SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  IP Phone VPN at my wits end

    Posted 01-06-2017 08:39

    Box is an SRX 320, v 15.1X49-D45

    I'm at my wits' end. I've done this before with an SRX... But I can't seem to make it work on this box. It's an Avaya phone with an IPsec VPN client built in, trying to establish a tunnel to the SRX, a policy-based VPN and local XAUTH. I get these common errors:

     

    [Jan 7 00:28:18]ike_st_i_sa_proposal: Start
    [Jan 7 00:28:18]iked_pm_ike_spd_select_ike_sa failed. rc 1, error_code: No proposal chosen
    [Jan 7 00:28:18]ikev2_fb_spd_select_sa_cb: IKEv2 SA select failed with error No proposal chosen (neg 1157000)

     

    I hope someone can look at this and tell me what I'm missing and hopefully it's something obvious.  This seems pretty simple, I don't know what I'm missing.  I've checked that the client side matches all parameters and the shared secret matches of course.

    Attachment: SRX320config.txt (25 KB)


  • 2.  RE: IP Phone VPN at my wits end
    Best Answer

    Posted 01-06-2017 11:38

    Hi JayNEC,

     

    Policy-based VPN was initially removed from the 15.1X49 software train but was reintroduced in 15.1X49-D50. VPN client support was also initially removed and then reintroduced in 15.1X49-D60.

     

    If you look in the attached configuration you will also see "unsupported platform" multiple times. In this case it's due to missing support for policy-based VPN.

     

    So the first step would be to upgrade to at least 15.1X49-D60 and preferably 15.1X49-D70. Then try again.


    #policy-based
    #vpn
    #srx300


  • 3.  RE: IP Phone VPN at my wits end

    Posted 01-06-2017 13:04

    Oh. My. God. 

     

     

    I didn't notice those blocks. 

     

    Thank you.
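
The two checks from the accepted answer (release level within the 15.1X49 train, and "unsupported platform" markers in the saved configuration) can be scripted before debugging IKE proposals. This is an added example, not part of the original thread or Juniper tooling; the sample configuration, its warning-line wording beyond the phrase "unsupported platform", and all function names are constructed for illustration.

```python
import re

# Minimum 15.1X49 D-releases, taken from the accepted answer in this thread.
MIN_D_RELEASE = {"policy-based VPN": 50, "VPN client support": 60}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)X(\d+)-D(\d+)")

def missing_features(version):
    """Features a 15.1X49 release lacks; None for trains the thread does not cover."""
    m = VERSION_RE.match(version.strip())
    if not m or m.group(1, 2, 3) != ("15", "1", "49"):
        return None
    d_release = int(m.group(4))
    return sorted(f for f, need in MIN_D_RELEASE.items() if d_release < need)

def ignored_blocks(config_text):
    """(line number, statement) for each statement flagged 'unsupported platform'."""
    hits, pending = [], False
    for number, line in enumerate(config_text.splitlines(), 1):
        stripped = line.strip()
        if "unsupported platform" in stripped:
            pending = True          # the flagged statement follows the comment
        elif pending and stripped and not stripped.startswith("#"):
            hits.append((number, stripped))
            pending = False
    return hits

# Constructed sample, not the poster's attachment.
SAMPLE_CONFIG = """\
security {
    ike {
        ##
        ## Warning: configuration block ignored: unsupported platform
        ##
        gateway phone-gw {
            xauth access-profile phones;
        }
    }
}
"""

if __name__ == "__main__":
    print("15.1X49-D45 lacks:", missing_features("15.1X49-D45"))
    for number, statement in ignored_blocks(SAMPLE_CONFIG):
        print(f"line {number}: ignored on this platform/release: {statement}")
```

Any hit from `ignored_blocks` means that part of the configuration is not in effect, so a "No proposal chosen" error may come from a proposal or gateway the device never loaded rather than from a parameter mismatch.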