01-06-2017 08:38 AM
Box is an SRX 320, v 15.1X49-D45
I'm at my wits end. I've done this before with an SRX... But I can't seem to make it work on this box. It's an Avaya phone with an IPSEC vpn client builtin trying to establish a tunnel to the SRX, a policy based VPN and local XAUTH. I get these common errors:
[Jan 7 00:28:18]ike_st_i_sa_proposal: Start
[Jan 7 00:28:18]iked_pm_ike_spd_select_ike_sa failed. rc 1, error_code: No proposal chosen
[Jan 7 00:28:18]ikev2_fb_spd_select_sa_cb: IKEv2 SA select failed with error No proposal chosen (neg 1157000)
I hope someone can look at this and tell me what I'm missing and hopefully it's something obvious. This seems pretty simple, I don't know what I'm missing. I've checked that the client side matches all parameters and the shared secret matches of course.
Solved! Go to Solution.
01-06-2017 11:38 AM
policy-based VPN was initially removed from the 15.1X49 software train but was reintroduced in 15.1X49-D50. VPN client support was also initially removed and the reintroduced in 15.1X49-D60.
If you look in the attached configuration you will also see the "unsupported platform" multiple times. In this case it's due to missing support for policy-based VPN.
So first step would be to upgrade to at least 15.1X49-D60 and preferably 15.1X49-D70. Then try again.
Jonas Hauge Jensen
Systems Engineer, SEC Datacom A/S (Denmark)