum Spark Appliance shows one of these messages in the "Description" section:
- IKE failure: Informational exchange: Sending notification to peer: Invalid IKE SPI
  Example:
- Received CCSA request with an IKE SA that is not authenticated Could not allocate inbound Create Child SA exchange

Cause

Due to IKEv2 limitations, the support for Azure/AWS is limited for:

Certificate authentication
Renegotiation

Solution

No fix is required; the system is functioning as designed.

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.

Give us Feedback

Please rate this document

[1=Worst,5=Best]

Comment
	Submitting rating