SRX




  • 1.  IP Phone VPN at my wits end

    Posted 01-06-2017 08:39

    Box is an SRX 320, v 15.1X49-D45

    I'm at my wits end. I've done this before with an SRX... But I can't seem to make it work on this box. It's an Avaya phone with an IPsec VPN client built in, trying to establish a tunnel to the SRX, a policy-based VPN and local XAUTH. I get these common errors:

     

    [Jan 7 00:28:18]ike_st_i_sa_proposal: Start
    [Jan 7 00:28:18]iked_pm_ike_spd_select_ike_sa failed. rc 1, error_code: No proposal chosen
    [Jan 7 00:28:18]ikev2_fb_spd_select_sa_cb: IKEv2 SA select failed with error No proposal chosen (neg 1157000)

     

    I hope someone can look at this and tell me what I'm missing and hopefully it's something obvious.  This seems pretty simple, I don't know what I'm missing.  I've checked that the client side matches all parameters and the shared secret matches of course.

    Attachment(s)

    txt
    SRX320config.txt   25 KB 1 version


  • 2.  RE: IP Phone VPN at my wits end
    Best Answer

    Posted 01-06-2017 11:38

    Hi JayNEC,

     

    Policy-based VPN was initially removed from the 15.1X49 software train but was reintroduced in 15.1X49-D50. VPN client support was also initially removed and then reintroduced in 15.1X49-D60.

     

    If you look in the attached configuration you will also see "unsupported platform" multiple times. In this case it's due to missing support for policy-based VPN.

     

    So the first step would be to upgrade to at least 15.1X49-D60 and preferably 15.1X49-D70. Then try again.


    #policy-based
    #vpn
    #srx300
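
    The two checks described in the answer above, as an added example that is not part of the original thread or Juniper's own tooling: compare a 15.1X49 release against the D50/D60 thresholds given in the answer, and list which stanzas in a saved configuration sit under an "unsupported platform" comment. The function names, the sample configuration and the exact layout of the warning comment are assumptions; only the substring "unsupported platform" is taken from the thread.

```python
import re

# Minimum 15.1X49 D-release per feature, as stated in the answer above.
MIN_D = {"policy-based VPN": 50, "VPN client": 60}

def missing_features(version):
    """Features from MIN_D not yet reintroduced in this 15.1X49-Dnn release."""
    m = re.fullmatch(r"15\.1X49-D(\d+)(?:\.\d+)?", version.strip())
    if not m:
        raise ValueError(f"not a 15.1X49 release: {version!r}")
    return sorted(f for f, need in MIN_D.items() if int(m.group(1)) < need)

def ignored_blocks(config, marker="unsupported platform"):
    """Hierarchy path of each stanza or statement that follows a marker line."""
    path, hits, pending = [], [], False
    for line in (raw.strip() for raw in config.splitlines()):
        if marker in line:
            pending = True                      # next statement is flagged
        elif not line or line.startswith("#"):
            continue                            # blank or other comment line
        elif line.endswith("{"):
            path.append(line[:-1].strip())
            if pending:
                hits.append(" ".join(path))
        elif line == "}":
            if path:
                path.pop()
        elif pending:                           # flagged leaf statement
            hits.append(" ".join(path + [line.rstrip(";")]))
        if marker not in line:
            pending = False
    return hits

# Constructed, abbreviated sample; comment layout and flagged stanza are assumed.
SAMPLE = """\
security {
    policies {
        policy phone-vpn {
            ## Warning: configuration block ignored: unsupported platform
            tunnel {
                ipsec-vpn phone-vpn;
            }
        }
    }
}
"""

if __name__ == "__main__":
    print("15.1X49-D45 lacks:", missing_features("15.1X49-D45"))
    print("ignored stanzas:", ignored_blocks(SAMPLE))
```

    A non-empty result from either function means the device is silently dropping configuration that the IKE negotiation depends on, which is worth ruling out before comparing proposals on both sides.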


  • 3.  RE: IP Phone VPN at my wits end

    Posted 01-06-2017 13:04

    Oh. My. God. 

     

     

    I didn't notice those blocks. 

     

    Thank you.