SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  IPsec behind a NAT

    Posted 07-08-2022 09:59
    Hello,

    Having the following setup:

    SRX{IPSec}{NAT} ---------- NW ------- IPsec

    I am getting a "No proposal chosen" error; here is the configuration:

    set security ike traceoptions file ike-trace
    set security ike traceoptions flag all
    set security ike proposal TUNNEL_ike_prop authentication-method pre-shared-keys
    set security ike proposal TUNNEL_ike_prop dh-group group14
    set security ike proposal TUNNEL_ike_prop authentication-algorithm sha-256
    set security ike proposal TUNNEL_ike_prop encryption-algorithm aes-256-cbc
    set security ike proposal TUNNEL_ike_prop lifetime-seconds 86400
    set security ike policy TUNNEL_ike_policy mode main
    set security ike policy TUNNEL_ike_policy proposals TUNNEL_ike_prop
    set security ike policy TUNNEL_ike_policy pre-shared-key ascii-text "$8$aes256-gcm$hmac-sha2-256$100$BeQLn2LwAhc$R6tFSuEkhnBkjMobyS/suA$Ekk0P1+K82L9DQOY+LmefQ$bloVJb2OEhHHUjDa0Lmd40tAXF9nVCaQ5r+xbEMxAeoYyRhwSzaDZTR7HrlxJm+nTRet2OVv8a1uBHU+OUmRWw"
    set security ike gateway TUNNEL_ike_gw ike-policy TUNNEL_ike_policy
    set security ike gateway TUNNEL_ike_gw address 62.217.213.233
    set security ike gateway TUNNEL_ike_gw local-identity inet 92.187.101.135
    set security ike gateway TUNNEL_ike_gw external-interface ae92.601
    set security ike gateway TUNNEL_ike_gw version v2-only
    set security ipsec proposal TUNNEL_ipsec_prop protocol esp
    set security ipsec proposal TUNNEL_ipsec_prop authentication-algorithm hmac-sha-256-128
    set security ipsec proposal TUNNEL_ipsec_prop lifetime-seconds 3600
    set security ipsec policy TUNNEL_ipsec_policy perfect-forward-secrecy keys group14
    set security ipsec policy TUNNEL_ipsec_policy proposals TUNNEL_ipsec_prop
    set security ipsec vpn TUNNEL_ipsec bind-interface st0.0
    set security ipsec vpn TUNNEL_ipsec ike gateway TUNNEL_ike_gw
    set security ipsec vpn TUNNEL_ipsec ike ipsec-policy TUNNEL_ipsec_policy
    set security ipsec vpn TUNNEL_ipsec traffic-selector ORO_Proxy local-ip 92.187.101.136/32
    set security ipsec vpn TUNNEL_ipsec traffic-selector ORO_Proxy remote-ip 109.166.189.66/32
    set security ipsec vpn TUNNEL_ipsec traffic-selector ORO_Bastion local-ip 92.187.101.137/32
    set security ipsec vpn TUNNEL_ipsec traffic-selector ORO_Bastion remote-ip 109.166.189.66/32
    set security ipsec vpn TUNNEL_ipsec establish-tunnels immediately

    set security nat static rule-set 1 from zone GRT
    set security nat static rule-set 1 rule 1 match destination-address 92.187.101.135/32
    set security nat static rule-set 1 rule 1 then static-nat prefix 192.168.65.12/32
    set security nat static rule-set 2 from zone VPN
    set security nat static rule-set 2 rule Proxy_nat match destination-address 92.187.101.136/32
    set security nat static rule-set 2 rule Proxy_nat then static-nat prefix 10.193.98.4/32
    set security nat static rule-set 2 rule Bastion_nat match destination-address 92.187.101.137/32
    set security nat static rule-set 2 rule Bastion_nat then static-nat prefix 10.193.98.12/32

    set security zones security-zone GRT address-book address nat 92.187.101.135/32
    set security zones security-zone GRT address-book address VPN 62.217.213.233/32
    set security zones security-zone GRT host-inbound-traffic system-services ping
    set security zones security-zone GRT host-inbound-traffic system-services ike
    set security zones security-zone GRT interfaces ae92.601


    And logs:

    Jul 8 12:31:36 MXFUNFW03 kmd[9274]: IKE negotiation failed with error: No proposal chosen. IKE Version: 2, VPN: ORO_Pikeo_ipsec Gateway: ORO_Pikeo_ike_gw, Local: 192.168.65.12/500, Remote: 62.217.213.233/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Initiator
    Jul 8 12:31:36 MXFUNFW03 kmd[9274]: IPSec negotiation failed with error: No proposal chosen. IKE Version: 2, VPN: ORO_Pikeo_ipsec Gateway: ORO_Pikeo_ike_gw, Local: 192.168.65.12/500, Remote: 62.217.213.233/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
    Jul 8 12:31:36 MXFUNFW03 kmd[9274]: IKE negotiation failed with error: No proposal chosen. IKE Version: 2, VPN: ORO_Pikeo_ipsec Gateway: ORO_Pikeo_ike_gw, Local: 192.168.65.12/500, Remote: 62.217.213.233/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Initiator
    Jul 8 12:31:36 MXFUNFW03 kmd[9274]: IPSec negotiation failed with error: No proposal chosen. IKE Version: 2, VPN: ORO_Pikeo_ipsec Gateway: ORO_Pikeo_ike_gw, Local: 192.168.65.12/500, Remote: 62.217.213.233/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0

    And traces:

    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] Freeing all P2 SAs for IKEv2 p1 SA 7728645
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] P1 SA 7728645 reference count is not zero (1). Delaying deletion of SA
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_pm_p1_sa_destroy: p1 sa 7728645 (ref cnt 0), waiting_for_del 0x8f0f9c0
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_peer_remove_p1sa_entry: Remove p1 sa 7728645 from peer entry 0x8d4e580
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] delete from id_hash key: 704e3924abbeb40c4de534b88850c51a82920c8a
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_peer_entry_delete_from_id_table: Deleted peer entry 0x8d4e580 for local 192.168.65.12:500 remote 62.217.213.233:500. gw ORO_Pikeo_ike_gw, VR id 0 from ID hash table
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_peer_entry_patricia_delete:Peer entry 0x8d4e580 deleted for local 192.168.65.12:500 and remote 62.217.213.233:500
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] Triggering negotiation for instance-GT-ORO_Pikeo_ipsec_ORO_Bastion_67108866 config block
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_sa_cfg_get_parent_sa_cfg Found parent GT-ORO_Pikeo_ipsec_ORO_Bastion for sa_cfg instance-GT-ORO_Pikeo_ipsec_ORO_Bastion_67108866
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_sa_cfg_get_parent_sa_cfg Found parent ORO_Pikeo_ipsec for sa_cfg GT-ORO_Pikeo_ipsec_ORO_Bastion
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_pm_trigger_callback: lookup peer entry for gateway ORO_Pikeo_ike_gw, local_port=500, remote_port=500
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_create_peer_entry: Created peer entry 0x8d4e940 for local 192.168.65.12:500 remote 62.217.213.233:500
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_fetch_or_create_peer_entry: Create peer entry 0x8d4e940 for local 192.168.65.12:500 remote 62.217.213.233:500. gw ORO_Pikeo_ike_gw, VR id 0
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_pm_trigger_callback: FOUND peer entry for gateway ORO_Pikeo_ike_gw
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] id_key key: 704e3924abbeb40c4de534b88850c51a82920c8a
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] id_key key: 704e3924abbeb40c4de534b88850c51a82920c8a
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] user_key_id key: 704e3924abbeb40c4de534b88850c51a82920c8a
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] Initiating new P1 SA for gateway ORO_Pikeo_ike_gw
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] P1 SA 7728646 start timer. timer duration 30, reason 1.
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_pm_trigger_negotiation Set p2_ed in sa_cfg=instance-GT-ORO_Pikeo_ipsec_ORO_Bastion_67108866
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_peer_insert_p1sa_entry: Insert p1 sa 7728646 in peer entry 0x8d4e940
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ssh_ikev2_ipsec_send: Creating IKE and IPsec SA 62.217.213.233;500
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ssh_ikev2_ipsec_send: Started IPsec SA creation 62.217.213.233;500
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_init_initiator_out: FSM_SET_NEXT:ikev2_state_init_initiator_out_cookie
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_init_initiator_out_cookie: FSM_SET_NEXT:ikev2_state_init_initiator_out_fill_sa
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_init_initiator_out_fill_sa: FSM_SET_NEXT:ikev2_state_init_initiator_out_sa
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] IKE SA fill called for negotiation of local:192.168.65.12, remote:62.217.213.233 IKEv2
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_init_initiator_out_sa: FSM_SET_NEXT:ikev2_state_init_initiator_out_dh_setup
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_init_initiator_out_dh_setup: FSM_SET_NEXT:ikev2_state_init_initiator_out_nonce
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] Inside kmd_sw_dh_gen...
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_init_initiator_out_nonce: FSM_SET_NEXT:ikev2_state_init_initiator_out_notify
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_init_initiator_out_notify: FSM_SET_NEXT:ikev2_state_init_initiator_out_notify_request
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_init_initiator_out_notify_request: FSM_SET_NEXT:ikev2_state_init_initiator_out_vid
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_pm_ike_spd_notify_request Parse notification paylad in last received pkt
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_pm_ike_spd_notify_request send NHTB_SUPPORTED
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_pm_ike_spd_notify_request: Add fragmentation supported notify
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_init_initiator_out_vid: FSM_SET_NEXT:ikev2_state_init_initiator_out_private_payload
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_init_initiator_out_private_payload: FSM_SET_NEXT:ikev2_state_init_initiator_out_done
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_init_initiator_out_done: FSM_SET_NEXT:ikev2_state_send
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_list_packet_payloads: Sending packet: HDR, SA, KE, Nonce, N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP), N(RESERVED), N(FRAGMENTATION_SUPPORTED), Vid, Vid, Vid
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] IKEv2 packet S(<none>:500 -> 62.217.213.233:500): len= 518, mID=0, HDR, SA, KE, Nonce, N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP), N(RESERVED), N(FRAGMENTATION_S
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_packet_st_send_request_address: FSM_SET_NEXT:ikev2_packet_st_send
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_udp_send_packet: [95e5100/8fc5e00] <-------- Sending packet - length = 0 VR id 0

    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_packet_st_send: FSM_SET_NEXT:ikev2_packet_st_send_request_address
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ---------> Received from 62.217.213.233:500 to 192.168.65.12:0, VR 0, length 36 on IF
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_packet_st_input_start: FSM_SET_NEXT:ikev2_packet_st_input_get_or_create_sa
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_packet_st_input_get_or_create_sa: FSM_SET_NEXT:ikev2_packet_st_verify
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_packet_st_verify: [95e5400/8fc5e00] R: IKE SA REFCNT: 3
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_decode: FSM_SET_NEXT:ikev2_state_dispatch
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_list_packet_payloads: Receiving packet: HDR, N(NO_PROPOSAL_CHOSEN)
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] IKEv2 packet R(<none>:500 <- 62.217.213.233:500): len= 36, mID=0, HDR, N(NO_PROPOSAL_CHOSEN)
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_decode_notify: Storing information about received unprotected error notify 'No proposal chosen' (14) to IKE SA 8fc5e00
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_window_set_retransmit_count: Transmit window 8fc5f84: Setting retransmit count to 4 on IKE SA 8fc5e00
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_pm_ike_spd_notify_received - START
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_decode_packet: [95e5400/8fc5e00] Updating responder IKE SPI to IKE SA 8fc5e00 I 1f0b75da c0d917e2 R 2d2b4bf3 1fd0750a
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_dispatch: FSM_SET_NEXT:ikev2_state_init_initiator_in
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_dispatch: [95e5400/8fc5e00] Initiator side IKE_SA_INIT
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_init_initiator_in: FSM_SET_NEXT:ikev2_state_init_initiator_in_notify
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_init_initiator_in_notify: [95e5400/8fc5e00] N(14) error found
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] ikev2_state_error: [95e5400/8fc5e00] Negotiation failed because of error No proposal chosen (14)
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] IKE negotiation fail for local:192.168.65.12, remote:62.217.213.233 IKEv2 with status: No proposal chosen
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] Inside iked_pm_ipsec_sa_done

    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] IPSec negotiation failed for SA-CFG GT-ORO_Pikeo_ipsec_ORO_Bastion for local:192.168.65.12, remote:62.217.213.233 IKEv2. status: No proposal chosen
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] P2 ed info: flags 0x8842, P2 error: Error ok
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_sa_cfg_get_parent_sa_cfg Found parent ORO_Pikeo_ipsec for sa_cfg GT-ORO_Pikeo_ipsec_ORO_Bastion
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_ts_config_find_sa_cfg_by_name Looking for ts group template, GT name is GT-ORO_Pikeo_ipsec_ORO_Proxy
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_ts_config_find_sa_cfg_by_name Found sa_cfg for ts ORO_Proxy
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_ts_config_find_sa_cfg_by_name Looking for ts group template, GT name is GT-ORO_Pikeo_ipsec_ORO_Bastion
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_ts_config_find_sa_cfg_by_name Found sa_cfg for ts ORO_Bastion
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] IPSec SA done callback. ed 955e028. status: No proposal chosen
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] IKE SA delete called for p1 sa 7728646 (ref cnt 2) local:192.168.65.12, remote:62.217.213.233, IKEv2
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] P1 SA 7728646 stop timer. timer duration 30, reason 1.
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] Freeing all P2 SAs for IKEv2 p1 SA 7728646
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] P1 SA 7728646 reference count is not zero (1). Delaying deletion of SA
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_pm_p1_sa_destroy: p1 sa 7728646 (ref cnt 0), waiting_for_del 0x8f0f9a0
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_peer_remove_p1sa_entry: Remove p1 sa 7728646 from peer entry 0x8d4e940
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] delete from id_hash key: 704e3924abbeb40c4de534b88850c51a82920c8a
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_peer_entry_delete_from_id_table: Deleted peer entry 0x8d4e940 for local 192.168.65.12:500 remote 62.217.213.233:500. gw ORO_Pikeo_ike_gw, VR id 0 from ID hash table
    [Jul 8 12:31:36][192.168.65.12 <-> 62.217.213.233] iked_peer_entry_patricia_delete:Peer entry 0x8d4e940 deleted for local 192.168.65.12:500 and remote 62.217.213.233:500


    I am not sure that this is working while doing a static NAT directly on the SRX.
    Can you please help?

    ------------------------------
    ALEXANDRU MINZAT
    ------------------------------


  • 2.  RE: IPsec behind a NAT

    Posted 07-11-2022 12:07
    With the message "no proposal chosen" there is generally a mismatch between the two gateways in configuration elements.
    Verify the local Phase 2 VPN configuration elements. The Phase 2 proposal elements include the following:
    • Authentication algorithm
    • Encryption algorithm
    • Lifetime kilobytes
    • Lifetime seconds
    • Protocol
    • Perfect Forward Secrecy

    Either change the local configuration to accept at least one of the remote peer's Phase 2 proposals, or contact the remote peer's admin and arrange for the IKE configurations at both ends of the tunnel to use at least one mutually acceptable Phase 2 proposal.

    More details on the phase two messages are here.
    https://supportportal.juniper.net/s/article/SRX-How-to-troubleshoot-IKE-Phase-2-VPN-connection-issues

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------
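As an added example (not code from either poster), the following Python script parses Junos set-style proposal lines from both sides of a tunnel and lists every IKE (Phase 1) and IPsec (Phase 2) proposal attribute on which they differ, covering the Phase 2 elements listed in the reply plus the Phase 1 elements, since the trace shows NO_PROPOSAL_CHOSEN arriving in the IKE_SA_INIT response. The LOCAL sample mirrors the proposals in the question; PEER is a constructed, hypothetical remote configuration, and Junos defaults for unconfigured attributes are deliberately not filled in, so an attribute present on only one side is reported as "<unset>".

```python
import re

# Phase 1 / Phase 2 proposal attributes compared (the elements the reply lists).
KEYS = {
    "ike": {"authentication-method", "dh-group", "authentication-algorithm",
            "encryption-algorithm", "lifetime-seconds"},
    "ipsec": {"protocol", "authentication-algorithm", "encryption-algorithm",
              "lifetime-seconds", "lifetime-kilobytes"},
}
PROPOSAL_RE = re.compile(r"^set security (ike|ipsec) proposal \S+ (\S+) (\S+)$")
PFS_RE = re.compile(r"^set security ipsec policy \S+ perfect-forward-secrecy keys (\S+)$")


def parse_proposals(config: str) -> dict[str, dict[str, str]]:
    """Map 'set security ...' lines to {'ike': {...}, 'ipsec': {...}}.
    Unconfigured attributes stay absent: Junos defaults are NOT applied here."""
    found: dict[str, dict[str, str]] = {"ike": {}, "ipsec": {}}
    for raw in config.splitlines():
        line = raw.strip()
        if m := PROPOSAL_RE.match(line):
            family, key, value = m.groups()
            if key in KEYS[family]:
                found[family][key] = value
        elif m := PFS_RE.match(line):
            found["ipsec"]["perfect-forward-secrecy"] = m.group(1)
    return found


def find_mismatches(local: str, peer: str) -> list[tuple[str, str, str, str]]:
    """Return (phase, attribute, local_value, peer_value) for every attribute
    the two sides do not agree on; '<unset>' marks an attribute one side lacks."""
    a, b = parse_proposals(local), parse_proposals(peer)
    diffs = []
    for family in ("ike", "ipsec"):
        for key in sorted(a[family].keys() | b[family].keys()):
            la, lb = a[family].get(key, "<unset>"), b[family].get(key, "<unset>")
            if la != lb:
                diffs.append((family, key, la, lb))
    return diffs


# Constructed sample: LOCAL mirrors the question's proposals; PEER is a
# hypothetical remote side that additionally configures ESP encryption.
LOCAL = """
set security ike proposal TUNNEL_ike_prop dh-group group14
set security ike proposal TUNNEL_ike_prop authentication-algorithm sha-256
set security ike proposal TUNNEL_ike_prop encryption-algorithm aes-256-cbc
set security ipsec proposal TUNNEL_ipsec_prop protocol esp
set security ipsec proposal TUNNEL_ipsec_prop authentication-algorithm hmac-sha-256-128
set security ipsec policy TUNNEL_ipsec_policy perfect-forward-secrecy keys group14
"""
PEER = LOCAL + "set security ipsec proposal TUNNEL_ipsec_prop encryption-algorithm aes-256-cbc\n"
```

Run `find_mismatches(LOCAL, PEER)` against the real `show configuration | display set` output of both gateways; each returned tuple is one attribute to reconcile before the responder will accept a proposal.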