SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  No proposal chosen

    Posted 08-24-2016 08:08

    Hello!

    I have a problem setting up an IPsec VPN between an SRX210 and an SRX100H. The latter is behind a NAT device with two different IP addresses (one or the other at a time), so the policy on the responder is "aggressive" with a dynamic host. And the initiator's (SRX100) IP address on the external interface is 2.2.2.2. On the edge NAT device there is a port mapping of IKE traffic to my SRX100.

    I tried to set up both policy-based and route-based VPNs, but the problem in the logs was the same: No proposal chosen.

    I have spent a lot of hours on this but with no result. At the moment I am using the "standard" proposal-sets in both the IKE and IPsec policies. Checked:

    1. pre-shared key on both sides
    2. presence of the st0 interface in the "vpn" part of ipsec.
    3. presence of the st0 interface in the appropriate security zone.

    Here is my config. I appreciate your help.

    srx210:

    interfaces {
        st0 {
            unit 10 {
                family inet;
            }
        }
    }

    ike policy ike-pol-sip {
        mode aggressive;
        proposal-set standard;
        pre-shared-key ascii-text "$9$JcDkmzFNd"; ## SECRET-DATA
    }

    ike gateway SIP {
        ike-policy ike-pol-sip;
        dynamic hostname sipsrx.ykt;
        external-interface fe-0/0/7.0;
        version v1-only;
    }

    ipsec policy ipsec-pol-sip {
        perfect-forward-secrecy {
            keys group2;
        }
        proposal-set standard;
    }

    ipsec vpn vpn-sip {
        bind-interface st0.10;
        ike {
            gateway SIP;
            proxy-identity {
                local 0.0.0.0/0;
                remote 0.0.0.0/0;
                service any;
            }
            ipsec-policy ipsec-pol-sip;
        }
        establish-tunnels immediately;
    }

    zones security-zone vpn {
        address-book {
            address sip-lan 192.168.16.0/24;
        }
        interfaces {
            st0.10 {
                host-inbound-traffic {
                    system-services {
                        ike;
                    }
                    protocols {
                        all;
                    }
                }
            }
        }
    }

    policies from-zone vpn to-zone trust {
        policy clients-to-sita {
            match {
                source-address [ irkutsk-lan sip-lan ];
                destination-address SITA;
                application any;
            }
            then {
                permit;
            }
        }
    }

    policies from-zone trust to-zone vpn {
        policy trust-to-sip {
            match {
                source-address SITA;
                destination-address sip-lan;
                application any;
            }
            then {
                permit;
            }
        }
    }

    srx100:


    ike {
        traceoptions {
            flag ike;
            flag all;
        }
        policy ike-pol-vnk {
            mode aggressive;
            proposal-set standard;
            pre-shared-key ascii-text "$9$EBiyKWN-w2C"; ## SECRET-DATA
        }
        gateway office {
            ike-policy ike-pol-vnk;
            address 1.1.1.1;
            external-interface fe-0/0/7.0;
            version v1-only;
        }
    }
    ipsec {
        traceoptions {
            flag all;
        }
        policy ipsec-pol-vnk {
            perfect-forward-secrecy {
                keys group2;
            }
            proposal-set standard;
        }
        vpn office-vpn {
            bind-interface st0.0;
            ike {
                gateway office;
                proxy-identity {
                    local 0.0.0.0/0;
                    remote 0.0.0.0/0;
                    service any;
                }
                ipsec-policy ipsec-pol-vnk;
            }
            establish-tunnels immediately;
        }
    }

    policies from-zone vpn to-zone Internal {
        policy vpn-to-trust {
            match {
                source-address SITA;
                destination-address lan;
                application any;
            }
            then {
                permit;
            }
        }
    }
    policies from-zone Internal to-zone vpn {
        policy sip-to-vpn {
            match {
                source-address lan;
                destination-address SITA;
                application any;
            }
            then {
                permit;
            }
        }
    }

    zones security-zone vpn {
        address-book {
            address SITA 5.5.5.0/24;
        }
        interfaces {
            st0.0 {
                host-inbound-traffic {
                    system-services {
                        ike;
                    }
                    protocols {
                        all;
                    }
                }
            }
        }
    }

    KMD log:

    [Aug 24 19:02:06]iked_pm_ike_spd_notify_request: Sending Initial contact
    [Aug 24 19:02:06]ssh_ike_connect: Start, remote_name = 1.1.1.1:500, xchg = 4, flags = 00040000
    [Aug 24 19:02:06]ike_sa_allocate: Start, SA = { 5ccab5ea 2076bcd0 - 00000000 00000000 }
    [Aug 24 19:02:06]ike_init_isakmp_sa: Start, remote = 1.1.1.1:500, initiator = 1
    [Aug 24 19:02:06]2.2.2.2:500 (Initiator) <-> 1.1.1.1:500 { 5ccab5ea 2076bcd0 - 00000000 00000000 [-1] / 0x00000000 } Aggr; Warning: Number of proposals != 1 in ISAKMP SA, this is against draft!
    [Aug 24 19:02:06]ssh_ike_connect: SA = { 5ccab5ea 2076bcd0 - 00000000 00000000}, nego = -1
    [Aug 24 19:02:06]ike_st_o_sa_proposal: Start
    [Aug 24 19:02:06]ike_st_o_ke: Start
    [Aug 24 19:02:06]ike_st_o_nonce: Start
    [Aug 24 19:02:06]ike_policy_reply_isakmp_nonce_data_len: Start
    [Aug 24 19:02:06]ike_st_o_id: Start
    [Aug 24 19:02:06]ike_policy_reply_isakmp_vendor_ids: Start
    [Aug 24 19:02:06]ike_st_o_private: Start
    [Aug 24 19:02:06]ike_policy_reply_private_payload_out: Start
    [Aug 24 19:02:06]ike_encode_packet: Start, SA = { 0x5ccab5ea 2076bcd0 - 00000000 00000000 } / 00000000, nego = -1
    [Aug 24 19:02:06]ike_send_packet: Start, send SA = { 5ccab5ea 2076bcd0 - 00000000 00000000}, nego = -1, dst = 1.1.1.1:500, routing table id = 0
    [Aug 24 19:02:06]ikev2_packet_allocate: Allocated packet dad400 from freelist
    [Aug 24 19:02:06]ike_sa_find: Not found SA = { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757 }
    [Aug 24 19:02:06]ikev2_packet_st_input_v1_get_sa: Checking if unauthenticated IKEv1 notify is for an IKEv2 SA
    [Aug 24 19:02:06]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
    [Aug 24 19:02:06]ike_get_sa: Start, SA = { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757 } / 44cc48b0, remote = 1.1.1.1:500
    [Aug 24 19:02:06]ike_sa_find: Not found SA = { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757 }
    [Aug 24 19:02:06]ike_sa_find_half: Found half SA = { 5ccab5ea 2076bcd0 - 00000000 00000000 }
    [Aug 24 19:02:06]ike_sa_upgrade: Start, SA = { 5ccab5ea 2076bcd0 - 00000000 00000000 } -> { ... - cc3097af 8eb3b757 }
    [Aug 24 19:02:06]ike_alloc_negotiation: Start, SA = { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757}
    [Aug 24 19:02:06]ike_decode_packet: Start
    [Aug 24 19:02:06]ike_decode_packet: Start, SA = { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757} / 44cc48b0, nego = 0
    [Aug 24 19:02:06]ike_st_i_n: Start, doi = 1, protocol = 1, code = No proposal chosen (14), spi[0..16] = 5ccab5ea 2076bcd0 ..., data[0..46] = 800c0001 00060022 ...
    [Aug 24 19:02:06]<none>:500 (Responder) <-> 1.1.1.1:500 { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757 [0] / 0x44cc48b0 } Info; Notification data has attribute list
    [Aug 24 19:02:06]<none>:500 (Responder) <-> 1.1.1.1:500 { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757 [0] / 0x44cc48b0 } Info; Notify message version = 1
    [Aug 24 19:02:06]<none>:500 (Responder) <-> 1.1.1.1:500 { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757 [0] / 0x44cc48b0 } Info; Error text = Could not find acceptable proposal
    [Aug 24 19:02:06]<none>:500 (Responder) <-> 1.1.1.1:500 { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757 [0] / 0x44cc48b0 } Info; Offending message id = 0x00000000
    [Aug 24 19:02:06]<none>:500 (Responder) <-> 1.1.1.1:500 { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757 [0] / 0x44cc48b0 } Info; Received notify err = No proposal chosen (14) to isakmp sa, delete it
    [Aug 24 19:02:06]ike_st_i_private: Start
    [Aug 24 19:02:06]ike_send_notify: Connected, SA = { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757}, nego = 0
    [Aug 24 19:02:06]ike_delete_negotiation: Start, SA = { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757}, nego = 0
    [Aug 24 19:02:06]ike_free_negotiation_info: Start, nego = 0
    [Aug 24 19:02:06]ike_free_negotiation: Start, nego = 0
    [Aug 24 19:02:06]ike_remove_callback: Start, delete SA = { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757}, nego = -1
    [Aug 24 19:02:06]2.2.2.2:500 (Initiator) <-> 1.1.1.1:500 { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757 [-1] / 0x00000000 } Aggr; Connection got error = 14, calling callback
    [Aug 24 19:02:06]ikev2_fb_v1_encr_id_to_v2_id: Unknown IKE encryption identifier -1
    [Aug 24 19:02:06]ikev2_fb_v1_hash_id_to_v2_prf_id: Unknown IKE hash alg identifier -1
    [Aug 24 19:02:06]ikev2_fb_v1_hash_id_to_v2_integ_id: Unknown IKE hash alg identifier -1
    [Aug 24 19:02:06]IKE negotiation fail for local:2.2.2.2, remote:1.1.1.1 IKEv1 with status: No proposal chosen
    [Aug 24 19:02:06] IKEv1 Error : No proposal chosen
    [Aug 24 19:02:06]IPSec Rekey for SPI 0x0 failed
    [Aug 24 19:02:06]IPSec SA done callback called for sa-cfg vnukovo-vpn local:2.2.2.2, remote:1.1.1.1 IKEv1 with status No proposal chosen
    [Aug 24 19:02:06]ike_delete_negotiation: Start, SA = { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757}, nego = -1
    [Aug 24 19:02:06]ssh_ike_tunnel_table_entry_delete: Deleting tunnel_id: 0 from IKE tunnel table
    [Aug 24 19:02:06]ssh_ike_tunnel_table_entry_delete: The tunnel id: 0 doesn't exist in IKE tunnel table
    [Aug 24 19:02:06]ike_sa_delete: Start, SA = { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757 }
    [Aug 24 19:02:06]ike_free_negotiation_isakmp: Start, nego = -1
    [Aug 24 19:02:06]ike_free_negotiation: Start, nego = -1
    [Aug 24 19:02:06]IKE SA delete called for p1 sa 7930823 (ref cnt 1) local:2.2.2.2, remote:1.1.1.1, IKEv1
    [Aug 24 19:02:06]iked_pm_p1_sa_destroy: p1 sa 7930823 (ref cnt 0), waiting_for_del 0x0
    [Aug 24 19:02:06]ike_free_id_payload: Start, id type = 1
    [Aug 24 19:02:06]ike_free_sa: Start
    [Aug 24 19:02:06]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)


  • 2.  RE: No proposal chosen
    Best Answer

    Posted 08-24-2016 16:31

    You will need to configure the parameter local-identity user-at-hostname in the gateway configuration on the dynamic-address side.

    And the matching dynamic user-at-hostname value on the fixed-IP-address side.

    Full instructions:

    https://www.juniper.net/techpubs/en_US/junos12.1x47/topics/example/ipsec-vpn-ike2-nat-t-configuring.html



  • 3.  RE: No proposal chosen

    Posted 08-25-2016 00:09

    thanks a lot for your help

    I changed the things you mentioned, but the result is as follows:

    [Aug 25 10:53:26]ikev2_packet_allocate: Allocated packet d88800 from freelist
    [Aug 25 10:53:56]P1 SA 4357381 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x0.
    [Aug 25 10:53:56]IKE SA delete called for p1 sa 4357381 (ref cnt 3) local:2.2.2.2, remote:1.1.1.1, IKEv2
    [Aug 25 10:53:56]P1 SA 4357381 reference count is not zero (1). Delaying deletion of SA
    [Aug 25 10:53:56]iked_pm_p1_sa_destroy: p1 sa 4357381 (ref cnt 0), waiting_for_del 0xd6ad00
    [Aug 25 10:53:56]iked_pm_ike_sa_delete_done_cb: For null p1 sa, status: Error ok
    [Aug 25 10:53:56]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
    [Aug 25 10:54:26]ikev2_packet_allocate: Allocated packet d9dc00 from freelist

    Here is the output I get for the flow session:

    root@sipsrx.ykt# run show security flow session
    Session ID: 1, Policy name: N/A, Timeout: N/A, Valid
    In: 1.1.1.1/0 --> 2.2.2.2/0;esp, If: fe-0/0/7.0, Pkts: 0, Bytes: 0

    Session ID: 2, Policy name: N/A, Timeout: N/A, Valid
    In: 1.1.1.1/0 --> 2.2.2.2/0;esp, If: fe-0/0/7.0, Pkts: 0, Bytes: 0

    Session ID: 1912, Policy name: self-traffic-policy/1, Timeout: 24, Valid
    In: 2.2.2.2/500 --> 1.1.1.1/500;udp, If: .local..0, Pkts: 1731, Bytes: 643932
    Out: 1.1.1.1/500 --> 2.2.2.2/500;udp, If: fe-0/0/7.0, Pkts: 0, Bytes: 0

    I tend to think the problem is actually on the edge router between my SRX devices.

    It's Windows Kerio.

    It has IPsec, UDP 500 and UDP 4500 mappings from its external interface to the external interface of the SRX100 (2.2.2.2).

    But as you can see in the flow session result, there is port 500, so NAT-T is not implemented?

    Do I have to set up this Kerio NAT some way for my SRX100?



  • 4.  RE: No proposal chosen

    Posted 08-25-2016 02:27

    Thanks a lot!

    The problem is solved.

    I did it as written in the article linked above.

    Only one change: IKE version v2-only to version v1-only.
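    Putting the fix from the best answer (post 2) together with the IKE version that finally worked (post 4), here is an added example of how the two gateways have to line up. It is not the original poster's configuration and not a Juniper example: the identity string, the pre-shared key placeholder and the interface names are assumptions, and the policy and gateway names simply reuse the thread's. Comments are Junos `/* */` annotations.

```junos
/* Fixed-address side (the SRX210 at 1.1.1.1). The peer's address changes,
   so the peer is matched by its identity, not by IP. An IKEv1 pre-shared-key
   gateway with a dynamic peer has to use aggressive mode. */
security {
    ike {
        policy ike-pol-sip {
            mode aggressive;
            proposal-set standard;
            pre-shared-key ascii-text "PLACEHOLDER-PSK"; /* same value on both sides */
        }
        gateway SIP {
            ike-policy ike-pol-sip;
            /* must equal the local-identity the dynamic side sends (assumed value) */
            dynamic user-at-hostname "sipsrx@example.invalid";
            external-interface fe-0/0/7.0;
            version v1-only;
        }
    }
}

/* Dynamic-address side (the SRX100 behind the NAT router, 2.2.2.2). It
   initiates, and identifies itself with the user-at-hostname value instead
   of a source address that NAT may rewrite. */
security {
    ike {
        policy ike-pol-vnk {
            mode aggressive;
            proposal-set standard;
            pre-shared-key ascii-text "PLACEHOLDER-PSK";
        }
        gateway office {
            ike-policy ike-pol-vnk;
            address 1.1.1.1;
            /* assumed value; must match the responder's dynamic user-at-hostname */
            local-identity user-at-hostname "sipsrx@example.invalid";
            external-interface fe-0/0/7.0;
            version v1-only;
        }
    }
}
```

    After committing on both sides, `show security ike security-associations` should list the phase 1 SA as UP with the remote address and the identity above, and `show security ipsec security-associations` should then show the phase 2 SA bound to the st0 unit. NAT traversal is enabled by default on the SRX and is negotiated during phase 1, so an idle tunnel behind a NAT device can be kept alive with the gateway-level `nat-keepalive` option (in seconds) rather than by changing the port mapping.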



  • 5.  RE: No proposal chosen

    Posted 08-25-2016 03:12

    Thanks for the update. I'm surprised that ikev2 did not work but glad you have the connection up and running.