SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  VSRX Dynamic VPN - IKE Proposal Selection Errors

    Posted 02-28-2019 13:52

    Good Afternoon,

    I am working to configure a dynamic VPN on a vSRX located in AWS. I am running into "no proposal selected" errors when I try to connect.

     

    Here's how things look on the SRX side, error wise:

    [Feb 28 21:38:36][10.132.0.52 <-> XXX.XXX.XXX.XXX] ike_st_i_sa_proposal: Start
    [Feb 28 21:38:36][10.132.0.52 <-> XXX.XXX.XXX.XXX] ike_process_packet: No output packet, returning
    [Feb 28 21:38:36][10.132.0.52 <-> XXX.XXX.XXX.XXX] ikev2_fb_st_select_ike_sa: FSM_SET_NEXT:ikev2_fb_st_select_ike_sa_finish
    [Feb 28 21:38:36][10.132.0.52 <-> XXX.XXX.XXX.XXX] iked_pm_phase1_sa_cfg_lookup_by_addr: Found SA-CFG CORIOS-AWS-VSRX-2-VPN by ip address for local:10.132.0.52, remote:XXX.XXX.XXX.XXX IKEv1 remote_port:22709 ksa_cfg_remote_port=4500
    [Feb 28 21:38:36][10.132.0.52 <-> XXX.XXX.XXX.XXX] iked_pm_id_validate id NOT matched.
    [Feb 28 21:38:36][10.132.0.52 <-> XXX.XXX.XXX.XXX] iked_pm_ike_spd_select_ike_sa failed. rc 1, error_code: No proposal chosen
    [Feb 28 21:38:36][10.132.0.52 <-> XXX.XXX.XXX.XXX] ikev2_fb_spd_select_sa_cb: IKEv2 SA select failed with error No proposal chosen (neg 8f29e00)

     

    Similarly, I run into this client side (NCP Exclusive Access client)

     

    2/28/2019 1:40:12 PM - IpsDial: connection time interface choice,LocIpa=10.1.11.146,AdapterIndex=201
    2/28/2019 1:40:12 PM - Ike: Outgoing connect request AGGRESSIVE mode - gateway=XXX.XXX.XXX.XXX : Corios VPN2
    2/28/2019 1:40:12 PM - Ike: ConRef=82, XMIT_MSG1_AGGRESSIVE, name=Corios VPN2, vpngw=XXX.XXX.XXX.XXX:500
    2/28/2019 1:40:12 PM - ike_phase1:send_id:ID_USER_FQDN:pid=0,port=0,itadmins@coriosgroup.com
    2/28/2019 1:40:12 PM - Ike: ConRef=82, Send NAT-D vendor ID,remprt=500
    2/28/2019 1:40:12 PM - Ike: ConRef=82, NOTIFY : Corios VPN2 : RECEIVED : NO_PROPOSAL_CHOSEN : 14

     

    Here's my IKE config:

    proposal PSK-DH19-AES256-SHA256-L28800 {
        authentication-method pre-shared-keys;
        dh-group group19;
        authentication-algorithm sha-256;
        encryption-algorithm aes-256-cbc;
        lifetime-seconds 28800;
    }

    policy Corios-VPN-IKE-Pol {
        mode aggressive;
        proposals PSK-DH19-AES256-SHA256-L28800;
        pre-shared-key ascii-text "SHARED SECRET HASH"; ## SECRET-DATA
    }

    gateway Corios-VPN-IKE-GW {
        ike-policy Corios-VPN-IKE-Pol;
        dynamic {
            user-at-hostname "itadmins@coriosgroup.com";
            connections-limit 2;
            ike-user-type shared-ike-id;
        }
        dead-peer-detection;
        local-identity inet XXX.XXX.XXX.XXX;
        external-interface ge-0/0/0.0;
        aaa {
            access-profile LOCAL_AUTH;
        }
        version v1-only;
        tcp-encap-profile NCP;
    }

     

    Here's my IPsec config:

    proposal ESP-AES256-SHA256-L3600 {
        protocol esp;
        encryption-algorithm aes-256-gcm;
        lifetime-seconds 3600;
    }

     

    vpn Corios-VPN {
        bind-interface st0.9;
        ike {
            gateway Corios-VPN-IKE-GW;
            ipsec-policy Corios-VPN-IPSEC-Pol;
        }
        traffic-selector TS1 {
            local-ip 0.0.0.0/0;
            remote-ip 0.0.0.0/0;
        }
    }

     

    Here's the config for the tunnel interface:

    ec2-user@VSRX2> show configuration interfaces st0.9
    enable;
    description VPN;
    family inet {
        mtu 1436;
        address 10.132.3.1/24;
    }

     

    It's also in a security zone:

    ec2-user@VSRX2> show configuration security zones security-zone vpn
    tcp-rst;
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        st0.9;
    }

    The attached images are screenshots from the NCP client config.

    One other thing I should also mention is that I have several site-to-site VPNs landing on this vSRX. They're working.

    Whatever I'm doing wrong here just isn't making sense to me.  Thanks in advance for pointing me in the right direction.

     

    Attachments: identity_settings.PNG, ipsec_general_settings.PNG

     



  • 2.  RE: VSRX Dynamic VPN - IKE Proposal Selection Errors

    Posted 02-28-2019 19:41

    PFS is enabled in the NCP configuration. I do not see the SRX IPsec policy config in your post. Please check whether PFS is enabled on the SRX.

    Also enable IKE debug on the SRX to see what proposal you are getting from NCP.

     

    1. Enable debug on the SRX

    request security ike debug-enable local <ge-0/0/0.0 ip> remote <peer-ip> level 12

    2. Monitor the kmd log file

    monitor start kmd

    3. Initiate connection from NCP

    4. Check the kmd log for the error/mismatch and then disable IKE debug

    monitor stop kmd

    request security ike debug-disable

     

     



  • 3.  RE: VSRX Dynamic VPN - IKE Proposal Selection Errors

    Posted 03-01-2019 10:34

    I've found some interesting things in the logs:

     

    [Mar 1 18:17:21][10.132.0.52 <-> XXX.XXX.XXX.XXX] Parsing notification payload for local:10.132.0.52, remote:XXX.XXX.XXX.XXX IKEv1
    [Mar 1 18:17:21][10.132.0.52 <-> XXX.XXX.XXX.XXX] Search for a tunnel matching the IKE peers, local:10.132.0.52, remote:YYY.YYY.YYY.YYY IKEv1
    [Mar 1 18:17:21][10.132.0.52 <-> XXX.XXX.XXX.XXX] iked_pm_phase1_sa_cfg_lookup_by_addr: Found SA-CFG CORIOS-AWS-VSRX-2-VPN by ip address for local:10.132.0.52, remote:XXX.XXX.XXX.XXX IKEv1 remote_port:14947 ksa_cfg_remote_port=4500
    [Mar 1 18:17:21][10.132.0.52 <-> XXX.XXX.XXX.XXX] ikev2_fb_idv2_to_idv1: Converting the IKEv2 payload ID IDa(type = email (3), len = 24, value = itadmins@coriosgroup.com) to IKEv1 ID
    [Mar 1 18:17:21][10.132.0.52 <-> XXX.XXX.XXX.XXX] ikev2_fb_idv2_to_idv1: IKEv2 payload ID converted to IKEv1 payload ID usr@fqdn(any:0,[0..23]=itadmins@coriosgroup.com)
    [Mar 1 18:17:21][10.132.0.52 <-> XXX.XXX.XXX.XXX] iked_pm_id_validate called with id usr@fqdn(any:0,[0..23]=itadmins@coriosgroup.com)
    [Mar 1 18:17:21][10.132.0.52 <-> XXX.XXX.XXX.XXX] iked_pm_id_validate Use default id [ipv4(any:0,[0..3]=XXX.XXX.XXX.XXX)]
    [Mar 1 18:17:21][10.132.0.52 <-> XXX.XXX.XXX.XXX] iked_pm_id_validate id NOT matched.
    [Mar 1 18:17:21][10.132.0.52 <-> XXX.XXX.XXX.XXX] iked_pm_phase1_sa_cfg_lookup: Setting tunnel-event Peer's IKE-ID validation failed during negotiation for P1-SA 5426182
    [Mar 1 18:17:21][10.132.0.52 <-> XXX.XXX.XXX.XXX] address based lookup failed, ID not match: Sa_cfg:CORIOS-AWS-VSRX-2-VPN Gateway:CORIOS-PREM-SRX
    [Mar 1 18:17:21][10.132.0.52 <-> XXX.XXX.XXX.XXX] iked_pm_ike_spd_select_ike_sa failed. rc 1, error_code: No proposal chosen
    [Mar 1 18:17:21][10.132.0.52 <-> XXX.XXX.XXX.XXX] ikev2_fb_spd_select_sa_cb: IKEv2 SA select failed with error No proposal chosen (neg 8f29e00)

     

    I already have an IPsec tunnel (site to site, not dynamic) that has the same source and destination IPs that are showing up in the logs. Do they need to be different?



  • 4.  RE: VSRX Dynamic VPN - IKE Proposal Selection Errors
    Best Answer

    Posted 03-01-2019 11:26

    Yes, it should be different. In this case, the dynamic VPN request is matching the site-to-site VPN CORIOS-AWS-VSRX-2-VPN [Gateway:CORIOS-PREM-SRX] and not the dynamic VPN config. You may have to use a different NAT IP for the client side.
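    The following is an added example, not code from this thread or from Juniper. It takes the kmd trace produced by the debug procedure in reply 2 (request security ike debug-enable ... level 12, then monitor start kmd) and tells a genuine proposal mismatch apart from the failure mode diagnosed in replies 3 and 4: the peer's source address matched an existing site-to-site gateway, the SRX validated the peer's IKE ID against that gateway, rejected it, and reported the rejection as "No proposal chosen". The sample lines are constructed from the excerpt in reply 3 with the public IP replaced by a placeholder (203.0.113.10); the line formats are the ones visible in the thread, and the regexes are written for those lines only.

```python
"""Classify a Junos kmd IKE debug trace for "No proposal chosen".

Added example, not code from the thread or from Juniper. It distinguishes
a genuine proposal mismatch from the case where the peer was mapped by
address to the wrong gateway and then failed IKE-ID validation.
"""
import re
from dataclasses import dataclass

# Constructed sample: the trace from reply 3, peer address replaced by a placeholder.
SAMPLE_KMD = """\
[Mar 1 18:17:21][10.132.0.52 <-> 203.0.113.10] iked_pm_phase1_sa_cfg_lookup_by_addr: Found SA-CFG CORIOS-AWS-VSRX-2-VPN by ip address for local:10.132.0.52, remote:203.0.113.10 IKEv1 remote_port:14947 ksa_cfg_remote_port=4500
[Mar 1 18:17:21][10.132.0.52 <-> 203.0.113.10] ikev2_fb_idv2_to_idv1: IKEv2 payload ID converted to IKEv1 payload ID usr@fqdn(any:0,[0..23]=itadmins@coriosgroup.com)
[Mar 1 18:17:21][10.132.0.52 <-> 203.0.113.10] iked_pm_id_validate called with id usr@fqdn(any:0,[0..23]=itadmins@coriosgroup.com)
[Mar 1 18:17:21][10.132.0.52 <-> 203.0.113.10] iked_pm_id_validate Use default id [ipv4(any:0,[0..3]=203.0.113.10)]
[Mar 1 18:17:21][10.132.0.52 <-> 203.0.113.10] iked_pm_id_validate id NOT matched.
[Mar 1 18:17:21][10.132.0.52 <-> 203.0.113.10] address based lookup failed, ID not match: Sa_cfg:CORIOS-AWS-VSRX-2-VPN Gateway:CORIOS-PREM-SRX
[Mar 1 18:17:21][10.132.0.52 <-> 203.0.113.10] iked_pm_ike_spd_select_ike_sa failed. rc 1, error_code: No proposal chosen
"""

# Constructed sample: the final failure line alone, with no ID rejection before it.
PROPOSAL_ONLY_KMD = """\
[Mar 1 18:20:05][10.132.0.52 <-> 203.0.113.10] iked_pm_ike_spd_select_ike_sa failed. rc 1, error_code: No proposal chosen
"""

RE_PEER = re.compile(r"^\[[^\]]*\]\[(?P<local>\S+) <-> (?P<remote>\S+)\]\s*(?P<msg>.*)$")
RE_SACFG = re.compile(r"Found SA-CFG (?P<sacfg>\S+) by ip address")
RE_PRESENTED = re.compile(r"iked_pm_id_validate called with id (?P<id>.+)$")
RE_EXPECTED = re.compile(r"Use default id \[(?P<id>.+)\]$")
RE_GATEWAY = re.compile(r"ID not match: Sa_cfg:(?P<sacfg>\S+) Gateway:(?P<gw>\S+)")


def id_type(ike_id: str) -> str:
    """Return the kmd ID type prefix, e.g. 'usr@fqdn' or 'ipv4'."""
    return ike_id.split("(", 1)[0]


@dataclass
class IkeFailure:
    local: str = ""
    remote: str = ""
    sa_cfg: str = ""        # VPN whose gateway was selected by peer address
    gateway: str = ""       # name of that gateway
    presented_id: str = ""  # IKE ID the peer sent
    expected_id: str = ""   # IKE ID the selected gateway accepts
    id_rejected: bool = False
    no_proposal: bool = False

    @property
    def verdict(self) -> str:
        if self.id_rejected and self.no_proposal:
            return (
                f"ike-id-mismatch: peer {self.remote} was mapped by address to gateway "
                f"{self.gateway} (vpn {self.sa_cfg}); it presented "
                f"{id_type(self.presented_id)} ID {self.presented_id} but that gateway "
                f"expects {id_type(self.expected_id)} ID {self.expected_id}. "
                "Fix gateway selection (separate address or interface for the dynamic "
                "gateway) or the IKE ID; the proposals were never compared."
            )
        if self.no_proposal:
            return "proposal-mismatch: compare IKE and IPsec proposals, including the PFS group."
        return "no-failure: no 'No proposal chosen' in this trace."


def analyze(kmd_text: str) -> IkeFailure:
    """Walk the trace once and collect the facts the verdict needs."""
    f = IkeFailure()
    for raw in kmd_text.splitlines():
        m = RE_PEER.match(raw.strip())
        if not m:
            continue  # not a kmd negotiation line
        f.local, f.remote, msg = m["local"], m["remote"], m["msg"]
        if (s := RE_SACFG.search(msg)):
            f.sa_cfg = s["sacfg"]
        elif (p := RE_PRESENTED.search(msg)):
            f.presented_id = p["id"]
        elif (e := RE_EXPECTED.search(msg)):
            f.expected_id = e["id"]
        elif "id NOT matched" in msg:
            f.id_rejected = True
        elif (g := RE_GATEWAY.search(msg)):
            f.sa_cfg, f.gateway = g["sacfg"], g["gw"]
        elif "error_code: No proposal chosen" in msg:
            f.no_proposal = True
    return f


if __name__ == "__main__":
    for name, text in (("thread trace", SAMPLE_KMD), ("proposal-only trace", PROPOSAL_ONLY_KMD)):
        print(f"{name}: {analyze(text).verdict}")
```

    Run it on a saved kmd capture (or pipe the output of monitor start kmd into a file and pass its contents to analyze). When the verdict is ike-id-mismatch, the gateway named in it is the one the peer's address collided with, which is the check that would have pointed at the site-to-site gateway here before any proposal was touched.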

     



  • 5.  RE: VSRX Dynamic VPN - IKE Proposal Selection Errors

    Posted 03-04-2019 15:42

    I moved the IKE gateway over to another interface and it works now. Thank you.



  • 6.  RE: VSRX Dynamic VPN - IKE Proposal Selection Errors

    Posted 03-01-2019 01:55

    Hi

    "No proposal chosen" in your case can also mean you have the wrong authentication method.

    this is what I see :

    on SRX:   user@hostname

    on client : U-FQDN

     

    So make it the same on both sides and see what's happening then.

     

    regards

    Alexander

     

    PS: I had the same problem 2 months ago; it took me 2 hours to find out that "no proposal chosen" sometimes has nothing to do with your proposals.



  • 7.  RE: VSRX Dynamic VPN - IKE Proposal Selection Errors

    Posted 03-01-2019 09:59

    Thanks for getting back to me Alexander.

     

    The choices I have for the local identity type in the NCP client are:

    IPv4 address

    FQDN (Fully Qualified Domain Name)

    U-FQDN (Fully Qualified Username)

    ASN.1 DN (ASN.1 Distinguished Name)

    I think the fully qualified username is the same as user@hostname.

     

     



  • 8.  RE: VSRX Dynamic VPN - IKE Proposal Selection Errors

    Posted 03-04-2019 07:53

    No

    user@hostname is not U-FQDN

    admin@router is not admin@router.company.com

    and besides that, with 2 tunnels on the same address, a "no proposal chosen" often comes from different authentication identities

     

    regards

     

    alexander