VPN using certificate based authentication shows status DOWN.

Article ID: 434656


Products

VMware NSX

Issue/Introduction

  • The VPN session status remains DOWN or toggles to IKE_STATUS_DOWN.

  • Authentication type is certificate based.

  • NSX Edge syslogs (iked) report the error "Authentication failed (24)" with the reason "Remote ID mismatch", similar to the following:

    2026-03-04T10:55:16.330Z ... NSX 46794 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="ERROR" errorCode="EDG1000028"] Message: Authentication failed (24)
    2026-03-04T10:55:16.330Z ... NSX 46794 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="ERROR" errorCode="EDG1000028"] Reason: Remote ID mismatch

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
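The following script, added to this article as an example and not part of NSX, turns the log excerpt above into a check that can be run over an exported NSX Edge syslog: it parses the bracketed structured-data element, pairs each iked "Message: Authentication failed" line with the "Reason:" line that follows it (the ordering shown in the excerpt), and reports only the failures whose reason is "Remote ID mismatch". The sample log lines are constructed; the hostname edge-01 and the second reason text are invented for illustration.

```python
"""Find IKE authentication failures caused by a Remote ID mismatch in NSX Edge
iked syslog lines.  Example added to this article, not NSX code."""
import re

# NSX structured-data element and the free-text message that follows it, e.g.
# [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="ERROR"
#  errorCode="EDG1000028"] Message: Authentication failed (24)
SD_RE = re.compile(r'\[nsx@6876 ([^\]]*)\]\s*(.*)$')
PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return (timestamp, structured-data params, message) or None for a
    line that carries no NSX structured-data element."""
    m = SD_RE.search(line)
    if m is None:
        return None
    timestamp = line.split(None, 1)[0]
    params = dict(PARAM_RE.findall(m.group(1)))
    return timestamp, params, m.group(2).strip()


def authentication_failures(lines):
    """Pair each iked 'Message: Authentication failed' line with the
    'Reason:' line that follows it (as in the article's excerpt) and return
    one event per pair."""
    events = []
    pending = None  # (timestamp, errorCode) of a failure awaiting its Reason line
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, params, msg = parsed
        if params.get("comp") != "nsx-edge" or params.get("subcomp") != "iked":
            continue
        if msg.startswith("Message: Authentication failed"):
            pending = (ts, params.get("errorCode"))
        elif msg.startswith("Reason:") and pending is not None:
            events.append({"ts": pending[0], "errorCode": pending[1],
                           "reason": msg[len("Reason:"):].strip()})
            pending = None
    return events


def remote_id_mismatches(lines):
    """Only the failures whose reason is the one this article describes."""
    return [e for e in authentication_failures(lines)
            if e["reason"] == "Remote ID mismatch"]


# Constructed sample log: hostname 'edge-01' and the second reason text are
# invented for illustration; the line format follows the article's excerpt.
SAMPLE_LOG = [
    '2026-03-04T10:55:16.330Z edge-01 NSX 46794 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="ERROR" errorCode="EDG1000028"] Message: Authentication failed (24)',
    '2026-03-04T10:55:16.330Z edge-01 NSX 46794 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="ERROR" errorCode="EDG1000028"] Reason: Remote ID mismatch',
    '2026-03-04T10:56:02.004Z edge-01 NSX 46794 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="ERROR" errorCode="EDG1000028"] Message: Authentication failed (24)',
    '2026-03-04T10:56:02.004Z edge-01 NSX 46794 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="ERROR" errorCode="EDG1000028"] Reason: Peer certificate rejected (constructed example)',
    '2026-03-04T10:56:46.101Z edge-01 NSX 46794 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="ERROR" errorCode="EDG1000028"] Message: Authentication failed (24)',
    '2026-03-04T10:56:46.101Z edge-01 NSX 46794 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="ERROR" errorCode="EDG1000028"] Reason: Remote ID mismatch',
]

if __name__ == "__main__":
    for e in remote_id_mismatches(SAMPLE_LOG):
        print(f"{e['ts']}  {e['errorCode']}  {e['reason']}")
```

Run it against the Edge syslog (for example the output of `get log-file syslog` on the Edge node, or the lines forwarded to your syslog collector) by replacing SAMPLE_LOG with the file's lines; a non-empty result for remote_id_mismatches confirms the condition this article covers rather than some other IKE authentication failure.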

Environment

VMware NSX

Cause

The IKE identity (Remote ID) configured on one of the devices does not match the identity the other side actually presents.
In IKEv2 certificate-based authentication, the identity a peer sends in its ID payload must match an identity carried in its certificate. NSX derives its local ID from the Subject Alternative Name (SAN) or Subject Distinguished Name (DN) of the certificate assigned to the IPsec VPN service, so the remote peer must be configured to expect exactly that value as its Remote ID. In the same way, the Remote ID configured on NSX must match the Local ID the peer sends, which in turn must match the peer's own certificate. Any difference in the string causes IKE authentication to fail with "Remote ID mismatch" and leaves the session DOWN.

Resolution

To resolve this issue, align the ID configuration on both sides: the Remote ID on the peer must match the NSX certificate, and the Remote ID on NSX must match the Local ID the peer uses:

  1. Check the NSX certificate:

    • In NSX, navigate to the certificate assigned to your IPsec VPN service.

    • Identify the Subject Alternative Name (SAN) entries (for example, a DNS entry such as vpn.example.com) or the Subject Distinguished Name (DN). This is the identity NSX presents to the peer.

  2. Update the peer configuration:

    1. On the remote VPN gateway (the peer), locate the setting for the Remote ID (the ID it expects NSX to present).

    2. Set this field to the exact string found in the NSX certificate SAN or DN, using the matching ID type (an FQDN for a DNS SAN entry, a DN for the Subject DN).

  3. Review the peer's Local ID and make sure the Remote ID configured on the NSX IPsec VPN session matches it exactly.

After both sides are updated, confirm that the session status changes to UP and that the iked "Remote ID mismatch" errors no longer appear in the NSX Edge syslog.
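The procedure above comes down to comparing a configured ID string with the identities in a certificate, which is easy to get subtly wrong (wrong ID type, a DN with a missing attribute, a letter-case difference). The script below is an example added to this article, not NSX code: it takes the SAN and Subject DN values as strings, as you would read them from the certificate (for example with `openssl x509 -in nsx-vpn.pem -noout -subject -ext subjectAltName`), works out which IKEv2 ID type a candidate Remote ID corresponds to, and reports whether it is an exact match for one of the certificate's identities together with a hint when it is not. The certificate identities (vpn.example.com, Example Corp, 203.0.113.10) are constructed for illustration.

```python
"""Check whether a peer's configured Remote ID is one of the identities in the
NSX Edge VPN certificate.  Example added to this article, not NSX code.

The SAN and subject DN values are supplied as strings, as read from the
certificate (for example with
  openssl x509 -in nsx-vpn.pem -noout -subject -ext subjectAltName)."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class CertIdentities:
    """Identities carried by the certificate assigned to the NSX IPsec VPN service."""
    subject_dn: str                 # e.g. "CN=vpn.example.com,O=Example Corp,C=US"
    san_dns: tuple = ()             # DNS SAN entries
    san_ip: tuple = ()              # IP address SAN entries
    san_email: tuple = ()           # rfc822Name SAN entries


def classify_id(value):
    """Guess which IKEv2 ID type a configured ID string corresponds to."""
    v = value.strip()
    try:
        ipaddress.ip_address(v)
        return "ID_IPV4_ADDR/ID_IPV6_ADDR"
    except ValueError:
        pass
    if re.search(r'(^|[,/])\s*[A-Za-z]+\s*=', v):   # "CN=..." or "/C=..." form
        return "ID_DER_ASN1_DN"
    if "@" in v:
        return "ID_RFC822_ADDR"
    return "ID_FQDN"


def normalize_dn(dn):
    """Turn 'CN=a, O=b' or '/O=b/CN=a' into a comparable set of RDNs.
    Tools print DNs in either order, so order is ignored here; escaped
    separators inside attribute values are not handled."""
    parts = [p for p in re.split(r'\s*[,/]\s*', dn.strip()) if p]
    rdns = []
    for p in parts:
        key, _, val = p.partition("=")
        rdns.append((key.strip().upper(), val.strip()))
    return tuple(sorted(rdns))


def check_remote_id(cert, configured_remote_id):
    """Return a dict: ok (exact match), id_type, expected (the values NSX
    presents for that type) and hint (why it failed, when it did)."""
    v = configured_remote_id.strip()
    id_type = classify_id(v)
    hint = ""
    if id_type == "ID_FQDN":
        expected = list(cert.san_dns)
        ok = v in expected
        if not ok and v.lower() in [d.lower() for d in expected]:
            hint = "differs only in letter case; the article requires the exact string"
    elif id_type == "ID_RFC822_ADDR":
        expected = list(cert.san_email)
        ok = v in expected
    elif id_type == "ID_DER_ASN1_DN":
        expected = [cert.subject_dn]
        ok = normalize_dn(v) == normalize_dn(cert.subject_dn)
        if not ok and set(normalize_dn(v)) < set(normalize_dn(cert.subject_dn)):
            hint = "DN is incomplete; all RDNs of the subject must be present"
    else:
        expected = list(cert.san_ip)
        ok = ipaddress.ip_address(v) in [ipaddress.ip_address(i) for i in expected]
    if not ok and not hint:
        hint = f"not present in the certificate as a {id_type}"
    return {"ok": ok, "id_type": id_type, "expected": expected, "hint": hint}


# Constructed certificate identities for illustration.
NSX_CERT = CertIdentities(
    subject_dn="CN=vpn.example.com,O=Example Corp,C=US",
    san_dns=("vpn.example.com",),
    san_ip=("203.0.113.10",),
)

if __name__ == "__main__":
    for candidate in ("vpn.example.com", "VPN.example.com", "203.0.113.10",
                      "/C=US/O=Example Corp/CN=vpn.example.com", "CN=vpn.example.com"):
        print(f"{candidate!r}: {check_remote_id(NSX_CERT, candidate)}")
```

Use the same function in the other direction for step 3: fill CertIdentities with the SAN and Subject DN of the peer's certificate and pass the Remote ID configured on the NSX IPsec VPN session as the candidate. The DN comparison ignores RDN order only because different tools print the same subject in opposite orders; what NSX compares on the wire is the DER-encoded DN from the certificate, so the string on the peer should be copied from the certificate rather than typed from memory.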

Additional Information

Reference the official documentation: Using Certificate-Based Authentication for IPsec VPN Sessions.