
[Archive][IPSec/SRX] Dynamic VPN: 'IKE Negotiations Failed' reported on Access Manager client


Article ID: KB17453 | Last Updated: 27 Feb 2020 | Version: 7.0
Summary:

When trying to connect the Access Manager client to the SRX, the Connection Result in the client status window shows 'IKE Negotiations Failed'. The security ike traceoptions output reports the error No proposal chosen.


Symptoms:
  • Dynamic VPN client is not connecting to the SRX. The Connection Status in the Juniper Networks Access Manager window reports the Connection Result: IKE Negotiations Failed.

  • The No proposal chosen error is reported in the output of security ike traceoptions debug, when the Dynamic VPN client attempts to connect to the SRX device.

Solution:

This error message may occur on the SRX for the configuration issues listed below:

  • IKE misconfiguration
  • IPSec misconfiguration
  • Security policy allowing the VPN does not exist


Step 1: Review configuration on SRX

Review the following portions of the configuration on the SRX:

  1. IKE (Phase 1) on the SRX could be incorrectly configured. Double-check the configuration using the command show security ike. (For more information, read: Dynamic VPN Tech Note.) In particular, the gateway's ike-policy must name a policy that is defined in the same section, and a policy that uses proposals (rather than proposal-set) must name proposals that are defined.

    Below are sample working configurations:

    • Junos 10.3 and below
      root@srx# show security ike
      proposal simple-ike-proposal {
          authentication-method pre-shared-keys;
          dh-group group2;
          authentication-algorithm sha1;
          encryption-algorithm 3des-cbc;
      }
      policy simple-ike-policy {
          mode aggressive;
          proposals simple-ike-proposal;
          pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
      }
      gateway dyn-gw-user1 {
          ike-policy simple-ike-policy;
          dynamic hostname host1;
          external-interface ge-0/0/5.0;
          xauth access-profile radius-server-profile;
      }
    • Junos 10.4 and above
      root@srx# show security ike
      policy ike-dyn-vpn-policy {
          mode aggressive;
          proposal-set standard;
          pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
      }
      gateway dyn-vpn-local-gw {
          ike-policy ike-dyn-vpn-policy;
          dynamic hostname dynvpn;
          external-interface ge-0/0/5.0;
          xauth access-profile dyn-vpn-access-profile;
      }
  2. Check the IPSec (Phase 2) on the SRX as it could be misconfigured. (For additional information, read: Dynamic VPN Tech Note.)
  3. Check the Security Policy on the SRX as it could be misconfigured.

    On Junos 10.3 and below, one security policy must be created for each user. In Junos 10.4 and above, you may use a single security policy as long as the same VPN from the security ipsec configuration section is used.

    Note that the security policy behavior for a Dynamic VPN configuration is different from the security policy behavior for other traffic. For Dynamic VPN security policies, the match criteria must be specified as source-address any, destination-address any, and application any. For Dynamic VPN security policies, the restriction of resources is handled by the dynamic-vpn configuration section.

    Note: This is similar to the way the Unified Access Control (UAC) solution works with Junos. The security policy match criteria are specified to allow everything for session setup/IKE negotiation purposes, and the actual allowed resources are substituted per user when the traffic arrives. Also similar to the UAC solution, you will typically place this policy at the top, so that other policies do not match the incoming traffic first. You usually want only very specific, pinhole-type policies above the Dynamic VPN security policy.

    user@srx> show security policies
    from-zone untrust to-zone trust {
        policy vpn-user1 {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit {
                    tunnel {
                        ipsec-vpn dyn-vpn-user1;
                    }
                }
            }
        }
    }
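The checks in Step 1 can be automated against the display output shown above. The following Python script is an added example, not Juniper's code or part of this article: it parses the curly-brace format of show security ike and show security policies and reports the inconsistencies this article lists, namely a gateway that references an undefined ike-policy, a policy that references an undefined proposal, and a Dynamic VPN security policy whose match is not source-address any / destination-address any / application any or that has no permit tunnel ipsec-vpn action. The parser, the check functions and the two sample texts are assumptions constructed for this example; the sample IKE text deliberately references an undefined ike-policy, and the sample policy text includes one deliberately wrong policy, so that each check has something to report.

```python
import functools
# Added example, not Juniper's code. Constructed 'show security ike' output: the gateway references an undefined ike-policy.
SAMPLE_IKE = """\
policy ike-dyn-vpn-policy {
    mode aggressive;
    proposal-set standard;
    pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
}
gateway dyn-vpn-local-gw {
    ike-policy simple-ike-policy;
    xauth access-profile dyn-vpn-access-profile;
}
"""
# Constructed 'show security policies' output: one correct Dynamic VPN policy, one that is not.
SAMPLE_POLICIES = """\
from-zone untrust to-zone trust {
    policy vpn-user1 {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn dyn-vpn-user1;
                }
            }
        }
    }
    policy bad-example {
        match {
            source-address 10.1.1.0/24;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
"""

def parse_junos(text):
    """Nested dicts: 'name {' opens a dict keyed by its header; 'keyword rest;' -> {'keyword': 'rest'}."""
    stack, cur = [], {}
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()  # drop '## SECRET-DATA' annotations
        if not line:
            continue
        if line.endswith("{"):
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        elif line == "}":
            cur = stack.pop()
        else:
            key, _, value = line.rstrip(";").partition(" ")
            cur[key] = value
    return cur  # braces are balanced, so this is the root again

def _dig(node, *path):
    """Follow a key path through nested dicts; None if any step is missing."""
    return functools.reduce(lambda n, k: n.get(k) if isinstance(n, dict) else None, path, node)

def _named(cfg, kind):
    """Blocks whose header is '<kind> <name>', keyed by name."""
    return {k.split(" ", 1)[1]: v for k, v in cfg.items() if k.startswith(kind + " ")}

def check_ike(ike_cfg):
    """Findings for the 'security ike' hierarchy (Phase 1): dangling proposal/policy references."""
    findings = []
    proposals, policies, gateways = (_named(ike_cfg, k) for k in ("proposal", "policy", "gateway"))
    for name, pol in policies.items():
        if "proposal-set" not in pol:  # 'proposals' may be one name or '[ a b ]'
            for ref in pol.get("proposals", "").strip("[] ").split():
                if ref not in proposals:
                    findings.append(f"ike policy {name}: references undefined proposal {ref}")
    for name, gw in gateways.items():
        if gw.get("ike-policy") not in policies:
            findings.append(f"ike gateway {name}: references undefined ike-policy {gw.get('ike-policy')}")
    return findings

def check_policies(pol_cfg):
    """Findings for Dynamic VPN security policies: match any/any/any and permit tunnel ipsec-vpn."""
    findings = []
    for zones, block in pol_cfg.items():
        if not zones.startswith("from-zone "):
            continue
        for name, pol in _named(block, "policy").items():
            for field in ("source-address", "destination-address", "application"):
                if _dig(pol, "match", field) != "any":
                    findings.append(f"{zones} policy {name}: {field} must be 'any' for Dynamic VPN")
            if not _dig(pol, "then", "permit", "tunnel", "ipsec-vpn"):
                findings.append(f"{zones} policy {name}: no 'permit tunnel ipsec-vpn' action")
    return findings

if __name__ == "__main__":
    print("\n".join(check_ike(parse_junos(SAMPLE_IKE)) + check_policies(parse_junos(SAMPLE_POLICIES))))
```

Run as-is it prints one IKE finding (the gateway's dangling ike-policy reference) and two policy findings for bad-example; paste your own show security ike and show security policies output in place of the constructed samples to run the same checks against a real configuration. The parser keeps only the last value when a statement is repeated inside one block, which is sufficient for these checks but not a general-purpose Junos configuration parser.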

Step 2: Set IKE and IPSec debug commands

Set the following IKE and IPSec debug commands on the SRX to capture all IKE debugs to the file named ike-debug:

user@srx# set security ike traceoptions file ike-debug
user@srx# set security ike traceoptions flag all
user@srx# set security ipsec traceoptions flag all
user@srx# commit
user@srx# run clear log ike-debug


[Have user attempt to connect and login again.]

user@srx# run show log ike-debug | match ike

Review the ike-debug output for any clues. For an example output of a successful connection and configuration, see this: ike-debug log for a successful connection.

Note: The ike and ipsec traceoptions are exhaustive. They consume substantial CPU cycles and may overwhelm the CPU (especially if there are multiple tunnels configured on the SRX device). The ike and ipsec traceoptions should be used only for troubleshooting, and should not be left enabled on the device afterwards.

Step 3: If problem is not resolved

If the problem is still not resolved after completing the steps above, collect the information listed in KB21781 - [SRX] Data Collection Checklist - Logs/Data to collect for troubleshooting, along with the debugs captured above, and open a technical support case with your technical support representative.

Modification History:
2020-02-27: minor non-technical edits.