JNCIS-ENT: Juniper Networks Certified Specialist – Enterprise Routing (legacy) — Question 2

You recently configured an IPsec VPN between two SRX Series devices. You notice that the Phase 1 negotiation succeeds and the Phase 2 negotiation fails.
Which two configuration parameters should you verify are correct? (Choose two.)

Answer options

• A. Verify that the IKE gateway proposals on the initiator and responder are the same.
• B. Verify that the VPN tunnel configuration references the correct IKE gateway.
• C. Verify that the IPsec policy references the correct IKE proposals.
• D. Verify that the IKE initiator is configured for main mode.

Correct answer: A, C

Explanation

The correct answer includes verifying that the IKE gateway proposals on both sides match, which is essential for Phase 2 negotiations to succeed. Additionally, confirming that the IPsec policy references the correct IKE proposals is crucial since any mismatch can lead to failure in establishing the secure tunnel. The other options, while relevant, do not directly address the reason for Phase 2 negotiation failure.