[j-nsp] Tunnel failing at "No proposal chosen" but works when target is another device

Mattias Gyllenvarg mattias at gyllenvarg.se
Mon Nov 25 05:53:28 EST 2013

Hi All

This is my first post to j-nsp, since this is my first encounter with
anything "advanced" on a Juniper platform.
JTAC is working on this as well, but I am hoping for a snappy response from
the community.

The issue is an IPsec tunnel that will not establish with one device as the
HUB but works with a different device.

Spoke is SRX210 cluster

Hub is SRX240 cluster

Replacement Hub is a stand-alone SRX210

Junos is 12.1X44-D20.3 across the board.

Relevant config for HUB240

ike {
    proposal <cleaned>-IKE-Proposal {
        authentication-method rsa-signatures;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm aes-128-cbc;
    }
    policy <cleaned>-IKE-Policy {
        mode aggressive;
        proposals <cleaned>-IKE-Proposal;
        certificate {
            local-certificate XXXX-HUB;
        }
    }
    gateway Euro-Hub {
        ike-policy <cleaned>-IKE-Policy;
        dynamic {
            distinguished-name {
                wildcard "O=<cleaned>";
            }
        }
        dead-peer-detection {
            interval 10;
            threshold 3;
        }
        local-identity distinguished-name;
        external-interface reth1;
    }
}
ipsec {
    proposal <cleaned>-IPsec-Proposal {
        protocol esp;
        authentication-algorithm hmac-md5-96;
        encryption-algorithm des-cbc;
    }
    policy <cleaned>-VPN-Policy {
        perfect-forward-secrecy {
            keys group14;
        }
        proposals <cleaned>-IPsec-Proposal;
    }
    vpn hub-to-spoke-vpn {
        bind-interface st0.0;
        ike {
            gateway Euro-Hub;
            ipsec-policy <cleaned>-VPN-Policy;
        }
    }
}

int reth1
unit 0 {
    family inet {
        address x.x.x.71/24;
        address x.x.x.11/24;
    }
}

    security-zone untrust {
        screen untrust-screen;
        host-inbound-traffic {
            system-services {
        interfaces {
            reth1.0 {
                host-inbound-traffic {
                    system-services {

static {
        rule-set XXXX-DMZ {
            from zone untrust;
            rule to-dmz {
                match {
                    destination-address <cleaned>.71/32;
                then {
                    static-nat {
                        prefix {

Differences in config from the working solution are:

No cluster, so no reth.
No secondary IP on tunnel external interface. (removed this with no effect)
A static nat for the secondary address.

Proposals have been verified several times. Deleted and re-added,
240cluster has been rebooted.

Is there any known issue with this kind of setup for the SRX240? I
have found none.

From what I can tell in the kmd debug log, the working setup validates with DN
when the "Address based phase 1 SA-CFG lookup failed" fails. The 240 does
not seem to try to validate DN.

Snippet from log where it fails.

iked_pm_phase1_sa_cfg_lookup_by_addr: Address based phase 1 SA-CFG lookup failed for local:x.x.x.11, remote:y.y.y.y. IKEv1
iked_pm_ike_spd_select_ike_sa failed. rc 1, error_code: No proposal chosen
ikev2_fb_spd_select_sa_cb: IKEv2 SA select failed with error No proposal chosen (neg de5800)
ike_isakmp_sa_reply: Start

*Best Regards*
*Mattias Gyllenvarg*

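Added triage script (not from the poster, JTAC or Juniper): it parses a constructed Junos config fragment carrying the Euro-Hub gateway and the two reth1 addresses from the post, then walks the quoted kmd lines to report which interface owns the local address of each failed address-based phase 1 lookup, whether that address is the primary or a secondary one, and which gateways are bound to that interface. The `O=example` wildcard is a placeholder; `x.x.x` / `y.y.y.y` are the post's own redactions.

```python
import re
# Constructed sample, not the poster's full config: the Euro-Hub gateway and the
# two reth1 addresses from the post (x.x.x / y.y.y.y are the post's placeholders).
HUB_CONFIG = """
security { ike { gateway Euro-Hub {
    dynamic { distinguished-name { wildcard "O=example"; } }
    local-identity distinguished-name; external-interface reth1; } } }
interfaces { reth1 { unit 0 { family inet {
    address x.x.x.71/24; address x.x.x.11/24; } } } }
"""
# The kmd log lines quoted in the post.
KMD_LOG = """
iked_pm_phase1_sa_cfg_lookup_by_addr: Address based phase 1 SA-CFG lookup failed for local:x.x.x.11, remote:y.y.y.y. IKEv1
iked_pm_ike_spd_select_ike_sa failed. rc 1, error_code: No proposal chosen
"""
def parse_junos(text):
    """Curly-brace Junos config -> nested dicts; 'keyword value;' leaves -> lists."""
    stack = [{}]
    for tok in re.findall(r'[^{};]+\{|\}|[^{};]+;', text):
        tok = tok.strip()
        if tok == '}':
            stack.pop()
        elif tok.endswith('{'):  # 'ike {' -> node['ike'], 'gateway X {' -> node['gateway']['X']
            head, _, name = tok[:-1].strip().partition(' ')
            node = stack[-1].setdefault(head, {}) if name else stack[-1]
            node[name or head] = child = {}
            stack.append(child)
        else:
            key, _, val = tok[:-1].partition(' ')
            stack[-1].setdefault(key, []).append(val.strip())
    return stack[0]
def triage(config, log):
    """Link each failed address-based phase 1 lookup to the interface/gateways behind its local address."""
    cfg, owners = parse_junos(config), {}
    for ifname, iface in cfg.get('interfaces', {}).items():
        for unit, u in iface.get('unit', {}).items():
            addrs = u.get('family', {}).get('inet', {}).get('address', [])
            for i, a in enumerate(addrs):  # first address configured is the primary
                owners[a.split('/')[0]] = (ifname, unit, 'secondary' if i else 'primary')
    gws = cfg.get('security', {}).get('ike', {}).get('gateway', {})
    report, errors = [], re.findall(r'error_code: (.+)$', log, re.M)
    for local, remote in re.findall(r'lookup failed for local:([^,\s]+), remote:(\S+)', log):
        ifname, unit, role = owners.get(local, (None, None, 'unconfigured'))
        bound = {n: ('dynamic ' + '/'.join(g['dynamic']) if 'dynamic' in g else 'address')
                 for n, g in gws.items() if g.get('external-interface') == [ifname]}
        report.append({'local': local, 'remote': remote.rstrip('.'), 'address_role': role,
                       'interface': f'{ifname}.{unit}' if ifname else None,
                       'gateways': bound, 'errors': errors})
    return report
```

Running `triage(HUB_CONFIG, KMD_LOG)` reports that the failing local address x.x.x.11 is the secondary address on reth1.0 and that the only gateway bound to reth1, Euro-Hub, expects a dynamic distinguished-name peer, so an address-based match is not what should select it.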