[SRX] 'IKE Negotiations Failed' reported on Access Manager client

Knowledge Base ID: KB17453
Last Updated: 17 May 2012
Version: 4.0

Summary:

When trying to connect the Access Manager client to the SRX, the connection status result message shows 'IKE Negotiations Failed'.  The security ike traceoptions output reports the error 'No proposal chosen'.

This article is a part of the Dynamic VPN Resolution Guide:  KB17220 - Troubleshoot Dynamic VPN client that is not working.

Unless otherwise noted these steps apply to all versions of Dynamic VPN. Any steps which apply to a specific version will note which versions the step applies to.

Problem or Goal:

Symptoms:

  • Dynamic VPN client is not connecting to the SRX. The Connection Status in the Juniper Networks Access Manager window reports the Connection Result: 'IKE Negotiations Failed'.

  • The No proposal chosen error is reported in the output of security ike traceoptions debug, when the Dynamic VPN client attempts to connect to the SRX device.

  • You followed the steps in KB17232 - Dynamic VPN Client status is 'Disconnected' and it referred you to this article.

Cause:

Solution:

This error message may occur for the following configuration issues on the SRX:

  • IKE misconfiguration

  • IPsec misconfiguration

  • Security policy allowing the VPN does not exist

Step 1. Review the following portions of the configuration on the SRX:

  • IKE (Phase 1) on the SRX may be misconfigured.  This is documented in the Dynamic VPN application note.

    Double check the configuration with the command show security ike.  Below are sample working configurations:

    Junos 10.3 and below:
    root@srx# show security ike
    proposal simple-ike-proposal {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm 3des-cbc;
    }
    policy simple-ike-policy {
        mode aggressive;
        proposals simple-ike-proposal;
        pre-shared-key ascii-text "$9$km5FCtOcyKn/yKM8dVqmf"; ## SECRET-DATA
    }
    gateway dyn-gw-user1 {
        ike-policy simple-ike-policy;
        dynamic hostname host1;
        external-interface ge-0/0/5.0;
        xauth access-profile radius-server-profile;
    }

    Junos 10.4 and above:
    root@srx# show security ike
    policy ike-dyn-vpn-policy {
        mode aggressive;
        proposal-set standard;
        pre-shared-key ascii-text "$9$km5FCtOcyKn/yKM8dVqmf"; ## SECRET-DATA
    }
    gateway dyn-vpn-local-gw {
        ike-policy ike-dyn-vpn-policy;
        dynamic hostname dynvpn;
        external-interface ge-0/0/5.0;
        xauth access-profile dyn-vpn-access-profile;
    }

  • IPsec (Phase 2) on the SRX may be misconfigured.  This is also documented in the Dynamic VPN application note.

    Double check the configuration with the command show security ipsec.  Below are sample working configurations:

    Junos 10.3 and below:
    root@srx# show security ipsec
    proposal simple-ipsec-proposal {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm 3des-cbc;
    }
    policy simple-ipsec-policy {
        perfect-forward-secrecy {
            keys group2;
        }
        proposals simple-ipsec-proposal;
    }
    vpn dyn-vpn-user1 {
        ike {
            gateway dyn-gw-user1;
            ipsec-policy simple-ipsec-policy;
        }
    }

    Junos 10.4 and above:
    root@srx# show security ipsec
    policy ipsec-dyn-vpn-policy {
        perfect-forward-secrecy {
            keys group2;
        }
        proposal-set standard;
    }
    vpn dyn-vpn {
        ike {
            gateway dyn-vpn-local-gw;
            ipsec-policy ipsec-dyn-vpn-policy;
        }
    }

  • Security Policy on the SRX may be misconfigured.

    On Junos 10.3 and below, one security policy must be created for each user.  In Junos 10.4 and above, you may use a single security policy as long as it references the same VPN defined in the security ipsec configuration section.

    Note that security policy behavior for Dynamic VPN differs from security policy behavior for other traffic.  A Dynamic VPN security policy must specify the match criteria source-address any, destination-address any, and application any.  For Dynamic VPN security policies, restriction of resources is handled by the dynamic-vpn configuration section instead.

    Note: This is similar to the way the Unified Access Control (UAC) solution works with Junos. The security policy match criteria allow everything for session setup and IKE negotiation, and the actual allowed resources are substituted per user when the traffic arrives. Also as with UAC, you will typically place this policy at the top so that other policies do not match the incoming traffic first; usually only very specific, pinhole-type policies belong above the Dynamic VPN security policy.

    user@srx> show security policies
    from-zone untrust to-zone trust {
        policy vpn-user1 {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit {
                    tunnel {
                        ipsec-vpn dyn-vpn-user1;
                    }
                }
            }
        }
    }
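As an added example (not part of this KB), the Step 1 cross-checks written as a script: it reads the SRX configuration in 'show security | display set' form and reports a gateway whose ike-policy is undefined, a vpn whose gateway or ipsec-policy is undefined, a security policy that tunnels an undefined ipsec-vpn or lacks the any/any/any match, and a vpn that no security policy tunnels. The sample configuration, the policy name vpn-pol and its deliberate mismatch are constructed for the example.

```python
# Constructed sample of 'show security | display set' output (not from the KB).
# It carries one deliberate defect: the gateway points at an undefined IKE policy.
SAMPLE_CONFIG = """
set security ike policy ike-dyn-vpn-policy mode aggressive
set security ike policy ike-dyn-vpn-policy proposal-set standard
set security ike gateway dyn-vpn-local-gw ike-policy simple-ike-policy
set security ike gateway dyn-vpn-local-gw dynamic hostname dynvpn
set security ike gateway dyn-vpn-local-gw external-interface ge-0/0/5.0
set security ipsec policy ipsec-dyn-vpn-policy proposal-set standard
set security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
set security ipsec vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy
set security policies from-zone untrust to-zone trust policy vpn-pol match source-address any
set security policies from-zone untrust to-zone trust policy vpn-pol match destination-address any
set security policies from-zone untrust to-zone trust policy vpn-pol match application any
set security policies from-zone untrust to-zone trust policy vpn-pol then permit tunnel ipsec-vpn dyn-vpn
"""

def check_dynamic_vpn(config):
    """Return findings for the misconfigurations the KB lists: dangling IKE/IPsec
    references and a Dynamic VPN security policy whose match criteria are not 'any'."""
    defined = {k: set() for k in ("ike policy", "ike gateway", "ipsec policy", "ipsec vpn")}
    refs, match, tunnel = [], {}, {}   # refs: (kind, referenced name, where it is referenced)
    for line in config.strip().splitlines():
        t = line.split() + [""] * 14   # pad so positional lookups never raise IndexError
        if t[0] != "set" or t[1] != "security":
            continue
        kind = f"{t[2]} {t[3]}"
        if kind in defined:            # every 'set security ike policy X ...' defines X
            defined[kind].add(t[4])
        if kind == "ike gateway" and t[5] == "ike-policy":
            refs.append(("ike policy", t[6], f"gateway {t[4]}"))
        if kind == "ipsec vpn" and t[5] == "ike" and t[6] in ("gateway", "ipsec-policy"):
            refs.append(("ike gateway" if t[6] == "gateway" else "ipsec policy", t[7], f"vpn {t[4]}"))
        if t[2] == "policies" and t[7] == "policy":
            name = " ".join(t[3:9])    # zone pair plus policy name
            if t[9] == "match":
                match.setdefault(name, {})[t[10]] = t[11]
            elif t[9:13] == ["then", "permit", "tunnel", "ipsec-vpn"]:
                tunnel[name] = t[13]
                refs.append(("ipsec vpn", t[13], name))
    findings = [f"{where} references undefined {kind} '{name}'"
                for kind, name, where in refs if name not in defined[kind]]
    for name in tunnel:                # KB: Dynamic VPN policies must match any/any/any
        findings += [f"{name} must match {c} any" for c in
                     ("source-address", "destination-address", "application")
                     if match.get(name, {}).get(c) != "any"]
    findings += [f"no security policy tunnels ipsec vpn '{v}'"
                 for v in sorted(defined["ipsec vpn"] - set(tunnel.values()))]
    return findings
```

Run it against the output of show security | display set on the SRX; an empty list means the three Step 1 references line up and the Dynamic VPN policy has the required match criteria.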

Step 2.  Set the following IKE and IPsec debug commands on the SRX to capture all IKE debugs to the file named 'ike-debug':

user@srx# set security ike traceoptions file ike-debug
user@srx# set security ike traceoptions flag all
user@srx# set security ipsec traceoptions flag all
user@srx# commit
user@srx# run clear log ike-debug

[Have user attempt to connect and login again]

user@srx# run show log ike-debug | match ike

Review the ike-debug output for any clues.  For an example output of a successful connection and configuration to compare yours with, click here.

Note: The ike and ipsec traceoptions are exhaustive in nature. They consume substantial CPU cycles and may overwhelm the CPU if multiple tunnels are configured on the SRX device. They should only be used for troubleshooting purposes and should not be left enabled on the device.

Step 3.  If the problem is still not resolved after completing the steps above, collect the information listed in KB21781 - [SRX] Data Collection Checklist - Logs/Data to collect for troubleshooting, along with the debugs captured above, and open a technical support case with your technical support representative.

Purpose:
Troubleshooting

Copyright© 1999-2012 Juniper Networks, Inc. All rights reserved.