You have created a route-based VPN. When you try to connect to the remote device you see the following message in your event log:
No policy exists for the proxy id received
What two (2) things can cause this to occur?
A proxy id conflict
An unbound tunnel interface
The remote device is a policy-based VPN
The tunnel interface is configured in a different zone than the physical interface
In the NetScreen event log, during IKE Phase 2 negotiations, the "No Policy Exists for the proxy id" error message indicates a problem with the address or service book entries that are used in the Phase 2 Proxy ID.
Basically, the Proxy ID (local network, remote network, service port, etc.) used must be a mirror image between the local and remote IKE VPN endpoints.
By default, the CLI command "set ike policy-checking" is enabled, which means that the address and service book entries that are passed in the Proxy ID MUST match. Disabling it with "unset ike policy-checking" allows Phase 2 to complete WITHOUT the received Proxy ID being "checked" against the Proxy ID (local network, remote network, service port, etc.) used in the VPN policy.
Note: It is recommended that the “policy-checking” feature be enabled as it provides for another level of security.
Note: With policy-checking disabled ("unset ike policy-checking") ONLY one policy can be configured for this IKE gateway. The following warning message will be displayed:
"If more than one policy is desired per Gateway, policy checking must first be enabled by executing the "set ike policy-checking" command."
If multiple policies per IKE gateway are required, the “policy-checking” CLI command should NOT be disabled.
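The following ScreenOS configuration is an added example, not part of the original question or the Juniper knowledge-base text above. It shows one endpoint of a route-based VPN with the pieces that matter for this error: the tunnel interface bound to a zone, the VPN bound to that interface, an explicit Proxy ID, and policy checking left enabled. All names, interfaces and addresses (gw-remote, vpn-remote, tunnel.1, ethernet3, 203.0.113.2, 10.1.1.0/24, 10.2.2.0/24) are hypothetical, the preshared key is a placeholder, and lines starting with # are annotations rather than CLI commands.

```text
# Added example (hypothetical names and addresses), not the page's own configuration.

# Phase 1 gateway to the remote peer.
set ike gateway gw-remote address 203.0.113.2 main outgoing-interface ethernet3 preshare <PRESHARED_KEY> sec-level standard

# Tunnel interface: place it in a zone and give it an address (unnumbered here)
# before anything is bound to it.
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet3

# Phase 2 VPN, bound to the tunnel interface (the "unbound tunnel interface"
# case from the question is a VPN with no "bind interface" line).
set vpn vpn-remote gateway gw-remote sec-level standard
set vpn vpn-remote bind interface tunnel.1

# Proxy ID: local network, remote network, service. The remote endpoint must
# send the mirror image, i.e. local-ip 10.2.2.0/24 remote-ip 10.1.1.0/24 "ANY".
# Any difference in prefix, mask or service is a proxy-id conflict and produces
# "No policy exists for the proxy id received".
set vpn vpn-remote proxy-id local-ip 10.1.1.0/24 remote-ip 10.2.2.0/24 "ANY"

# Route the remote network into the tunnel.
set route 10.2.2.0/24 interface tunnel.1

# Policy checking is on by default; keep it on. "unset ike policy-checking"
# would suppress the check but limit this gateway to a single policy.
set ike policy-checking
```

If the remote device is a policy-based VPN, its Proxy ID is derived from the source address, destination address and service of its VPN policy, so the explicit proxy-id line on the route-based side is what has to mirror those three values; "get event" on either device shows the Proxy ID each side received when the mismatch is logged.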