This is an illustrated guide that shows how to configure the various types of Network Address Translation (NAT) on the Juniper SRX series. Each example lists the configuration on the SRX, as well as what the client and server on either side of the NATing SRX see and experience, through working examples.
So in our contrived little scenario, our IPSEC VPN between SRX-11 and SRX-13, allowing the client and server to securely communicate with each other, is humming along -- until.....
The administrator of the firewall in the middle, SRX-12, decides that in the name of security he needs to hide all of the client addresses from the rest of the world and turns on source NAT using the following config:
NAT config on SRX-12
[edit security nat]
juniper@SRX-12# show
source {
    rule-set NAT-11-13 {
        from zone SRX11;
        to zone SRX13;
        rule NAT-INTERFACE {
            match {
                source-address 192.168.11.0/24;
            }
            then {
                source-nat {
                    interface;
                }
            }
        }
    }
}

[edit security nat]
juniper@SRX-12#
SRX-12, because of a policy-rematch statement, starts NATing all of the traffic immediately, including the existing IKE and ESP flows of the VPN.
sessions on SRX-12
juniper@SRX-12# run show security flow session
Session ID: 276, Policy name: ALLOW-ESP/4, Timeout: 1798, Valid
  In: 192.168.11.11/0 --> 192.168.13.13/0;esp, If: ge-0/0/4.0, Pkts: 19, Bytes: 2888
  Out: 192.168.13.13/0 --> 172.18.2.12/22261;esp, If: ge-0/0/5.0, Pkts: 0, Bytes: 0

Session ID: 277, Policy name: ALLOW-IKE-500/5, Timeout: 60, Valid
  In: 192.168.11.11/500 --> 192.168.13.13/500;udp, If: ge-0/0/4.0, Pkts: 25, Bytes: 7900
  Out: 192.168.13.13/500 --> 172.18.2.12/13381;udp, If: ge-0/0/5.0, Pkts: 25, Bytes: 3250
Total sessions: 2

[edit security nat]
juniper@SRX-12#
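The session table above already contains the evidence of what is about to break: the reply wing of both VPN sessions points at the interface address 172.18.2.12, not at the real initiator. The following check, an added example that is not part of the original page, parses that output and flags every IKE (UDP/500, UDP/4500) or ESP session whose source was translated. The session text is the SRX-12 output from this page; the regular expressions and the Finding record are my own.

```python
"""Flag SRX flow sessions in which IKE or ESP traffic is being source-NATed.

Added example, not from the original page. It parses the text of
'show security flow session' and reports every IKE or ESP session whose
reverse wing carries a translated source, i.e. the far-end peer will see the
NAT address instead of the real initiator.
"""
import re
from dataclasses import dataclass

# Session table copied from the SRX-12 output shown on this page.
SAMPLE_SESSIONS = """\
Session ID: 276, Policy name: ALLOW-ESP/4, Timeout: 1798, Valid
  In: 192.168.11.11/0 --> 192.168.13.13/0;esp, If: ge-0/0/4.0, Pkts: 19, Bytes: 2888
  Out: 192.168.13.13/0 --> 172.18.2.12/22261;esp, If: ge-0/0/5.0, Pkts: 0, Bytes: 0

Session ID: 277, Policy name: ALLOW-IKE-500/5, Timeout: 60, Valid
  In: 192.168.11.11/500 --> 192.168.13.13/500;udp, If: ge-0/0/4.0, Pkts: 25, Bytes: 7900
  Out: 192.168.13.13/500 --> 172.18.2.12/13381;udp, If: ge-0/0/5.0, Pkts: 25, Bytes: 3250
Total sessions: 2
"""

SESSION_RE = re.compile(r"^Session ID: (?P<sid>\d+), Policy name: (?P<policy>\S+),")
WING_RE = re.compile(
    r"^(?P<dir>In|Out): (?P<src>[\d.]+)/(?P<sport>\d+) --> "
    r"(?P<dst>[\d.]+)/(?P<dport>\d+);(?P<proto>\w+)"
)
IKE_PORTS = {500, 4500}   # IKE and IKE over NAT-T


@dataclass
class Finding:
    session_id: int
    policy: str
    proto: str
    real_source: str
    seen_by_peer: str     # address/port the far end actually receives the flow from
    reason: str


def parse_sessions(text):
    """Group the In/Out wings of each session under its 'Session ID' line."""
    sessions, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SESSION_RE.match(line)
        if m:
            current = {"sid": int(m.group("sid")), "policy": m.group("policy")}
            sessions.append(current)
            continue
        w = WING_RE.match(line)
        if w and current is not None:
            current[w.group("dir")] = w.groupdict()
    return sessions


def find_natted_vpn_sessions(text):
    """Return a Finding for every IKE/ESP session whose source was translated."""
    findings = []
    for s in parse_sessions(text):
        if "In" not in s or "Out" not in s:
            continue
        inw, outw = s["In"], s["Out"]
        proto = inw["proto"].lower()
        # The Out wing is the reply direction, so its destination is the
        # translated source. If it differs from the In wing's source, source
        # NAT has been applied to this flow.
        if outw["dst"] == inw["src"]:
            continue
        seen = "%s/%s" % (outw["dst"], outw["dport"])
        if proto == "esp":
            reason = "ESP is being source-NATed; the far end receives it from %s" % seen
        elif proto == "udp" and int(inw["dport"]) in IKE_PORTS:
            reason = ("IKE is being source-NATed; the responder sees peer %s, "
                      "not the configured %s" % (seen, inw["src"]))
        else:
            continue
        findings.append(Finding(s["sid"], s["policy"], proto, inw["src"], seen, reason))
    return findings


if __name__ == "__main__":
    for f in find_natted_vpn_sessions(SAMPLE_SESSIONS):
        print("session %d (%s): %s" % (f.session_id, f.policy, f.reason))
```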
Within a few seconds, all of the SAs on SRX-11, the initiator, disappear.
security associations on SRX-11
juniper@SRX-11# run show security ike security-associations

[edit security]
juniper@SRX-11#
And SRX-13 starts listing a ton of SAs, now from the reflexive (NATed) IP address, that never come up.
security associations on SRX-13
juniper@SRX13# run show security ike security-associations
Index    State  Initiator cookie  Responder cookie  Mode  Remote Address
3194129  DOWN   8c2ff4cb5a606d29  213e80ff1c11e504  Any   172.18.2.12
3194132  DOWN   c7ae637930376e4f  42f65ad42c119334  Any   172.18.2.12
3194133  DOWN   ec1cf3655dcfab8b  babe5be041340da8  Any   172.18.2.12
3194128  DOWN   0e1e466ac0f0b39a  86644e09820ceb25  Any   172.18.2.12
3194127  DOWN   c6196c8c89e4a550  b8f7fdaad38d0307  Any   172.18.2.12
3194130  DOWN   439e78eb0ff360b1  d85a65a6750dc026  Any   172.18.2.12
3194126  DOWN   40d8144b395a44e2  5bb4acb6653d01f3  Any   172.18.2.12
3194131  DOWN   4ddd3570fe70831e  6bb5e6257823179d  Any   172.18.2.12

[edit security]
juniper@SRX13#
An IKE trace on SRX-11 shows that IKE is no longer getting past Phase I: the responder now reports, for every attempt, that there is no common proposal (encryption algorithm, authentication algorithm, etc.) between the two endpoints.
ike trace on SRX-11
[Jan 11 09:50:35]ssh_ike_connect: Start, remote_name = 192.168.13.13:500, xchg = 2, flags = 00080000
[Jan 11 09:50:35]ike_sa_allocate: Start, SA = { e421c356 9493d275 - 00000000 00000000 }
[Jan 11 09:50:35]ike_init_isakmp_sa: Start, remote = 192.168.13.13:500, initiator = 1
[Jan 11 09:50:35]ssh_ike_connect: SA = { e421c356 9493d275 - 00000000 00000000}, nego = -1
[Jan 11 09:50:35]ike_st_o_sa_proposal: Start
[Jan 11 09:50:35]ike_policy_reply_isakmp_vendor_ids: Start
[Jan 11 09:50:35]ike_st_o_private: Start
[Jan 11 09:50:35]ike_policy_reply_private_payload_out: Start
[Jan 11 09:50:35]ike_encode_packet: Start, SA = { 0xe421c356 9493d275 - 00000000 00000000 } / 00000000, nego = -1
[Jan 11 09:50:35]ike_send_packet: Start, send SA = { e421c356 9493d275 - 00000000 00000000}, nego = -1, dst = 192.168.13.13:500, routing table id = 0
[Jan 11 09:50:35]ikev2_packet_allocate: Allocated packet 8c31000 from freelist
[Jan 11 09:50:35]ike_sa_find: Not found SA = { e421c356 9493d275 - 658d7a4a 151532a0 }
[Jan 11 09:50:35]ikev2_packet_st_input_v1_get_sa: Checking if unauthenticated IKEv1 notify is for an IKEv2 SA
[Jan 11 09:50:35]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[Jan 11 09:50:35]ike_get_sa: Start, SA = { e421c356 9493d275 - 658d7a4a 151532a0 } / fe429800, remote = 192.168.13.13:500
[Jan 11 09:50:35]ike_sa_find: Not found SA = { e421c356 9493d275 - 658d7a4a 151532a0 }
[Jan 11 09:50:35]ike_sa_find_half: Found half SA = { e421c356 9493d275 - 00000000 00000000 }
[Jan 11 09:50:35]ike_sa_upgrade: Start, SA = { e421c356 9493d275 - 00000000 00000000 } -> { ... - 658d7a4a 151532a0 }
[Jan 11 09:50:35]ike_alloc_negotiation: Start, SA = { e421c356 9493d275 - 658d7a4a 151532a0}
[Jan 11 09:50:35]ike_decode_packet: Start
[Jan 11 09:50:35]ike_decode_packet: Start, SA = { e421c356 9493d275 - 658d7a4a 151532a0} / fe429800, nego = 0
[Jan 11 09:50:35]ike_st_i_n: Start, doi = 1, protocol = 1, code = No proposal chosen (14), spi[0..16] = e421c356 9493d275 ..., data[0..46] = 800c0001 00060022 ...
[Jan 11 09:50:35]:500 (Responder) <-> 192.168.13.13:500 { e421c356 9493d275 - 658d7a4a 151532a0 [0] / 0xfe429800 } Info; Notification data has attribute list
[Jan 11 09:50:35] :500 (Responder) <-> 192.168.13.13:500 { e421c356 9493d275 - 658d7a4a 151532a0 [0] / 0xfe429800 } Info; Notify message version = 1
[Jan 11 09:50:35] :500 (Responder) <-> 192.168.13.13:500 { e421c356 9493d275 - 658d7a4a 151532a0 [0] / 0xfe429800 } Info; Error text = Could not find acceptable proposal
[Jan 11 09:50:35] :500 (Responder) <-> 192.168.13.13:500 { e421c356 9493d275 - 658d7a4a 151532a0 [0] / 0xfe429800 } Info; Offending message id = 0x00000000
[Jan 11 09:50:35] :500 (Responder) <-> 192.168.13.13:500 { e421c356 9493d275 - 658d7a4a 151532a0 [0] / 0xfe429800 } Info; Received notify err = No proposal chosen (14) to isakmp sa, delete it
[Jan 11 09:50:35]ike_st_i_private: Start
[Jan 11 09:50:35]ike_send_notify: Connected, SA = { e421c356 9493d275 - 658d7a4a 151532a0}, nego = 0
[Jan 11 09:50:35]ike_delete_negotiation: Start, SA = { e421c356 9493d275 - 658d7a4a 151532a0}, nego = 0
[Jan 11 09:50:35]ike_free_negotiation_info: Start, nego = 0
[Jan 11 09:50:35]ike_free_negotiation: Start, nego = 0
[Jan 11 09:50:35]ike_remove_callback: Start, delete SA = { e421c356 9493d275 - 658d7a4a 151532a0}, nego = -1
[Jan 11 09:50:35]192.168.11.11:500 (Initiator) <-> 192.168.13.13:500 { e421c356 9493d275 - 658d7a4a 151532a0 [-1] / 0x00000000 } IP; Connection got error = 14, calling callback
[Jan 11 09:50:35]ikev2_fb_v1_encr_id_to_v2_id: Unknown IKE encryption identifier -1
[Jan 11 09:50:35]ikev2_fb_v1_hash_id_to_v2_prf_id: Unknown IKE hash alg identifier -1
[Jan 11 09:50:35]ikev2_fb_v1_hash_id_to_v2_integ_id: Unknown IKE hash alg identifier -1
[Jan 11 09:50:35] IKEv1 Error : No proposal chosen
[Jan 11 09:50:35]ike_delete_negotiation: Start, SA = { e421c356 9493d275 - 658d7a4a 151532a0}, nego = -1
[Jan 11 09:50:35]ssh_ike_tunnel_table_entry_delete: Deleting tunnel_id: 0 from IKE tunnel table
[Jan 11 09:50:35]ssh_ike_tunnel_table_entry_delete: The tunnel id: 0 doesn't exist in IKE tunnel table
[Jan 11 09:50:35]ike_sa_delete: Start, SA = { e421c356 9493d275 - 658d7a4a 151532a0 }
[Jan 11 09:50:35]ike_free_negotiation_isakmp: Start, nego = -1
[Jan 11 09:50:35]ike_free_negotiation: Start, nego = -1
[Jan 11 09:50:35]ike_free_id_payload: Start, id type = 1
[Jan 11 09:50:35]ike_free_sa: Start
[Jan 11 09:50:39]ssh_ike_connect: Start, remote_name = 192.168.13.13:500, xchg = 2, flags = 00080000
[Jan 11 09:50:39]ike_sa_allocate: Start, SA = { 13e721e9 a85bb191 - 00000000 00000000 }
[Jan 11 09:50:39]ike_init_isakmp_sa: Start, remote = 192.168.13.13:500, initiator = 1
[Jan 11 09:50:39]ssh_ike_connect: SA = { 13e721e9 a85bb191 - 00000000 00000000}, nego = -1
[Jan 11 09:50:39]ike_st_o_sa_proposal: Start
[Jan 11 09:50:39]ike_policy_reply_isakmp_vendor_ids: Start
[Jan 11 09:50:39]ike_st_o_private: Start
[Jan 11 09:50:39]ike_policy_reply_private_payload_out: Start
[Jan 11 09:50:39]ike_encode_packet: Start, SA = { 0x13e721e9 a85bb191 - 00000000 00000000 } / 00000000, nego = -1
[Jan 11 09:50:39]ike_send_packet: Start, send SA = { 13e721e9 a85bb191 - 00000000 00000000}, nego = -1, dst = 192.168.13.13:500, routing table id = 0
[Jan 11 09:50:39]ikev2_packet_allocate: Allocated packet 8c31400 from freelist
[Jan 11 09:50:39]ike_sa_find: Not found SA = { 13e721e9 a85bb191 - 97bfa64c 604bac3f }
[Jan 11 09:50:39]ikev2_packet_st_input_v1_get_sa: Checking if unauthenticated IKEv1 notify is for an IKEv2 SA
[Jan 11 09:50:39]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[Jan 11 09:50:39]ike_get_sa: Start, SA = { 13e721e9 a85bb191 - 97bfa64c 604bac3f } / 524d6607, remote = 192.168.13.13:500
[Jan 11 09:50:39]ike_sa_find: Not found SA = { 13e721e9 a85bb191 - 97bfa64c 604bac3f }
[Jan 11 09:50:39]ike_sa_find_half: Found half SA = { 13e721e9 a85bb191 - 00000000 00000000 }
[Jan 11 09:50:39]ike_sa_upgrade: Start, SA = { 13e721e9 a85bb191 - 00000000 00000000 } -> { ... - 97bfa64c 604bac3f }
[Jan 11 09:50:39]ike_alloc_negotiation: Start, SA = { 13e721e9 a85bb191 - 97bfa64c 604bac3f}
[Jan 11 09:50:39]ike_decode_packet: Start
[Jan 11 09:50:39]ike_decode_packet: Start, SA = { 13e721e9 a85bb191 - 97bfa64c 604bac3f} / 524d6607, nego = 0
[Jan 11 09:50:39]ike_st_i_n: Start, doi = 1, protocol = 1, code = No proposal chosen (14), spi[0..16] = 13e721e9 a85bb191 ..., data[0..46] = 800c0001 00060022 ...
[Jan 11 09:50:39] :500 (Responder) <-> 192.168.13.13:500 { 13e721e9 a85bb191 - 97bfa64c 604bac3f [0] / 0x524d6607 } Info; Notification data has attribute list
[Jan 11 09:50:39] :500 (Responder) <-> 192.168.13.13:500 { 13e721e9 a85bb191 - 97bfa64c 604bac3f [0] / 0x524d6607 } Info; Notify message version = 1
[Jan 11 09:50:39] :500 (Responder) <-> 192.168.13.13:500 { 13e721e9 a85bb191 - 97bfa64c 604bac3f [0] / 0x524d6607 } Info; Error text = Could not find acceptable proposal
[Jan 11 09:50:39] :500 (Responder) <-> 192.168.13.13:500 { 13e721e9 a85bb191 - 97bfa64c 604bac3f [0] / 0x524d6607 } Info; Offending message id = 0x00000000
[Jan 11 09:50:39] :500 (Responder) <-> 192.168.13.13:500 { 13e721e9 a85bb191 - 97bfa64c 604bac3f [0] / 0x524d6607 } Info; Received notify err = No proposal chosen (14) to isakmp sa, delete it
[Jan 11 09:50:39]ike_st_i_private: Start
[Jan 11 09:50:39]ike_send_notify: Connected, SA = { 13e721e9 a85bb191 - 97bfa64c 604bac3f}, nego = 0
[Jan 11 09:50:39]ike_delete_negotiation: Start, SA = { 13e721e9 a85bb191 - 97bfa64c 604bac3f}, nego = 0
[Jan 11 09:50:39]ike_free_negotiation_info: Start, nego = 0
[Jan 11 09:50:39]ike_free_negotiation: Start, nego = 0
[Jan 11 09:50:39]ike_remove_callback: Start, delete SA = { 13e721e9 a85bb191 - 97bfa64c 604bac3f}, nego = -1
[Jan 11 09:50:39]192.168.11.11:500 (Initiator) <-> 192.168.13.13:500 { 13e721e9 a85bb191 - 97bfa64c 604bac3f [-1] / 0x00000000 } IP; Connection got error = 14, calling callback
[Jan 11 09:50:39]ikev2_fb_v1_encr_id_to_v2_id: Unknown IKE encryption identifier -1
[Jan 11 09:50:39]ikev2_fb_v1_hash_id_to_v2_prf_id: Unknown IKE hash alg identifier -1
[Jan 11 09:50:39]ikev2_fb_v1_hash_id_to_v2_integ_id: Unknown IKE hash alg identifier -1
[Jan 11 09:50:39] IKEv1 Error : No proposal chosen
[Jan 11 09:50:39]ike_delete_negotiation: Start, SA = { 13e721e9 a85bb191 - 97bfa64c 604bac3f}, nego = -1
[Jan 11 09:50:39]ssh_ike_tunnel_table_entry_delete: Deleting tunnel_id: 0 from IKE tunnel table
[Jan 11 09:50:39]ssh_ike_tunnel_table_entry_delete: The tunnel id: 0 doesn't exist in IKE tunnel table
[Jan 11 09:50:39]ike_sa_delete: Start, SA = { 13e721e9 a85bb191 - 97bfa64c 604bac3f }
[Jan 11 09:50:39]ike_free_negotiation_isakmp: Start, nego = -1
[Jan 11 09:50:39]ike_free_negotiation: Start, nego = -1
[Jan 11 09:50:39]ike_free_id_payload: Start, id type = 1
[Jan 11 09:50:39]ike_free_sa: Start
[Jan 11 09:50:43]ssh_ike_connect: Start, remote_name = 192.168.13.13:500, xchg = 2, flags = 00080000
[Jan 11 09:50:43]ike_sa_allocate: Start, SA = { 1e43c8f5 a7c32dde - 00000000 00000000 }
[Jan 11 09:50:43]ike_init_isakmp_sa: Start, remote = 192.168.13.13:500, initiator = 1
[Jan 11 09:50:43]ssh_ike_connect: SA = { 1e43c8f5 a7c32dde - 00000000 00000000}, nego = -1
[Jan 11 09:50:43]ike_st_o_sa_proposal: Start
[Jan 11 09:50:43]ike_policy_reply_isakmp_vendor_ids: Start
[Jan 11 09:50:43]ike_st_o_private: Start
[Jan 11 09:50:43]ike_policy_reply_private_payload_out: Start
[Jan 11 09:50:43]ike_encode_packet: Start, SA = { 0x1e43c8f5 a7c32dde - 00000000 00000000 } / 00000000, nego = -1
[Jan 11 09:50:43]ike_send_packet: Start, send SA = { 1e43c8f5 a7c32dde - 00000000 00000000}, nego = -1, dst = 192.168.13.13:500, routing table id = 0
[Jan 11 09:50:43]ikev2_packet_allocate: Allocated packet 8c31800 from freelist
[Jan 11 09:50:43]ike_sa_find: Not found SA = { 1e43c8f5 a7c32dde - cc1e1a0c 5c50c18c }
[Jan 11 09:50:43]ikev2_packet_st_input_v1_get_sa: Checking if unauthenticated IKEv1 notify is for an IKEv2 SA
[Jan 11 09:50:43]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[Jan 11 09:50:43]ike_get_sa: Start, SA = { 1e43c8f5 a7c32dde - cc1e1a0c 5c50c18c } / ed27062e, remote = 192.168.13.13:500
[Jan 11 09:50:43]ike_sa_find: Not found SA = { 1e43c8f5 a7c32dde - cc1e1a0c 5c50c18c }
[Jan 11 09:50:43]ike_sa_find_half: Found half SA = { 1e43c8f5 a7c32dde - 00000000 00000000 }
[Jan 11 09:50:43]ike_sa_upgrade: Start, SA = { 1e43c8f5 a7c32dde - 00000000 00000000 } -> { ... - cc1e1a0c 5c50c18c }
[Jan 11 09:50:43]ike_alloc_negotiation: Start, SA = { 1e43c8f5 a7c32dde - cc1e1a0c 5c50c18c}
[Jan 11 09:50:43]ike_decode_packet: Start
[Jan 11 09:50:43]ike_decode_packet: Start, SA = { 1e43c8f5 a7c32dde - cc1e1a0c 5c50c18c} / ed27062e, nego = 0
[Jan 11 09:50:43]ike_st_i_n: Start, doi = 1, protocol = 1, code = No proposal chosen (14), spi[0..16] = 1e43c8f5 a7c32dde ..., data[0..46] = 800c0001 00060022 ...
[Jan 11 09:50:43] :500 (Responder) <-> 192.168.13.13:500 { 1e43c8f5 a7c32dde - cc1e1a0c 5c50c18c [0] / 0xed27062e } Info; Notification data has attribute list
[Jan 11 09:50:43] :500 (Responder) <-> 192.168.13.13:500 { 1e43c8f5 a7c32dde - cc1e1a0c 5c50c18c [0] / 0xed27062e } Info; Notify message version = 1
[Jan 11 09:50:43] :500 (Responder) <-> 192.168.13.13:500 { 1e43c8f5 a7c32dde - cc1e1a0c 5c50c18c [0] / 0xed27062e } Info; Error text = Could not find acceptable proposal
[Jan 11 09:50:43] :500 (Responder) <-> 192.168.13.13:500 { 1e43c8f5 a7c32dde - cc1e1a0c 5c50c18c [0] / 0xed27062e } Info; Offending message id = 0x00000000
[Jan 11 09:50:43] :500 (Responder) <-> 192.168.13.13:500 { 1e43c8f5 a7c32dde - cc1e1a0c 5c50c18c [0] / 0xed27062e } Info; Received notify err = No proposal chosen (14) to isakmp sa, delete it
[Jan 11 09:50:43]ike_st_i_private: Start
[Jan 11 09:50:43]ike_send_notify: Connected, SA = { 1e43c8f5 a7c32dde - cc1e1a0c 5c50c18c}, nego = 0
[Jan 11 09:50:43]ike_delete_negotiation: Start, SA = { 1e43c8f5 a7c32dde - cc1e1a0c 5c50c18c}, nego = 0
[Jan 11 09:50:43]ike_free_negotiation_info: Start, nego = 0
[Jan 11 09:50:43]ike_free_negotiation: Start, nego = 0
[Jan 11 09:50:43]ike_remove_callback: Start, delete SA = { 1e43c8f5 a7c32dde - cc1e1a0c 5c50c18c}, nego = -1
[Jan 11 09:50:43]192.168.11.11:500 (Initiator) <-> 192.168.13.13:500 { 1e43c8f5 a7c32dde - cc1e1a0c 5c50c18c [-1] / 0x00000000 } IP; Connection got error = 14, calling callback
[Jan 11 09:50:43]ikev2_fb_v1_encr_id_to_v2_id: Unknown IKE encryption identifier -1
[Jan 11 09:50:43]ikev2_fb_v1_hash_id_to_v2_prf_id: Unknown IKE hash alg identifier -1
[Jan 11 09:50:43]ikev2_fb_v1_hash_id_to_v2_integ_id: Unknown IKE hash alg identifier -1
[Jan 11 09:50:43] IKEv1 Error : No proposal chosen
[Jan 11 09:50:43]ike_delete_negotiation: Start, SA = { 1e43c8f5 a7c32dde - cc1e1a0c 5c50c18c}, nego = -1
[Jan 11 09:50:43]ssh_ike_tunnel_table_entry_delete: Deleting tunnel_id: 0 from IKE tunnel table
[Jan 11 09:50:43]ssh_ike_tunnel_table_entry_delete: The tunnel id: 0 doesn't exist in IKE tunnel table
[Jan 11 09:50:43]ike_sa_delete: Start, SA = { 1e43c8f5 a7c32dde - cc1e1a0c 5c50c18c }
[Jan 11 09:50:43]ike_free_negotiation_isakmp: Start, nego = -1
[Jan 11 09:50:43]ike_free_negotiation: Start, nego = -1
[Jan 11 09:50:43]ike_free_id_payload: Start, id type = 1
[Jan 11 09:50:43]ike_free_sa: Start
Examining the IKE trace on SRX-13, we find that it is now receiving the IKE requests from the reflexive IP address, 172.18.2.12 (and from the translated source port 13381 rather than 500), but it has no peer configured for that address. Since the request cannot be matched to any IKE gateway, no proposal is chosen and SRX-13 answers every attempt with a NO-PROPOSAL-CHOSEN notification.
ike trace on SRX-13
[Jan 11 09:50:34]ikev2_packet_allocate: Allocated packet 8c23000 from freelist
[Jan 11 09:50:34]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[Jan 11 09:50:34]ike_get_sa: Start, SA = { e421c356 9493d275 - 00000000 00000000 } / 00000000, remote = 172.18.2.12:13381
[Jan 11 09:50:34]ike_sa_allocate: Start, SA = { e421c356 9493d275 - 084f0612 39498932 }
[Jan 11 09:50:34]ike_init_isakmp_sa: Start, remote = 172.18.2.12:13381, initiator = 0
[Jan 11 09:50:34]ike_decode_packet: Start
[Jan 11 09:50:34]ike_decode_packet: Start, SA = { e421c356 9493d275 - 658d7a4a 151532a0} / 00000000, nego = -1
[Jan 11 09:50:34]ike_decode_payload_sa: Start
[Jan 11 09:50:34]ike_decode_payload_t: Start, # trans = 1
[Jan 11 09:50:34]ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 ...
[Jan 11 09:50:34]ike_st_i_vid: VID[0..16] = 27bab5dc 01ea0760 ...
[Jan 11 09:50:34]ike_st_i_vid: VID[0..16] = 6105c422 e76847e4 ...
[Jan 11 09:50:34]ike_st_i_vid: VID[0..16] = 4485152d 18b6bbcd ...
[Jan 11 09:50:34]ike_st_i_vid: VID[0..16] = cd604643 35df21f8 ...
[Jan 11 09:50:34]ike_st_i_vid: VID[0..16] = 90cb8091 3ebb696e ...
[Jan 11 09:50:34]ike_st_i_vid: VID[0..16] = 7d9419a6 5310ca6f ...
[Jan 11 09:50:34]ike_st_i_vid: VID[0..16] = 4a131c81 07035845 ...
[Jan 11 09:50:34]ike_st_i_vid: VID[0..28] = 69936922 8741c6d4 ...
[Jan 11 09:50:34]ike_st_i_sa_proposal: Start
[Jan 11 09:50:34]ikev2_fb_spd_select_sa_cb: IKEv2 SA select failed with error No proposal chosen (neg 8c78800)
[Jan 11 09:50:34]ike_isakmp_sa_reply: Start
[Jan 11 09:50:34]ike_state_restart_packet: Start, restart packet SA = { e421c356 9493d275 - 658d7a4a 151532a0}, nego = -1
[Jan 11 09:50:34]ike_st_i_sa_proposal: Start
[Jan 11 09:50:34]ike_st_i_cr: Start
[Jan 11 09:50:34]ike_st_i_cert: Start
[Jan 11 09:50:34]ike_st_i_private: Start
[Jan 11 09:50:34]ike_st_o_sa_values: Start
[Jan 11 09:50:34]192.168.13.13:500 (Responder) <-> 172.18.2.12:13381 { e421c356 9493d275 - 658d7a4a 151532a0 [-1] / 0x00000000 } IP; Error = No proposal chosen (14)
[Jan 11 09:50:34]ike_alloc_negotiation: Start, SA = { e421c356 9493d275 - 658d7a4a 151532a0}
[Jan 11 09:50:34]ike_encode_packet: Start, SA = { 0xe421c356 9493d275 - 658d7a4a 151532a0 } / fe429800, nego = 0
[Jan 11 09:50:34]ike_send_packet: Start, send SA = { e421c356 9493d275 - 658d7a4a 151532a0}, nego = 0, dst = 172.18.2.12:13381, routing table id = 0
[Jan 11 09:50:34]ike_delete_negotiation: Start, SA = { e421c356 9493d275 - 658d7a4a 151532a0}, nego = 0
[Jan 11 09:50:34]ike_free_negotiation_info: Start, nego = 0
[Jan 11 09:50:34]ike_free_negotiation: Start, nego = 0
[Jan 11 09:50:34] IKEv1 Error : No proposal chosen
[Jan 11 09:50:38]ikev2_packet_allocate: Allocated packet 8c23400 from freelist
[Jan 11 09:50:38]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[Jan 11 09:50:38]ike_get_sa: Start, SA = { 13e721e9 a85bb191 - 00000000 00000000 } / 00000000, remote = 172.18.2.12:13381
[Jan 11 09:50:38]ike_sa_allocate: Start, SA = { 13e721e9 a85bb191 - e73a849c 01d88cc2 }
[Jan 11 09:50:38]ike_init_isakmp_sa: Start, remote = 172.18.2.12:13381, initiator = 0
[Jan 11 09:50:38]ike_decode_packet: Start
[Jan 11 09:50:38]ike_decode_packet: Start, SA = { 13e721e9 a85bb191 - 97bfa64c 604bac3f} / 00000000, nego = -1
[Jan 11 09:50:38]ike_decode_payload_sa: Start
[Jan 11 09:50:38]ike_decode_payload_t: Start, # trans = 1
[Jan 11 09:50:38]ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 ...
[Jan 11 09:50:38]ike_st_i_vid: VID[0..16] = 27bab5dc 01ea0760 ...
[Jan 11 09:50:38]ike_st_i_vid: VID[0..16] = 6105c422 e76847e4 ...
[Jan 11 09:50:38]ike_st_i_vid: VID[0..16] = 4485152d 18b6bbcd ...
[Jan 11 09:50:38]ike_st_i_vid: VID[0..16] = cd604643 35df21f8 ...
[Jan 11 09:50:38]ike_st_i_vid: VID[0..16] = 90cb8091 3ebb696e ...
[Jan 11 09:50:38]ike_st_i_vid: VID[0..16] = 7d9419a6 5310ca6f ...
[Jan 11 09:50:38]ike_st_i_vid: VID[0..16] = 4a131c81 07035845 ...
[Jan 11 09:50:38]ike_st_i_vid: VID[0..28] = 69936922 8741c6d4 ...
[Jan 11 09:50:38]ike_st_i_sa_proposal: Start
[Jan 11 09:50:38]ikev2_fb_spd_select_sa_cb: IKEv2 SA select failed with error No proposal chosen (neg 8c78800)
[Jan 11 09:50:38]ike_isakmp_sa_reply: Start
[Jan 11 09:50:38]ike_state_restart_packet: Start, restart packet SA = { 13e721e9 a85bb191 - 97bfa64c 604bac3f}, nego = -1
[Jan 11 09:50:38]ike_st_i_sa_proposal: Start
[Jan 11 09:50:38]ike_st_i_cr: Start
[Jan 11 09:50:38]ike_st_i_cert: Start
[Jan 11 09:50:38]ike_st_i_private: Start
[Jan 11 09:50:38]ike_st_o_sa_values: Start
[Jan 11 09:50:38]192.168.13.13:500 (Responder) <-> 172.18.2.12:13381 { 13e721e9 a85bb191 - 97bfa64c 604bac3f [-1] / 0x00000000 } IP; Error = No proposal chosen (14)
[Jan 11 09:50:38]ike_alloc_negotiation: Start, SA = { 13e721e9 a85bb191 - 97bfa64c 604bac3f}
[Jan 11 09:50:38]ike_encode_packet: Start, SA = { 0x13e721e9 a85bb191 - 97bfa64c 604bac3f } / 524d6607, nego = 0
[Jan 11 09:50:38]ike_send_packet: Start, send SA = { 13e721e9 a85bb191 - 97bfa64c 604bac3f}, nego = 0, dst = 172.18.2.12:13381, routing table id = 0
[Jan 11 09:50:38]ike_delete_negotiation: Start, SA = { 13e721e9 a85bb191 - 97bfa64c 604bac3f}, nego = 0
[Jan 11 09:50:38]ike_free_negotiation_info: Start, nego = 0
[Jan 11 09:50:38]ike_free_negotiation: Start, nego = 0
[Jan 11 09:50:38] IKEv1 Error : No proposal chosen
[Jan 11 09:50:42]ikev2_packet_allocate: Allocated packet 8c23800 from freelist
[Jan 11 09:50:42]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[Jan 11 09:50:42]ike_get_sa: Start, SA = { 1e43c8f5 a7c32dde - 00000000 00000000 } / 00000000, remote = 172.18.2.12:13381
[Jan 11 09:50:42]ike_sa_allocate: Start, SA = { 1e43c8f5 a7c32dde - 725513c5 c6336aef }
[Jan 11 09:50:42]ike_init_isakmp_sa: Start, remote = 172.18.2.12:13381, initiator = 0
[Jan 11 09:50:42]ike_decode_packet: Start
[Jan 11 09:50:42]ike_decode_packet: Start, SA = { 1e43c8f5 a7c32dde - cc1e1a0c 5c50c18c} / 00000000, nego = -1
[Jan 11 09:50:42]ike_decode_payload_sa: Start
[Jan 11 09:50:42]ike_decode_payload_t: Start, # trans = 1
[Jan 11 09:50:42]ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 ...
[Jan 11 09:50:42]ike_st_i_vid: VID[0..16] = 27bab5dc 01ea0760 ...
[Jan 11 09:50:42]ike_st_i_vid: VID[0..16] = 6105c422 e76847e4 ...
[Jan 11 09:50:42]ike_st_i_vid: VID[0..16] = 4485152d 18b6bbcd ...
[Jan 11 09:50:42]ike_st_i_vid: VID[0..16] = cd604643 35df21f8 ...
[Jan 11 09:50:42]ike_st_i_vid: VID[0..16] = 90cb8091 3ebb696e ...
[Jan 11 09:50:42]ike_st_i_vid: VID[0..16] = 7d9419a6 5310ca6f ...
[Jan 11 09:50:42]ike_st_i_vid: VID[0..16] = 4a131c81 07035845 ...
[Jan 11 09:50:42]ike_st_i_vid: VID[0..28] = 69936922 8741c6d4 ...
[Jan 11 09:50:42]ike_st_i_sa_proposal: Start
[Jan 11 09:50:42]ikev2_fb_spd_select_sa_cb: IKEv2 SA select failed with error No proposal chosen (neg 8c78800)
[Jan 11 09:50:42]ike_isakmp_sa_reply: Start
[Jan 11 09:50:42]ike_state_restart_packet: Start, restart packet SA = { 1e43c8f5 a7c32dde - cc1e1a0c 5c50c18c}, nego = -1
[Jan 11 09:50:42]ike_st_i_sa_proposal: Start
[Jan 11 09:50:42]ike_st_i_cr: Start
[Jan 11 09:50:42]ike_st_i_cert: Start
[Jan 11 09:50:42]ike_st_i_private: Start
[Jan 11 09:50:42]ike_st_o_sa_values: Start
[Jan 11 09:50:42]192.168.13.13:500 (Responder) <-> 172.18.2.12:13381 { 1e43c8f5 a7c32dde - cc1e1a0c 5c50c18c [-1] / 0x00000000 } IP; Error = No proposal chosen (14)
[Jan 11 09:50:42]ike_alloc_negotiation: Start, SA = { 1e43c8f5 a7c32dde - cc1e1a0c 5c50c18c}
[Jan 11 09:50:42]ike_encode_packet: Start, SA = { 0x1e43c8f5 a7c32dde - cc1e1a0c 5c50c18c } / ed27062e, nego = 0
[Jan 11 09:50:42]ike_send_packet: Start, send SA = { 1e43c8f5 a7c32dde - cc1e1a0c 5c50c18c}, nego = 0, dst = 172.18.2.12:13381, routing table id = 0
[Jan 11 09:50:42]ike_delete_negotiation: Start, SA = { 1e43c8f5 a7c32dde - cc1e1a0c 5c50c18c}, nego = 0
[Jan 11 09:50:42]ike_free_negotiation_info: Start, nego = 0
[Jan 11 09:50:42]ike_free_negotiation: Start, nego = 0
[Jan 11 09:50:42] IKEv1 Error : No proposal chosen
[Jan 11 09:50:46]ikev2_packet_allocate: Allocated packet 8c23c00 from freelist
[Jan 11 09:50:46]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[Jan 11 09:50:46]ike_get_sa: Start, SA = { 40d8144b 395a44e2 - 00000000 00000000 } / 00000000, remote = 172.18.2.12:13381
[Jan 11 09:50:46]ike_sa_allocate: Start, SA = { 40d8144b 395a44e2 - 89bcc7a3 7e0186ae }
[Jan 11 09:50:46]ike_init_isakmp_sa: Start, remote = 172.18.2.12:13381, initiator = 0
[Jan 11 09:50:46]ike_decode_packet: Start
[Jan 11 09:50:46]ike_decode_packet: Start, SA = { 40d8144b 395a44e2 - 5bb4acb6 653d01f3} / 00000000, nego = -1
[Jan 11 09:50:46]ike_decode_payload_sa: Start
[Jan 11 09:50:46]ike_decode_payload_t: Start, # trans = 1
[Jan 11 09:50:46]ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 ...
[Jan 11 09:50:46]ike_st_i_vid: VID[0..16] = 27bab5dc 01ea0760 ...
[Jan 11 09:50:46]ike_st_i_vid: VID[0..16] = 6105c422 e76847e4 ...
[Jan 11 09:50:46]ike_st_i_vid: VID[0..16] = 4485152d 18b6bbcd ...
[Jan 11 09:50:46]ike_st_i_vid: VID[0..16] = cd604643 35df21f8 ...
[Jan 11 09:50:46]ike_st_i_vid: VID[0..16] = 90cb8091 3ebb696e ...
[Jan 11 09:50:46]ike_st_i_vid: VID[0..16] = 7d9419a6 5310ca6f ...
[Jan 11 09:50:46]ike_st_i_vid: VID[0..16] = 4a131c81 07035845 ...
[Jan 11 09:50:46]ike_st_i_vid: VID[0..28] = 69936922 8741c6d4 ...
[Jan 11 09:50:46]ike_st_i_sa_proposal: Start
[Jan 11 09:50:46]ikev2_fb_spd_select_sa_cb: IKEv2 SA select failed with error No proposal chosen (neg 8c78800)
[Jan 11 09:50:46]ike_isakmp_sa_reply: Start
[Jan 11 09:50:46]ike_state_restart_packet: Start, restart packet SA = { 40d8144b 395a44e2 - 5bb4acb6 653d01f3}, nego = -1
[Jan 11 09:50:46]ike_st_i_sa_proposal: Start
[Jan 11 09:50:46]ike_st_i_cr: Start
[Jan 11 09:50:46]ike_st_i_cert: Start
[Jan 11 09:50:46]ike_st_i_private: Start
[Jan 11 09:50:46]ike_st_o_sa_values: Start
[Jan 11 09:50:46]192.168.13.13:500 (Responder) <-> 172.18.2.12:13381 { 40d8144b 395a44e2 - 5bb4acb6 653d01f3 [-1] / 0x00000000 } IP; Error = No proposal chosen (14)
[Jan 11 09:50:46]ike_alloc_negotiation: Start, SA = { 40d8144b 395a44e2 - 5bb4acb6 653d01f3}
[Jan 11 09:50:46]ike_encode_packet: Start, SA = { 0x40d8144b 395a44e2 - 5bb4acb6 653d01f3 } / f11da604, nego = 0
[Jan 11 09:50:46]ike_send_packet: Start, send SA = { 40d8144b 395a44e2 - 5bb4acb6 653d01f3}, nego = 0, dst = 172.18.2.12:13381, routing table id = 0
[Jan 11 09:50:46]ike_delete_negotiation: Start, SA = { 40d8144b 395a44e2 - 5bb4acb6 653d01f3}, nego = 0
[Jan 11 09:50:46]ike_free_negotiation_info: Start, nego = 0
[Jan 11 09:50:46]ike_free_negotiation: Start, nego = 0
[Jan 11 09:50:46] IKEv1 Error : No proposal chosen
A tcpdump -nv of the whole issue, again taken on the link between SRX-11 and SRX-12 (so before the NAT, which is why the addresses still appear untranslated), shows the IKE sessions failing: each Phase 1 initiation from 192.168.11.11 is answered by an informational exchange carrying NO-PROPOSAL-CHOSEN.
TCPDUMP of NAT'ed IKE Session Failing
10:48:56.912589 IP (tos 0xc0, ttl 64, id 5427, offset 0, flags [none], proto UDP (17), length 104)
    192.168.11.11.500 > 192.168.13.13.500: [udp sum ok] isakmp 1.0 msgid 61a69740 cookie 4165a4240d2ccb93->4a49d523b96f8633: phase 2/others ? inf[E]: [encrypted hash]
10:50:08.887978 IP (tos 0xc0, ttl 64, id 5528, offset 0, flags [none], proto UDP (17), length 120)
    192.168.11.11.500 > 192.168.13.13.500: [udp sum ok] isakmp 1.0 msgid 4e871ede cookie 4165a4240d2ccb93->4a49d523b96f8633: phase 2/others ? inf[E]: [encrypted hash]
10:50:35.913316 IP (tos 0xc0, ttl 64, id 5594, offset 0, flags [none], proto UDP (17), length 316)
    192.168.11.11.500 > 192.168.13.13.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie e421c3569493d275->0000000000000000: phase 1 I ident: (sa: doi=ipsec situation=identity (p: #1 protoid=isakmp transform=1 spi=e421c3569493d275 (t: #0 id=ike (type=enc value=aes)(type=keylen value=0080)(type=group desc value=modp768)(type=hash value=sha1)(type=lifetype value=sec)(type=lifeduration len=4 value=000000b4)(type=auth value=preshared)))) (vid: len=16) (vid: len=16) (vid: len=16) (vid: len=16) (vid: len=16) (vid: len=16) (vid: len=16) (vid: len=16) (vid: len=28)
10:50:35.927323 IP (tos 0xc0, ttl 63, id 6650, offset 0, flags [none], proto UDP (17), length 130)
    192.168.13.13.500 > 192.168.11.11.500: [udp sum ok] isakmp 1.0 msgid fe429800 cookie e421c3569493d275->658d7a4a151532a0: phase 2/others R inf: (n: doi=ipsec proto=isakmp type=NO-PROPOSAL-CHOSEN spi=e421c3569493d275658d7a4a151532a0 orig=( ())
10:50:39.923253 IP (tos 0xc0, ttl 64, id 5620, offset 0, flags [none], proto UDP (17), length 316)
    192.168.11.11.500 > 192.168.13.13.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie 13e721e9a85bb191->0000000000000000: phase 1 I ident: (sa: doi=ipsec situation=identity (p: #1 protoid=isakmp transform=1 spi=13e721e9a85bb191 (t: #0 id=ike (type=enc value=aes)(type=keylen value=0080)(type=group desc value=modp768)(type=hash value=sha1)(type=lifetype value=sec)(type=lifeduration len=4 value=000000b4)(type=auth value=preshared)))) (vid: len=16) (vid: len=16) (vid: len=16) (vid: len=16) (vid: len=16) (vid: len=16) (vid: len=16) (vid: len=16) (vid: len=28)
10:50:39.937344 IP (tos 0xc0, ttl 63, id 6659, offset 0, flags [none], proto UDP (17), length 130)
    192.168.13.13.500 > 192.168.11.11.500: [udp sum ok] isakmp 1.0 msgid 524d6607 cookie 13e721e9a85bb191->97bfa64c604bac3f: phase 2/others R inf: (n: doi=ipsec proto=isakmp type=NO-PROPOSAL-CHOSEN spi=13e721e9a85bb19197bfa64c604bac3f orig=( ())
10:50:43.933266 IP (tos 0xc0, ttl 64, id 5634, offset 0, flags [none], proto UDP (17), length 316)
    192.168.11.11.500 > 192.168.13.13.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie 1e43c8f5a7c32dde->0000000000000000: phase 1 I ident: (sa: doi=ipsec situation=identity (p: #1 protoid=isakmp transform=1 spi=1e43c8f5a7c32dde (t: #0 id=ike (type=enc value=aes)(type=keylen value=0080)(type=group desc value=modp768)(type=hash value=sha1)(type=lifetype value=sec)(type=lifeduration len=4 value=000000b4)(type=auth value=preshared)))) (vid: len=16) (vid: len=16) (vid: len=16) (vid: len=16) (vid: len=16) (vid: len=16) (vid: len=16) (vid: len=16) (vid: len=28)
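The same failure pattern can be pulled out of a capture automatically by pairing each Phase 1 initiation with the NO-PROPOSAL-CHOSEN reply that carries the same initiator cookie. The script below is an added example, not part of the original page or of tcpdump; the sample records are the packets from the capture above with the proposal payload shortened, and the record parsing (tcpdump -nv prints one IP header line followed by an indented ISAKMP line) and the result shape are my own.

```python
"""Pair IKEv1 Phase 1 initiations with NO-PROPOSAL-CHOSEN replies in tcpdump -nv output.

Added example, not from the original page. A Phase 1 attempt is identified by
its initiator cookie; a later informational exchange with the same initiator
cookie and a NO-PROPOSAL-CHOSEN notify marks that attempt as rejected.
"""
import re

# Sample constructed from the capture shown on this page (proposal payload trimmed).
SAMPLE_DUMP = """\
10:50:35.913316 IP (tos 0xc0, ttl 64, id 5594, offset 0, flags [none], proto UDP (17), length 316)
    192.168.11.11.500 > 192.168.13.13.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie e421c3569493d275->0000000000000000: phase 1 I ident: (sa: doi=ipsec situation=identity (p: #1 protoid=isakmp transform=1 spi=e421c3569493d275 (t: #0 id=ike (type=enc value=aes)(type=hash value=sha1)(type=auth value=preshared))))
10:50:35.927323 IP (tos 0xc0, ttl 63, id 6650, offset 0, flags [none], proto UDP (17), length 130)
    192.168.13.13.500 > 192.168.11.11.500: [udp sum ok] isakmp 1.0 msgid fe429800 cookie e421c3569493d275->658d7a4a151532a0: phase 2/others R inf: (n: doi=ipsec proto=isakmp type=NO-PROPOSAL-CHOSEN spi=e421c3569493d275658d7a4a151532a0 orig=( ())
10:50:39.923253 IP (tos 0xc0, ttl 64, id 5620, offset 0, flags [none], proto UDP (17), length 316)
    192.168.11.11.500 > 192.168.13.13.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie 13e721e9a85bb191->0000000000000000: phase 1 I ident: (sa: doi=ipsec situation=identity (p: #1 protoid=isakmp transform=1 spi=13e721e9a85bb191 (t: #0 id=ike (type=enc value=aes)(type=hash value=sha1)(type=auth value=preshared))))
10:50:39.937344 IP (tos 0xc0, ttl 63, id 6659, offset 0, flags [none], proto UDP (17), length 130)
    192.168.13.13.500 > 192.168.11.11.500: [udp sum ok] isakmp 1.0 msgid 524d6607 cookie 13e721e9a85bb191->97bfa64c604bac3f: phase 2/others R inf: (n: doi=ipsec proto=isakmp type=NO-PROPOSAL-CHOSEN spi=13e721e9a85bb19197bfa64c604bac3f orig=( ())
10:50:43.933266 IP (tos 0xc0, ttl 64, id 5634, offset 0, flags [none], proto UDP (17), length 316)
    192.168.11.11.500 > 192.168.13.13.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie 1e43c8f5a7c32dde->0000000000000000: phase 1 I ident: (sa: doi=ipsec situation=identity (p: #1 protoid=isakmp transform=1 spi=1e43c8f5a7c32dde (t: #0 id=ike (type=enc value=aes)(type=hash value=sha1)(type=auth value=preshared))))
"""

HEADER_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP ")
ISAKMP_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r".*?isakmp 1\.0 msgid (?P<msgid>[0-9a-f]{8}) "
    r"cookie (?P<icookie>[0-9a-f]{16})->(?P<rcookie>[0-9a-f]{16}): (?P<body>.*)$"
)


def iter_records(dump):
    """Yield (timestamp, isakmp_text) per packet, joining indented continuation lines."""
    ts, parts = None, []
    for line in dump.splitlines():
        if line[:1].isspace():          # continuation of the current packet
            parts.append(line.strip())
            continue
        if ts is not None:
            yield ts, " ".join(parts)
        m = HEADER_RE.match(line)       # a new packet starts with its timestamp
        ts, parts = (m.group("ts") if m else None), []
    if ts is not None:
        yield ts, " ".join(parts)


def phase1_outcomes(dump):
    """Return rejected Phase 1 attempts (matched by initiator cookie) and unanswered ones."""
    pending, rejected = {}, []
    for ts, text in iter_records(dump):
        m = ISAKMP_RE.search(text)
        if not m:
            continue
        ic, body = m.group("icookie"), m.group("body")
        if "phase 1 I ident" in body:
            pending[ic] = {"sent": ts, "initiator": m.group("src"), "responder": m.group("dst")}
        elif "NO-PROPOSAL-CHOSEN" in body and ic in pending:
            attempt = pending.pop(ic)
            attempt.update(icookie=ic, rcookie=m.group("rcookie"), rejected=ts)
            rejected.append(attempt)
    return {"rejected": rejected, "unanswered": list(pending)}


if __name__ == "__main__":
    result = phase1_outcomes(SAMPLE_DUMP)
    for a in result["rejected"]:
        print("%s -> %s: Phase 1 %s sent %s, NO-PROPOSAL-CHOSEN at %s"
              % (a["initiator"], a["responder"], a["icookie"], a["sent"], a["rejected"]))
    print("unanswered:", result["unanswered"])
```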
And, worst of all from the client's perspective, the VPN is now broken. The user on the client describes the situation as "Pingy no worky!"
loss of connectivity over IPSEC VPN from client
juniper@client:~$ ping -c 100 10.80.80.80
PING 10.80.80.80 (10.80.80.80) 56(84) bytes of data.

--- 10.80.80.80 ping statistics ---
100 packets transmitted, 0 received, 100% packet loss, time 99790ms
juniper@client:~$