SRX Services Gateway

IPSec VPN between SRX (hub) and Cisco (spoke) aggressive mode with NAT

[ Edited ]
‎11-18-2017 08:43 AM

Hi all,

We need to set up an IPsec VPN between a Juniper SRX1500 (hub) and a Cisco device (spoke) using Aggressive mode, with the Cisco behind a modem router as in the attached image (the results below are from a test with a vSRX and a Cisco C2600). But Phase 1 can't come up; troubleshooting with show logs on the 2 devices, I see:


SRX1500:

root@SRX.JUNIPER.NET# run show log kmd-logs | last
Nov 18 16:03:40 SRX.JUNIPER.NET kmd[1196]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: Not-Available Gateway: Not-Available, Local: 200.200.12.1/500, Remote: 200.200.12.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
Nov 18 16:04:10 SRX.JUNIPER.NET kmd[1196]: IKE Phase-1: (Responder) Policy lookup failed [local_ip=200.200.12.1 remote_ip=200.200.12.2]
Nov 18 16:04:10 SRX.JUNIPER.NET kmd[1196]: KMD_VPN_PV_PHASE1: IKE Phase-1 Failure: No proposal chosen [spi=(null), src_ip=200.200.12.1, dst_ip=200.200.12.2]
Nov 18 16:04:10 SRX.JUNIPER.NET kmd[1196]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: Not-Available Gateway: Not-Available, Local: 200.200.12.1/500, Remote: 200.200.12.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
Nov 18 16:05:41 SRX.JUNIPER.NET kmd[1196]: IKE Phase-1: (Responder) Policy lookup failed [local_ip=200.200.12.1 remote_ip=200.200.12.2]
Nov 18 16:05:41 SRX.JUNIPER.NET kmd[1196]: KMD_VPN_PV_PHASE1: IKE Phase-1 Failure: No proposal chosen [spi=(null), src_ip=200.200.12.1, dst_ip=200.200.12.2]
Nov 18 16:05:41 SRX.JUNIPER.NET kmd[1196]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: Not-Available Gateway: Not-Available, Local: 200.200.12.1/500, Remote: 200.200.12.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
Nov 18 16:06:11 SRX.JUNIPER.NET kmd[1196]: IKE Phase-1: (Responder) Policy lookup failed [local_ip=200.200.12.1 remote_ip=200.200.12.2]
Nov 18 16:06:11 SRX.JUNIPER.NET kmd[1196]: KMD_VPN_PV_PHASE1: IKE Phase-1 Failure: No proposal chosen [spi=(null), src_ip=200.200.12.1, dst_ip=200.200.12.2]
Nov 18 16:06:11 SRX.JUNIPER.NET kmd[1196]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: Not-Available Gateway: Not-Available, Local: 200.200.12.1/500, Remote: 200.200.12.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0

Cisco:

IOS.CISCO.COM#debug crypto isakmp
*Mar 1 04:06:00.849: ISAKMP: received ke message (1/1)
*Mar 1 04:06:00.849: ISAKMP:(0:0:N/A:0): SA request profile is JUNIPER_IKE_PROF
*Mar 1 04:06:00.849: ISAKMP: Created a peer struct for 200.200.12.1, peer port 500
*Mar 1 04:06:00.849: ISAKMP: New peer created peer = 0x82E211FC peer_handle = 0x80000081
*Mar 1 04:06:00.853: ISAKMP: Locking peer struct 0x82E211FC, IKE refcount 1 for isakmp_initiator
*Mar 1 04:06:00.853: ISAKMP: local port 500, remote port 500
*Mar 1 04:06:00.853: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 04:06:00.853: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 88417D18
*Mar 1 04:06:00.857: ISAKMP:(0:0:N/A:0):Found HOST key in keyring default
*Mar 1 04:06:00.857: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
*Mar 1 04:06:00.857: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
*Mar 1 04:06:00.861: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
*Mar 1 04:06:00.885: ISAKMP:(0:118:SW:1):SA is doing pre-shared key authentication using id type ID_FQDN
*Mar 1 04:06:00.885: ISAKMP (0:134217846): ID payload
next-payload : 13
type : 2
FQDN name : IOS.CISCO.COM
protocol : 17
port : 0
length : 21
*Mar 1 04:06:00.889: ISAKMP:(0:118:SW:1):Total payload length: 21
*Mar 1 04:06:00.889: ISAKMP:(0:118:SW:1):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
*Mar 1 04:06:00.889: ISAKMP:(0:118:SW:1):Old State = IKE_READY New State = IKE_I_AM1

*Mar 1 04:06:00.893: ISAKMP:(0:118:SW:1): beginning Aggressive Mode exchange
*Mar 1 04:06:00.893: ISAKMP:(0:118:SW:1): sending packet to 200.200.12.1 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Mar 1 04:06:00.893: ISAKMP:(0:117:SW:1):purging SA., sa=88417604, delme=88417604
*Mar 1 04:06:01.037: ISAKMP (0:134217846): received packet from 200.200.12.1 dport 500 sport 500 Global (I) AG_INIT_EXCH
*Mar 1 04:06:01.037: ISAKMP:(0:118:SW:1):Couldn't find node: message_id -1546417211
*Mar 1 04:06:01.037: ISAKMP (0:134217846): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_AM1

*Mar 1 04:06:01.041: ISAKMP:(0:118:SW:1):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar 1 04:06:01.041: ISAKMP:(0:118:SW:1):Old State = IKE_I_AM1 New State = IKE_I_AM1

*Mar 1 04:06:01.041: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 200.200.12.1
IOS.CISCO.COM#debug crypto isakmp
IOS.CISCO.COM#debug crypto isakmp
*Mar 1 04:06:10.893: ISAKMP:(0:118:SW:1): retransmitting phase 1 AG_INIT_EXCH...
*Mar 1 04:06:10.893: ISAKMP (0:134217846): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar 1 04:06:10.893: ISAKMP:(0:118:SW:1): retransmitting phase 1 AG_INIT_EXCH
*Mar 1 04:06:10.893: ISAKMP:(0:118:SW:1): sending packet to 200.200.12.1 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Mar 1 04:06:11.142: ISAKMP (0:134217846): received packet from 200.200.12.1 dport 500 sport 500 Global (I) AG_INIT_EXCH
*Mar 1 04:06:11.146: ISAKMP:(0:118:SW:1): phase 1 packet is a duplicte of a previous packet.


With the Wireshark tool, I see the Cisco device sends message 1 to initiate the session and the SRX sends message 2 back, but the Cisco didn't send message 3 to complete Phase 1. Attached are the configs of the 2 sites, the Wireshark image and the topology image. Please help me troubleshoot this case. I tried and will try more times.


Thanks Kudo team,


Re: IPSec VPN between SRX (hub) and Cisco (spoke) aggressive mode with NAT

‎11-19-2017 04:46 AM

Nov 18 16:03:40 SRX.JUNIPER.NET kmd[1196]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: Not-Available Gateway: Not-Available, Local: 200.200.12.1/500, Remote: 200.200.12.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0


This message indicates the IKE proposals are not matching between the SRX and ASA.  Since this is an aggressive VPN I suspect your local and remote id on both sides are not matching.  What configuration do you have for local-identity and remote-identity on the SRX?


Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
Solution
Accepted by topic author thinhnd

Re: IPSec VPN between SRX (hub) and Cisco (spoke) aggressive mode with NAT

[ Edited ]
‎11-19-2017 08:41 AM

Thanks spuluka for your feedback,

On the SRX, I defined the ID as below:

set security ike gateway CISCO_IKE_GW ike-policy CISCO_IKE_POLICY
set security ike gateway CISCO_IKE_GW dynamic hostname IOS.CISCO.COM

On the Cisco device:

hostname IOS.CISCO.COM
ip host SRX.JUNIPER.NET 200.200.12.1
ip host IOS.CISCO.COM 192.168.23.3

crypto isakmp profile JUNIPER_IKE_PROF
keyring default
self-identity fqdn
match identity host SRX.JUNIPER.NET
initiate mode aggressive


I have solved the problem with this link: http://rtodto.net/jncie-sec-traceoptions-ipsec-troubleshooting/ and its WARNING section.

Error 2: “IKEv1 Error : No proposal chosen”
You will get the following error if one of the following mismatches in your IKE config:

  • dh-group
  • authentication algorithm
  • encryption algorithm

WARNING!!!: In addition to these mismatches, you will get the same error under the following conditions:

  • if you forget to set “bind-interface st0.0” under your vpn configuration,
  • if st0.0 interface isn’t created with family inet and/or assigned to a security zone
  • if you are using routing instances, also make sure st0.0 interface is assigned to the right routing instance

I forgot the bind-interface st0.0 in the IPsec VPN. :)
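The st0-related conditions in the WARNING above (missing bind-interface, st0 unit without family inet, st0 unit not in a zone, st0 unit not in the routing instance) are all checkable from a Junos set-format config before the tunnel is brought up. The linter below is an added example, not part of the thread or of Junos; the sample config is constructed around the poster's two gateway lines, and the VPN, zone and interface names in it are assumptions.

```python
"""Lint Junos set-format config for the st0 pitfalls behind 'No proposal chosen'."""
import re

# Constructed sample: the poster's gateway lines plus an assumed VPN that
# has an st0.0 unit in a zone but (as in the thread) no bind-interface.
SAMPLE_CONFIG = """
set security ike gateway CISCO_IKE_GW ike-policy CISCO_IKE_POLICY
set security ike gateway CISCO_IKE_GW dynamic hostname IOS.CISCO.COM
set security ipsec vpn CISCO_VPN ike gateway CISCO_IKE_GW
set security ipsec vpn CISCO_VPN ike ipsec-policy CISCO_IPSEC_POLICY
set interfaces st0 unit 0 family inet
set security zones security-zone VPN interfaces st0.0
"""


def lint_vpn_binding(config_text):
    """Return a list of findings; an empty list means every VPN is properly bound."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip().startswith("set ")]
    vpns, bound = set(), {}
    for l in lines:
        m = re.match(r"set security ipsec vpn (\S+) bind-interface (\S+)$", l)
        if m:
            bound[m.group(1)] = m.group(2)
        m = re.match(r"set security ipsec vpn (\S+) ", l)
        if m:
            vpns.add(m.group(1))
    uses_ri = any(l.startswith("set routing-instances ") for l in lines)
    findings = []
    for vpn in sorted(vpns):
        if vpn not in bound:
            findings.append(f"vpn {vpn}: missing bind-interface")
            continue
        st = bound[vpn]
        ifname, _, unit = st.partition(".")
        # st0 unit must carry family inet so it can be placed in a zone and routed.
        inet = rf"^set interfaces {re.escape(ifname)} unit {re.escape(unit)} family inet\b"
        if not any(re.match(inet, l) for l in lines):
            findings.append(f"vpn {vpn}: {st} has no family inet")
        zone = rf"^set security zones security-zone \S+ interfaces {re.escape(st)}$"
        if not any(re.match(zone, l) for l in lines):
            findings.append(f"vpn {vpn}: {st} is not in a security zone")
        # Only relevant when the config uses routing instances at all.
        ri = rf"^set routing-instances \S+ interface {re.escape(st)}$"
        if uses_ri and not any(re.match(ri, l) for l in lines):
            findings.append(f"vpn {vpn}: {st} is not assigned to a routing instance")
    return findings


if __name__ == "__main__":
    for f in lint_vpn_binding(SAMPLE_CONFIG):
        print(f)
```

Run against the sample it reports only the missing bind-interface; appending `set security ipsec vpn CISCO_VPN bind-interface st0.0` clears it.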