SRX


  • 1.  IPsec behind a nat

    Posted 07-08-2022 09:59
    Hello,

    Having the following setup:

    SRX{IPSec}{NAT} ---------- NW ------- IPsec

    I am getting a "no proposal chosen" error; here is the configuration:

    set security ike traceoptions file ike-trace
    set security ike traceoptions flag all
    set security ike proposal TUNNEL_ike_prop authentication-method pre-shared-keys
    set security ike proposal TUNNEL_ike_prop dh-group group14
    set security ike proposal TUNNEL_ike_prop authentication-algorithm sha-256
    set security ike proposal TUNNEL_ike_prop encryption-algorithm aes-256-cbc
    set security ike proposal TUNNEL_ike_prop lifetime-seconds 86400
    set security ike policy TUNNEL_ike_policy mode main
    set security ike policy TUNNEL_ike_policy proposals TUNNEL_ike_prop
    set security ike policy TUNNEL_ike_policy pre-shared-key ascii-text "$8$aes256-gcm$hmac-sha2-256$100$BeQLn2LwAhc$R6tFSuEkhnBkjMobyS/suA$Ekk0P1+K82L9DQOY+LmefQ$bloVJb2OEhHHUjDa0Lmd40tAXF9nVCaQ5r+xbEMxAeoYyRhwSzaDZTR7HrlxJm+nTRet2OVv8a1uBHU+OUmRWw"
    set security ike gateway TUNNEL_ike_gw ike-policy TUNNEL_ike_policy
    set security ike gateway TUNNEL_ike_gw address 62.217.213.233
    set security ike gateway TUNNEL_ike_gw local-identity inet 92.187.101.135
    set security ike gateway TUNNEL_ike_gw external-interface ae92.601
    set security ike gateway TUNNEL_ike_gw version v2-only
    set security ipsec proposal TUNNEL_ipsec_prop protocol esp
    set security ipsec proposal TUNNEL_ipsec_prop authentication-algorithm hmac-sha-256-128
    set security ipsec proposal TUNNEL_ipsec_prop lifetime-seconds 3600
    set security ipsec policy TUNNEL_ipsec_policy perfect-forward-secrecy keys group14
    set security ipsec policy TUNNEL_ipsec_policy proposals TUNNEL_ipsec_prop
    set security ipsec vpn TUNNEL_ipsec bind-interface st0.0
    set security ipsec vpn TUNNEL_ipsec ike gateway TUNNEL_ike_gw
    set security ipsec vpn TUNNEL_ipsec ike ipsec-policy TUNNEL_ipsec_policy
    set security ipsec vpn TUNNEL_ipsec traffic-selector ORO_Proxy local-ip 92.187.101.136/32
    set security ipsec vpn TUNNEL_ipsec traffic-selector ORO_Proxy remote-ip 109.166.189.66/32
    set security ipsec vpn TUNNEL_ipsec traffic-selector ORO_Bastion local-ip 92.187.101.137/32
    set security ipsec vpn TUNNEL_ipsec traffic-selector ORO_Bastion remote-ip 109.166.189.66/32
    set security ipsec vpn TUNNEL_ipsec establish-tunnels immediately

    set security nat static rule-set 1 from zone GRT
    set security nat static rule-set 1 rule 1 match destination-address 92.187.101.135/32
    set security nat static rule-set 1 rule 1 then static-nat prefix 192.168.65.12/32
    set security nat static rule-set 2 from zone VPN
    set security nat static rule-set 2 rule Proxy_nat match destination-address 92.187.101.136/32
    set security nat static rule-set 2 rule Proxy_nat then static-nat prefix 10.193.98.4/32
    set security nat static rule-set 2 rule Bastion_nat match destination-address 92.187.101.137/32
    set security nat static rule-set 2 rule Bastion_nat then static-nat prefix 10.193.98.12/32

    set security zones security-zone GRT address-book address nat 92.187.101.135/32
    set security zones security-zone GRT address-book address VPN 62.217.213.233/32
    set security zones security-zone GRT host-inbound-traffic system-services ping
    set security zones security-zone GRT host-inbound-traffic system-services ike
    set security zones security-zone GRT interfaces ae92.601


    And logs:

    Jul 8 12:31:36 MXFUNFW03 kmd[9274]: IKE negotiation failed with error: No proposal chosen. IKE Version: 2, VPN: ORO_Pikeo_ipsec Gateway: ORO_Pikeo_ike_gw, Local: 192.168.65.12/500, Remote: 62.217.213.233/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Initiator
    Jul 8 12:31:36 MXFUNFW03 kmd[9274]: IPSec negotiation failed with error: No proposal chosen. IKE Version: 2, VPN: ORO_Pikeo_ipsec Gateway: ORO_Pikeo_ike_gw, Local: 192.168.65.12/500, Remote: 62.217.213.233/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
    Jul 8 12:31:36 MXFUNFW03 kmd[9274]: IKE negotiation failed with error: No proposal chosen. IKE Version: 2, VPN: ORO_Pikeo_ipsec Gateway: ORO_Pikeo_ike_gw, Local: 192.168.65.12/500, Remote: 62.217.213.233/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Initiator
    Jul 8 12:31:36 MXFUNFW03 kmd[9274]: IPSec negotiation failed with error: No proposal chosen. IKE Version: 2, VPN: ORO_Pikeo_ipsec Gateway: ORO_Pikeo_ike_gw, Local: 192.168.65.12/500, Remote: 62.217.213.233/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0

    And traces:

    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] Freeing all P2 SAs for IKEv2 p1 SA 7728645
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] P1 SA 7728645 reference count is not zero (1). Delaying deletion of SA
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_pm_p1_sa_destroy: p1 sa 7728645 (ref cnt 0), waiting_for_del 0x8f0f9c0
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_peer_remove_p1sa_entry: Remove p1 sa 7728645 from peer entry 0x8d4e580
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] delete from id_hash key: 704e3924abbeb40c4de534b88850c51a82920c8a
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_peer_entry_delete_from_id_table: Deleted peer entry 0x8d4e580 for local 192.168.65.12:500 remote 62.217.213.233:500. gw ORO_Pikeo_ike_gw, VR id 0 from ID hash table
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_peer_entry_patricia_delete:Peer entry 0x8d4e580 deleted for local 192.168.65.12:500 and remote 62.217.213.233:500
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] Triggering negotiation for instance-GT-ORO_Pikeo_ipsec_ORO_Bastion_67108866 config block
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_sa_cfg_get_parent_sa_cfg Found parent GT-ORO_Pikeo_ipsec_ORO_Bastion for sa_cfg instance-GT-ORO_Pikeo_ipsec_ORO_Bastion_67108866
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_sa_cfg_get_parent_sa_cfg Found parent ORO_Pikeo_ipsec for sa_cfg GT-ORO_Pikeo_ipsec_ORO_Bastion
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_pm_trigger_callback: lookup peer entry for gateway ORO_Pikeo_ike_gw, local_port=500, remote_port=500
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_create_peer_entry: Created peer entry 0x8d4e940 for local 192.168.65.12:500 remote 62.217.213.233:500
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_fetch_or_create_peer_entry: Create peer entry 0x8d4e940 for local 192.168.65.12:500 remote 62.217.213.233:500. gw ORO_Pikeo_ike_gw, VR id 0
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_pm_trigger_callback: FOUND peer entry for gateway ORO_Pikeo_ike_gw
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] id_key key: 704e3924abbeb40c4de534b88850c51a82920c8a
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] id_key key: 704e3924abbeb40c4de534b88850c51a82920c8a
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] user_key_id key: 704e3924abbeb40c4de534b88850c51a82920c8a
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] Initiating new P1 SA for gateway ORO_Pikeo_ike_gw
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] P1 SA 7728646 start timer. timer duration 30, reason 1.
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_pm_trigger_negotiation Set p2_ed in sa_cfg=instance-GT-ORO_Pikeo_ipsec_ORO_Bastion_67108866
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_peer_insert_p1sa_entry: Insert p1 sa 7728646 in peer entry 0x8d4e940
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ssh_ikev2_ipsec_send: Creating IKE and IPsec SA 62.217.213.233;500
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ssh_ikev2_ipsec_send: Started IPsec SA creation 62.217.213.233;500
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_init_initiator_out: FSM_SET_NEXT:ikev2_state_init_initiator_out_cookie
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_init_initiator_out_cookie: FSM_SET_NEXT:ikev2_state_init_initiator_out_fill_sa
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_init_initiator_out_fill_sa: FSM_SET_NEXT:ikev2_state_init_initiator_out_sa
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] IKE SA fill called for negotiation of local:192.168.65.12, remote:62.217.213.233 IKEv2
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_init_initiator_out_sa: FSM_SET_NEXT:ikev2_state_init_initiator_out_dh_setup
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_init_initiator_out_dh_setup: FSM_SET_NEXT:ikev2_state_init_initiator_out_nonce
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] Inside kmd_sw_dh_gen...
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_init_initiator_out_nonce: FSM_SET_NEXT:ikev2_state_init_initiator_out_notify
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_init_initiator_out_notify: FSM_SET_NEXT:ikev2_state_init_initiator_out_notify_request
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_init_initiator_out_notify_request: FSM_SET_NEXT:ikev2_state_init_initiator_out_vid
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_pm_ike_spd_notify_request Parse notification paylad in last received pkt
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_pm_ike_spd_notify_request send NHTB_SUPPORTED
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_pm_ike_spd_notify_request: Add fragmentation supported notify
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_init_initiator_out_vid: FSM_SET_NEXT:ikev2_state_init_initiator_out_private_payload
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_init_initiator_out_private_payload: FSM_SET_NEXT:ikev2_state_init_initiator_out_done
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_init_initiator_out_done: FSM_SET_NEXT:ikev2_state_send
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_list_packet_payloads: Sending packet: HDR, SA, KE, Nonce, N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP), N(RESERVED), N(FRAGMENTATION_SUPPORTED), Vid, Vid, Vid
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] IKEv2 packet S(<none>:500 -> 62.217.213.233:500): len= 518, mID=0, HDR, SA, KE, Nonce, N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP), N(RESERVED), N(FRAGMENTATION_S
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_packet_st_send_request_address: FSM_SET_NEXT:ikev2_packet_st_send
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_udp_send_packet: [95e5100/8fc5e00] <-------- Sending packet - length = 0 VR id 0

    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_packet_st_send: FSM_SET_NEXT:ikev2_packet_st_send_request_address
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ---------> Received from 62.217.213.233:500 to 192.168.65.12:0, VR 0, length 36 on IF
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_packet_st_input_start: FSM_SET_NEXT:ikev2_packet_st_input_get_or_create_sa
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_packet_st_input_get_or_create_sa: FSM_SET_NEXT:ikev2_packet_st_verify
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_packet_st_verify: [95e5400/8fc5e00] R: IKE SA REFCNT: 3
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_decode: FSM_SET_NEXT:ikev2_state_dispatch
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_list_packet_payloads: Receiving packet: HDR, N(NO_PROPOSAL_CHOSEN)
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] IKEv2 packet R(<none>:500 <- 62.217.213.233:500): len= 36, mID=0, HDR, N(NO_PROPOSAL_CHOSEN)
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_decode_notify: Storing information about received unprotected error notify 'No proposal chosen' (14) to IKE SA 8fc5e00
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_window_set_retransmit_count: Transmit window 8fc5f84: Setting retransmit count to 4 on IKE SA 8fc5e00
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_pm_ike_spd_notify_received - START
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_decode_packet: [95e5400/8fc5e00] Updating responder IKE SPI to IKE SA 8fc5e00 I 1f0b75da c0d917e2 R 2d2b4bf3 1fd0750a
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_dispatch: FSM_SET_NEXT:ikev2_state_init_initiator_in
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_dispatch: [95e5400/8fc5e00] Initiator side IKE_SA_INIT
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_init_initiator_in: FSM_SET_NEXT:ikev2_state_init_initiator_in_notify
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_init_initiator_in_notify: [95e5400/8fc5e00] N(14) error found
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_error: [95e5400/8fc5e00] Negotiation failed because of error No proposal chosen (14)
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] IKE negotiation fail for local:192.168.65.12, remote:62.217.213.233 IKEv2 with status: No proposal chosen
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] Inside iked_pm_ipsec_sa_done

    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] IPSec negotiation failed for SA-CFG GT-ORO_Pikeo_ipsec_ORO_Bastion for local:192.168.65.12, remote:62.217.213.233 IKEv2. status: No proposal chosen
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] P2 ed info: flags 0x8842, P2 error: Error ok
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_sa_cfg_get_parent_sa_cfg Found parent ORO_Pikeo_ipsec for sa_cfg GT-ORO_Pikeo_ipsec_ORO_Bastion
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_ts_config_find_sa_cfg_by_name Looking for ts group template, GT name is GT-ORO_Pikeo_ipsec_ORO_Proxy
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_ts_config_find_sa_cfg_by_name Found sa_cfg for ts ORO_Proxy
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_ts_config_find_sa_cfg_by_name Looking for ts group template, GT name is GT-ORO_Pikeo_ipsec_ORO_Bastion
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_ts_config_find_sa_cfg_by_name Found sa_cfg for ts ORO_Bastion
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] IPSec SA done callback. ed 955e028. status: No proposal chosen
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] IKE SA delete called for p1 sa 7728646 (ref cnt 2) local:192.168.65.12, remote:62.217.213.233, IKEv2
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] P1 SA 7728646 stop timer. timer duration 30, reason 1.
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] Freeing all P2 SAs for IKEv2 p1 SA 7728646
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] P1 SA 7728646 reference count is not zero (1). Delaying deletion of SA
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_pm_p1_sa_destroy: p1 sa 7728646 (ref cnt 0), waiting_for_del 0x8f0f9a0
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_peer_remove_p1sa_entry: Remove p1 sa 7728646 from peer entry 0x8d4e940
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] delete from id_hash key: 704e3924abbeb40c4de534b88850c51a82920c8a
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_peer_entry_delete_from_id_table: Deleted peer entry 0x8d4e940 for local 192.168.65.12:500 remote 62.217.213.233:500. gw ORO_Pikeo_ike_gw, VR id 0 from ID hash table
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_peer_entry_patricia_delete:Peer entry 0x8d4e940 deleted for local 192.168.65.12:500 and remote 62.217.213.233:500


    I am not sure that this is working while doing a static nat directly on the SRX.
    Can you please help?

    ------------------------------
    ALEXANDRU MINZAT
    ------------------------------


  • 2.  RE: IPsec behind a nat

    Posted 07-11-2022 12:07
    With the message "no proposal chosen" there is generally a mismatch in configuration elements between the two gateways.
    Verify the local Phase 2 VPN configuration elements. The Phase 2 proposal elements include the following:
    • Authentication algorithm
    • Encryption algorithm
    • Lifetime kilobytes
    • Lifetime seconds
    • Protocol
    • Perfect Forward Secrecy

    Either change the local configuration to accept at least one of the remote peer's Phase 2 proposals, or contact the remote peer's admin and arrange for the IKE configurations at both ends of the tunnel to use at least one mutually acceptable Phase 2 proposal.

    More details on the phase two messages are here.
    https://supportportal.juniper.net/s/article/SRX-How-to-troubleshoot-IKE-Phase-2-VPN-connection-issues

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------
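As an added example for the checklist in the reply above (this is not code from the thread or from Juniper), the script below reads the `set security ike|ipsec proposal|policy ...` lines of a Junos set-format configuration, builds the effective Phase 1 and Phase 2 element sets, and compares them with what the remote administrator reports for their side. The peer values are constructed for illustration and the parser only understands the line shapes posted in this thread; assumptions are marked in the comments. It goes one step beyond the list in two ways: an element left unset on the SRX is reported as `unset-local` rather than silently assumed to match (the device default then applies and has to be confirmed on the box), and with IKEv2 the two lifetime elements are reported as `local-policy` because RFC 7296 does not carry lifetimes in the proposal. Run against the proposal lines from the original post, it flags `encryption-algorithm` in the IPsec proposal as unset locally.

```python
"""Compare Junos Phase 1 / Phase 2 proposal elements with a peer's reported settings.

Added example for this thread, not code from the thread or from Juniper. Only the
`set security ike|ipsec proposal|policy ...` line shapes seen in the thread are parsed.
"""
import re
from collections import defaultdict

# Elements compared per phase: the Phase 2 list from the reply, plus the Phase 1 set.
PHASE1_ELEMENTS = ("authentication-method", "dh-group", "authentication-algorithm",
                   "encryption-algorithm", "lifetime-seconds")
PHASE2_ELEMENTS = ("protocol", "authentication-algorithm", "encryption-algorithm",
                   "lifetime-seconds", "lifetime-kilobytes", "perfect-forward-secrecy")

# With IKEv2 (RFC 7296) lifetimes are not part of the proposal; each side rekeys on
# its own timer, so a difference here cannot produce NO_PROPOSAL_CHOSEN.
LOCAL_POLICY_IN_IKEV2 = {"lifetime-seconds", "lifetime-kilobytes"}

# "perfect-forward-secrecy keys group14" carries an extra "keys" token before the value.
SET_RE = re.compile(
    r"^set security (?P<phase>ike|ipsec) (?P<kind>proposal|policy) (?P<name>\S+) "
    r"(?P<key>[\w-]+)(?: keys)? (?P<value>\S+)$"
)


def parse_set_config(text):
    """Return cfg[phase][kind][name] -> {element: value} for proposal/policy lines."""
    cfg = {p: {"proposal": defaultdict(dict), "policy": defaultdict(dict)}
           for p in ("ike", "ipsec")}
    for line in text.splitlines():
        m = SET_RE.match(line.strip())
        if m:
            cfg[m["phase"]][m["kind"]][m["name"]][m["key"]] = m["value"]
    return cfg


def phase1_elements(cfg, ike_policy):
    """Effective Phase 1 elements of the proposal referenced by an IKE policy."""
    policy = cfg["ike"]["policy"].get(ike_policy, {})
    prop = cfg["ike"]["proposal"].get(policy.get("proposals"), {})
    return {k: prop.get(k) for k in PHASE1_ELEMENTS}


def phase2_elements(cfg, ipsec_policy):
    """Effective Phase 2 elements: proposal values plus PFS from the IPsec policy."""
    policy = cfg["ipsec"]["policy"].get(ipsec_policy, {})
    prop = cfg["ipsec"]["proposal"].get(policy.get("proposals"), {})
    elems = {k: prop.get(k) for k in PHASE2_ELEMENTS}
    elems["perfect-forward-secrecy"] = policy.get("perfect-forward-secrecy")
    return elems


def compare(local, peer, ikev2=True):
    """Status per element: match, mismatch, unset-local, unset-peer, unset-both, local-policy."""
    report = {}
    for key, mine in local.items():
        theirs = peer.get(key)
        if ikev2 and key in LOCAL_POLICY_IN_IKEV2:
            report[key] = "local-policy"
        elif mine is None and theirs is None:
            report[key] = "unset-both"
        elif mine is None:
            report[key] = "unset-local"   # device default applies; confirm it on the SRX
        elif theirs is None:
            report[key] = "unset-peer"
        else:
            report[key] = "match" if mine == theirs else "mismatch"
    return report


def blocking(report):
    """Elements whose status can make the responder answer NO_PROPOSAL_CHOSEN."""
    return [k for k, s in report.items() if s in ("mismatch", "unset-local", "unset-peer")]


# Proposal/policy lines taken from the configuration posted in the thread.
SRX_CONFIG = """\
set security ike proposal TUNNEL_ike_prop authentication-method pre-shared-keys
set security ike proposal TUNNEL_ike_prop dh-group group14
set security ike proposal TUNNEL_ike_prop authentication-algorithm sha-256
set security ike proposal TUNNEL_ike_prop encryption-algorithm aes-256-cbc
set security ike proposal TUNNEL_ike_prop lifetime-seconds 86400
set security ike policy TUNNEL_ike_policy mode main
set security ike policy TUNNEL_ike_policy proposals TUNNEL_ike_prop
set security ipsec proposal TUNNEL_ipsec_prop protocol esp
set security ipsec proposal TUNNEL_ipsec_prop authentication-algorithm hmac-sha-256-128
set security ipsec proposal TUNNEL_ipsec_prop lifetime-seconds 3600
set security ipsec policy TUNNEL_ipsec_policy perfect-forward-secrecy keys group14
set security ipsec policy TUNNEL_ipsec_policy proposals TUNNEL_ipsec_prop
"""

# Constructed peer settings (what the remote admin might report); not from the thread.
PEER_PHASE1 = {"authentication-method": "pre-shared-keys", "dh-group": "group14",
               "authentication-algorithm": "sha-256", "encryption-algorithm": "aes-256-cbc",
               "lifetime-seconds": "28800"}
PEER_PHASE2 = {"protocol": "esp", "authentication-algorithm": "hmac-sha-256-128",
               "encryption-algorithm": "aes-256-cbc", "lifetime-seconds": "3600",
               "lifetime-kilobytes": None, "perfect-forward-secrecy": "group14"}

if __name__ == "__main__":
    cfg = parse_set_config(SRX_CONFIG)
    for label, elems, peer in (("Phase 1", phase1_elements(cfg, "TUNNEL_ike_policy"), PEER_PHASE1),
                               ("Phase 2", phase2_elements(cfg, "TUNNEL_ipsec_policy"), PEER_PHASE2)):
        report = compare(elems, peer)
        print(label, report, "-> check:", blocking(report))
```

Pass `ikev2=False` to `compare` for an IKEv1 gateway, in which case the lifetime elements are compared like the others.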