Knowledge Center Search


 

[IPSec/SRX] Dynamic VPN: 'IKE Negotiations Failed' reported on Access Manager client

  [KB17453] Show KB Properties

  [KB17453] Hide KB Properties

Categories:
Knowledge Base ID: KB17453
Last Updated: 02 Jun 2014
Version: 5.0

Summary:

When trying to connect the Access Manager client to the SRX, the status connection result message shows 'IKE Negotiations Failed'.  The security ike traceoptions output reports the error No proposal chosen.

This article is part of the Dynamic VPN Resolution Guide: KB17220 - Troubleshoot Dynamic VPN client that is not working.

Unless otherwise noted, the steps below apply to all versions of Dynamic VPN. Any steps that apply to a specific version will be noted as such.

Problem or Goal:

Symptoms:

  • Dynamic VPN client is not connecting to the SRX. The Connection Status in the Juniper Networks Access Manager window reports the Connection Result: IKE Negotiations Failed.

  • The No proposal chosen error is reported in the output of security ike traceoptions debug, when the Dynamic VPN client attempts to connect to the SRX device.

  • You followed the steps in KB17232 - Dynamic VPN Access Manager client is 'Disconnected' and were referred to this article.

Cause:

Solution:

This error message may occur on the SRX for the configuration issues listed below:

  • IKE misconfiguration
  • IPSec misconfiguration
  • Security policy allowing the VPN does not exist


Step 1. Review configuration on SRX

Review the following portions of the configuration on the SRX:

IKE (Phase 1) on the SRX may be misconfigured. 

This is documented in the Dynamic VPN Tech Note.

Double-check the configuration with the command show security ike.  Below are sample working configurations:

  • Junos 10.3 and below 
root@srx# show security ike

proposal simple-ike-proposal {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm 3des-cbc;
}
policy simple-ike-policy {
mode aggressive;
proposals simple-ike-proposal;
pre-shared-key ascii-text "$9$km5FCtOcyKn/yKM8dVqmf"; ## SECRET-DATA
}
gateway dyn-gw-user1{
ike-policy simple-ike-policy;
dynamic hostname host1;
external-interface ge-0/0/5.0;
xauth access-profile radius-server-profile;
           }
  • Junos 10.4 and above
root@srx# show security ike
policy ike-dyn-vpn-policy {
mode aggressive;
proposal-set standard;
pre-shared-key ascii-text "$9$km5FCtOcyKn/yKM8dVqmf"; ## SECRET-DATA
}
gateway dyn-vpn-local-gw{
ike-policy simple-ike-policy;
dynamic hostname dynvpn;
external-interface ge-0/0/5.0;
xauth access-profile dyn-vpn-access-profile;
           }


IPSec (Phase 2) on the SRX may be misconfigured.

This is also documented in the Dynamic VPN Tech Note.


Security Policy on the SRX may be misconfigured.

On Junos 10.3 and below, one security policy must be created for each user. In Junos 10.4 and above, you may use a single security policy as long as the same VPN from the security ipsec configuration section is used.

Note that the security policies behavior for Dynamic VPN configuration is different from the security policy behavior for other traffic. For Dynamic VPN security policies, the match criteria must be specified as source-address any, destination-address any, and application any. For Dynamic VPN security policies, the restriction of resources is handled by the dynamic-vpn configuration section.

Note: This is similar to the way the Unified Access Control (UAC) solution works with Junos. The security policy match criteria is specified to allow everything for session setup/ike negotiation purposes, and the actual allowed resources are substituted per user when the traffic arrives. Also similar to the UAC solution, you will typically place this policy at the top, so that other policies do not match the incoming traffic first. You usually want only very specific, pinhole type policies above the Dynamic VPN security policy.


user@srx>show security policies
from-zone untrust to-zone trust {
policy vpn-user1 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit {
tunnel {
ipsec-vpn dyn-vpn-user1;
}
}
}
}
}


Step 2. Set IKE and IPSec debug commands

Set the following IKE and IPSec debug commands on the SRX to capture all IKE debugs to the file named ike-debug:

user@srx# set security ike traceoptions file ike-debug
user@srx# set security ike traceoptions flag all
user@srx# set security ipsec traceoptions flag all
user@srx# commit
user@srx# run clear log ike-debug


[Have user attempt to connect and login again.]

user@srx# run show log ike-debug | match ike

Review the ike-debug output for any clues. For an example output of a successful connection and configuration, see this: ike-debug log for a successful connection.

Note: The ike and ipsec traceoptions are exhaustive. They consume substantial processing cycles of the CPU and may overwhelm it (especially if there are multiple tunnels configured on the SRX device). The ike and ipsec traceoptions should be used only for troubleshooting, and should not be left unchecked on the device.


Step 3. If problem is not resolved

If the problem is still not resolved after completing the steps above, collect the information listed in KB21781- [SRX] Data Collection Checklist- Logs/Data to collect for troubleshooting, along with the debugs captured above, and open a technical support case with your technical support representative.

Purpose:
Troubleshooting

Related Links:

 

 

ASK THE KB

Question or KB ID:


 


 

 
Copyright© 1999-2012 Juniper Networks, Inc. All rights reserved.