Hello,
I have the following setup:
SRX{IPSec}{NAT} ---------- NW ------- IPsec
I am getting a "No proposal chosen" error. Here is the configuration:
set security ike traceoptions file ike-trace
set security ike traceoptions flag all
set security ike proposal TUNNEL_ike_prop authentication-method pre-shared-keys
set security ike proposal TUNNEL_ike_prop dh-group group14
set security ike proposal TUNNEL_ike_prop authentication-algorithm sha-256
set security ike proposal TUNNEL_ike_prop encryption-algorithm aes-256-cbc
set security ike proposal TUNNEL_ike_prop lifetime-seconds 86400
set security ike policy TUNNEL_ike_policy mode main
set security ike policy TUNNEL_ike_policy proposals TUNNEL_ike_prop
set security ike policy TUNNEL_ike_policy pre-shared-key ascii-text "$8$aes256-gcm$hmac-sha2-256$100$BeQLn2LwAhc$R6tFSuEkhnBkjMobyS/suA$Ekk0P1+K82L9DQOY+LmefQ$bloVJb2OEhHHUjDa0Lmd40tAXF9nVCaQ5r+xbEMxAeoYyRhwSzaDZTR7HrlxJm+nTRet2OVv8a1uBHU+OUmRWw"
set security ike gateway TUNNEL_ike_gw ike-policy TUNNEL_ike_policy
set security ike gateway TUNNEL_ike_gw address 62.217.213.233
set security ike gateway TUNNEL_ike_gw local-identity inet 92.187.101.135
set security ike gateway TUNNEL_ike_gw external-interface ae92.601
set security ike gateway TUNNEL_ike_gw version v2-only
set security ipsec proposal TUNNEL_ipsec_prop protocol esp
set security ipsec proposal TUNNEL_ipsec_prop authentication-algorithm hmac-sha-256-128
set security ipsec proposal TUNNEL_ipsec_prop lifetime-seconds 3600
set security ipsec policy TUNNEL_ipsec_policy perfect-forward-secrecy keys group14
set security ipsec policy TUNNEL_ipsec_policy proposals TUNNEL_ipsec_prop
set security ipsec vpn TUNNEL_ipsec bind-interface st0.0
set security ipsec vpn TUNNEL_ipsec ike gateway TUNNEL_ike_gw
set security ipsec vpn TUNNEL_ipsec ike ipsec-policy TUNNEL_ipsec_policy
set security ipsec vpn TUNNEL_ipsec traffic-selector ORO_Proxy local-ip 92.187.101.136/32
set security ipsec vpn TUNNEL_ipsec traffic-selector ORO_Proxy remote-ip 109.166.189.66/32
set security ipsec vpn TUNNEL_ipsec traffic-selector ORO_Bastion local-ip 92.187.101.137/32
set security ipsec vpn TUNNEL_ipsec traffic-selector ORO_Bastion remote-ip 109.166.189.66/32
set security ipsec vpn TUNNEL_ipsec establish-tunnels immediately
set security nat static rule-set 1 from zone GRT
set security nat static rule-set 1 rule 1 match destination-address 92.187.101.135/32
set security nat static rule-set 1 rule 1 then static-nat prefix 192.168.65.12/32
set security nat static rule-set 2 from zone VPN
set security nat static rule-set 2 rule Proxy_nat match destination-address 92.187.101.136/32
set security nat static rule-set 2 rule Proxy_nat then static-nat prefix 10.193.98.4/32
set security nat static rule-set 2 rule Bastion_nat match destination-address 92.187.101.137/32
set security nat static rule-set 2 rule Bastion_nat then static-nat prefix 10.193.98.12/32
set security zones security-zone GRT address-book address nat 92.187.101.135/32
set security zones security-zone GRT address-book address VPN 62.217.213.233/32
set security zones security-zone GRT host-inbound-traffic system-services ping
set security zones security-zone GRT host-inbound-traffic system-services ike
set security zones security-zone GRT interfaces ae92.601
And logs:
Jul 8 12:31:36 MXFUNFW03 kmd[9274]: IKE negotiation failed with error: No proposal chosen. IKE Version: 2, VPN: ORO_Pikeo_ipsec Gateway: ORO_Pikeo_ike_gw, Local: 192.168.65.12/500, Remote: 62.217.213.233/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Initiator
Jul 8 12:31:36 MXFUNFW03 kmd[9274]: IPSec negotiation failed with error: No proposal chosen. IKE Version: 2, VPN: ORO_Pikeo_ipsec Gateway: ORO_Pikeo_ike_gw, Local: 192.168.65.12/500, Remote: 62.217.213.233/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
Jul 8 12:31:36 MXFUNFW03 kmd[9274]: IKE negotiation failed with error: No proposal chosen. IKE Version: 2, VPN: ORO_Pikeo_ipsec Gateway: ORO_Pikeo_ike_gw, Local: 192.168.65.12/500, Remote: 62.217.213.233/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Initiator
Jul 8 12:31:36 MXFUNFW03 kmd[9274]: IPSec negotiation failed with error: No proposal chosen. IKE Version: 2, VPN: ORO_Pikeo_ipsec Gateway: ORO_Pikeo_ike_gw, Local: 192.168.65.12/500, Remote: 62.217.213.233/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
And traces:
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] Freeing all P2 SAs for IKEv2 p1 SA 7728645
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] P1 SA 7728645 reference count is not zero (1). Delaying deletion of SA
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_pm_p1_sa_destroy: p1 sa 7728645 (ref cnt 0), waiting_for_del 0x8f0f9c0
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_peer_remove_p1sa_entry: Remove p1 sa 7728645 from peer entry 0x8d4e580
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] delete from id_hash key: 704e3924abbeb40c4de534b88850c51a82920c8a
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_peer_entry_delete_from_id_table: Deleted peer entry 0x8d4e580 for local 192.168.65.12:500 remote 62.217.213.233:500. gw ORO_Pikeo_ike_gw, VR id 0 from ID hash table
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_peer_entry_patricia_delete:Peer entry 0x8d4e580 deleted for local 192.168.65.12:500 and remote 62.217.213.233:500
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] Triggering negotiation for instance-GT-ORO_Pikeo_ipsec_ORO_Bastion_67108866 config block
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_sa_cfg_get_parent_sa_cfg Found parent GT-ORO_Pikeo_ipsec_ORO_Bastion for sa_cfg instance-GT-ORO_Pikeo_ipsec_ORO_Bastion_67108866
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_sa_cfg_get_parent_sa_cfg Found parent ORO_Pikeo_ipsec for sa_cfg GT-ORO_Pikeo_ipsec_ORO_Bastion
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_pm_trigger_callback: lookup peer entry for gateway ORO_Pikeo_ike_gw, local_port=500, remote_port=500
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_create_peer_entry: Created peer entry 0x8d4e940 for local 192.168.65.12:500 remote 62.217.213.233:500
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_fetch_or_create_peer_entry: Create peer entry 0x8d4e940 for local 192.168.65.12:500 remote 62.217.213.233:500. gw ORO_Pikeo_ike_gw, VR id 0
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_pm_trigger_callback: FOUND peer entry for gateway ORO_Pikeo_ike_gw
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] id_key key: 704e3924abbeb40c4de534b88850c51a82920c8a
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] id_key key: 704e3924abbeb40c4de534b88850c51a82920c8a
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] user_key_id key: 704e3924abbeb40c4de534b88850c51a82920c8a
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] Initiating new P1 SA for gateway ORO_Pikeo_ike_gw
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] P1 SA 7728646 start timer. timer duration 30, reason 1.
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_pm_trigger_negotiation Set p2_ed in sa_cfg=instance-GT-ORO_Pikeo_ipsec_ORO_Bastion_67108866
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_peer_insert_p1sa_entry: Insert p1 sa 7728646 in peer entry 0x8d4e940
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ssh_ikev2_ipsec_send: Creating IKE and IPsec SA 62.217.213.233;500
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ssh_ikev2_ipsec_send: Started IPsec SA creation 62.217.213.233;500
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_init_initiator_out: FSM_SET_NEXT:ikev2_state_init_initiator_out_cookie
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_init_initiator_out_cookie: FSM_SET_NEXT:ikev2_state_init_initiator_out_fill_sa
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_init_initiator_out_fill_sa: FSM_SET_NEXT:ikev2_state_init_initiator_out_sa
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] IKE SA fill called for negotiation of local:192.168.65.12, remote:62.217.213.233 IKEv2
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_init_initiator_out_sa: FSM_SET_NEXT:ikev2_state_init_initiator_out_dh_setup
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_init_initiator_out_dh_setup: FSM_SET_NEXT:ikev2_state_init_initiator_out_nonce
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] Inside kmd_sw_dh_gen...
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_init_initiator_out_nonce: FSM_SET_NEXT:ikev2_state_init_initiator_out_notify
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_init_initiator_out_notify: FSM_SET_NEXT:ikev2_state_init_initiator_out_notify_request
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_init_initiator_out_notify_request: FSM_SET_NEXT:ikev2_state_init_initiator_out_vid
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_pm_ike_spd_notify_request Parse notification paylad in last received pkt
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_pm_ike_spd_notify_request send NHTB_SUPPORTED
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_pm_ike_spd_notify_request: Add fragmentation supported notify
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_init_initiator_out_vid: FSM_SET_NEXT:ikev2_state_init_initiator_out_private_payload
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_init_initiator_out_private_payload: FSM_SET_NEXT:ikev2_state_init_initiator_out_done
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_init_initiator_out_done: FSM_SET_NEXT:ikev2_state_send
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_list_packet_payloads: Sending packet: HDR, SA, KE, Nonce, N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP), N(RESERVED), N(FRAGMENTATION_SUPPORTED), Vid, Vid, Vid
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] IKEv2 packet S(<none>:500 -> 62.217.213.233:500): len= 518, mID=0, HDR, SA, KE, Nonce, N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP), N(RESERVED), N(FRAGMENTATION_S
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_packet_st_send_request_address: FSM_SET_NEXT:ikev2_packet_st_send
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_udp_send_packet: [95e5100/8fc5e00] <-------- Sending packet - length = 0 VR id 0
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_packet_st_send: FSM_SET_NEXT:ikev2_packet_st_send_request_address
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ---------> Received from 62.217.213.233:500 to 192.168.65.12:0, VR 0, length 36 on IF
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_packet_st_input_start: FSM_SET_NEXT:ikev2_packet_st_input_get_or_create_sa
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_packet_st_input_get_or_create_sa: FSM_SET_NEXT:ikev2_packet_st_verify
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_packet_st_verify: [95e5400/8fc5e00] R: IKE SA REFCNT: 3
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_decode: FSM_SET_NEXT:ikev2_state_dispatch
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_list_packet_payloads: Receiving packet: HDR, N(NO_PROPOSAL_CHOSEN)
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] IKEv2 packet R(<none>:500 <- 62.217.213.233:500): len= 36, mID=0, HDR, N(NO_PROPOSAL_CHOSEN)
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_decode_notify: Storing information about received unprotected error notify 'No proposal chosen' (14) to IKE SA 8fc5e00
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_window_set_retransmit_count: Transmit window 8fc5f84: Setting retransmit count to 4 on IKE SA 8fc5e00
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_pm_ike_spd_notify_received - START
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_decode_packet: [95e5400/8fc5e00] Updating responder IKE SPI to IKE SA 8fc5e00 I 1f0b75da c0d917e2 R 2d2b4bf3 1fd0750a
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_dispatch: FSM_SET_NEXT:ikev2_state_init_initiator_in
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_dispatch: [95e5400/8fc5e00] Initiator side IKE_SA_INIT
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_init_initiator_in: FSM_SET_NEXT:ikev2_state_init_initiator_in_notify
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_init_initiator_in_notify: [95e5400/8fc5e00] N(14) error found
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_error: [95e5400/8fc5e00] Negotiation failed because of error No proposal chosen (14)
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] IKE negotiation fail for local:192.168.65.12, remote:62.217.213.233 IKEv2 with status: No proposal chosen
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] Inside iked_pm_ipsec_sa_done
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] IPSec negotiation failed for SA-CFG GT-ORO_Pikeo_ipsec_ORO_Bastion for local:192.168.65.12, remote:62.217.213.233 IKEv2. status: No proposal chosen
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] P2 ed info: flags 0x8842, P2 error: Error ok
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_sa_cfg_get_parent_sa_cfg Found parent ORO_Pikeo_ipsec for sa_cfg GT-ORO_Pikeo_ipsec_ORO_Bastion
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_ts_config_find_sa_cfg_by_name Looking for ts group template, GT name is GT-ORO_Pikeo_ipsec_ORO_Proxy
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_ts_config_find_sa_cfg_by_name Found sa_cfg for ts ORO_Proxy
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_ts_config_find_sa_cfg_by_name Looking for ts group template, GT name is GT-ORO_Pikeo_ipsec_ORO_Bastion
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_ts_config_find_sa_cfg_by_name Found sa_cfg for ts ORO_Bastion
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] IPSec SA done callback. ed 955e028. status: No proposal chosen
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] IKE SA delete called for p1 sa 7728646 (ref cnt 2) local:192.168.65.12, remote:62.217.213.233, IKEv2
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] P1 SA 7728646 stop timer. timer duration 30, reason 1.
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] Freeing all P2 SAs for IKEv2 p1 SA 7728646
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] P1 SA 7728646 reference count is not zero (1). Delaying deletion of SA
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_pm_p1_sa_destroy: p1 sa 7728646 (ref cnt 0), waiting_for_del 0x8f0f9a0
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_peer_remove_p1sa_entry: Remove p1 sa 7728646 from peer entry 0x8d4e940
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] delete from id_hash key: 704e3924abbeb40c4de534b88850c51a82920c8a
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_peer_entry_delete_from_id_table: Deleted peer entry 0x8d4e940 for local 192.168.65.12:500 remote 62.217.213.233:500. gw ORO_Pikeo_ike_gw, VR id 0 from ID hash table
[Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_peer_entry_patricia_delete:Peer entry 0x8d4e940 deleted for local 192.168.65.12:500 and remote 62.217.213.233:500
I am not sure whether this works while doing static NAT directly on the SRX.
Can you please help?
------------------------------
ALEXANDRU MINZAT
------------------------------
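An added triage helper for the kmd syslog lines and the `set` configuration quoted in the post above (example code written here, not from the poster or from Juniper). It parses a "negotiation failed" line and relates its Local address to the gateway's configured local-identity and to the static NAT inside prefixes; in the post's own data those differ (192.168.65.12 in the log versus 92.187.101.135 in the gateway). The sample config and log line are constructed from the names and addresses quoted in the post.

```python
import re
# Constructed samples: the addresses and names are the ones quoted in the post,
# trimmed to the lines the checks below look at.
SAMPLE_CONFIG = """\
set security ike gateway TUNNEL_ike_gw address 62.217.213.233
set security ike gateway TUNNEL_ike_gw local-identity inet 92.187.101.135
set security nat static rule-set 1 rule 1 match destination-address 92.187.101.135/32
set security nat static rule-set 1 rule 1 then static-nat prefix 192.168.65.12/32
"""
SAMPLE_LOG = (
    "Jul 8 12:31:36 MXFUNFW03 kmd[9274]: IKE negotiation failed with error: "
    "No proposal chosen. IKE Version: 2, VPN: ORO_Pikeo_ipsec Gateway: ORO_Pikeo_ike_gw, "
    "Local: 192.168.65.12/500, Remote: 62.217.213.233/500, Local IKE-ID: Not-Available, "
    "Remote IKE-ID: Not-Available, VR-ID: 0: Role: Initiator"
)
KMD_RE = re.compile(
    r"(?P<phase>IKE|IPSec) negotiation failed with error: (?P<error>[^.]+)\. "
    r"IKE Version: (?P<version>\d+), VPN: (?P<vpn>\S+) Gateway: (?P<gw>[^,]+), "
    r"Local: (?P<local>[\d.]+)/(?P<lport>\d+), Remote: (?P<remote>[\d.]+)/(?P<rport>\d+)"
    r"(?:.*Role: (?P<role>\w+))?"
)
LOCAL_ID_RE = re.compile(r"^set security ike gateway (\S+) local-identity inet ([\d.]+)$")
STATIC_NAT_RE = re.compile(r"^set security nat static .* then static-nat prefix ([\d.]+)/32$")

def parse_kmd_line(line):
    """Fields of a kmd 'negotiation failed' syslog line, or None for any other line."""
    m = KMD_RE.search(line)
    return m.groupdict() if m else None

def local_identities(config):
    """Gateway name -> configured local-identity address, taken from 'set' lines."""
    return {m.group(1): m.group(2)
            for m in (LOCAL_ID_RE.match(ln.strip()) for ln in config.splitlines()) if m}

def static_nat_prefixes(config):
    """Inside (post-translation) /32 addresses of all static NAT rules."""
    return {m.group(1)
            for m in (STATIC_NAT_RE.match(ln.strip()) for ln in config.splitlines()) if m}

def check_failure(config, line):
    """Relate a failure line to the config: is IKE's Local address the configured
    local-identity, and/or the inside address of a static NAT rule?"""
    ev = parse_kmd_line(line)
    if ev is None:
        return None
    ids = local_identities(config)
    return {"error": ev["error"], "role": ev["role"], "local": ev["local"],
            "matches_local_identity": ev["local"] in ids.values(),
            "is_static_nat_inside": ev["local"] in static_nat_prefixes(config)}
```

Run `check_failure` over each kmd failure line; a result with `matches_local_identity` False and `is_static_nat_inside` True is the situation visible in the post's log, which is the first thing to reconcile with the peer's expected identity.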