When trying to connect the Access Manager client to the SRX, the status connection result message shows 'IKE Negotiations Failed'. The security ike traceoptions output reports the error No proposal chosen.
Problem or Goal:
Dynamic VPN client is not connecting to the SRX. The Connection Status in the Juniper Networks Access Manager window reports the Connection Result: IKE Negotiations Failed.
The No proposal chosen error is reported in the output of security ike traceoptions debug, when the Dynamic VPN client attempts to connect to the SRX device.
This error message may occur on the SRX for the configuration issues listed below:
Security policy allowing the VPN does not exist
Review configuration on SRX
Review the following portions of the configuration on the SRX:
On Junos 10.3 and below, one security policy must be created for each user. In Junos 10.4 and above, you may use a single security policy as long as the same VPN from the security ipsec configuration section is used.
Note that the security policies behavior for Dynamic VPN configuration is different from the security policy behavior for other traffic. For Dynamic VPN security policies, the match criteria must be specified as source-address any, destination-address any, and application any. For Dynamic VPN security policies, the restriction of resources is handled by the dynamic-vpn configuration section.
Note: This is similar to the way the Unified Access Control (UAC) solution works with Junos. The security policy match criteria is specified to allow everything for session setup/ike negotiation purposes, and the actual allowed resources are substituted per user when the traffic arrives. Also similar to the UAC solution, you will typically place this policy at the top, so that other policies do not match the incoming traffic first. You usually want only very specific, pinhole type policies above the Dynamic VPN security policy.
Set the following IKE and IPSec debug commands on the SRX to capture all IKE debugs to the file named ike-debug:
user@srx# set security ike traceoptions file ike-debug user@srx# set security ike traceoptions flag all user@srx# set security ipsec traceoptions flag all user@srx# commit user@srx# run clear log ike-debug
Note: The ike and ipsec traceoptions are exhaustive. They consume substantial processing cycles of the CPU and may overwhelm it (especially if there are multiple tunnels configured on the SRX device). The ike and ipsec traceoptions should be used only for troubleshooting, and should not be left unchecked on the device.