SRX Services Gateway
Visitor
ThunderEmperor
Posts: 1
Registered: 04-13-2012

IPSec Route Based VPN not coming up for a few peers


Hi, I am facing a weird issue with SRX firewalls. I have multiple SRX firewalls at each site, and they all have a route-based multipoint NHTB VPN across all sites. They have a single Phase 1 policy and a single Phase 2 policy with multiple gateways.

On one of my sites, the VPN SA doesn't come up with a few sites. It was working fine, then it stopped working. When I run traceoptions, it shows "no proposal chosen", but that can't be true, as all of the sites are using the same proposals.

root@SHA-FWALL-INT01# show security ike
proposal MP_IKEProp {
    description IKE_Proposal;
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha-256;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 28800;
}
policy IKE-MP-Policy {
    mode main;
    description Multipoint_VPN_Policy;
    proposals MP_IKEProp;
    pre-shared-key ascii-text "$9$G5iPQF36AuOGDCt0Irl-VwgZUF39O1h9C0IESW8"; ## SECRET-DATA
}
gateway PDX-Gateway {
    ike-policy IKE-MP-Policy;
    address 65.x.x.204;
    dead-peer-detection always-send;
    external-interface ge-0/0/0.0;
}
gateway NYC-Gateway {
    ike-policy IKE-MP-Policy;
    address 4.x.x.176;
    dead-peer-detection always-send;
    external-interface ge-0/0/0.0;
}
gateway DEL-Gateway {
    ike-policy IKE-MP-Policy;
    address 180.x.x.200;
    dead-peer-detection always-send;
    external-interface ge-0/0/0.0;
}
gateway AMS-Gateway {
    ike-policy IKE-MP-Policy;
    address 188.x.x.70;
    dead-peer-detection always-send;
    external-interface ge-0/0/0.0;
}
gateway TOK-Gateway {
    ike-policy IKE-MP-Policy;
    address 124.x.x.163;
    dead-peer-detection always-send;
    external-interface ge-0/0/0.0;
}
gateway SAO-Gateway {
    ike-policy IKE-MP-Policy;
    address 186.x.x.226;
    dead-peer-detection always-send;
    external-interface ge-0/0/0.0;
}
gateway LON-Gateway {
    ike-policy IKE-MP-Policy;
    address 193.x.x.100;
    dead-peer-detection always-send;
    external-interface ge-0/0/0.0;
}
gateway MSP-Gateway {
    ike-policy IKE-MP-Policy;
    address 65.x.x.66;
    dead-peer-detection always-send;
    external-interface ge-0/0/0.0;
}

[edit]


root@SHA-FWALL-INT01# show security ipsec
proposal MP-IPSec-Proposal {
    description "Multipoint Tunnel IPSec Proposal";
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 3600;
}
policy MP-IPSec-Policy {
    description "Multipoint Tunnel Phase 2 Policy";
    proposals MP-IPSec-Proposal;
}
vpn MP_MSP {
    bind-interface st0.500;
    ike {
        gateway MSP-Gateway;
        ipsec-policy MP-IPSec-Policy;
    }
    establish-tunnels immediately;
}
vpn MP_NYC {
    bind-interface st0.500;
    ike {
        gateway NYC-Gateway;
        ipsec-policy MP-IPSec-Policy;
    }
    establish-tunnels immediately;
}
vpn MP_AMS {
    bind-interface st0.500;
    ike {
        gateway AMS-Gateway;
        ipsec-policy MP-IPSec-Policy;
    }
    establish-tunnels immediately;
}
vpn MP_PDX {
    bind-interface st0.500;
    ike {
        gateway PDX-Gateway;
        ipsec-policy MP-IPSec-Policy;
    }
    establish-tunnels immediately;
}
vpn MP_DEL {
    bind-interface st0.500;
    ike {
        gateway DEL-Gateway;
        ipsec-policy MP-IPSec-Policy;
    }
}
vpn MP_SAO {
    bind-interface st0.500;
    ike {
        gateway SAO-Gateway;
        ipsec-policy MP-IPSec-Policy;
    }
    establish-tunnels immediately;
}
vpn MP_LON {
    bind-interface st0.500;
    ike {
        gateway LON-Gateway;
        ipsec-policy MP-IPSec-Policy;
    }
    establish-tunnels immediately;
}
vpn MP_TOK {
    bind-interface st0.500;
    ike {
        gateway TOK-Gateway;
        ipsec-policy MP-IPSec-Policy;
    }
    establish-tunnels immediately;
}
SHA-FWALL-INT01# show interfaces st0.500
multipoint;
family inet {
    next-hop-tunnel 192.168.50.12 ipsec-vpn MP_NYC;
    next-hop-tunnel 192.168.50.8 ipsec-vpn MP_DEL;
    next-hop-tunnel 192.168.50.1 ipsec-vpn MP_PDX;
    next-hop-tunnel 192.168.50.2 ipsec-vpn MP_AMS;
    next-hop-tunnel 192.168.50.3 ipsec-vpn MP_LON;
    next-hop-tunnel 192.168.50.10 ipsec-vpn MP_MSP;
    next-hop-tunnel 192.168.50.4 ipsec-vpn MP_TOK;
    next-hop-tunnel 192.168.50.9 ipsec-vpn MP_SAO;
    address 192.168.50.6/24;
}

 

The same config works in all the other places, but for this one site the configuration doesn't work for a few peers, and the traceoptions show that the Phase 1 policy failed:

Apr 14 01:24:22 jnp_ike_connect: Start, remote_name = 124.x.x.163:500, local = 116.x.x.163:500 xchg = 2, flags = 00000000
Apr 14 01:24:22 ike_init_isakmp_sa: Start, remote = 124.x.x.163:500, initiator = 1
Apr 14 01:24:22 ike_send_packet: Start, send SA = { 632293ef b848e423 - 00000000 00000000}, nego = -1, src=116.x.x.163:500, dst = 124.x.x.163:500, routing table id = 0
Apr 14 01:24:22 ike_get_sa: Start, SA = { 632293ef b848e423 - 7be52284 19c56f90 } / 927c61bb, remote = 124.x.x.163:500
Apr 14 01:24:22 116.x.x.163:500 (Responder) <-> 124.x.x.163:500 { 632293ef b848e423 - 7be52284 19c56f90 [0] / 0x927c61bb } Info; Notification data has attribute list
Apr 14 01:24:22 116.x.x.163:500 (Responder) <-> 124.x.x.163:500 { 632293ef b848e423 - 7be52284 19c56f90 [0] / 0x927c61bb } Info; Notify message version = 1
Apr 14 01:24:22 116.x.x.163:500 (Responder) <-> 124.x.x.163:500 { 632293ef b848e423 - 7be52284 19c56f90 [0] / 0x927c61bb } Info; Error text = Could not find acceptable proposal
Apr 14 01:24:22 116.x.x.163:500 (Responder) <-> 124.x.x.163:500 { 632293ef b848e423 - 7be52284 19c56f90 [0] / 0x927c61bb } Info; Offending message id = 0x00000000
Apr 14 01:24:22 116.x.x.163:500 (Responder) <-> 124.x.x.163:500 { 632293ef b848e423 - 7be52284 19c56f90 [0] / 0x927c61bb } Info; Received notify err = No proposal chosen (14) to isakmp sa, delete it
Apr 14 01:24:22 116.x.x.163:500 (Initiator) <-> 124.x.x.163:500 { 632293ef b848e423 - 7be52284 19c56f90 [-1] / 0x00000000 } IP; Connection got error = 14, calling callback
Apr 14 01:24:22 Phase-1 negotiation failed with error No proposal chosen for p1_local=ipv4(udp:500,[0..3]=116.x.x.163) p1_remote=ipv4(udp:500,[0..3]=124.x.x.163)
Apr 14 01:24:43 jnp_ike_connect: Start, remote_name = 124.x.x.163:500, local = 116.x.x.163:500 xchg = 2, flags = 00000000
Apr 14 01:24:43 ike_init_isakmp_sa: Start, remote = 124.x.x.163:500, initiator = 1
Apr 14 01:24:43 ike_send_packet: Start, send SA = { ec243f43 b7b79b43 - 00000000 00000000}, nego = -1, src=116.x.x.163:500, dst = 124.x.x.163:500, routing table id = 0
Apr 14 01:24:43 ike_get_sa: Start, SA = { ec243f43 b7b79b43 - 564cf91f ee9fdf07 } / a9f7ab21, remote = 124.x.x.163:500
Apr 14 01:24:43 116.x.x.163:500 (Responder) <-> 124.x.x.163:500 { ec243f43 b7b79b43 - 564cf91f ee9fdf07 [0] / 0xa9f7ab21 } Info; Notification data has attribute list
Apr 14 01:24:43 116.x.x.163:500 (Responder) <-> 124.x.x.163:500 { ec243f43 b7b79b43 - 564cf91f ee9fdf07 [0] / 0xa9f7ab21 } Info; Notify message version = 1
Apr 14 01:24:43 116.x.x.163:500 (Responder) <-> 124.x.x.163:500 { ec243f43 b7b79b43 - 564cf91f ee9fdf07 [0] / 0xa9f7ab21 } Info; Error text = Could not find acceptable proposal
Apr 14 01:24:43 116.x.x.163:500 (Responder) <-> 124.x.x.163:500 { ec243f43 b7b79b43 - 564cf91f ee9fdf07 [0] / 0xa9f7ab21 } Info; Offending message id = 0x00000000
Apr 14 01:24:43 116.x.x.163:500 (Responder) <-> 124.x.x.163:500 { ec243f43 b7b79b43 - 564cf91f ee9fdf07 [0] / 0xa9f7ab21 } Info; Received notify err = No proposal chosen (14) to isakmp sa, delete it
Apr 14 01:24:43 116.x.x.163:500 (Initiator) <-> 124.x.x.163:500 { ec243f43 b7b79b43 - 564cf91f ee9fdf07 [-1] / 0x00000000 } IP; Connection got error = 14, calling callback
Apr 14 01:24:43 Phase-1 negotiation failed with error No proposal chosen for p1_local=ipv4(udp:500,[0..3]=116.x.x.163) p1_remote=ipv4(udp:500,[0..3]=124.x.x.163)

 

Any ideas?

I forgot to mention: the device is an SRX240 running 10.4R5.
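
The traceoptions output above is long and repeats the same lines for every retry. A small parser that groups the `Phase-1 negotiation failed` events by remote peer, records whether the peer itself sent the NOTIFY (the `Received notify err = No proposal chosen (14)` line, ISAKMP notify type 14), and maps the peer address back to the gateway name from `show security ike` makes it obvious which gateways are affected. This is an added example, not code from the post or from Juniper; the sample trace lines are constructed in the post's format, and the `186.x.x.226` lines with the error text `Timeout` are hypothetical, added only to show grouping by peer.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the SRX IKE traceoptions output in the post
# (addresses masked the same way the post masks them). The 186.x.x.226 lines and the
# error text "Timeout" are hypothetical, added only to show grouping by peer.
SAMPLE_TRACE = """\
Apr 14 01:24:22 ike_init_isakmp_sa: Start, remote = 124.x.x.163:500, initiator = 1
Apr 14 01:24:22 116.x.x.163:500 (Responder) <-> 124.x.x.163:500 { 632293ef b848e423 - 7be52284 19c56f90 [0] / 0x927c61bb } Info; Received notify err = No proposal chosen (14) to isakmp sa, delete it
Apr 14 01:24:22 Phase-1 negotiation failed with error No proposal chosen for p1_local=ipv4(udp:500,[0..3]=116.x.x.163) p1_remote=ipv4(udp:500,[0..3]=124.x.x.163)
Apr 14 01:24:43 Phase-1 negotiation failed with error No proposal chosen for p1_local=ipv4(udp:500,[0..3]=116.x.x.163) p1_remote=ipv4(udp:500,[0..3]=124.x.x.163)
Apr 14 01:25:01 Phase-1 negotiation failed with error Timeout for p1_local=ipv4(udp:500,[0..3]=116.x.x.163) p1_remote=ipv4(udp:500,[0..3]=186.x.x.226)
"""

# Excerpt of the gateway stanzas from the post's `show security ike` output, used to
# translate peer addresses back into gateway names.
SAMPLE_GATEWAYS = """\
gateway TOK-Gateway {
    ike-policy IKE-MP-Policy;
    address 124.x.x.163;
    dead-peer-detection always-send;
    external-interface ge-0/0/0.0;
}
gateway SAO-Gateway {
    ike-policy IKE-MP-Policy;
    address 186.x.x.226;
    dead-peer-detection always-send;
    external-interface ge-0/0/0.0;
}
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
# Final Phase-1 verdict line, one per failed attempt.
FAIL_RE = re.compile(
    TS + r" Phase-1 negotiation failed with error (?P<err>.+?) for "
    r"p1_local=ipv4\(udp:\d+,\[0\.\.3\]=(?P<local>[^)]+)\) "
    r"p1_remote=ipv4\(udp:\d+,\[0\.\.3\]=(?P<remote>[^)]+)\)$")
# NOTIFY received from the peer: the peer, not the local box, rejected the exchange.
NOTIFY_RE = re.compile(
    TS + r" (?P<local>\S+):\d+ \((?P<role>Initiator|Responder)\) <-> (?P<remote>\S+):\d+ "
    r".*Received notify err = (?P<err>.+?) \((?P<code>\d+)\)")
GATEWAY_RE = re.compile(r"gateway (?P<name>\S+) \{(?P<body>[^}]*)\}")
ADDR_RE = re.compile(r"\baddress (?P<addr>\S+);")


def summarize_phase1_failures(trace_text):
    """Group Phase-1 failures by remote peer address."""
    summary = defaultdict(lambda: {"count": 0, "errors": set(), "first": None,
                                   "last": None, "notify_from_peer": False})
    for line in trace_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            s = summary[m["remote"]]
            s["count"] += 1
            s["errors"].add(m["err"])
            s["first"] = s["first"] or m["ts"]
            s["last"] = m["ts"]
            continue
        m = NOTIFY_RE.match(line)
        if m:
            summary[m["remote"]]["notify_from_peer"] = True
    return dict(summary)


def gateway_names(ike_config):
    """Map gateway address -> gateway name from `show security ike` text."""
    names = {}
    for g in GATEWAY_RE.finditer(ike_config):
        a = ADDR_RE.search(g["body"])
        if a:
            names[a["addr"]] = g["name"]
    return names


def phase1_report(trace_text, ike_config):
    """One human-readable line per failing peer, sorted by peer address."""
    names = gateway_names(ike_config)
    lines = []
    for peer, s in sorted(summarize_phase1_failures(trace_text).items()):
        origin = ("peer rejected our proposal (NOTIFY 14)" if s["notify_from_peer"]
                  else "no NOTIFY seen from peer")
        lines.append(f"{names.get(peer, 'unknown-gateway')} ({peer}): {s['count']} Phase-1 failure(s), "
                     f"errors={sorted(s['errors'])}, first={s['first']}, last={s['last']}, {origin}")
    return lines


if __name__ == "__main__":
    for line in phase1_report(SAMPLE_TRACE, SAMPLE_GATEWAYS):
        print(line)
```

Feed it the real trace file and the output of `show security ike` and the report tells you, per gateway, whether the rejection came from the peer (in which case the peer's Phase 1 settings are the ones to compare) or whether no NOTIFY ever arrived, which points at reachability or a blocked UDP/500 path rather than a proposal mismatch.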

Distinguished Expert
spuluka
Posts: 2,614
Registered: 03-30-2009

Re: IPSec Route Based VPN not coming up for a few peers

This error essentially means that the contents of your phase 1 settings are not the same as that configured for the remote site.

 

Phase-1 negotiation failed with error No proposal chosen

You need to look at what settings are in MP_IKEProp and see which one of these is not the same at the remote site that does not come up.

 

proposal MP_IKEProp {
    description IKE_Proposal;
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha-256;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 28800;
}


Steve Puluka BSEET
Juniper Ambassador
Senior Network Engineer - UPMC Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC
JNCIS-FWV JNCIS-SSL
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
http://puluka.com/home
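
The comparison the answer asks for can be done mechanically: parse the `proposal` and `policy` stanzas out of `show security ike` from both sites and list every attribute that differs, rather than eyeballing two screens of config. In the trace in the question the NOTIFY arrives from 124.x.x.163 (`Received notify err = No proposal chosen (14)`), so it is the remote side that rejected the local proposal and the remote configuration is the one to pull. This is an added example, not code from the answer or from Juniper. The local text is the proposal and policy from the post with the pre-shared key replaced by a placeholder; the remote text is constructed (hypothetical) and differs only in `dh-group`. The policy names passed in are assumed to be the ones each gateway references.

```python
import re

# `show security ike` output for the local site, copied from the post (the pre-shared key
# is replaced by a placeholder).
LOCAL_IKE = """\
proposal MP_IKEProp {
    description IKE_Proposal;
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha-256;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 28800;
}
policy IKE-MP-Policy {
    mode main;
    description Multipoint_VPN_Policy;
    proposals MP_IKEProp;
    pre-shared-key ascii-text "$9$PLACEHOLDER"; ## SECRET-DATA
}
"""

# Constructed (hypothetical) output from the remote site that refuses the tunnel: the same
# names, but dh-group was changed to group5.
REMOTE_IKE = LOCAL_IKE.replace("dh-group group2;", "dh-group group5;")

STANZA_RE = re.compile(r"^(proposal|policy) (\S+) \{\n(.*?)^\}", re.M | re.S)
KV_RE = re.compile(r"^\s*([\w-]+) (.+?);", re.M)

# Phase-1 attributes that must agree for the responder to accept a transform. lifetime-seconds
# is included because the answer lists it, although peers often negotiate it down rather
# than reject on a mismatch.
NEGOTIATED = ("authentication-method", "dh-group", "authentication-algorithm",
              "encryption-algorithm", "lifetime-seconds")


def parse_ike(text):
    """Return {'proposal': {name: {attr: value}}, 'policy': {name: {attr: value}}}."""
    cfg = {"proposal": {}, "policy": {}}
    for kind, name, body in STANZA_RE.findall(text):
        # pre-shared-key is deliberately dropped: the $9$ form is per-device obfuscation,
        # so comparing two of them says nothing about whether the plaintext keys match.
        cfg[kind][name] = {k: v.strip() for k, v in KV_RE.findall(body)
                           if k != "pre-shared-key"}
    return cfg


def proposal_names(policy):
    """Handle both `proposals X;` and `proposals [ X Y ];`."""
    return policy.get("proposals", "").strip("[] ").split()


def phase1_mismatches(local_text, remote_text, local_policy, remote_policy):
    """List (attribute, where, local value, remote value) for every Phase-1 difference.

    Every local proposal is compared against every remote proposal; the SA can only come
    up if at least one pair produces no findings (and the policy modes agree)."""
    lcfg, rcfg = parse_ike(local_text), parse_ike(remote_text)
    lpol, rpol = lcfg["policy"][local_policy], rcfg["policy"][remote_policy]
    findings = []
    if lpol.get("mode") != rpol.get("mode"):
        findings.append(("mode", f"{local_policy}/{remote_policy}",
                         lpol.get("mode"), rpol.get("mode")))
    for ln in proposal_names(lpol):
        for rn in proposal_names(rpol):
            lprop, rprop = lcfg["proposal"][ln], rcfg["proposal"][rn]
            for attr in NEGOTIATED:
                if lprop.get(attr) != rprop.get(attr):
                    findings.append((attr, f"{ln}/{rn}", lprop.get(attr), rprop.get(attr)))
    return findings


if __name__ == "__main__":
    for attr, where, lval, rval in phase1_mismatches(LOCAL_IKE, REMOTE_IKE,
                                                     "IKE-MP-Policy", "IKE-MP-Policy"):
        print(f"{attr} differs in {where}: local={lval} remote={rval}")
```

Run against the real output of both boxes, the script prints one line per mismatch; an empty result with the error still present means the problem is not in the proposal or policy mode at all, and the next things to check are the gateway's `external-interface` and address on each side and anything between them filtering UDP/500.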