Hi All, I know most of this audience is full of very smart people.
I am looking for any information on creating an IPSec VPN from an SRX running version 22.2R1.9 with a Juniper SSG5 running version 126.96.36.199. I am not sure if these are incompatible with the phase 1 and 2 settings.
Initially I was getting a message in the logs as follows:
"IKE negotiation failed with error: No proposal chosen."
So I tweaked the phase 1 proposal and received the following:
"IKE negotiation failed with error: Invalid syntax. IKE Version: 2,"
I am using IKEv2 on both devices.
show security ike security-associations
Index    State  Initiator cookie  Responder cookie  Mode   Remote Address
6131020  DOWN   e733cfa0b43ba9e3  4de62aa3e0a2a734  IKEv2
I did set the time on both firewalls to sync up.
I will keep adjusting the proposals but looking for any info that can help me out.
Thanks as always for input and support.
For troubleshooting VPN issues like this you would need to go through the tests and error messages in order. You start with confirming phase 1 and moving up to phase 2. Usually the responding side of the VPN, as opposed to the initiating side, will have the most useful messages.
You are on the right track that the parameters and timers all need to match on both sides.
On the ScreenOS device the list of monitor commands order and confirmation is here.
The SRX side will use these commands.
Thanks, Steve, for your reply. I did get this to work by playing with the proposals.
I appreciate your feedback.
Sorry to chime in late -- but I have several SRX series firewalls VPN tunneling back to my SSG140 (running 6.3.something). It works fine as long as you get all the parameters the same. I'm doing both static IPs at both ends and my SSG set to accept SRX connections from non-static addresses. But I can also see you got it working. Them proposals are important. :D
Cheers,
-Ben