SRX Services Gateway

IP Phone VPN at my wits end

01-06-2017 08:38 AM

Box is an SRX 320, v 15.1X49-D45

I'm at my wits' end. I've done this before with an SRX... But I can't seem to make it work on this box. It's an Avaya phone with a built-in IPsec VPN client trying to establish a tunnel to the SRX, with a policy-based VPN and local XAUTH. I get these common errors:


[Jan 7 00:28:18]ike_st_i_sa_proposal: Start
[Jan 7 00:28:18]iked_pm_ike_spd_select_ike_sa failed. rc 1, error_code: No proposal chosen
[Jan 7 00:28:18]ikev2_fb_spd_select_sa_cb: IKEv2 SA select failed with error No proposal chosen (neg 1157000)


I hope someone can look at this and tell me what I'm missing and hopefully it's something obvious.  This seems pretty simple, I don't know what I'm missing.  I've checked that the client side matches all parameters and the shared secret matches of course.


Accepted by topic author jayNEC
‎01-06-2017 01:08 PM

Re: IP Phone VPN at my wits end

01-06-2017 11:38 AM

Hi JayNEC,


Policy-based VPN was initially removed from the 15.1X49 software train but was reintroduced in 15.1X49-D50. VPN client support was also initially removed and then reintroduced in 15.1X49-D60.


If you look in the attached configuration you will also see the "unsupported platform" multiple times. In this case it's due to missing support for policy-based VPN.


So the first step would be to upgrade to at least 15.1X49-D60 and preferably 15.1X49-D70. Then try again.

Best regards,

Jonas Hauge Jensen
Systems Engineer, SEC Datacom A/S (Denmark)
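
A pre-flight check based on the reply above, added here as an example (it is not code from the thread or from Juniper): it compares a 15.1X49 release against the D50 and D60 thresholds the reply gives and lists the configuration stanzas that sit under an "unsupported platform" comment. The sample configuration, the stanza names and the exact wording of the warning comment are constructed assumptions.

```python
import re

# Minimum 15.1X49 D-releases, as stated in the reply above.
FEATURE_MIN_D = {"policy-based VPN": 50, "VPN client support": 60}

def missing_features(version):
    """Features the reply says are absent from this 15.1X49 release."""
    m = re.fullmatch(r"15\.1X49-D(\d+)(?:\.\d+)?", version.strip())
    if not m:
        raise ValueError("not a 15.1X49 release: %r" % version)
    d = int(m.group(1))
    return [name for name, need in FEATURE_MIN_D.items() if d < need]

def ignored_stanzas(config_text, marker="unsupported platform"):
    """Hierarchy paths of statements that follow a '##' marker comment."""
    path, hits, pending = [], [], False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("##"):
            pending = pending or marker in line
        elif line.endswith("{"):
            path.append(line[:-1].strip())
            if pending:
                hits.append(" ".join(path))
            pending = False
        elif line == "}" and path:
            path.pop()
        elif line:  # leaf statement such as "mode aggressive;"
            if pending:
                hits.append(" ".join(path + [line.rstrip(";")]))
            pending = False
    return hits

# Constructed sample; names and comment wording are assumptions.
SAMPLE = """\
security {
    ike {
        policy phone-ike {
            mode aggressive;
        }
        ## Warning: configuration block ignored: unsupported platform
        gateway phone-gw {
            xauth access-profile phones;
        }
    }
}
"""
if __name__ == "__main__":
    print(missing_features("15.1X49-D45"), ignored_stanzas(SAMPLE))
```

Any path this reports is a stanza the box is not applying, so a "No proposal chosen" on the IKE side is expected until the release supports it.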

Re: IP Phone VPN at my wits end

01-06-2017 01:03 PM

Oh. My. God. 



I didn't notice those blocks. 


Thank you.