Author Topic: no proposal chosen  (Read 878 times)

timur016

  • Newbie
  • *
  • Posts: 1
  • Karma: +0/-0
    • View Profile
no proposal chosen
« on: August 24, 2016, 12:54:10 pm »
Hello!
I have a problem setting up an IPsec VPN between an SRX210 and an SRX100H. The latter is behind a NAT device with two different IP addresses (one or the other at a time), so the policy on the responder is aggressive mode with a dynamic host. The initiator's (SRX100) IP address on the external interface is 2.2.2.2. On the edge NAT device there is a port mapping of IKE traffic to my SRX100.
I tried to set up both policy-based and route-based VPNs, but the problem in the logs was the same: No proposal chosen.
I have spent a lot of hours on it but with no result. At the moment I am using the "standard" proposal sets in both the IKE and IPsec policies. Checked:
- pre-shared key on both sides
- presence of the st0 interface in the "vpn" part of ipsec
- presence of the st0 interface in the appropriate security zone
Here is my config. I appreciate your help.
srx210:
interfaces {
  st0 {
    unit 10 {
      family inet;
    }
  }
}
ike policy ike-pol-sip {
  mode aggressive;
  proposal-set standard;
  pre-shared-key ascii-text "$9$JcDkmzFNd"; ## SECRET-DATA
}
 
ike gateway SIP {
  ike-policy ike-pol-sip;
  dynamic hostname sipsrx.ykt;
  external-interface fe-0/0/7.0;
  version v1-only;
}
 
ipsec policy ipsec-pol-sip {
  perfect-forward-secrecy {
    keys group2;
  }
  proposal-set standard;
}
ipsec vpn vpn-sip {
  bind-interface st0.10;
  ike {
    gateway SIP;
    proxy-identity {
      local 0.0.0.0/0;
      remote 0.0.0.0/0;
      service any;
    }
    ipsec-policy ipsec-pol-sip;
  }
  establish-tunnels immediately;
}
 
zones security-zone vpn {
  address-book {
    address sip-lan 192.168.16.0/24;
  }
  interfaces {
    st0.10 {
      host-inbound-traffic {
        system-services {
          ike;
        }
        protocols {
          all;
        }
      }
    }
  }
}
 
policies from-zone vpn to-zone trust {
  policy clients-to-sita {
    match {
      source-address [ irkutsk-lan sip-lan ];
      destination-address SITA;
      application any;
    }
    then {
      permit;
    }
  }
}
 
 
policies from-zone trust to-zone vpn {
  policy trust-to-sip {
    match {
      source-address SITA;
      destination-address sip-lan;
      application any;
    }
    then {
      permit;
    }
  }
}
 
srx100:

ike {
  traceoptions {
    flag ike;
    flag all;
  }
  policy ike-pol-vnk {
    mode aggressive;
    proposal-set standard;
    pre-shared-key ascii-text "$9$EBiyKWN-w2C"; ## SECRET-DATA
  }
  gateway office {
    ike-policy ike-pol-vnk;
    address 1.1.1.1;
    external-interface fe-0/0/7.0;
    version v1-only;
  }
}
ipsec {
  traceoptions {
    flag all;
  }
  policy ipsec-pol-vnk {
    perfect-forward-secrecy {
      keys group2;
    }
    proposal-set standard;
  }
  vpn office-vpn {
    bind-interface st0.0;
    ike {
      gateway office;
      proxy-identity {
        local 0.0.0.0/0;
        remote 0.0.0.0/0;
        service any;
      }
      ipsec-policy ipsec-pol-vnk;
    }
    establish-tunnels immediately;
  }
}

policies {
  from-zone vpn to-zone Internal {
    policy vpn-to-trust {
      match {
        source-address SITA;
        destination-address lan;
        application any;
      }
      then {
        permit;
      }
    }
  }
  from-zone Internal to-zone vpn {
    policy sip-to-vpn {
      match {
        source-address lan;
        destination-address SITA;
        application any;
      }
      then {
        permit;
      }
    }
  }
}

zones {
  security-zone vpn {
    address-book {
      address SITA 5.5.5.0/24;
    }
    interfaces {
      st0.0 {
        host-inbound-traffic {
          system-services {
            ike;
          }
          protocols {
            all;
          }
        }
      }
    }
  }
}
 
KMD log
 
 [Aug 24 19:02:06]iked_pm_ike_spd_notify_request: Sending Initial contact
[Aug 24 19:02:06]ssh_ike_connect: Start, remote_name = 1.1.1.1:500, xchg = 4, flags = 00040000
[Aug 24 19:02:06]ike_sa_allocate: Start, SA = { 5ccab5ea 2076bcd0 - 00000000 00000000 }
[Aug 24 19:02:06]ike_init_isakmp_sa: Start, remote = 1.1.1.1:500, initiator = 1
[Aug 24 19:02:06]2.2.2.2:500 (Initiator) <-> 1.1.1.1:500 { 5ccab5ea 2076bcd0 - 00000000 00000000 [-1] / 0x00000000 } Aggr; Warning: Number of proposals != 1 in ISAKMP SA, this is against draft!
[Aug 24 19:02:06]ssh_ike_connect: SA = { 5ccab5ea 2076bcd0 - 00000000 00000000}, nego = -1
[Aug 24 19:02:06]ike_st_o_sa_proposal: Start
[Aug 24 19:02:06]ike_st_o_ke: Start
[Aug 24 19:02:06]ike_st_o_nonce: Start
[Aug 24 19:02:06]ike_policy_reply_isakmp_nonce_data_len: Start
[Aug 24 19:02:06]ike_st_o_id: Start
[Aug 24 19:02:06]ike_policy_reply_isakmp_vendor_ids: Start
[Aug 24 19:02:06]ike_st_o_private: Start
[Aug 24 19:02:06]ike_policy_reply_private_payload_out: Start
[Aug 24 19:02:06]ike_encode_packet: Start, SA = { 0x5ccab5ea 2076bcd0 - 00000000 00000000 } / 00000000, nego = -1
[Aug 24 19:02:06]ike_send_packet: Start, send SA = { 5ccab5ea 2076bcd0 - 00000000 00000000}, nego = -1, dst = 1.1.1.1:500, routing table id = 0
[Aug 24 19:02:06]ikev2_packet_allocate: Allocated packet dad400 from freelist
[Aug 24 19:02:06]ike_sa_find: Not found SA = { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757 }
[Aug 24 19:02:06]ikev2_packet_st_input_v1_get_sa: Checking if unauthenticated IKEv1 notify is for an IKEv2 SA
[Aug 24 19:02:06]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[Aug 24 19:02:06]ike_get_sa: Start, SA = { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757 } / 44cc48b0, remote = 1.1.1.1:500
[Aug 24 19:02:06]ike_sa_find: Not found SA = { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757 }
[Aug 24 19:02:06]ike_sa_find_half: Found half SA = { 5ccab5ea 2076bcd0 - 00000000 00000000 }
[Aug 24 19:02:06]ike_sa_upgrade: Start, SA = { 5ccab5ea 2076bcd0 - 00000000 00000000 } -> { ... - cc3097af 8eb3b757 }
[Aug 24 19:02:06]ike_alloc_negotiation: Start, SA = { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757}
[Aug 24 19:02:06]ike_decode_packet: Start
[Aug 24 19:02:06]ike_decode_packet: Start, SA = { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757} / 44cc48b0, nego = 0
[Aug 24 19:02:06]ike_st_i_n: Start, doi = 1, protocol = 1, code = No proposal chosen (14), spi[0..16] = 5ccab5ea 2076bcd0 ..., data[0..46] = 800c0001 00060022 ...
[Aug 24 19:02:06]<none>:500 (Responder) <-> 1.1.1.1:500 { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757 / 0x44cc48b0 } Info; Notification data has attribute list
[Aug 24 19:02:06]<none>:500 (Responder) <-> 1.1.1.1:500 { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757 / 0x44cc48b0 } Info; Notify message version = 1
[Aug 24 19:02:06]<none>:500 (Responder) <-> 1.1.1.1:500 { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757 / 0x44cc48b0 } Info; Error text = Could not find acceptable proposal
[Aug 24 19:02:06]<none>:500 (Responder) <-> 1.1.1.1:500 { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757 / 0x44cc48b0 } Info; Offending message id = 0x00000000
[Aug 24 19:02:06]<none>:500 (Responder) <-> 1.1.1.1:500 { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757 / 0x44cc48b0 } Info; Received notify err = No proposal chosen (14) to isakmp sa, delete it
[Aug 24 19:02:06]ike_st_i_private: Start
[Aug 24 19:02:06]ike_send_notify: Connected, SA = { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757}, nego = 0
[Aug 24 19:02:06]ike_delete_negotiation: Start, SA = { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757}, nego = 0
[Aug 24 19:02:06]ike_free_negotiation_info: Start, nego = 0
[Aug 24 19:02:06]ike_free_negotiation: Start, nego = 0
[Aug 24 19:02:06]ike_remove_callback: Start, delete SA = { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757}, nego = -1
[Aug 24 19:02:06]2.2.2.2:500 (Initiator) <-> 1.1.1.1:500 { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757 [-1] / 0x00000000 } Aggr; Connection got error = 14, calling callback
[Aug 24 19:02:06]ikev2_fb_v1_encr_id_to_v2_id: Unknown IKE encryption identifier -1
[Aug 24 19:02:06]ikev2_fb_v1_hash_id_to_v2_prf_id: Unknown IKE hash alg identifier -1
[Aug 24 19:02:06]ikev2_fb_v1_hash_id_to_v2_integ_id: Unknown IKE hash alg identifier -1
[Aug 24 19:02:06]IKE negotiation fail for local:2.2.2.2, remote:1.1.1.1 IKEv1 with status: No proposal chosen
[Aug 24 19:02:06] IKEv1 Error : No proposal chosen
[Aug 24 19:02:06]IPSec Rekey for SPI 0x0 failed
[Aug 24 19:02:06]IPSec SA done callback called for sa-cfg vnukovo-vpn local:2.2.2.2, remote:1.1.1.1 IKEv1 with status No proposal chosen
[Aug 24 19:02:06]ike_delete_negotiation: Start, SA = { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757}, nego = -1
[Aug 24 19:02:06]ssh_ike_tunnel_table_entry_delete: Deleting tunnel_id: 0 from IKE tunnel table
[Aug 24 19:02:06]ssh_ike_tunnel_table_entry_delete: The tunnel id: 0 doesn't exist in IKE tunnel table
[Aug 24 19:02:06]ike_sa_delete: Start, SA = { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757 }
[Aug 24 19:02:06]ike_free_negotiation_isakmp: Start, nego = -1
[Aug 24 19:02:06]ike_free_negotiation: Start, nego = -1
[Aug 24 19:02:06]IKE SA delete called for p1 sa 7930823 (ref cnt 1) local:2.2.2.2, remote:1.1.1.1, IKEv1
[Aug 24 19:02:06]iked_pm_p1_sa_destroy: p1 sa 7930823 (ref cnt 0), waiting_for_del 0x0
[Aug 24 19:02:06]ike_free_id_payload: Start, id type = 1
[Aug 24 19:02:06]ike_free_sa: Start
[Aug 24 19:02:06]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
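Added example (editor's configuration, not the poster's). Two things in the trace above narrow the search: the "Number of proposals != 1" warning is just the two-proposal `standard` set being offered and is not the error, and the last line `ike_free_id_payload: Start, id type = 1` shows the SRX100 identified itself with an ID_IPV4_ADDR identity, while the SRX210 gateway `SIP` is keyed on `dynamic hostname sipsrx.ykt`. In aggressive mode the responder picks its gateway (and therefore its policy and PSK) from the identity the initiator sends in message 1; on an SRX a gateway lookup that finds nothing commonly surfaces as "No proposal chosen" rather than an identity error. The `set` commands below show the identities made to agree with `local-identity hostname` on the initiator, and IKE accepted on the zone of the external interface rather than on st0. Assumed, because the post does not state them: the zone name `untrust` for fe-0/0/7.0, that the NAT device forwards UDP 500 and 4500, and the PSK placeholder.

```junos
## Added example, not the poster's configuration. Assumptions: the SRX210's
## fe-0/0/7.0 (1.1.1.1) is in zone "untrust"; the SRX100's fe-0/0/7.0 is
## 2.2.2.2 behind a NAT device forwarding UDP 500/4500 to it; the PSK
## placeholder is replaced by the same long random secret on both ends.

## ---- responder: srx210 ------------------------------------------------
set security ike policy ike-pol-sip mode aggressive
set security ike policy ike-pol-sip proposal-set standard
set security ike policy ike-pol-sip pre-shared-key ascii-text "REPLACE-WITH-LONG-RANDOM-PSK"
set security ike gateway SIP ike-policy ike-pol-sip
## the gateway is selected by the initiator's IKE ID, so that ID must be this hostname
set security ike gateway SIP dynamic hostname sipsrx.ykt
set security ike gateway SIP external-interface fe-0/0/7.0
set security ike gateway SIP version v1-only
## IKE must be accepted on the zone holding the external interface, not on st0
set security zones security-zone untrust interfaces fe-0/0/7.0 host-inbound-traffic system-services ike

## ---- initiator: srx100 ------------------------------------------------
set security ike policy ike-pol-vnk mode aggressive
set security ike policy ike-pol-vnk proposal-set standard
set security ike policy ike-pol-vnk pre-shared-key ascii-text "REPLACE-WITH-LONG-RANDOM-PSK"
set security ike gateway office ike-policy ike-pol-vnk
set security ike gateway office address 1.1.1.1
## without this line the SRX sends its IPv4 address as the ID (id type = 1 in
## the trace) and the responder has no gateway matching it
set security ike gateway office local-identity hostname sipsrx.ykt
set security ike gateway office external-interface fe-0/0/7.0
set security ike gateway office version v1-only
## NAT-T is enabled by default on the SRX; do not set no-nat-traversal here

## ---- phase 2: unchanged from the post, identical on both ends -----------
## proposal-set standard + perfect-forward-secrecy keys group2 must match exactly

## ---- verify (operational mode) -----------------------------------------
## show security ike security-associations
## show security ipsec security-associations
## show log kmd
```

Two caveats a practitioner would check. First, aggressive mode with a pre-shared key is what the dynamic-peer design forces here, and it sends the identity in the clear and exposes a PSK-derived hash to anyone on the path, so the PSK has to be long and random, not a word; if both Junos releases support it, IKEv2 with a dynamic gateway avoids that exposure entirely. Second, the `ike` entry under `host-inbound-traffic` on st0 does nothing for phase 1; what matters is the zone of `fe-0/0/7.0` on the responder, which the post does not show.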