IKE Peer Validation error on certificate based tunnel
search cancel

IKE Peer Validation error on certificate based tunnel


Article ID: 173683


Updated On:


Cloud Secure Web Gateway - Cloud SWG


During normal operation on a certificate-based IPsec tunnel on a CISCO device, an outage will occur, and the logs will read as follows:

Jan 13 6:12:24 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, IKE Identity DN does not match peer cert DN


Certificate-based IPsec tunnel to Cloud Secure Web Gateway (Cloud SWG) coming from a CISCO device.


During IKE tunnel establishment, the peer provides its identity: either an IP address, a Fully Qualified Domain Name (FQDN), or a Distinguished Name (DN). It also presents a certificate, which contains none, some, or all of these fields.

If IKE peer identity validation is enabled, the VPN Concentrator compares the peer’s identity to the respective field in the certificate to see if the information matches. If the information matches, then the peer’s identity is validated and the VPN Concentrator establishes the tunnel. If the information does not match, the VPN Concentrator drops the tunnel. This feature provides an additional level of security. IKE Peer Identity Validation can be useful for binding a peer to a particular IP address or domain name.

If the feature for IKE Peer Identity Validation is enabled, then the error described above will occur.


The solution is to disable IKE Peer Identity Validation. By default, it is enabled, but by adding the following lines to your running configuration, you may disable it.

From CLI, add peer-id-validate nocheck
Replace <Peer ID> with the WSS Peer IP 

tunnel-group <Peer ID> ipsec-attributes
peer-id-validate nocheck

This feature is not available in GUI, you must use CLI to add the setting.