BOVPN Tunnel Fails Because of IKE Version Mismatch
Applies To: Cloud-managed Fireboxes, Locally-managed Fireboxes
BOVPN tunnel negotiations fail when one endpoint uses IKEv1 and the other endpoint uses IKEv2. Both VPN endpoints must use the same Internet Key Exchange (IKE) version to complete tunnel negotiation.
Cloud-managed Fireboxes support IKEv2 only. If an endpoint attempts to negotiate with a cloud-managed Firebox and uses IKEv1, tunnel negotiation fails.
Symptoms
When a BOVPN tunnel fails because of an IKE version mismatch, you might notice these symptoms:
- The BOVPN tunnel does not establish.
- Negotiation stops at Phase 1 (IKE setup).
- Log messages show IKE version mismatch errors. Example:
  IKEv2 IKE_SA_INIT exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. GatewayEndpoint='gateway.1'. Reason=Received IKE version did not match the configured IKE version.
- No encrypted traffic passes between tunnel endpoints.
Diagnostic Steps
On each BOVPN endpoint, perform these steps:
- In the Phase 1 settings, verify the configured IKE version type (IKEv1 or IKEv2).
- Confirm that both tunnel endpoints use the same IKE version type, and verify that the endpoint supports IKEv2 if it connects to a cloud-managed Firebox.
- Review log messages for IKE version mismatch errors.
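The last diagnostic step, reviewing log messages for IKE version mismatch errors, is easy to automate when you have many tunnels or a large log export. The script below is an added example written for this article; it is not WatchGuard code. It parses the IKE_SA_INIT failure message shown in the Symptoms section, flags the lines whose Reason is the IKE version mismatch, and counts them per gateway endpoint so you know which Phase 1 settings to compare. The timestamp and process prefix on the sample lines, the second "No proposal chosen" reason, and the regular expression layout are assumptions; only the single mismatch message on this page is known.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Pattern for the IKEv2 IKE_SA_INIT failure message shown on this page.
# The exact field layout beyond that one example is an assumption; search()
# lets any timestamp or process prefix precede the message.
IKE_INIT_FAIL_RE = re.compile(
    r"IKEv2 IKE_SA_INIT exchange from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+) failed\. "
    r"GatewayEndpoint='(?P<gateway>[^']+)'\. "
    r"Reason=(?P<reason>.+?)\.?$"
)

# Substring that identifies the version-mismatch reason from the page's example.
VERSION_MISMATCH_TEXT = "IKE version did not match"


@dataclass
class IkeFailure:
    src: str
    dst: str
    gateway: str
    reason: str

    @property
    def is_version_mismatch(self) -> bool:
        return VERSION_MISMATCH_TEXT in self.reason


def parse_ike_failure(line: str) -> Optional[IkeFailure]:
    """Return an IkeFailure for an IKE_SA_INIT failure line, else None."""
    m = IKE_INIT_FAIL_RE.search(line)
    if not m:
        return None
    return IkeFailure(m["src"], m["dst"], m["gateway"], m["reason"])


def find_version_mismatches(lines: List[str]) -> List[IkeFailure]:
    """Keep only the failures whose Reason is the IKE version mismatch."""
    found = []
    for line in lines:
        failure = parse_ike_failure(line)
        if failure is not None and failure.is_version_mismatch:
            found.append(failure)
    return found


def summarize_by_gateway(failures: List[IkeFailure]) -> Dict[str, int]:
    """Count mismatch events per GatewayEndpoint so each Phase 1 setting can be checked."""
    return dict(Counter(f.gateway for f in failures))


# Constructed sample log. Only the IKE_SA_INIT message text of the first and
# third lines follows the page; prefixes and the other reasons are invented.
SAMPLE_LOG = [
    "2024-05-01 10:15:01 iked IKEv2 IKE_SA_INIT exchange from 172.16.12.82:500 "
    "to 172.16.12.81:500 failed. GatewayEndpoint='gateway.1'. "
    "Reason=Received IKE version did not match the configured IKE version.",
    "2024-05-01 10:15:03 iked IKEv2 IKE_SA_INIT exchange from 172.16.12.82:500 "
    "to 172.16.12.81:500 failed. GatewayEndpoint='gateway.1'. "
    "Reason=No proposal chosen.",
    "2024-05-01 10:15:31 iked IKEv2 IKE_SA_INIT exchange from 172.16.12.82:500 "
    "to 172.16.12.81:500 failed. GatewayEndpoint='gateway.1'. "
    "Reason=Received IKE version did not match the configured IKE version.",
    "2024-05-01 10:15:40 iked Unrelated message that the parser ignores.",
]

if __name__ == "__main__":
    mismatches = find_version_mismatches(SAMPLE_LOG)
    for f in mismatches:
        print(f"{f.gateway}: {f.src} -> {f.dst}: {f.reason}")
    # For each gateway listed, compare the Phase 1 IKE version on both endpoints.
    print(summarize_by_gateway(mismatches))
```

Run the script against a saved log export (replace SAMPLE_LOG with the file's lines); every gateway it reports is a tunnel whose Phase 1 IKE version should be compared on both endpoints, and a gateway that peers with a cloud-managed Firebox must be set to IKEv2.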
Possible Causes and Solutions
| Possible Cause | Solution |
|---|---|
| The BOVPN endpoints use different IKE versions. | Configure both sides of the BOVPN tunnel to use the same IKE version. For more information, go to: Locally-Managed: Manual Branch Office VPN Tunnels; Cloud-Managed: Configure a BOVPN to a Locally-Managed Firebox or Third-Party VPN Endpoint |
| VPN negotiation traffic does not take the intended network path. | Upgrade the endpoint firmware on the device to make sure it supports IKEv2 when it connects to a cloud-managed Firebox. For more information, go to: Locally-Managed: Configure IKEv2 Shared Settings; Cloud-Managed: Configure BOVPN Security Settings |