SRX Services Gateway

Juniper proxy-id

‎09-17-2015 10:32 AM

Hello everyone,


I am attempting to set up an IPSEC tunnel with my SRX240. The other side of the tunnel is a Cisco ASA.


I have phase 1 up, but phase 2 keeps failing because of this message:


I[Sep 17 20:16:07]IPSec negotiation failed for SA-CFG IPSECVPN-VERIZON-VPN for local:X.X.X.X, remote:X.X.X.X IKEv1. status: No proposal chosen


My proxy-id is set to:



proxy-identity {
    service any;
}


It is my understanding that this has to match the Cisco side in order for phase 2 to finish.


What is the Cisco equivalent of the proxy-id? What is it called in IOS? I am having trouble getting the third-party vendor to understand what the proxy-id is.


Re: Juniper proxy-id

‎09-17-2015 01:10 PM


ASA takes proxy-ids from its crypto ACL.

Check out this KB





Re: Juniper proxy-id

‎09-23-2015 06:51 AM
You enter your subnet into the local proxy id and the remote subnet in the remote proxy id. If there are multiple subnets behind the remote end, you must create an ipsec for each subnet you wish to reach at the remote end. Also set the dead peer detection to match the ASA.
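
Added example, not part of the original posts: how the SRX proxy-id lines up with the ASA crypto ACL described in the replies above. The subnets, ACL name, crypto map name and sequence number are constructed placeholders; the VPN name is the one shown in the log line in the question.

```text
# Juniper SRX (Junos set commands). Subnets are constructed placeholders.
set security ipsec vpn IPSECVPN-VERIZON-VPN ike proxy-identity local 10.10.10.0/24
set security ipsec vpn IPSECVPN-VERIZON-VPN ike proxy-identity remote 10.20.20.0/24
set security ipsec vpn IPSECVPN-VERIZON-VPN ike proxy-identity service any

! Cisco ASA. The crypto ACL is the mirror image of the SRX proxy-id:
! the ASA's local subnet is the source, the SRX's local subnet is the destination.
! "permit ip" corresponds to "service any" on the SRX side.
access-list VPN-TO-SRX extended permit ip 10.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN-TO-SRX
```

With only `service any` configured and no local or remote prefix, a route-based SRX VPN proposes 0.0.0.0/0 for both sides, which will not match an ASA crypto ACL that lists specific subnets.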