Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  Cisco ASA Headoffice to Juniper SRX100 Remote Office Site to Site VPN

    Posted 04-21-2015 08:39

    Having trouble getting a site-to-site VPN to work. It appears that IKE phase 1 is not coming up. Here is the error message that I harvested from the SRX. The IP address is sticky so it never changes on the SRX end, but it is supplied by DHCP; does this have to be static?


    root@CPARK> show log kmd-logs
    Apr 20 03:00:01 CPARK newsyslog[1652]: logfile turned over due to size>100K
    Apr 20 03:00:07  CPARK kmd[1371]: IKE Phase-1: (Responder) Policy lookup failed [local_ip=#### remote_ip=####]
    Apr 20 03:00:07  CPARK kmd[1371]: KMD_VPN_PV_PHASE1: IKE Phase-1 Failure: No proposal chosen [spi=(null), src_ip=####, dst_ip=####]
    Apr 20 03:00:07  CPARK kmd[1371]: IKE negotiation failed with error: No proposal chosen. IKE Version: 2, VPN: Not-Available Gateway: Not-Available, Local: ####/500, Remote: ####/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
    Apr 20 03:00:22  CPARK kmd[1371]: IKE Phase-1: (Responder) Policy lookup failed [local_ip=#### remote_ip=####]
    Apr 20 03:00:22  CPARK kmd[1371]: KMD_VPN_PV_PHASE1: IKE Phase-1 Failure: No proposal chosen [spi=(null), src_ip=####, dst_ip=####]
    Apr 20 03:00:22  CPARK kmd[1371]: IKE negotiation failed with error: No proposal chosen. IKE Version: 2, VPN: Not-Available Gateway: Not-Available, Local: ####/500, Remote: ####/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
    Apr 20 03:00:52  CPARK kmd[1371]: IKE Phase-1: (Responder) Policy lookup failed [local_ip=#### remote_ip=####]
    Apr 20 03:00:52  CPARK kmd[1371]: KMD_VPN_PV_PHASE1: IKE Phase-1 Failure: No proposal chosen [spi=(null), src_ip=####, dst_ip=####]




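A small parser for the kmd-logs lines in the post above, added here as an example and not part of the original thread: it splits each line into its syslog prefix and message, tags the two failure classes the SRX reports ("Policy lookup failed" and "No proposal chosen") and pulls out the negotiated IKE version. The sample lines are constructed from the post (its #### redactions kept), and the class keys and hints are this example's own names, not Junos names.

```python
import re
from collections import Counter

# Constructed sample modelled on the kmd-logs output in the post; the ####
# placeholders are the poster's own address redactions.
SAMPLE_KMD_LOG = """\
Apr 20 03:00:01 CPARK newsyslog[1652]: logfile turned over due to size>100K
Apr 20 03:00:07  CPARK kmd[1371]: IKE Phase-1: (Responder) Policy lookup failed [local_ip=#### remote_ip=####]
Apr 20 03:00:07  CPARK kmd[1371]: KMD_VPN_PV_PHASE1: IKE Phase-1 Failure: No proposal chosen [spi=(null), src_ip=####, dst_ip=####]
Apr 20 03:00:07  CPARK kmd[1371]: IKE negotiation failed with error: No proposal chosen. IKE Version: 2, VPN: Not-Available Gateway: Not-Available, Local: ####/500, Remote: ####/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
Apr 20 03:00:22  CPARK kmd[1371]: IKE Phase-1: (Responder) Policy lookup failed [local_ip=#### remote_ip=####]
"""

# syslog-style prefix: timestamp, host, process[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"(?P<proc>\w+)\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$")

# Substring that identifies a failure class, a short key for it, and a hint.
# Keys and hints are this example's own, not Junos names.
SIGNATURES = (
    ("Policy lookup failed", "policy_lookup_failed",
     "no IKE gateway on this SRX matched the peer address / IKE-ID"),
    ("No proposal chosen", "no_proposal_chosen",
     "IKE or IPsec proposal mismatch (encryption, hash, DH group, lifetime)"),
)

def parse_kmd_log(text):
    """Return one dict per kmd line: timestamp, failure class, IKE version, message."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("proc") != "kmd":
            continue  # newsyslog rotation notices and anything unparseable
        msg = m.group("msg")
        cls = next((key for sig, key, _ in SIGNATURES if sig in msg), None)
        ver = re.search(r"IKE Version: (\d)", msg)
        events.append({"ts": m.group("ts"), "class": cls,
                       "ike_version": int(ver.group(1)) if ver else None,
                       "msg": msg})
    return events

def summarize(events):
    """Count failures per class and list the IKE versions seen in the log."""
    counts = Counter(e["class"] for e in events if e["class"])
    versions = sorted({e["ike_version"] for e in events if e["ike_version"]})
    hints = {key: hint for _, key, hint in SIGNATURES if key in counts}
    return {"counts": dict(counts), "ike_versions": versions, "hints": hints}
```

Run `summarize(parse_kmd_log(SAMPLE_KMD_LOG))` to get the per-class counts; a "Policy lookup failed" count alongside "No proposal chosen" with IKE version 2 points at gateway matching or proposals before anything else.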
  • 2.  RE: Cisco ASA Headoffice to Juniper SRX100 Remote Office Site to Site VPN

    Posted 04-21-2015 09:19

    Hi aaron9615

    Since your external interface (fe-0/0/0) has a dynamic IP, we need to specify local-identity under [security ike gateway].

    The same should be mentioned as the remote identity on the Cisco.

    Hope this helps

     

    Thanks,
    Sam
    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too




  • 3.  RE: Cisco ASA Headoffice to Juniper SRX100 Remote Office Site to Site VPN

    Posted 04-21-2015 09:27

    I did check and I do have that set.



  • 4.  RE: Cisco ASA Headoffice to Juniper SRX100 Remote Office Site to Site VPN

    Posted 04-21-2015 10:01

    Hi,

    I do not see that configuration under your [security ike gateway]:

    gateway County {
        ike-policy ike-phase1-policy;
        address XXXX;
        external-interface fe-0/0/0.0;
    }

    Can you share the current configuration?



  • 5.  RE: Cisco ASA Headoffice to Juniper SRX100 Remote Office Site to Site VPN

    Posted 04-21-2015 10:49

    root@CPARK# show security ike gateway County
    ike-policy ike-phase1-policy;
    address remote IP;
    no-nat-traversal;
    external-interface fe-0/0/0.0;
    version v2-only;



  • 6.  RE: Cisco ASA Headoffice to Juniper SRX100 Remote Office Site to Site VPN

    Posted 04-21-2015 13:34

    Dear Aaron,

    I expect that you need to use the aggressive mode configuration.

    For the local device, whose IP address you know, use these commands:

    policy phase1policy {
        mode aggressive;
        proposal-set standard;
        /* abcd1234 is a placeholder key; use your own */
        pre-shared-key ascii-text abcd1234;
    }
    gateway phase1gw {
        ike-policy phase1policy;
        /* the peer has no fixed address, so match it by the hostname it presents */
        dynamic {
            hostname x;
        }
        external-interface fe-0/0/0.0;
    }

    On the remote device, whose IP address you don't know:

    policy phase1policy {
        mode aggressive;
        proposal-set standard;
        pre-shared-key ascii-text abcd1234;
    }
    gateway phase1gw {
        ike-policy phase1policy;
        address IPOfTheLocalDevice;
        /* the identity this side presents; must match the peer's dynamic hostname */
        local-identity {
            hostname x;
        }
        external-interface fe-0/0/0.0;
    }

    Summary:

    First device:

    aggressive

    dynamic hostname x

    Second device:

    aggressive

    local-identity hostname x

    I hope it is useful for you.

    I just wanted to share this with you.

    Best Regards



  • 7.  RE: Cisco ASA Headoffice to Juniper SRX100 Remote Office Site to Site VPN

    Posted 04-22-2015 06:59

    OK, I am a little farther now. If I run the command show security ike security-associations, I do see the cookie responses, and the state shows as up. My IPsec tunnels still show as inactive, SA not initiated. Any ideas?



  • 8.  RE: Cisco ASA Headoffice to Juniper SRX100 Remote Office Site to Site VPN
    Best Answer

    Posted 04-22-2015 07:44

    Hi,

    Can you please check whether the proxy IDs in the SRX IPsec configuration and the ACLs on the Cisco are matching.

    Also please check the IPsec configuration for any mismatch between the SRX and the Cisco.

    If you cannot find anything, please enable per-tunnel debugging using the KB below:

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB19943



  • 9.  RE: Cisco ASA Headoffice to Juniper SRX100 Remote Office Site to Site VPN

    Posted 04-23-2015 09:53

    It was an issue with an IPsec proposal mismatch, specifically the integrity hash.
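The proposal check suggested in post 8 and the mismatch found in post 9, as an added example that is not part of the thread: it normalises the algorithm keywords of an SRX "security ipsec proposal" and an ASA IKEv2 "crypto ipsec ikev2 ipsec-proposal" to one vocabulary and reports any parameter on which the two sides share no algorithm. The vendor-name mapping is an assumption drawn from the two CLIs, and both configs below are constructed for the example.

```python
import re

# Junos authentication/encryption-algorithm names and ASA IKEv2 ipsec-proposal
# keywords mapped to one vocabulary. Assumed from the two CLIs, not from the thread.
JUNOS_ALG = {"hmac-md5-96": "md5", "hmac-sha1-96": "sha1", "hmac-sha-256-128": "sha256",
             "3des-cbc": "3des", "aes-128-cbc": "aes128", "aes-192-cbc": "aes192",
             "aes-256-cbc": "aes256"}
ASA_ALG = {"md5": "md5", "sha-1": "sha1", "sha-256": "sha256",
           "3des": "3des", "aes": "aes128", "aes-192": "aes192", "aes-256": "aes256"}

def parse_junos_proposal(text):
    """{'encryption': {...}, 'integrity': {...}} from an SRX ipsec proposal stanza."""
    enc = re.findall(r"encryption-algorithm\s+(\S+);", text)
    auth = re.findall(r"authentication-algorithm\s+(\S+);", text)
    return {"encryption": {JUNOS_ALG.get(a, a) for a in enc},
            "integrity": {JUNOS_ALG.get(a, a) for a in auth}}

def parse_asa_proposal(text):
    """Same shape from an ASA IKEv2 ipsec-proposal; ASA may list several per line."""
    out = {"encryption": set(), "integrity": set()}
    for kind, algs in re.findall(r"protocol esp (encryption|integrity)\s+(.+)", text):
        out[kind].update(ASA_ALG.get(a, a) for a in algs.split())
    return out

def find_mismatches(srx, asa):
    """(parameter, srx_offers, asa_accepts) for each parameter with no common algorithm."""
    return [(k, sorted(srx[k]), sorted(asa[k]))
            for k in ("encryption", "integrity") if not srx[k] & asa[k]]

# Constructed configs: the SRX offers SHA-256 integrity but the ASA only accepts
# SHA-1, the kind of mismatch the SRX logs as "No proposal chosen".
SRX_PROPOSAL = """\
protocol esp;
authentication-algorithm hmac-sha-256-128;
encryption-algorithm aes-256-cbc;
"""
ASA_PROPOSAL = """\
crypto ipsec ikev2 ipsec-proposal TO-SRX
 protocol esp encryption aes-256
 protocol esp integrity sha-1
"""
```

`find_mismatches(parse_junos_proposal(SRX_PROPOSAL), parse_asa_proposal(ASA_PROPOSAL))` names the integrity hash as the only disagreement; the same check on the IKE proposals (plus DH group and lifetimes) covers the phase 1 side.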