SRX

  • 1.  Dynamic vpn srx240 : IKE negotiation failed with error: No proposal chosen.

    Posted 07-01-2018 03:30

    Hi

    I am configuring dynamic VPN on an srx240 chassis cluster (12.1X46-D76) with Pulse client 5.1.5, and if I try to connect I get this error.


    Jul  1 12:22:47  fwba01 kmd[2550]: KMD_VPN_PV_PHASE1: IKE Phase-1 Failure: No proposal chosen [spi=(null), src_ip=80.94.48.251, dst_ip=81.161.60.203]
    Jul  1 12:22:47  fwba01 kmd[2550]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: Not-Available Gateway: Not-Available, Local: 80.94.48.251/500, Remote: 81.161.60.203/56609, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
    

    I followed the Juniper documentation and I am not able to get it working. Could you please check the config and let me know if I am missing something? Thanks

    Here's my dynamic vpn config

    profile RA-VPN {
        client administrator {
            firewall-user {
                password "aaa"; ## SECRET-DATA
            }
        }
        client manager {
            firewall-user {
                password "aaa"; ## SECRET-DATA
            }
        }
        address-assignment {
            pool RA-VPN-POOL;
        }
    }
    address-assignment {
        pool RA-VPN-POOL {
            family inet {
                network 192.168.252.0/24;
                xauth-attributes {
                    primary-dns 192.168.200.65/32;
                    secondary-dns 192.168.200.66/32;
                }
            }
        }
    }
    firewall-authentication {
        web-authentication {
            default-profile RA-VPN;
        }
    }

    # run show configuration security ike
    policy ike-policy-ra {
        mode aggressive;
        description "BACKUP RA VPN";
        proposal-set standard;
        pre-shared-key ascii-text "aaa"; ## SECRET-DATA
    }
    gateway ike-gw-ra {
        ike-policy ike-policy-ra;
        dynamic {
            hostname dynvpn;
            connections-limit 2;
            ike-user-type shared-ike-id;
        }
        external-interface reth1;
        xauth access-profile RA-VPN;
    }

    # run show configuration security ipsec
    policy ipsec-policy-ra {
        perfect-forward-secrecy {
            keys group2;
        }
        proposal-set standard;
    }
    vpn ipsec-vpn-ra {
        ike {
            gateway ike-gw-ra;
            idle-time 300;
            ipsec-policy ipsec-policy-ra;
        }
        establish-tunnels immediately;
    }

    # run show configuration security dynamic-vpn
    force-upgrade;
    access-profile RA-VPN;
    clients {
        service {
            remote-protected-resources {
                10.1.0.0/16;
                192.168.0.0/23;
            }
            remote-exceptions {
                0.0.0.0/0;
            }
            ipsec-vpn ipsec-vpn-ra;
            user {
                manager;
            }
        }
    }

    # run show configuration security policies from-zone internet to-zone LAN
    policy allow-tunnel {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn ipsec-vpn-ra;
                }
            }
        }
    }

    # run show configuration security zones security-zone internet
    screen untrust-screen;
    interfaces {
        reth1.0 {
            host-inbound-traffic {
                system-services {
                    ping;
                    ike;
                    ssh;
                    https;
                }
                protocols {
                    all;
                }
            }
        }
    }




  • 2.  RE: Dynamic vpn srx240 : IKE negotiation failed with error: No proposal chosen.

    Posted 07-01-2018 03:43

    No proposal chosen usually means a mismatch in the IKE crypto settings. I see in this KB that for the Pulse client you should create a custom proposal instead of the standard one you have.

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB22980


    security {
        ike {
            proposal ike-prop1 {
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm md5;
                encryption-algorithm des-cbc;
                lifetime-seconds 86400;
            }
            ## Remember to set the mode to aggressive, else "IKE negotiations fail"
            policy ike-dyn-vpn-policy {
                mode aggressive; 
                proposals ike-prop1;
                pre-shared-key ascii-text "asdasdxyzxyz##$$%%^"; ## SECRET-DATA
            }
        }
    }




  • 3.  RE: Dynamic vpn srx240 : IKE negotiation failed with error: No proposal chosen.

    Posted 07-01-2018 03:57

    Thanks, I changed the proposal:


    proposal ra-vpn-proposal {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm md5;
        encryption-algorithm des-cbc;
        lifetime-seconds 86400;
    }
    
    policy ike-policy-ra {
        mode aggressive;
        description "BACKUP RA VPN";
        proposals ra-vpn-proposal;
        pre-shared-key ascii-text "aaa"; ## SECRET-DATA
    }
    
    but I get the same error.


  • 4.  RE: Dynamic vpn srx240 : IKE negotiation failed with error: No proposal chosen.

    Posted 07-02-2018 02:55

    The only other difference I see from the reference is this one: in ike you have shared instead of group.

    ike-user-type group-ike-id;

    Have you run traceoptions for more detailed messages?

    set security ike traceoptions flag all
    set security ike traceoptions file ike-trace




  • 5.  RE: Dynamic vpn srx240 : IKE negotiation failed with error: No proposal chosen.

    Posted 07-02-2018 06:07

    Hello,

    Below is the working SRX IPsec VPN configuration for Pulse, for your reference:

    access {
        profile pulse-vpn-access-profile {
            authentication-order password;
            client client01 {
                firewall-user {
                    password "hashed-password"; 
                }
            }
            client client02 {
                firewall-user {
                    password "hashed-password";
                }
            }
            address-assignment {
                pool pulse-vpn-address-pool;
            }
        }
        address-assignment {
            pool pulse-vpn-address-pool {
                family inet {
                    network 10.11.12.0/24;
                    xauth-attributes {
                        primary-dns 8.8.4.4/32;
                    }
                }
            }
        }
        firewall-authentication {
            web-authentication {
                default-profile pulse-vpn-access-profile;
            }
        }
    }
    security {
        ike {
            policy ike-pulse-vpn-policy {
                mode aggressive;
                proposal-set standard;
                pre-shared-key ascii-text "$9$AvfvuBRreW-VYhSVYgojiAp0"; ## SECRET-DATA
            }
            gateway pulse-vpn-local-gw {
                ike-policy ike-pulse-vpn-policy;
                dynamic {
                    hostname dynvpn;
                    connections-limit 5;
                    ike-user-type group-ike-id;
                }
                external-interface ge-0/0/5.0;
                xauth access-profile pulse-vpn-access-profile;
                version v1-only;
            }
        }
        ipsec {
            policy ipsec-pulse-vpn-policy {
                proposal-set standard;
            }
            vpn pulse-vpn {
                ike {
                    gateway pulse-vpn-local-gw;
                    ipsec-policy ipsec-pulse-vpn-policy;
                }
            }
        }
        dynamic-vpn {
            access-profile pulse-vpn-access-profile;
            clients {
                all {
                    remote-protected-resources {
                        192.168.1.0/24;
                    }
                    remote-exceptions {
                        0.0.0.0/0;
                    }
                    ipsec-vpn pulse-vpn;
                    user {
                        client01;
                        client02;
                    }
                }
            }
        }
    }

    BTW, the IKE preshared secret for Pulse is Juniper (with capital J) and cannot be changed.

    HTH

    Thx

    Alex



  • 6.  RE: Dynamic vpn srx240 : IKE negotiation failed with error: No proposal chosen.

    Posted 07-05-2018 13:43

    Thanks

    Hi, I have configured dynamic VPN following your config, but I still get the "No proposal chosen" error. I've enabled trace.


    [Jul  5 22:39:27]80.94.48.252:500 (Responder) <-> 81.161.60.203:55869 { 95afc084 d5348ec1 - 6533fd82 202b6cf7 [-1] / 0x00000000 } Aggr; Error = No proposal chosen (14)
    [Jul  5 22:39:27]ike_alloc_negotiation: Start, SA = { 95afc084 d5348ec1 - 6533fd82 202b6cf7}
    [Jul  5 22:39:27]ike_encode_packet: Start, SA = { 0x95afc084 d5348ec1 - 6533fd82 202b6cf7 } / 268bad45, nego = 0
    [Jul  5 22:39:27]ike_send_packet: Start, send SA = { 95afc084 d5348ec1 - 6533fd82 202b6cf7}, nego = 0, local ip= 80.94.48.252, dst = 81.161.60.203:55869,  routing table id = 0
    [Jul  5 22:39:27]ike_delete_negotiation: Start, SA = { 95afc084 d5348ec1 - 6533fd82 202b6cf7}, nego = 0
    [Jul  5 22:39:27]ike_free_negotiation_info: Start, nego = 0
    [Jul  5 22:39:27]ike_free_negotiation: Start, nego = 0
    [Jul  5 22:39:27]IKE negotiation fail for local:80.94.48.252, remote:81.161.60.203 IKEv1 with status: No proposal chosen
    [Jul  5 22:39:27]  IKEv1 Error : No proposal chosen
    [Jul  5 22:39:27]ikev2_packet_allocate: Allocated packet e4fc00 from freelist
    [Jul  5 22:39:27]ike_sa_find: Found SA = { 95afc084 d5348ec1 - 6533fd82 202b6cf7 }
    [Jul  5 22:39:27]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
    [Jul  5 22:39:27]ike_get_sa: Start, SA = { 95afc084 d5348ec1 - 6533fd82 202b6cf7 } / 6e8208ed, remote = 81.161.60.203:55869
    [Jul  5 22:39:27]ike_sa_find: Found SA = { 95afc084 d5348ec1 - 6533fd82 202b6cf7 }
    [Jul  5 22:39:27]ike_alloc_negotiation: Start, SA = { 95afc084 d5348ec1 - 6533fd82 202b6cf7}
    [Jul  5 22:39:27]ike_decode_packet: Start
    [Jul  5 22:39:27]ike_decode_packet: Start, SA = { 95afc084 d5348ec1 - 6533fd82 202b6cf7} / 6e8208ed, nego = 0
    [Jul  5 22:39:27]ike_st_i_n: Start, doi = 1, protocol = 1, code = No proposal chosen (14), spi[0..0] = 00000000 00000000 ..., data[0..0] = 00000000 00000000 ...
    [Jul  5 22:39:27]<none>:500 (Responder) <-> 81.161.60.203:55869 { 95afc084 d5348ec1 - 6533fd82 202b6cf7 [0] / 0x6e8208ed } Info; Received notify err = No proposal chosen (14) to isakmp sa, delete it
    [Jul  5 22:39:27]ike_st_i_private: Start
    [Jul  5 22:39:27]ike_send_notify: Connected, SA = { 95afc084 d5348ec1 - 6533fd82 202b6cf7}, nego = 0
    [Jul  5 22:39:27]ike_delete_negotiation: Start, SA = { 95afc084 d5348ec1 - 6533fd82 202b6cf7}, nego = 0
    [Jul  5 22:39:27]ike_free_negotiation_info: Start, nego = 0
    [Jul  5 22:39:27]ike_free_negotiation: Start, nego = 0
    [Jul  5 22:39:27]ike_remove_callback: Start, delete SA = { 95afc084 d5348ec1 - 6533fd82 202b6cf7}, nego = -1
    [Jul  5 22:39:27]ike_delete_negotiation: Start, SA = { 95afc084 d5348ec1 - 6533fd82 202b6cf7}, nego = -1
    [Jul  5 22:39:27]ssh_ike_tunnel_table_entry_delete: Deleting tunnel_id: 0 from IKE tunnel table
    [Jul  5 22:39:27]ssh_ike_tunnel_table_entry_delete: The tunnel id: 0 doesn't exist in IKE tunnel table
    [Jul  5 22:39:27]ike_sa_delete: Start, SA = { 95afc084 d5348ec1 - 6533fd82 202b6cf7 }
    [Jul  5 22:39:27]ike_free_negotiation_isakmp: Start, nego = -1
    [Jul  5 22:39:27]ike_free_negotiation: Start, nego = -1
    [Jul  5 22:39:27]IKE SA delete called for p1 sa 1414753 (ref cnt 1) local:<none>, remote:81.161.60.203, IKEv1
    [Jul  5 22:39:27]iked_pm_p1_sa_destroy:  p1 sa 1414753 (ref cnt 0), waiting_for_del 0x0
    [Jul  5 22:39:27]ike_free_id_payload: Start, id type = 2
    [Jul  5 22:39:27]ike_free_sa: Start



  • 7.  RE: Dynamic vpn srx240 : IKE negotiation failed with error: No proposal chosen.

    Posted 07-06-2018 03:30

    Looking over the KB sample configuration again.

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB22980

    Can you confirm that HTTPS for management is enabled under system services?

    Also, that the interface assignment matches the public address you are connecting to.




  • 8.  RE: Dynamic vpn srx240 : IKE negotiation failed with error: No proposal chosen.

    Posted 07-06-2018 08:38
    Yes, I can confirm:

    > show configuration system services 
    ssh;
    web-management {
        https {
            system-generated-certificate;
        }
    }
    
    interfaces {
        reth1.0 {
            host-inbound-traffic {
                system-services {
                    ping;
                    ike;
                    ssh;
                    https;
                }
                protocols {
                    all;
                }
            }
        }
    }
    
    > show configuration interfaces reth1            
    description "LINK to INET";
    redundant-ether-options {
        redundancy-group 1;
    }
    unit 0 {
        family inet {
            filter {
                input from_internet;
            }
            sampling {
                input;
                output;
            }
            address 80.94.48.251/29;
        }
    }
    
    The firewall filter is to filter some traffic from the internet; I've also tried with it inactive. Thanks


  • 9.  RE: Dynamic vpn srx240 : IKE negotiation failed with error: No proposal chosen.

    Posted 07-07-2018 03:03

    Why do the logs show the response to the VPN request coming from 80.94.48.252 while the interface is set up at 80.94.48.251?

    [Jul  5 22:39:27]80.94.48.252:500 (Responder) <-> 81.161.60.203:55869 { 95afc084 d5348ec1 - 6533fd82 202b6cf7 [-1] / 0x00000000 } Aggr; Error = No proposal chosen (14)


    address 80.94.48.251/29;
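As an added triage helper (example code written for this page, not code from the thread, from Juniper, or from any KB), the script below parses the kmd syslog lines from the first post and the traceoptions summary line from post 6, pulls out the local and remote addresses and the failure reason, and then checks each local address against the reth1 address from post 8, which is exactly the comparison post 9 raises. The log formats are matched as they appear in this thread; the sample lines are copied from it and labelled as constructed input, and the assumption that src_ip in the KMD_VPN_PV_PHASE1 message is the SRX's own address (as it is in the posted line) is mine.

```python
import ipaddress
import re

# Constructed sample input: log excerpts as posted in this thread (the addresses
# and hostname are the ones shown there, used only as parser input).
SYSLOG_LINES = [
    "Jul  1 12:22:47  fwba01 kmd[2550]: KMD_VPN_PV_PHASE1: IKE Phase-1 Failure: "
    "No proposal chosen [spi=(null), src_ip=80.94.48.251, dst_ip=81.161.60.203]",
    "Jul  1 12:22:47  fwba01 kmd[2550]: IKE negotiation failed with error: No proposal chosen. "
    "IKE Version: 1, VPN: Not-Available Gateway: Not-Available, Local: 80.94.48.251/500, "
    "Remote: 81.161.60.203/56609, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0",
]
TRACE_LINES = [
    "[Jul  5 22:39:27]80.94.48.252:500 (Responder) <-> 81.161.60.203:55869 "
    "{ 95afc084 d5348ec1 - 6533fd82 202b6cf7 [-1] / 0x00000000 } Aggr; Error = No proposal chosen (14)",
    "[Jul  5 22:39:27]ike_alloc_negotiation: Start, SA = { 95afc084 d5348ec1 - 6533fd82 202b6cf7}",
    "[Jul  5 22:39:27]<none>:500 (Responder) <-> 81.161.60.203:55869 "
    "{ 95afc084 d5348ec1 - 6533fd82 202b6cf7 [0] / 0x6e8208ed } Info; Received notify err = "
    "No proposal chosen (14) to isakmp sa, delete it",
]
# Constructed excerpt of the "show configuration interfaces reth1" output from post 8.
RETH1_CONFIG = """
unit 0 {
    family inet {
        address 80.94.48.251/29;
    }
}
"""

# KMD_VPN_PV_PHASE1: on the responder, src_ip is the SRX's own address (assumption).
PHASE1_RE = re.compile(
    r"KMD_VPN_PV_PHASE1: IKE Phase-1 Failure: (?P<error>.+?) "
    r"\[spi=(?P<spi>[^,]*), src_ip=(?P<local>[\d.]+), dst_ip=(?P<remote>[\d.]+)\]"
)
# "IKE negotiation failed with error" summary line with explicit Local/Remote fields.
NEGOTIATION_RE = re.compile(
    r"IKE negotiation failed with error: (?P<error>.+?)\. IKE Version: (?P<version>\d+),"
    r".*?Local: (?P<local>[\d.]+)/(?P<lport>\d+), Remote: (?P<remote>[\d.]+)/(?P<rport>\d+)"
)
# traceoptions summary line of the form "[ts]local:port (Role) <-> remote:port { SA } Mode; Error = ... (code)".
TRACE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\](?P<local>[\d.]+|<none>):(?P<lport>\d+) \((?P<role>\w+)\) <-> "
    r"(?P<remote>[\d.]+):(?P<rport>\d+) \{[^}]*\} (?P<mode>\w+); Error = (?P<error>.+?) \((?P<code>\d+)\)$"
)
ADDRESS_RE = re.compile(r"\baddress (?P<cidr>[\d.]+/\d+);")


def parse_ike_failures(lines):
    """Return one dict per IKE failure found in kmd syslog or ike traceoptions lines."""
    events = []
    for line in lines:
        m = PHASE1_RE.search(line)
        if m:
            events.append({"source": "kmd phase1", "local": m["local"], "remote": m["remote"],
                           "error": m["error"], "detail": f"spi={m['spi']}"})
            continue
        m = NEGOTIATION_RE.search(line)
        if m:
            events.append({"source": "kmd negotiation", "local": m["local"], "remote": m["remote"],
                           "error": m["error"], "detail": f"ikev{m['version']} remote port {m['rport']}"})
            continue
        m = TRACE_RE.match(line)
        if m:
            events.append({"source": "ike trace", "local": m["local"], "remote": m["remote"],
                           "error": m["error"], "detail": f"{m['role']} {m['mode']} code {m['code']}"})
    return events


def interface_address(config_text):
    """First 'address a.b.c.d/len;' statement in a Junos interface config excerpt, or None."""
    m = ADDRESS_RE.search(config_text)
    return m["cidr"] if m else None


def check_local_address(events, interface_cidr):
    """Compare each event's local address with the configured external interface address."""
    iface = ipaddress.ip_interface(interface_cidr)
    findings = []
    for ev in events:
        if ev["local"] == "<none>":
            verdict = "no local address recorded"
        else:
            addr = ipaddress.ip_address(ev["local"])
            if addr == iface.ip:
                verdict = "matches the configured interface address"
            elif addr in iface.network:
                verdict = "in the interface subnet but not the configured address"
            else:
                verdict = "outside the interface subnet"
        findings.append((ev["source"], ev["local"], verdict))
    return findings


if __name__ == "__main__":
    evs = parse_ike_failures(SYSLOG_LINES + TRACE_LINES)
    for ev in evs:
        print(f"{ev['source']:16} {ev['local']:>14} -> {ev['remote']:<14} {ev['error']} ({ev['detail']})")
    for src, local, verdict in check_local_address(evs, interface_address(RETH1_CONFIG)):
        print(f"{src:16} local {local}: {verdict}")
```

Run against the posted lines, the two kmd messages report the configured address 80.94.48.251, while the traceoptions line reports 80.94.48.252, which lands in the same /29 but is not the address configured on reth1.0; that is the discrepancy post 9 points at, and the same check can be rerun on fresh trace output after any change.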