Juniper SRX · IPsec VPN

Juniper SRX IPsec VPN Not Coming Up: How to Fix It

An SRX IPsec tunnel that won't establish fails in IKE (Phase 1) or IPsec (Phase 2) — and on route-based SRX VPNs there's a third trap: the st0 interface and routing. Here's how to find which.

Step 1 — Check the SAs

show security ike security-associations
show security ipsec security-associations

If there is no IKE SA for the peer, or the SA is not in state UP, Phase 1 is failing. If the IKE SA is UP but the IPsec table shows no SA for that gateway, Phase 2 is failing. One caveat before you chase either: with the default establish-tunnels on-traffic, nothing is negotiated until traffic is routed into the tunnel, so empty tables on an idle link only mean the tunnel has not been triggered yet.

Step 2 — Phase 1 (IKE) down

  • Gateway: the IKE gateway's peer address, external-interface and IKE version must be correct, and with pre-shared keys the local-identity/remote-identity must be what the peer expects (this bites most often with NATed or dynamic peers).
  • Pre-shared key & proposals: the PSK must be identical, and the IKE proposal (authentication method, encryption, hash/PRF, DH group) must match the peer. Lifetimes are not negotiated in IKEv2; an IKEv1 lifetime mismatch is tolerated by many peers but not all.
  • Reachability: UDP 500 (and UDP 4500 when NAT-T is in play) must reach the peer in both directions, and the zone holding the external-interface must allow host-inbound-traffic system-services ike, otherwise the SRX drops the peer's IKE packets before the IKE daemon ever sees them.

Turn on IKE tracing, commit, and read the log (flag all is verbose, so deactivate the traceoptions stanza and commit again once you have your answer):

set security ike traceoptions file ike.log
set security ike traceoptions flag all
commit
show log ike.log

Step 3 — Phase 2 (IPsec) down

  • Proxy-IDs / traffic selectors: the local and remote proxy-IDs must mirror the peer (your local = their remote, and vice versa). On a route-based VPN the SRX defaults to 0.0.0.0/0 for both unless you configure proxy-identity (IKEv1) or traffic-selector (IKEv2), so a policy-based peer that proposes specific subnets will reject the default. This is the most common Phase 2 failure on SRX.
  • IPsec proposal / PFS: protocol, encryption and authentication in the IPsec proposal, and the perfect-forward-secrecy group in the IPsec policy, must match on both ends. A PFS mismatch fails Phase 2 even when Phase 1 is solidly up.

Step 4 — Route-based VPN: the st0 trap

Route-based SRX VPNs bind to a secure tunnel interface (st0). Even with both phases up, traffic won't pass unless:

  • the IPsec VPN is bound to an st0 unit (bind-interface st0.x) and that unit has family inet configured,
  • st0.x is up and assigned to a security zone, with security policies between that zone and the LAN zone permitting the traffic (host-inbound-traffic on the zone only matters for traffic to the SRX itself, such as pinging the st0 address),
  • a route for the remote subnet points out st0.x.

If both SAs are up, the binding, zone, policies and route are all right and traffic still does not flow, confirm that ESP (IP protocol 50), or UDP 4500 when NAT-T is in use, is actually passing between the two endpoints; a firewall in the path that permits IKE but drops ESP produces exactly this symptom.
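Steps 1 to 4 put together as a triage script, an added example that is not part of this page or of Juniper's tooling. It parses constructed samples that approximate the output of the two show commands and a display set excerpt (the VPN name vpn-branch, gateway gw-branch, the interfaces, zones and addresses are all assumptions), then reports the first broken layer in the order the steps above check them. Under those assumptions the embedded CONFIG_OK also doubles as a minimal working route-based configuration.

```python
"""Triage a Juniper SRX route-based IPsec VPN from CLI output (added example, not
Juniper code or the page's tool). The checks follow the article: IKE SA, IPsec SA
and proxy-IDs, then st0 binding/zone/route. Output and config are constructed samples
approximating Junos formats; names, addresses, interfaces and zones are assumed."""
from collections import Counter

# Constructed `show security ike security-associations` output (header plus one UP SA).
IKE_HDR = "Index   State  Initiator cookie  Responder cookie  Mode   Remote Address\n"
IKE_UP = IKE_HDR + "5731220 UP     8c3e2a1f9b0d4e67  02f1a9c3d7e8b540  IKEv2  203.0.113.2\n"
# Constructed `show security ipsec security-associations` output ('<' inbound, '>' outbound).
IPSEC_UP = """\
  Total active tunnels: 1     Total Ipsec sas: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-gcm-256/None 3a9f01c2 2841/ unlim - root 500 203.0.113.2
  >131073 ESP:aes-gcm-256/None 9d4e7b10 2841/ unlim - root 500 203.0.113.2
"""
# Constructed `show configuration | display set` excerpt for one VPN (assumed names).
CONFIG_OK = """\
set security ike gateway gw-branch ike-policy pol-branch
set security ike gateway gw-branch address 203.0.113.2
set security ike gateway gw-branch external-interface ge-0/0/0.0
set security ipsec vpn vpn-branch bind-interface st0.0
set security ipsec vpn vpn-branch ike gateway gw-branch
set security ipsec vpn vpn-branch ike proxy-identity local 10.1.0.0/16
set security ipsec vpn vpn-branch ike proxy-identity remote 10.2.0.0/16
set security ipsec vpn vpn-branch ike proxy-identity service any
set security ipsec vpn vpn-branch establish-tunnels immediately
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone vpn interfaces st0.0
set routing-options static route 10.2.0.0/16 next-hop st0.0
"""
PEER_PROXY = {"local": "10.2.0.0/16", "remote": "10.1.0.0/16"}  # the peer's own view (constructed)


def parse_ike_sas(text):
    """Map remote address -> IKE SA state ('UP', 'DOWN', ...)."""
    return {p[-1]: p[1] for p in map(str.split, text.splitlines()) if len(p) >= 6 and p[0].isdigit()}


def parse_ipsec_sas(text):
    """Map gateway address -> number of ESP entries (a healthy tunnel shows an in/out pair)."""
    return Counter(p[-1] for p in map(str.split, text.splitlines())
                   if len(p) > 1 and p[0][0] in "<>" and p[1].startswith("ESP:"))


def parse_config(text):
    """Pull the fields the triage needs out of `display set` lines."""
    cfg = {"gw": {}, "vpn": {}, "iface_zone": {}, "zone_services": {}, "routes": {}}
    for p in (ln.split() + [""] * 9 for ln in text.splitlines() if ln.startswith("set ")):  # padded
        if p[1:4] == ["security", "ike", "gateway"]:
            cfg["gw"].setdefault(p[4], {})[p[5]] = p[6]
        elif p[1:4] == ["security", "ipsec", "vpn"]:
            v = cfg["vpn"].setdefault(p[4], {})
            if p[5:7] == ["ike", "proxy-identity"]:
                v["proxy-" + p[7]] = p[8]
            elif p[5] == "ike":
                v["gateway"] = p[7]
            else:
                v[p[5]] = p[6]
        elif p[1:4] == ["security", "zones", "security-zone"]:
            if p[5] == "interfaces":
                cfg["iface_zone"][p[6]] = p[4]
            elif p[5:7] == ["host-inbound-traffic", "system-services"]:
                cfg["zone_services"].setdefault(p[4], set()).add(p[7])
        elif p[1:4] == ["routing-options", "static", "route"] and p[5] == "next-hop":
            cfg["routes"][p[4]] = p[6]
    return cfg


def triage(ike_out, ipsec_out, config, vpn_name, peer_proxy):
    """Return (broken_layer, findings); layer is 'ike', 'ipsec', 'st0' or 'ok'."""
    cfg = parse_config(config)
    vpn = cfg["vpn"].get(vpn_name, {})
    gw = cfg["gw"].get(vpn.get("gateway", ""), {})
    peer = gw.get("address", "<no gateway address>")
    notes = []
    state = parse_ike_sas(ike_out).get(peer, "none")  # Steps 1-2: Phase 1
    if state != "UP":
        notes.append(f"Phase 1: IKE SA with {peer} is {state}")
        zone = cfg["iface_zone"].get(gw.get("external-interface", ""))
        if zone and "ike" not in cfg["zone_services"].get(zone, set()):
            notes.append(f"zone {zone} lacks host-inbound-traffic system-services ike")
        if vpn.get("establish-tunnels") != "immediately":
            notes.append("establish-tunnels is on-traffic: nothing negotiates until traffic hits st0")
        return "ike", notes
    if not parse_ipsec_sas(ipsec_out).get(peer):  # Step 3: Phase 2
        notes.append(f"Phase 2: IKE up but no IPsec SA with {peer}; check proposal/PFS and proxy-IDs")
        ours = (vpn.get("proxy-local"), vpn.get("proxy-remote"))
        if ours != (peer_proxy["remote"], peer_proxy["local"]):
            notes.append(f"proxy-IDs do not mirror the peer: ours {ours}, peer {peer_proxy}")
        return "ipsec", notes
    st0 = vpn.get("bind-interface", "")  # Step 4: binding, zone, route
    if not st0.startswith("st0."):
        notes.append(f"vpn {vpn_name} is not bound to an st0 unit")
    else:
        if st0 not in cfg["iface_zone"]:
            notes.append(f"{st0} is not a member of any security zone")
        if cfg["routes"].get(peer_proxy["local"]) != st0:
            notes.append(f"no static route for {peer_proxy['local']} via {st0}")
    return ("st0", notes) if notes else ("ok", ["both phases up; st0 bound, zoned and routed"])
```

To use it on a real box, paste the two show outputs and the display set excerpt into the three strings and call triage(). The peer's proxy-IDs are a separate input on purpose: the SRX cannot see them, only the other side's administrator can confirm them, and that is exactly why mirrored proxy-IDs are the most common Phase 2 failure.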

How Tech Matrix solves this in ~60 seconds

The SRX combines IKE, IPsec and the st0 routing model, so the fix is rarely one command. Tech Matrix reads the IKE/IPsec SAs, the proxy-IDs and the st0 binding/route together, tells you which layer is broken, and gives the exact set command for your Junos version — with your approval.

Frequently asked questions

How do I check a Juniper SRX VPN tunnel?

Run 'show security ike security-associations' for Phase 1 and 'show security ipsec security-associations' for Phase 2. Enable 'set security ike traceoptions' to see negotiation.

Why is my SRX Phase 2 not coming up?

Usually the proxy-IDs (traffic selectors) don't mirror the peer, or the IPsec proposal/PFS doesn't match. Both must align on each side.

Why does my SRX route-based VPN pass no traffic?

The VPN must be bound to an st0 unit that is up and in the right zone, with security policies permitting the traffic and a route for the remote subnet pointing out st0. If all of that is in place, check that ESP (or UDP 4500 with NAT-T) is not being dropped between the endpoints.