SRX Services Gateway

Ipsec from OS X

‎08-26-2015 12:40 AM

I have followed multiple tutorials for setting up a VPN connection from OS X.  I've even used the web-based "wizard" in the SRX.  And I've tried several third-party VPN clients (NCP and VPN Tracker).  But all produce the same error messages in the logs...

Aug 26 00:07:30 srx100_1 kmd[1434]: KMD_VPN_PV_PHASE1: IKE Phase-1 Failure: No proposal chosen [spi=(null), src_ip=66.66.66.66, dst_ip=1.2.3.4]
Aug 26 00:07:30 srx100_1 kmd[1434]: IKE Phase-1: (Responder) Policy lookup failed [local_ip=66.66.66.66 remote_ip=1.2.3.4]
Aug 26 00:07:30 srx100_1 kmd[1434]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: Not-Available Gateway: Not-Available, Local: 66.66.66.66/500, Remote: 1.2.3.4/56758, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0

 

I thought Cisco ASA was challenging to configure, but I'm starting to think there's something really wrong with JunOS and VPN.  Anyone have some advice on how to proceed?

I'm running 12.1X44-D35.5. 


Re: Ipsec from OS X

‎08-26-2015 12:58 AM

Hello,

It looks like some misconfiguration has been done. I hope it's the Dynamic VPN that you are trying (not site-to-site). So please share the configuration.


Thanks,
Sam

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too .....

Re: Ipsec from OS X

‎08-26-2015 01:17 AM

This is my most recent attempt...

Attachments


Re: Ipsec from OS X

‎08-26-2015 09:45 PM

I tried redoing the configuration again based on a config sent from Juniper support.  And I used Windows to connect and launch the Pulse client.  Same error received...

Aug 26 21:38:09 srx100_1 kmd[1373]: IKE Phase-1: (Responder) Policy lookup failed [local_ip=66.66.66.66 remote_ip=1.2.3.4]
Aug 26 21:38:09 srx100_1 kmd[1373]: KMD_VPN_PV_PHASE1: IKE Phase-1 Failure: No proposal chosen [spi=(null), src_ip=66.66.66.66, dst_ip=1.2.3.4]
Aug 26 21:38:09 srx100_1 kmd[1373]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: Not-Available Gateway: Not-Available, Local: 66.66.66.66/500, Remote: 1.2.3.4/49886, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0


Re: Ipsec from OS X

‎08-26-2015 11:05 PM

I've made some progress using VPN Tracker.  It seems to get further in Phase 1, but the IKE ID isn't coming through.

The error is now...

Aug 26 22:52:59  srx100_1 kmd[1373]: IKE negotiation failed with error: SA unusable. IKE Version: 1, VPN: DYN-VPN Gateway: REMOTE-VPN-GATEWAY, Local: 66.66.66.66/500, Remote: 1.2.3.4/52527, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
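
The failure lines quoted in this thread differ in which fields the SRX filled in, which is easier to compare once they are parsed. The following Python sketch is an added example, not part of any post and not Juniper code; the regular expression is derived only from the lines quoted above, and the function names are hypothetical.

```python
import re

# Field layout taken only from the kmd lines quoted in this thread;
# other Junos releases may format the summary line differently.
FAIL_RE = re.compile(
    r"kmd\[\d+\]: IKE negotiation failed with error: (?P<error>.+?)\. "
    r"IKE Version: (?P<ike_version>\d+), "
    r"VPN: (?P<vpn>[^,\s]+) Gateway: (?P<gateway>[^,\s]+), "
    r"Local: (?P<local>[^,\s]+), Remote: (?P<remote>[^,\s]+), "
    r"Local IKE-ID: (?P<local_id>.+?), Remote IKE-ID: (?P<remote_id>.+?), "
    r"VR-ID: (?P<vr_id>\d+)"
)
NA = "Not-Available"

def parse_failure(line):
    """Return the fields of one failure summary line as a dict, or None."""
    m = FAIL_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["gateway_named"] = rec["gateway"] != NA    # did the log name a gateway?
    rec["remote_id_seen"] = rec["remote_id"] != NA  # did a peer IKE ID get logged?
    return rec

def summarize(lines):
    """Count failures by (error, gateway, remote IKE-ID seen)."""
    counts = {}
    for line in lines:
        rec = parse_failure(line)
        if rec:
            key = (rec["error"], rec["gateway"], rec["remote_id_seen"])
            counts[key] = counts.get(key, 0) + 1
    return counts

# Log lines copied from the posts in this thread.
SAMPLE = [
    "Aug 26 00:07:30 srx100_1 kmd[1434]: IKE Phase-1: (Responder) Policy lookup failed [local_ip=66.66.66.66 remote_ip=1.2.3.4]",
    "Aug 26 00:07:30 srx100_1 kmd[1434]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: Not-Available Gateway: Not-Available, Local: 66.66.66.66/500, Remote: 1.2.3.4/56758, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0",
    "Aug 26 21:38:09 srx100_1 kmd[1373]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: Not-Available Gateway: Not-Available, Local: 66.66.66.66/500, Remote: 1.2.3.4/49886, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0",
    "Aug 26 22:52:59  srx100_1 kmd[1373]: IKE negotiation failed with error: SA unusable. IKE Version: 1, VPN: DYN-VPN Gateway: REMOTE-VPN-GATEWAY, Local: 66.66.66.66/500, Remote: 1.2.3.4/52527, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0",
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(n, key)
```

On the quoted lines, the two "No proposal chosen" failures name no VPN or gateway, while the "SA unusable" failure names DYN-VPN and REMOTE-VPN-GATEWAY but still logs no remote IKE ID.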


Re: Ipsec from OS X

‎08-31-2015 06:07 AM

Hello,

Thanks for the update. The new error suggests that it could be hitting some bug, but we can try using "general-ikeid" and test it again.

set security ike gateway <gateway name> general-ikeid


Thanks,
Sam

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too .....