When trying to connect the Access Manager client to the SRX, the connection status reports 'IKE Negotiations Failed', and the security ike traceoptions output reports the error 'No proposal chosen'.
On Junos 10.3 and below, one security policy must be created for each user. In Junos 10.4 and above, a single security policy may serve all users as long as they all reference the same VPN (the ipsec-vpn name defined under the security ipsec configuration section).
Note that security policy behavior for Dynamic VPN differs from security policy behavior for other traffic. A Dynamic VPN security policy must use the match criteria source-address any, destination-address any, and application any. For Dynamic VPN, restriction of the reachable resources is handled by the dynamic-vpn configuration section, not by the policy match criteria.
Note: This is similar to the way the Unified Access Control (UAC) solution works with Junos. The security policy match criteria are set to allow everything for session setup and IKE negotiation purposes, and the resources actually permitted are substituted per user when the traffic arrives. Also as with UAC, you will typically place this policy at the top of the policy list, so that other policies do not match the incoming traffic first. Only very specific, pinhole-type policies should normally sit above the Dynamic VPN security policy.
Set the following IKE and IPsec traceoptions on the SRX to capture all IKE debug output to the file named 'ike-debug':
user@srx# set security ike traceoptions file ike-debug
user@srx# set security ike traceoptions flag all
user@srx# set security ipsec traceoptions flag all
user@srx# commit
user@srx# run clear log ike-debug
[Have the user attempt to connect and log in again]
user@srx# run show log ike-debug | match ike
Review the ike-debug output for any clues, and compare it against the output of a known-good, successfully connecting client and configuration.
Note: The ike and ipsec traceoptions are exhaustive in nature. They consume substantial CPU cycles and may overwhelm the device when multiple tunnels are configured on the SRX. Use them only for the duration of the troubleshooting session and remove them afterwards; do not leave them enabled on the device.