SRX

Expand all | Collapse all

NCP Client - Phase 1 error

Jump to Best Answer
  • 1.  NCP Client - Phase 1 error

     
    Posted 05-30-2018 07:34

    Hi,

     

    While I am troubleshooting this error, I thought I would ask for help here too as someone may know the resolution:

     

    I am configuring an SRX1500 and the NCP Client and am getting the following error on IKE Phase 1 initiation:

     

    No Proposal Chosen: 14

     

    I have configured st0.1 to share a physical interface gateway and have placed st0.1 into the Customer-VR and the Customer secuirty Zone and configured it as follows:

     

    set interfaces st0 unit 1 family inet

     

    It shares the physical interface with a site-to-site VPN that works fine (Azure to Juniper).

     

    I am not sure if anyone has seen this error on the NCP client before? There are too many options to put here, but here is the phase 1 SRX configuration:

     

    set security ike proposal ike-prop1 authentication-method pre-shared-keys

    set security ike proposal ike-prop1 dh-group group2

    set security ike proposal ike-prop1 authentication-algorithm sha1

    set security ike proposal ike-prop1 encryption-algorithm aes-192-cbc

    set security ike proposal ike-prop1 lifetime-seconds 28800

     

    set security ike policy ike-pol2 mode aggressive

    set security ike policy ike-pol2 proposals ike-prop1

    set security ike policy ike-pol2 pre-shared-key ascii-text xxxxxxxxx

     

    set security ike gateway remote-vpn1 ike-policy ike-pol2

    set security ike gateway remote-vpn1 dynamic hostname "user@wherever.com"

    set security ike gateway remote-vpn1 dynamic connections-limit 2

    set security ike gateway remote-vpn1 dynamic ike-user-type shared-ike-id

    set security ike gateway remote-vpn1 external-interface ge-0/0/1

    set security ike gateway remote-vpn1 aaa access-profile vpn-users

    set security ike gateway remote-vpn1 version v1-only



  • 2.  RE: NCP Client - Phase 1 error

     
    Posted 05-31-2018 03:32

    Usually this means the tunnel interface st0 is not assigned to a zone.

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB24642

     

     



  • 3.  RE: NCP Client - Phase 1 error

     
    Posted 06-04-2018 00:56

    Hi Spuluka,

     

    I have assigned the st0.1 interface to the Customer-VR and also to the Customer-Network zone... I already made sure that was the case and had also read the document before posting here 🙂

     

    set security zones security-zone Customer-Network interfaces st0.1

    set routing-instances Customer-VR interface st0.1

     

     I have completed a traceoptions on IKE with the following error:

    error_code: No proposal chosen

    ikev2_fb_spd_select_sa_cb: IKEv2 SA select failed with error No proposal chosen (neg 92a2000)

     

    and the NCP log shows the following error:

    Ike: NOTIFY : ISP Data Network : RECEIVED : NO_PROPOSAL_CHOSEN : 14

     

    Still not operational ......  

     

    Thanks

     

     



  • 4.  RE: NCP Client - Phase 1 error

     
    Posted 06-04-2018 01:36

    Let me put the whole traceoptions output for this Client:

     

    [Jun 4 10:23:22]---------> Received from 166.166.166.166:10952 to 195.80.24.17:0, VR 13, length 568 on IF
    [Jun 4 10:23:22]ikev2_packet_st_input_start: FSM_SET_NEXT:ikev2_packet_st_input_v1_get_sa
    [Jun 4 10:23:22]ikev2_packet_st_input_v1_get_sa: FSM_SET_NEXT:ikev2_packet_st_input_v1_create_sa
    [Jun 4 10:23:22]ikev2_packet_st_input_v1_create_sa: [9215c00/0] No IKE SA for packet; requesting permission to create one.
    [Jun 4 10:23:22]ikev2_packet_st_input_v1_create_sa: FSM_SET_NEXT:ikev2_packet_st_connect_decision
    [Jun 4 10:23:22]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
    [Jun 4 10:23:22]ike_get_sa: Start, SA = { 8f0b4c3d 27a8a164 - 00000000 00000000 } / 00000000, remote = 166.166.166.166:10952
    [Jun 4 10:23:22]ike_sa_allocate: Start, SA = { 8f0b4c3d 27a8a164 - 8cb7464f cf378454 }
    [Jun 4 10:23:22]ike_init_isakmp_sa: Start, remote = 166.166.166.166:10952, initiator = 0
    [Jun 4 10:23:22]ikev2_fb_p1_negotiation_allocate_sa: FSM_SET_NEXT:ikev2_fb_p1_negotiation_wait_sa_done
    [Jun 4 10:23:22]ikev2_fb_st_new_p1_connection_start: FSM_SET_NEXT:ikev2_fb_st_new_p1_connection_local_addresses
    [Jun 4 10:23:22]ikev2_fb_st_new_p1_connection_local_addresses: FSM_SET_NEXT:ikev2_fb_st_new_p1_connection_result
    [Jun 4 10:23:22]IKEv1 packet R(<none>:500 <- 166.166.166.166:500): len= 568, mID=00000000, HDR, SA, KE, Nonce, ID, Vid, Vid, Vid, Vid, Vid, Vid, Vid, Vid, Vid, Vid, Vid
    [Jun 4 10:23:22]ike_st_i_vid: VID[0..8] = da8e9378 80010000 ...
    [Jun 4 10:23:22]ike_st_i_vid: VID[0..8] = 09002689 dfd6b712 ...
    [Jun 4 10:23:22]ike_st_i_vid: VID[0..16] = 7d9419a6 5310ca6f ...
    [Jun 4 10:23:22]ike_st_i_vid: VID[0..16] = 90cb8091 3ebb696e ...
    [Jun 4 10:23:22]ike_st_i_vid: VID[0..16] = 4485152d 18b6bbcd ...
    [Jun 4 10:23:22]ike_st_i_vid: VID[0..16] = 4a131c81 07035845 ...
    [Jun 4 10:23:22]ike_st_i_vid: VID[0..16] = eb4c1b78 8afd4a9c ...
    [Jun 4 10:23:22]ike_st_i_vid: VID[0..16] = cbe79444 a0870de4 ...
    [Jun 4 10:23:22]ike_st_i_vid: VID[0..16] = c61baca1 f1a60cc1 ...
    [Jun 4 10:23:22]ike_st_i_vid: VID[0..20] = 4048b7d5 6ebce885 ...
    [Jun 4 10:23:22]ike_st_i_vid: VID[0..16] = 12f5f28c 457168a9 ...
    [Jun 4 10:23:22]ike_st_i_id: Start
    [Jun 4 10:23:22]ike_st_i_sa_proposal: Start
    [Jun 4 10:23:22]ikev2_fb_st_select_ike_sa: FSM_SET_NEXT:ikev2_fb_st_select_ike_sa_finish
    [Jun 4 10:23:22]iked_pm_ike_spd_select_ike_sa failed. rc 1, error_code: No proposal chosen
    [Jun 4 10:23:22]ikev2_fb_spd_select_sa_cb: IKEv2 SA select failed with error No proposal chosen (neg 92a2000)
    [Jun 4 10:23:22]ike_isakmp_sa_reply: Start



  • 5.  RE: NCP Client - Phase 1 error
    Best Answer

     
    Posted 06-04-2018 02:52

    I see the error message for the kb was on the wrong side, the client not the SRX.

     

    This one generally means either the proposals don't match or the gateway is not matching for an aggressive tunnel this will be the hostname declarations.  I don't see a local hostname declared in the configuration.

     

    I also notice you don't have an ip address assigned to the tunnel interface, I have always had an address or configured it as unnumbered with another interface.  I think you need an ip here too but that would not affect phase 1.

     



  • 6.  RE: NCP Client - Phase 1 error

     
    Posted 06-04-2018 07:11

    Hi Spuluka,

     

    Thanks for the response......

     

    I am using a Juniper configuration sent by NCP, but changing it slightly to fit our requirements......

    We are using the SRX Gateway address from the Client itself, but the dynamic requirement is there because it is for remote anywhere usage and not a specific location......

     

    I have the following configured on the client:

     

    aggressive mode (IKEv1)

    Pre-shared-key

    DH2

    IPSec Policy - Automatic (There is no other option)

    PFS Group - DH2

     

    Policy Editor:

    IKE : Pre-shared-key : AES 192 Bit : SHA

    IPSec: ESP : AES 128 Bit : SHA

     

    Gateway Tunnel Endpoint is correct:

     

    I'm in agreement with you with regards to the "unnumbered" but NCP are adamant that this is not required.....

     

     

     

     

     

     

     



  • 7.  RE: NCP Client - Phase 1 error

     
    Posted 06-04-2018 09:04

    Hi Spuluka,

     

    I changed the hostname to user-at-hostname and Phase 1 is working.... now we are gettting the same on Phase 2 - No proposal chosen, but working through it  🙂

     

     



  • 8.  RE: NCP Client - Phase 1 error

     
    Posted 06-04-2018 09:34

    Okay. It is all up and running.

     

    So, the Phase 1 (IKE) issue was a simple change of "hostname" to "user-at-hostname"

     

    Phase 2.... unbelievzbly, the XAUTH for the pool had no Secondary DNS configured but the NCP cline thad 8.8.4.4... I set this to 0.0.0.0 on the Client and it all worked.


    Awesome



  • 9.  RE: NCP Client - Phase 1 error

     
    Posted 06-05-2018 01:17

    As an add on,

     in case anyone would like to know the configuration I used on the SRX to get this working, here it is..... all you should need to do is change parameters to suit your needs..... posting the NCP Client configuration here is not viable, just make sure it is the same as the SRX config:

     

    set security ike proposal ncp-proposal authentication-method pre-shared-keys
    set security ike proposal ncp-proposal dh-group group2
    set security ike proposal ncp-proposal authentication-algorithm sha1
    set security ike proposal ncp-proposal encryption-algorithm aes-192-cbc
    set security ike proposal ncp-proposal lifetime-seconds 10800

     

    et security ike policy ncp-policy mode aggressive
    set security ike policy ncp-policy proposals ncp-proposal
    set security ike policy ncp-policy pre-shared-key ascii-text (password)

     

    set security ike gateway ncp-gateway ike-policy ncp-policy
    set security ike gateway ncp-gateway dynamic user-at-hostname "programme@ncp.juniper.net"
    set security ike gateway ncp-gateway dynamic connections-limit 10
    set security ike gateway ncp-gateway dynamic ike-user-type shared-ike-id
    set security ike gateway ncp-gateway external-interface ge-0/0/5
    set security ike gateway ncp-gateway aaa access-profile radius
    set security ike gateway ncp-gateway version v1-only
    set security ike gateway ncp-gateway tcp-encap-profile NCP

     

    set security ipsec proposal ncp-ipsec-proposal protocol esp
    set security ipsec proposal ncp-ipsec-proposal authentication-algorithm hmac-sha1-96
    set security ipsec proposal ncp-ipsec-proposal encryption-algorithm aes-128-cbc
    set security ipsec proposal ncp-ipsec-proposal lifetime-seconds 3600

     

    set security ipsec policy ncp-ipsec-policy perfect-forward-secrecy keys group2
    set security ipsec policy ncp-ipsec-policy proposals ncp-ipsec-proposal

     

    set security ipsec vpn ncp-ipsec-vpn bind-interface st0.1
    set security ipsec vpn ncp-ipsec-vpn ike gateway ncp-gateway
    set security ipsec vpn ncp-ipsec-vpn ike idle-time 300
    set security ipsec vpn ncp-ipsec-vpn ike ipsec-policy ncp-ipsec-policy
    set security ipsec vpn ncp-ipsec-vpn traffic-selector TS1 local-ip 0.0.0.0/0
    set security ipsec vpn ncp-ipsec-vpn traffic-selector TS1 remote-ip 0.0.0.0/0

     

    set security tcp-encap profile NCP
    set interfaces st0 unit 1 family inet

     

    set access profile radius client (Username) firewall-user password password
    set access profile radius client (Username) firewall-user password password
    set access profile radius address-assignment pool NCP_POOL

     

    set access address-assignment pool NCP_POOL family inet network 192.168.120.0/24
    set access address-assignment pool NCP_POOL family inet xauth-attributes primary-dns 8.8.8.8/32
    set access address-assignment pool NCP_POOL family inet xauth-attributes secondary-dns 8.8.4.4/32

     

    set routing-instances Customer-VR interface st0.1
    set security zones security-zone Customer-Network interfaces st0.1

     

    Don't forget on the SRX, you need to route your networks back to the st0 interface configured (In this case st0.1).... that static route will need to be placed in the same VR as the st interface. Also, add in your address book/address set the network VPN assigned range and addresses coming from.... then apply to the policies......

     



  • 10.  RE: NCP Client - Phase 1 error

     
    Posted 06-05-2018 02:58

    Thanks for sharing the updated configuration.