No proposal chosen



  • hello!
    I have a problem setting up an IPsec VPN between an SRX210 and an SRX100H. The latter is behind a NAT device with two different IP addresses (one or the other at a time), so the policy on the responder is "aggressive" with a dynamic host. The initiator's (SRX100) IP address on the external interface is 2.2.2.2. On the edge NAT device there is a port mapping of IKE traffic to my SRX100.
    I tried to set up both policy-based and route-based VPNs, but the problem in the logs was the same: No proposal chosen
    I have spent many hours on this but got no result. At the moment I am using the "standard" proposal-sets in both the IKE and the IPsec policies. Checked:
    pre-shared key on both sides; presence of the st0 interface in the "vpn" part of ipsec; presence of the st0 interface in the appropriate security zone. Here is my config. I would appreciate your help.
    srx210:
    interfaces
    {
      st 0
        unit 10 {
          family inet;
      }
    }
    policy ike-pol-sip {
      pomode aggressive;
      proposal-set standard;
      pre-shared-key ascii-text "$9$JcDkmzFNd"; ## SECRET-DATA

    }

    ike gateway SIP {
      ike-policy ike-pol-sip;
      dynamic hostname sipsrx.ykt;
      external-interface fe-0/0/7.0;
      version v1-only;
    }

    ipsec ipsec-pol-sip {
      perfect-forward-secrecy {
        keys group2;
      }
      proposal-set standard;
    }
    ipsec vpn vpn-sip {
      bind-interface st0.10;
      ike {
        gateway SIP;
        proxy-identity {
             local 0.0.0.0/0;
             remote 0.0.0.0/0;
             service any;
         }
          ipsec-policy ipsec-pol-sip;
       }
       establish-tunnels immediately;
    }

    zone security-zone vpn {
      address-book {
        address sip-lan 192.168.16.0/24;
      }
      interfaces {
        st0.10 {
            host-inbound-traffic {
                system-services {
                   ike;
                }
                protocols {
                   all;
            }
    }

    policy from-zone vpn to-zone trust {
      policy clients-to-sita {
        match {
          source-address [ irkutsk-lan sip-lan ];
          destination-address SITA;
          application any;
        }
        then {
          permit;
        }
      }
    }

    policy from-zone trust to-zone vpn {
      policy trust-to-sip {
        match {
          source-address SITA;
          destination-address sip-lan;
          application any;
        }
        then {
           permit;
          }
       }
    }

    srx100:

    ike {
      traceoptions {
        flag ike;
        flag all;
    }
    policy ike-pol-vnk {
      mode aggressive;
      proposal-set standard;
      pre-shared-key ascii-text "$9$EBiyKWN-w2C"; ## SECRET-DATA
    }
    gateway office {
      ike-policy ike-pol-vnk;
      address 1.1.1.1;
      external-interface fe-0/0/7.0;
    version v1-only;
    }
    }
    ipsec {
    traceoptions {
    flag all;
    }
    policy ipsec-pol-vnk {
    perfect-forward-secrecy {
    keys group2;
    }
    proposal-set standard;
    }
    vpn office-vpn {
    bind-interface st0.0;
    ike {
    gateway office;
    proxy-identity {
    local 0.0.0.0/0;
    remote 0.0.0.0/0;
    service any;
    }
    ipsec-policy ipsec-pol-vnk;
    }
    establish-tunnels immediately;

    policies from-zone vpn to-zone Internal {
    policy vpn-to-trust {
    match {
    source-address SITA;
    destination-address lan;
    application any;
    }
    then {
    permit;
    }
    from-zone Internal to-zone vpn {
    policy sip-to-vpn {
    match {
    source-address lan;
    destination-address SITA;
    application any;
    }
    then {
    permit;
    }

    zones security-zone vpn {
    address-book {
    address SITA 5.5.5.0/24;
    }
    interfaces {
    st0.0 {
    host-inbound-traffic {
    system-services {
    ike;
    }
    protocols {
    all;
    }

    KMD log

    [Aug 24 19:02:06]iked_pm_ike_spd_notify_request: Sending Initial contact
    [Aug 24 19:02:06]ssh_ike_connect: Start, remote_name = 1.1.1.1:500, xchg = 4, flags = 00040000
    [Aug 24 19:02:06]ike_sa_allocate: Start, SA = { 5ccab5ea 2076bcd0 - 00000000 00000000 }
    [Aug 24 19:02:06]ike_init_isakmp_sa: Start, remote = 1.1.1.1:500, initiator = 1
    [Aug 24 19:02:06]2.2.2.2:500 (Initiator) <-> 1.1.1.1:500 { 5ccab5ea 2076bcd0 - 00000000 00000000 [-1] / 0x00000000 } Aggr; Warning: Number of proposals != 1 in ISAKMP SA, this is against draft!
    [Aug 24 19:02:06]ssh_ike_connect: SA = { 5ccab5ea 2076bcd0 - 00000000 00000000}, nego = -1
    [Aug 24 19:02:06]ike_st_o_sa_proposal: Start
    [Aug 24 19:02:06]ike_st_o_ke: Start
    [Aug 24 19:02:06]ike_st_o_nonce: Start
    [Aug 24 19:02:06]ike_policy_reply_isakmp_nonce_data_len: Start
    [Aug 24 19:02:06]ike_st_o_id: Start
    [Aug 24 19:02:06]ike_policy_reply_isakmp_vendor_ids: Start
    [Aug 24 19:02:06]ike_st_o_private: Start
    [Aug 24 19:02:06]ike_policy_reply_private_payload_out: Start
    [Aug 24 19:02:06]ike_encode_packet: Start, SA = { 0x5ccab5ea 2076bcd0 - 00000000 00000000 } / 00000000, nego = -1
    [Aug 24 19:02:06]ike_send_packet: Start, send SA = { 5ccab5ea 2076bcd0 - 00000000 00000000}, nego = -1, dst = 1.1.1.1:500, routing table id = 0
    [Aug 24 19:02:06]ikev2_packet_allocate: Allocated packet dad400 from freelist
    [Aug 24 19:02:06]ike_sa_find: Not found SA = { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757 }
    [Aug 24 19:02:06]ikev2_packet_st_input_v1_get_sa: Checking if unauthenticated IKEv1 notify is for an IKEv2 SA
    [Aug 24 19:02:06]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
    [Aug 24 19:02:06]ike_get_sa: Start, SA = { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757 } / 44cc48b0, remote = 1.1.1.1:500
    [Aug 24 19:02:06]ike_sa_find: Not found SA = { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757 }
    [Aug 24 19:02:06]ike_sa_find_half: Found half SA = { 5ccab5ea 2076bcd0 - 00000000 00000000 }
    [Aug 24 19:02:06]ike_sa_upgrade: Start, SA = { 5ccab5ea 2076bcd0 - 00000000 00000000 } -> { … - cc3097af 8eb3b757 }
    [Aug 24 19:02:06]ike_alloc_negotiation: Start, SA = { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757}
    [Aug 24 19:02:06]ike_decode_packet: Start
    [Aug 24 19:02:06]ike_decode_packet: Start, SA = { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757} / 44cc48b0, nego = 0
    [Aug 24 19:02:06]ike_st_i_n: Start, doi = 1, protocol = 1, code = No proposal chosen (14), spi[0…16] = 5ccab5ea 2076bcd0 …, data[0…46] = 800c0001 00060022 …
    [Aug 24 19:02:06]<none>:500 (Responder) <-> 1.1.1.1:500 { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757 [0] / 0x44cc48b0 } Info; Notification data has attribute list
    [Aug 24 19:02:06]<none>:500 (Responder) <-> 1.1.1.1:500 { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757 [0] / 0x44cc48b0 } Info; Notify message version = 1
    [Aug 24 19:02:06]<none>:500 (Responder) <-> 1.1.1.1:500 { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757 [0] / 0x44cc48b0 } Info; Error text = Could not find acceptable proposal
    [Aug 24 19:02:06]<none>:500 (Responder) <-> 1.1.1.1:500 { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757 [0] / 0x44cc48b0 } Info; Offending message id = 0x00000000
    [Aug 24 19:02:06]<none>:500 (Responder) <-> 1.1.1.1:500 { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757 [0] / 0x44cc48b0 } Info; Received notify err = No proposal chosen (14) to isakmp sa, delete it
    [Aug 24 19:02:06]ike_st_i_private: Start
    [Aug 24 19:02:06]ike_send_notify: Connected, SA = { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757}, nego = 0
    [Aug 24 19:02:06]ike_delete_negotiation: Start, SA = { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757}, nego = 0
    [Aug 24 19:02:06]ike_free_negotiation_info: Start, nego = 0
    [Aug 24 19:02:06]ike_free_negotiation: Start, nego = 0
    [Aug 24 19:02:06]ike_remove_callback: Start, delete SA = { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757}, nego = -1
    [Aug 24 19:02:06]2.2.2.2:500 (Initiator) <-> 1.1.1.1:500 { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757 [-1] / 0x00000000 } Aggr; Connection got error = 14, calling callback
    [Aug 24 19:02:06]ikev2_fb_v1_encr_id_to_v2_id: Unknown IKE encryption identifier -1
    [Aug 24 19:02:06]ikev2_fb_v1_hash_id_to_v2_prf_id: Unknown IKE hash alg identifier -1
    [Aug 24 19:02:06]ikev2_fb_v1_hash_id_to_v2_integ_id: Unknown IKE hash alg identifier -1
    [Aug 24 19:02:06]IKE negotiation fail for local:2.2.2.2, remote:1.1.1.1 IKEv1 with status: No proposal chosen
    [Aug 24 19:02:06] IKEv1 Error : No proposal chosen
    [Aug 24 19:02:06]IPSec Rekey for SPI 0x0 failed
    [Aug 24 19:02:06]IPSec SA done callback called for sa-cfg vnukovo-vpn local:2.2.2.2, remote:1.1.1.1 IKEv1 with status No proposal chosen
    [Aug 24 19:02:06]ike_delete_negotiation: Start, SA = { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757}, nego = -1
    [Aug 24 19:02:06]ssh_ike_tunnel_table_entry_delete: Deleting tunnel_id: 0 from IKE tunnel table
    [Aug 24 19:02:06]ssh_ike_tunnel_table_entry_delete: The tunnel id: 0 doesn’t exist in IKE tunnel table
    [Aug 24 19:02:06]ike_sa_delete: Start, SA = { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757 }
    [Aug 24 19:02:06]ike_free_negotiation_isakmp: Start, nego = -1
    [Aug 24 19:02:06]ike_free_negotiation: Start, nego = -1
    [Aug 24 19:02:06]IKE SA delete called for p1 sa 7930823 (ref cnt 1) local:2.2.2.2, remote:1.1.1.1, IKEv1
    [Aug 24 19:02:06]iked_pm_p1_sa_destroy: p1 sa 7930823 (ref cnt 0), waiting_for_del 0x0
    [Aug 24 19:02:06]ike_free_id_payload: Start, id type = 1
    [Aug 24 19:02:06]ike_free_sa: Start
    [Aug 24 19:02:06]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)

