
Peer proposed phase2 proposal conflicts with local configuration. Negotiation failed

  • 1.  Peer proposed phase2 proposal conflicts with local configuration. Negotiation failed

    Posted 12-02-2017 03:09

    Hi guys,

    I've created a site-to-site VPN between our SRX340 running Junos 17.3R1.10 and a Sophos ASG.

    Three subnets on my side and one on the other side, all defined with traffic selectors.

    The tunnel comes up fine and traffic is flowing in both directions; unfortunately I still get this error:

    Peer proposed phase2 proposal conflicts with local configuration. Negotiation failed

    The config is like this:

    security {
        ike {
            proposal ike-proposal-1 {
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm sha1;
                encryption-algorithm aes-128-cbc;
                lifetime-seconds 3600;
            }
            policy ike-policy-1 {
                mode main;
                proposals ike-proposal-1;
                pre-shared-key ascii-text
            }
            gateway ike-gateway-1 {
                ike-policy ike-policy-1;
                address **.***.***.***;
                external-interface reth1.1;
                version v1-only;
            }
        }
        ipsec {
            proposal ipsec-proposal-1 {
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm aes-256-cbc;
                lifetime-seconds 3600;
            }
            vpn vpn-1 {
                bind-interface st0.2;
                ike {
                    gateway ike-gateway-1;
                    ipsec-policy ipsec-policy-1;
                }
                traffic-selector TS1 {
                    local-ip 100.100.0.0/16;
                    remote-ip 192.168.50.0/24;
                }
                traffic-selector TS2 {
                    local-ip 110.100.0.0/16;
                    remote-ip 192.168.50.0/24;
                }
                traffic-selector TS3 {
                    local-ip 172.21.49.0/24;
                    remote-ip 192.168.50.0/24;
                }
                establish-tunnels immediately;
            }
        }
    }

    How do I fix this, or is this a bug?



  • 2.  RE: Peer proposed phase2 proposal conflicts with local configuration. Negotiation failed

    Posted 12-03-2017 03:35

    You have posted the phase 1 configuration. The phase 2 configuration is under:

    security ipsec

    And to check, we would need to see what the other side is expecting as the proposals.

    Are there other tunnels on this SRX?

    Since this one is passing traffic, maybe the event is from another connection.


    What is the output from:

    show security ipsec security-associations
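The reply above is asking for a comparison: what the SRX is configured to accept versus what the peer actually proposes in phase 2, both the algorithm set and the proxy IDs (traffic selectors). The script below is an added example for doing that comparison offline; it is not code from the thread, from Juniper or from Sophos. The SRX-side values are the ones posted above; the peer-side values are constructed for the demonstration and say nothing about what the real Sophos box sends. It also encodes one assumption about SRX behaviour that is labelled in the code: with IKEv1 (the post uses `version v1-only`) the peer's proxy IDs must equal a configured traffic selector exactly, while IKEv2 lets the responder narrow, so an overlap is enough.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Phase2Proposal:
    """Phase-2 (IPsec SA) parameters, named as an SRX 'security ipsec proposal' names them."""
    protocol: str                     # "esp" or "ah"
    encryption: str                   # e.g. "aes-256-cbc"
    authentication: str               # e.g. "hmac-sha1-96"
    lifetime_seconds: int             # a mismatch here is normally negotiated down, not rejected
    pfs_group: Optional[str] = None   # "group2" etc.; None when no perfect-forward-secrecy is set


@dataclass(frozen=True)
class TrafficSelector:
    """One 'traffic-selector' entry under 'security ipsec vpn <name>', seen from the SRX."""
    name: str
    local_ip: str
    remote_ip: str


def check_proposal(local: Phase2Proposal, peer: Phase2Proposal) -> List[str]:
    """Return the hard mismatches that make the SRX reject the peer's phase-2 proposal.

    An empty list means the algorithm set is acceptable. Lifetime is deliberately not
    compared: both sides normally settle on the shorter lifetime instead of failing.
    """
    problems = []
    for field in ("protocol", "encryption", "authentication"):
        mine, theirs = getattr(local, field), getattr(peer, field)
        if mine != theirs:
            problems.append(f"{field}: local {mine} vs peer {theirs}")
    if local.pfs_group != peer.pfs_group:
        problems.append(f"pfs: local {local.pfs_group or 'none'} vs peer {peer.pfs_group or 'none'}")
    return problems


def match_selector(selectors: List[TrafficSelector], peer_local: str, peer_remote: str,
                   ike_version: int) -> Optional[str]:
    """Return the name of the SRX traffic selector that accepts the peer's proposed pair, or None.

    The peer's "local" network is our "remote" and vice versa, so the pair is flipped first.
    Assumption about SRX behaviour encoded here: with IKEv1 there is no selector narrowing,
    so the proposed proxy IDs must equal a configured selector; with IKEv2 the responder may
    narrow, so any overlap with a configured selector is enough.
    """
    want_local = ip_network(peer_remote)
    want_remote = ip_network(peer_local)
    for ts in selectors:
        have_local, have_remote = ip_network(ts.local_ip), ip_network(ts.remote_ip)
        if ike_version == 1:
            if have_local == want_local and have_remote == want_remote:
                return ts.name
        elif have_local.overlaps(want_local) and have_remote.overlaps(want_remote):
            return ts.name
    return None


def diagnose(selectors: List[TrafficSelector], local: Phase2Proposal, peer: Phase2Proposal,
             peer_pairs: List[Tuple[str, str]], ike_version: int) -> List[str]:
    """Produce one finding per reason the negotiation could fail; an empty list means all clear."""
    findings = [f"proposal mismatch, {p}" for p in check_proposal(local, peer)]
    for peer_local, peer_remote in peer_pairs:
        if match_selector(selectors, peer_local, peer_remote, ike_version) is None:
            findings.append(f"no traffic selector for peer pair {peer_local} <-> {peer_remote}")
    return findings


# The three selectors and the ESP proposal from the post (SRX side).
SRX_SELECTORS = [
    TrafficSelector("TS1", "100.100.0.0/16", "192.168.50.0/24"),
    TrafficSelector("TS2", "110.100.0.0/16", "192.168.50.0/24"),
    TrafficSelector("TS3", "172.21.49.0/24", "192.168.50.0/24"),
]
SRX_PROPOSAL = Phase2Proposal("esp", "aes-256-cbc", "hmac-sha1-96", 3600)

# Constructed peer values for the demonstration; they are not from the thread and say nothing
# about what the real Sophos box proposes. The cipher differs, and the third pair is a /16
# where the SRX is configured with a /24.
PEER_PROPOSAL = Phase2Proposal("esp", "aes-128-cbc", "hmac-sha1-96", 3600)
PEER_PAIRS = [  # (peer's local network, peer's remote network), as the peer would list them
    ("192.168.50.0/24", "100.100.0.0/16"),
    ("192.168.50.0/24", "110.100.0.0/16"),
    ("192.168.50.0/24", "172.21.0.0/16"),
]

if __name__ == "__main__":
    for line in diagnose(SRX_SELECTORS, SRX_PROPOSAL, PEER_PROPOSAL, PEER_PAIRS, ike_version=1):
        print(line)
```

Fill `PEER_PROPOSAL` and `PEER_PAIRS` from the peer's IPsec policy and the subnets it lists, and the SRX side from `show configuration security ipsec`. Because the thread's tunnel is already passing traffic, a finding that points at one specific pair (rather than at the algorithm set) is the kind of thing to look for: the three selectors each build their own SA, and one peer-side pair that does not match any of them exactly will fail on its own while the other two work.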