
Author Topic: Juniper SRX - No proposal chosen in IKE Phase 1  (Read 10311 times)


Michael McNamara
Juniper SRX - No proposal chosen in IKE Phase 1
« on: July 15, 2012, 08:31:40 PM »
I've been trying to set up my home Juniper SRX 210H with a dynamic (aggressive mode) VPN tunnel to my office Juniper SRX 650 for the last two days. I was getting "No proposal chosen" errors while using the standard proposal sets in JUNOS 10.4R9.2.

Jul 15 15:58:05 Phase-1 negotiation failed with error No proposal chosen for p1_local=fqdn(any:0,[0..12]=junipersrx210) p1_remote=ipv4(udp:500,[0..3]=208.1.1.1)


So I knew it wasn't an issue with the phase 1 options; just to be sure, I set up a custom proposal.

set security ike proposal P1-DYNAMIC authentication-method pre-shared-keys
set security ike proposal P1-DYNAMIC dh-group group2
set security ike proposal P1-DYNAMIC authentication-algorithm sha1
set security ike proposal P1-DYNAMIC encryption-algorithm aes-128-cbc
set security ike proposal P1-DYNAMIC lifetime-seconds 28800

set security ipsec proposal P2-DYNAMIC protocol esp
set security ipsec proposal P2-DYNAMIC authentication-algorithm hmac-sha1-96
set security ipsec proposal P2-DYNAMIC encryption-algorithm aes-128-cbc


With the custom proposal I was still getting "No proposal chosen" so I knew it was something else.

I'm using a routed tunnel with an IP address on each st0 interface - that was correct. On the main office I'm using a routing-instance so I can route all Internet traffic from the branch over the internal network so it can be policed and logged by my IDS/IPS and content management systems.

I had neglected to add st0.0 to the security zone and routing-instance. Once I did that the tunnel came right up!

So "No proposal chosen" doesn't always mean it's a configuration issue between the branch and main office.

Cheers!
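The post above names the pieces (custom P1-DYNAMIC/P2-DYNAMIC proposals, an aggressive-mode peer identified by the hostname junipersrx210, a routed st0.0 tunnel, a security zone and a routing-instance on the main-office side) but never shows them together. The hub-side (SRX 650) configuration below is an added example written for this thread, not the original poster's own configuration. Everything that is not on the page is assumed: the policy, gateway, VPN and zone names, the routing-instance name BRANCH-INET, the external interface ge-0/0/0.0, the st0.0 address 10.255.255.1/30, the inside network 10.0.0.0/8 and the placeholder pre-shared key. Lines beginning with # are annotations for the reader; drop them before pasting into configuration mode.

```junos
# --- Phase 1 / Phase 2 proposals, as posted in the thread ---
set security ike proposal P1-DYNAMIC authentication-method pre-shared-keys
set security ike proposal P1-DYNAMIC dh-group group2
set security ike proposal P1-DYNAMIC authentication-algorithm sha1
set security ike proposal P1-DYNAMIC encryption-algorithm aes-128-cbc
set security ike proposal P1-DYNAMIC lifetime-seconds 28800
set security ipsec proposal P2-DYNAMIC protocol esp
set security ipsec proposal P2-DYNAMIC authentication-algorithm hmac-sha1-96
set security ipsec proposal P2-DYNAMIC encryption-algorithm aes-128-cbc

# --- IKE policy and gateway (assumed names) ---
# Aggressive mode is required because the branch has a dynamic address
# and is identified by hostname rather than by IP.
set security ike policy IKE-POL-BRANCH mode aggressive
set security ike policy IKE-POL-BRANCH proposals P1-DYNAMIC
set security ike policy IKE-POL-BRANCH pre-shared-key ascii-text "REPLACE-WITH-REAL-PSK"   # placeholder
set security ike gateway GW-BRANCH ike-policy IKE-POL-BRANCH
set security ike gateway GW-BRANCH dynamic hostname junipersrx210
set security ike gateway GW-BRANCH external-interface ge-0/0/0.0   # assumed interface

# IKE (UDP 500) must be permitted as host-inbound traffic on the zone that
# holds the external interface, or Phase 1 never reaches the daemon.
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike

# --- IPsec policy and route-based VPN bound to st0.0 ---
set security ipsec policy IPSEC-POL-BRANCH proposals P2-DYNAMIC
set security ipsec vpn VPN-BRANCH bind-interface st0.0
set security ipsec vpn VPN-BRANCH ike gateway GW-BRANCH
set security ipsec vpn VPN-BRANCH ike ipsec-policy IPSEC-POL-BRANCH

# --- Tunnel interface (assumed address) ---
set interfaces st0 unit 0 family inet address 10.255.255.1/30

# --- The two lines the original poster had left out ---
# st0.0 must belong to a security zone, and to the routing-instance that
# carries the branch traffic; without both, negotiation fails with
# "No proposal chosen" even though the proposals match.
set security zones security-zone vpn interfaces st0.0
set routing-instances BRANCH-INET instance-type virtual-router
set routing-instances BRANCH-INET interface st0.0
# Example route in that instance back toward the internal network
# (assumed next hop); this is where the branch's Internet traffic is
# steered through the IDS/IPS and content filters mentioned in the post.
set routing-instances BRANCH-INET routing-options static route 0.0.0.0/0 next-hop 10.0.0.1

# --- Checks to run after commit ---
# show security ike security-associations          (Phase 1 state per peer)
# show security ipsec security-associations        (Phase 2 SAs bound to st0.0)
# show interfaces st0.0 terse                      (st0.0 up, address present)
# show security zones vpn                          (st0.0 listed in the zone)
# show route table BRANCH-INET.inet.0              (st0.0 route present in the instance)
# show log kmd                                     (the "Phase-1 negotiation failed" lines)
```

The two checks that distinguish this failure from a real proposal mismatch are the zone and routing-table commands: if st0.0 is missing from the zone output or from the routing-instance's table, fix that before touching the IKE or IPsec proposals. A genuine mismatch shows up in the kmd log on both peers with the same error, so compare the logs on the SRX 210 and the SRX 650 rather than trusting one side.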


rohit
Re: Juniper SRX - No proposal chosen in IKE Phase 1
« Reply #1 on: January 31, 2013, 07:51:38 AM »
To learn more about "Group VPN", maybe this would help  :)
http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-45780.html