Security

Hi All, I know most of this audience is full of very smart people. 

I am looking for any information on creating an IPSec VPN from a SRX running version 22.2R1.9 with a Juniper SSG5 running version  6.2.0.1. 

I am not sure if these are incompatible with the phase 1 and 2 settings. 

Initially I was getting a message in the logs as follows:

" IKE negotiation failed with error: No proposal chosen. "

So I tweaked the phase 1 proposal and received the following:

"IKE negotiation failed with error: Invalid syntax. IKE Version: 2,"

I am using IKEv2 on both devices. 

Current State:

show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
6131020 DOWN   e733cfa0b43ba9e3  4de62aa3e0a2a734  IKEv2 

I did set the time on both firewalls to sync up,

I will keep adjusting the proposals but looking for any info that can help me out.

Thanks as always for input and support. 

------------------------------
Paul Andreozzi
------------------------------

For troubleshooting vpn issues like this you would need to go through the tests and error messages in order.  You start with confirming phase 1 and moving up to phase 2.  Usually the responding side of the vpn as opposed to the initiating side will have the most useful messages.

You are on the right track that the parameters and timers all need to match on both sides.

On the ScreenOS device the list of monitor commands order and confirmation is here.

https://supportportal.juniper.net/s/article/ScreenOS-How-to-Troubleshoot-a-VPN-Tunnel-that-won-t-come-up?language=en_US

The SRX side will use these commands.

https://supportportal.juniper.net/s/article/SRX-Resolution-Guide-How-to-troubleshoot-Problem-Scenarios-in-VPN-tunnels?language=en_US

------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
------------------------------

Original Message:
Sent: 11-28-2023 10:01
From: Paul Andreozzi
Subject: IPSec VPN SRX300 to SSG5

Hi All, I know most of this audience is full of very smart people. 

I am looking for any information on creating an IPSec VPN from a SRX running version 22.2R1.9 with a Juniper SSG5 running version  6.2.0.1. 

I am not sure if these are incompatible with the phase 1 and 2 settings. 

Initially I was getting a message in the logs as follows:

" IKE negotiation failed with error: No proposal chosen. "

So I tweaked the phase 1 proposal and received the following:

"IKE negotiation failed with error: Invalid syntax. IKE Version: 2,"

I am using IKEv2 on both devices. 

Current State:

show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
6131020 DOWN   e733cfa0b43ba9e3  4de62aa3e0a2a734  IKEv2 

I did set the time on both firewalls to sync up,

I will keep adjusting the proposals but looking for any info that can help me out.

Thanks as always for input and support. 

------------------------------
Paul Andreozzi
------------------------------