
Remote Access VPN Error - Peer proposed phase2 proposal conflicts with local configuration. Negotiation failed


    Posted 02-16-2022 09:32
    Edited by Michael Pappas 02-18-2022 09:39

    Hello. I am configuring remote access VPN on a Juniper SRX 340.

    When I connect using Pulse, Phase 1 comes up and can be seen with show security ike sa. The Pulse app, though, keeps prompting for the password. show security ipsec sa does not show any active Phase 2.

    show log kmd-log throws the error below:

    IPSec negotiation failed with error: Peer proposed phase2 proposal conflicts with local configuration. Negotiation failed. IKE Version:


    Below is the configuration.


    set security ike policy IKE-REMOTE-VPN-POLICY mode aggressive
    set security ike policy IKE-REMOTE-VPN-POLICY proposal-set standard
    set security ike policy IKE-REMOTE-VPN-POLICY pre-shared-key ascii-text "$9$FmNF6pOhSeK8XIEvL7d4o9AtuRS8X7"
    set security ike gateway REMOTE-VPN-GW ike-policy IKE-REMOTE-VPN-POLICY
    set security ike gateway REMOTE-VPN-GW dynamic hostname eftsecure.local
    set security ike gateway REMOTE-VPN-GW dynamic ike-user-type group-ike-id
    set security ike gateway REMOTE-VPN-GW external-interface irb.850
    set security ike gateway REMOTE-VPN-GW xauth access-profile REM-XAUTH
    set security ike gateway REMOTE-VPN-GW version v1-only

    set security ipsec policy IPSEC-REMOTE-VPN-POLICY perfect-forward-secrecy keys group14
    set security ipsec policy IPSEC-REMOTE-VPN-POLICY proposal-set standard
    set security ipsec vpn REMOTE-VPN ike gateway REMOTE-VPN-GW
    set security ipsec vpn REMOTE-VPN ike ipsec-policy IPSEC-REMOTE-VPN-POLICY
    set security ipsec vpn REMOTE-VPN establish-tunnels immediately

    set security dynamic-vpn force-upgrade
    set security dynamic-vpn access-profile REM-XAUTH
    set security dynamic-vpn clients all remote-protected-resources 10.87.0.0/16
    set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
    set security dynamic-vpn clients all ipsec-vpn REMOTE-VPN
    set security dynamic-vpn clients all user xxxx

    set security policies from-zone EFT-ZAMTEL-VR to-zone CDEF-HOSTS policy REMOTE-VPN-CDEF-HOSTS match source-address ZAMTEL-INTERNET-DEFAULT
    set security policies from-zone EFT-ZAMTEL-VR to-zone CDEF-HOSTS policy REMOTE-VPN-CDEF-HOSTS match destination-address CDEF-HOSTS-SUBNET
    set security policies from-zone EFT-ZAMTEL-VR to-zone CDEF-HOSTS policy REMOTE-VPN-CDEF-HOSTS match application any
    set security policies from-zone EFT-ZAMTEL-VR to-zone CDEF-HOSTS policy REMOTE-VPN-CDEF-HOSTS then permit tunnel ipsec-vpn REMOTE-VPN

    set access profile REM-XAUTH client xxxxx firewall-user password "$9$LUGXx-Vb2ZUHVwPQF39CKMWxVw"
    set access profile REM-XAUTH client xxxxx firewall-user password "$9$AWrxtpO1IcKMX1Rds2gJZn/9p1R"
    set access profile REM-XAUTH client xxxxx firewall-user password "$9$hKqcSlWLNdVYRhX-VsJZUjHqfzn/Ct0B"
    set access profile REM-XAUTH client nota firewall-user password "$9$LUGXx-Vb2ZUHVwPQF39CKMWxVw"
    set access profile REM-XAUTH client sly firewall-user password "$9$LUGXx-Vb2ZUHVwPQF39CKMWxVw"
    set access profile REM-XAUTH address-assignment pool REMOTE-VPN-Pool
    set access address-assignment pool REMOTE-VPN-Pool family inet network 10.86.61.0/26
    set access address-assignment pool REMOTE-VPN-Pool family inet xauth-attributes primary-dns 8.8.8.8/32
    set access firewall-authentication web-authentication default-profile REM-XAUTH


    Kindly seeking help to resolve the issue.



    ------------------------------
    AMOS NOTA
    ------------------------------
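To check which Phase 2 parameters the SRX will actually enforce for the dynamic-VPN client (the ones the peer's proposal must agree with before the "phase2 proposal conflicts with local configuration" error can go away), here is an added example, not part of the post, that parses a Junos set-format config and follows the dynamic-vpn client through its ipsec-vpn, ike gateway and policies. The sample config is constructed from the post above with secrets and addresses left out.

```python
# Constructed sample: the Phase 1 / Phase 2 / dynamic-vpn lines from the post,
# secrets and zone policies omitted since they do not affect proposal matching.
SAMPLE_CONFIG = """
set security ike policy IKE-REMOTE-VPN-POLICY mode aggressive
set security ike policy IKE-REMOTE-VPN-POLICY proposal-set standard
set security ike gateway REMOTE-VPN-GW ike-policy IKE-REMOTE-VPN-POLICY
set security ike gateway REMOTE-VPN-GW version v1-only
set security ipsec policy IPSEC-REMOTE-VPN-POLICY perfect-forward-secrecy keys group14
set security ipsec policy IPSEC-REMOTE-VPN-POLICY proposal-set standard
set security ipsec vpn REMOTE-VPN ike gateway REMOTE-VPN-GW
set security ipsec vpn REMOTE-VPN ike ipsec-policy IPSEC-REMOTE-VPN-POLICY
set security dynamic-vpn clients all ipsec-vpn REMOTE-VPN
"""

def parse_set_config(text):
    """Build a nested dict from 'set ...' lines: all tokens but the last form the
    path, the last token is the value. Repeated paths collect into a list."""
    tree = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "set":
            continue  # skip blank lines, comments and non-set statements
        node = tree
        for key in parts[1:-1]:
            node = node.setdefault(key, {})
        node.setdefault("_values", []).append(parts[-1])
    return tree

def first(tree, *path):
    """Return the first value stored at a path, or None if absent."""
    node = tree
    for key in path:
        node = node.get(key, {})
    values = node.get("_values", [])
    return values[0] if values else None

def phase2_summary(tree, client="all"):
    """Resolve dynamic-vpn client -> ipsec vpn -> ipsec policy and ike gateway ->
    ike policy, and collect the parameters a peer's Phase 2 proposal must match."""
    vpn = first(tree, "security", "dynamic-vpn", "clients", client, "ipsec-vpn")
    if vpn is None:
        return None
    gw = first(tree, "security", "ipsec", "vpn", vpn, "ike", "gateway")
    ipsec_pol = first(tree, "security", "ipsec", "vpn", vpn, "ike", "ipsec-policy")
    ike_pol = first(tree, "security", "ike", "gateway", gw, "ike-policy")
    p2 = ("security", "ipsec", "policy", ipsec_pol)
    return {
        "vpn": vpn, "ike_gateway": gw, "ike_policy": ike_pol, "ipsec_policy": ipsec_pol,
        "ike_version": first(tree, "security", "ike", "gateway", gw, "version"),
        "ike_mode": first(tree, "security", "ike", "policy", ike_pol, "mode"),
        "ike_proposal_set": first(tree, "security", "ike", "policy", ike_pol, "proposal-set"),
        "ipsec_proposal_set": first(tree, *p2, "proposal-set"),
        "ipsec_proposals": first(tree, *p2, "proposals"),  # explicit proposal, if any
        "pfs_group": first(tree, *p2, "perfect-forward-secrecy", "keys"),
    }
```

Compare the returned ESP proposal set and PFS group with what the client logs as its Phase 2 offer; whichever of them differs is the conflict the kmd log is reporting.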