SRX

Hi,

While I am troubleshooting this error, I thought I would ask for help here too as someone may know the resolution:

I am configuring an SRX1500 and the NCP Client and am getting the following error on IKE Phase 1 initiation:

No Proposal Chosen: 14

I have configured st0.1 to share a physical interface gateway and have placed st0.1 into the Customer-VR and the Customer secuirty Zone and configured it as follows:

set interfaces st0 unit 1 family inet

It shares the physical interface with a site-to-site VPN that works fine (Azure to Juniper).

I am not sure if anyone has seen this error on the NCP client before? There are too many options to put here, but here is the phase 1 SRX configuration:

set security ike proposal ike-prop1 authentication-method pre-shared-keys

set security ike proposal ike-prop1 dh-group group2

set security ike proposal ike-prop1 authentication-algorithm sha1

set security ike proposal ike-prop1 encryption-algorithm aes-192-cbc

set security ike proposal ike-prop1 lifetime-seconds 28800

set security ike policy ike-pol2 mode aggressive

set security ike policy ike-pol2 proposals ike-prop1

set security ike policy ike-pol2 pre-shared-key ascii-text xxxxxxxxx

set security ike gateway remote-vpn1 ike-policy ike-pol2

set security ike gateway remote-vpn1 dynamic hostname "user@wherever.com"

set security ike gateway remote-vpn1 dynamic connections-limit 2

set security ike gateway remote-vpn1 dynamic ike-user-type shared-ike-id

set security ike gateway remote-vpn1 external-interface ge-0/0/1

set security ike gateway remote-vpn1 aaa access-profile vpn-users

set security ike gateway remote-vpn1 version v1-only

Usually this means the tunnel interface st0 is not assigned to a zone.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB24642

Hi Spuluka,

I have assigned the st0.1 interface to the Customer-VR and also to the Customer-Network zone... I already made sure that was the case and had also read the document before posting here 🙂

set security zones security-zone Customer-Network interfaces st0.1

set routing-instances Customer-VR interface st0.1

 I have completed a traceoptions on IKE with the following error:

error_code: No proposal chosen

ikev2_fb_spd_select_sa_cb: IKEv2 SA select failed with error No proposal chosen (neg 92a2000)

and the NCP log shows the following error:

Ike: NOTIFY : ISP Data Network : RECEIVED : NO_PROPOSAL_CHOSEN : 14

Still not operational ......  

Thanks

Let me put the whole traceoptions output for this Client:

[Jun 4 10:23:22]---------> Received from 166.166.166.166:10952 to 195.80.24.17:0, VR 13, length 568 on IF
[Jun 4 10:23:22]ikev2_packet_st_input_start: FSM_SET_NEXT:ikev2_packet_st_input_v1_get_sa
[Jun 4 10:23:22]ikev2_packet_st_input_v1_get_sa: FSM_SET_NEXT:ikev2_packet_st_input_v1_create_sa
[Jun 4 10:23:22]ikev2_packet_st_input_v1_create_sa: [9215c00/0] No IKE SA for packet; requesting permission to create one.
[Jun 4 10:23:22]ikev2_packet_st_input_v1_create_sa: FSM_SET_NEXT:ikev2_packet_st_connect_decision
[Jun 4 10:23:22]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[Jun 4 10:23:22]ike_get_sa: Start, SA = { 8f0b4c3d 27a8a164 - 00000000 00000000 } / 00000000, remote = 166.166.166.166:10952
[Jun 4 10:23:22]ike_sa_allocate: Start, SA = { 8f0b4c3d 27a8a164 - 8cb7464f cf378454 }
[Jun 4 10:23:22]ike_init_isakmp_sa: Start, remote = 166.166.166.166:10952, initiator = 0
[Jun 4 10:23:22]ikev2_fb_p1_negotiation_allocate_sa: FSM_SET_NEXT:ikev2_fb_p1_negotiation_wait_sa_done
[Jun 4 10:23:22]ikev2_fb_st_new_p1_connection_start: FSM_SET_NEXT:ikev2_fb_st_new_p1_connection_local_addresses
[Jun 4 10:23:22]ikev2_fb_st_new_p1_connection_local_addresses: FSM_SET_NEXT:ikev2_fb_st_new_p1_connection_result
[Jun 4 10:23:22]IKEv1 packet R(<none>:500 <- 166.166.166.166:500): len= 568, mID=00000000, HDR, SA, KE, Nonce, ID, Vid, Vid, Vid, Vid, Vid, Vid, Vid, Vid, Vid, Vid, Vid
[Jun 4 10:23:22]ike_st_i_vid: VID[0..8] = da8e9378 80010000 ...
[Jun 4 10:23:22]ike_st_i_vid: VID[0..8] = 09002689 dfd6b712 ...
[Jun 4 10:23:22]ike_st_i_vid: VID[0..16] = 7d9419a6 5310ca6f ...
[Jun 4 10:23:22]ike_st_i_vid: VID[0..16] = 90cb8091 3ebb696e ...
[Jun 4 10:23:22]ike_st_i_vid: VID[0..16] = 4485152d 18b6bbcd ...
[Jun 4 10:23:22]ike_st_i_vid: VID[0..16] = 4a131c81 07035845 ...
[Jun 4 10:23:22]ike_st_i_vid: VID[0..16] = eb4c1b78 8afd4a9c ...
[Jun 4 10:23:22]ike_st_i_vid: VID[0..16] = cbe79444 a0870de4 ...
[Jun 4 10:23:22]ike_st_i_vid: VID[0..16] = c61baca1 f1a60cc1 ...
[Jun 4 10:23:22]ike_st_i_vid: VID[0..20] = 4048b7d5 6ebce885 ...
[Jun 4 10:23:22]ike_st_i_vid: VID[0..16] = 12f5f28c 457168a9 ...
[Jun 4 10:23:22]ike_st_i_id: Start
[Jun 4 10:23:22]ike_st_i_sa_proposal: Start
[Jun 4 10:23:22]ikev2_fb_st_select_ike_sa: FSM_SET_NEXT:ikev2_fb_st_select_ike_sa_finish
[Jun 4 10:23:22]iked_pm_ike_spd_select_ike_sa failed. rc 1, error_code: No proposal chosen
[Jun 4 10:23:22]ikev2_fb_spd_select_sa_cb: IKEv2 SA select failed with error No proposal chosen (neg 92a2000)
[Jun 4 10:23:22]ike_isakmp_sa_reply: Start

I see the error message for the kb was on the wrong side, the client not the SRX.

This one generally means either the proposals don't match or the gateway is not matching for an aggressive tunnel this will be the hostname declarations.  I don't see a local hostname declared in the configuration.

I also notice you don't have an ip address assigned to the tunnel interface, I have always had an address or configured it as unnumbered with another interface.  I think you need an ip here too but that would not affect phase 1.

Hi Spuluka,

Thanks for the response......

I am using a Juniper configuration sent by NCP, but changing it slightly to fit our requirements......

We are using the SRX Gateway address from the Client itself, but the dynamic requirement is there because it is for remote anywhere usage and not a specific location......

I have the following configured on the client:

aggressive mode (IKEv1)

Pre-shared-key

DH2

IPSec Policy - Automatic (There is no other option)

PFS Group - DH2

Policy Editor:

IKE : Pre-shared-key : AES 192 Bit : SHA

IPSec: ESP : AES 128 Bit : SHA

Gateway Tunnel Endpoint is correct:

I'm in agreement with you with regards to the "unnumbered" but NCP are adamant that this is not required.....

Hi Spuluka,

I changed the hostname to user-at-hostname and Phase 1 is working.... now we are gettting the same on Phase 2 - No proposal chosen, but working through it  🙂

Okay. It is all up and running.

So, the Phase 1 (IKE) issue was a simple change of "hostname" to "user-at-hostname"

Phase 2.... unbelievzbly, the XAUTH for the pool had no Secondary DNS configured but the NCP cline thad 8.8.4.4... I set this to 0.0.0.0 on the Client and it all worked.

Awesome

As an add on,

 in case anyone would like to know the configuration I used on the SRX to get this working, here it is..... all you should need to do is change parameters to suit your needs..... posting the NCP Client configuration here is not viable, just make sure it is the same as the SRX config:

set security ike proposal ncp-proposal authentication-method pre-shared-keys
set security ike proposal ncp-proposal dh-group group2
set security ike proposal ncp-proposal authentication-algorithm sha1
set security ike proposal ncp-proposal encryption-algorithm aes-192-cbc
set security ike proposal ncp-proposal lifetime-seconds 10800

et security ike policy ncp-policy mode aggressive
set security ike policy ncp-policy proposals ncp-proposal
set security ike policy ncp-policy pre-shared-key ascii-text (password)

set security ike gateway ncp-gateway ike-policy ncp-policy
set security ike gateway ncp-gateway dynamic user-at-hostname "programme@ncp.juniper.net"
set security ike gateway ncp-gateway dynamic connections-limit 10
set security ike gateway ncp-gateway dynamic ike-user-type shared-ike-id
set security ike gateway ncp-gateway external-interface ge-0/0/5
set security ike gateway ncp-gateway aaa access-profile radius
set security ike gateway ncp-gateway version v1-only
set security ike gateway ncp-gateway tcp-encap-profile NCP

set security ipsec proposal ncp-ipsec-proposal protocol esp
set security ipsec proposal ncp-ipsec-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal ncp-ipsec-proposal encryption-algorithm aes-128-cbc
set security ipsec proposal ncp-ipsec-proposal lifetime-seconds 3600

set security ipsec policy ncp-ipsec-policy perfect-forward-secrecy keys group2
set security ipsec policy ncp-ipsec-policy proposals ncp-ipsec-proposal

set security ipsec vpn ncp-ipsec-vpn bind-interface st0.1
set security ipsec vpn ncp-ipsec-vpn ike gateway ncp-gateway
set security ipsec vpn ncp-ipsec-vpn ike idle-time 300
set security ipsec vpn ncp-ipsec-vpn ike ipsec-policy ncp-ipsec-policy
set security ipsec vpn ncp-ipsec-vpn traffic-selector TS1 local-ip 0.0.0.0/0
set security ipsec vpn ncp-ipsec-vpn traffic-selector TS1 remote-ip 0.0.0.0/0

set security tcp-encap profile NCP
set interfaces st0 unit 1 family inet

set access profile radius client (Username) firewall-user password password
set access profile radius client (Username) firewall-user password password
set access profile radius address-assignment pool NCP_POOL

set access address-assignment pool NCP_POOL family inet network 192.168.120.0/24
set access address-assignment pool NCP_POOL family inet xauth-attributes primary-dns 8.8.8.8/32
set access address-assignment pool NCP_POOL family inet xauth-attributes secondary-dns 8.8.4.4/32

set routing-instances Customer-VR interface st0.1
set security zones security-zone Customer-Network interfaces st0.1

Don't forget on the SRX, you need to route your networks back to the st0 interface configured (In this case st0.1).... that static route will need to be placed in the same VR as the st interface. Also, add in your address book/address set the network VPN assigned range and addresses coming from.... then apply to the policies......

Thanks for sharing the updated configuration.