Juniper SSG20 unable to connect with Cloud (IPSec)


Article ID: 166679

Products

CDP Integration Server

Issue/Introduction

A Juniper SSG20 is unable to connect to the Cloud service using IPsec (Cloud Access Method).
Phase 1 (IKE SA negotiation) completes successfully.
Phase 2 (IPsec SA negotiation) fails with the error "NO-PROPOSAL-CHOSEN".
The Juniper SSG event log shows the following events:
IKE 199.19.248.164 Phase 1: Completed Main mode negotiations with a 28800-second lifetime.
IKE 199.19.248.164 Phase 2: Initiated negotiations.
IKE 199.19.248.164: Received a notification message for DOI 1 14 NO-PROPOSAL-CHOSEN.

Resolution

The Cloud peer returns "NO-PROPOSAL-CHOSEN" because the Phase 2 Proposal that the SSG sent is not one the Cloud accepts. The Phase 2 Proposal that failed was nopfs-esp-des-md5, which uses no PFS and single DES; according to the online documentation, that proposal is not supported. The documentation lists the acceptable proposals as: PRE-{G2 | G5}-{3DES | AES128 | AES256}-{MD5 | SHA1}.

HOW TO CHANGE THE PROPOSAL ON THE JUNIPER SSG

In the Juniper SSG admin interface, go to:

VPNs > AutoKey IKE

...click the "Edit" link (for the VPN in question)

...click the "Advanced" button

...under "Security Level", make sure that the "Phase 2 Proposal" is one of the Cloud-supported Phase 2 Proposals.

EXAMPLE of a valid Phase 2 Proposal: g2-esp-aes128-sha

Make sure that you verify this for each of the VPNs in the VPN Group.

TROUBLESHOOTING:

Review the Juniper SSG logs in the SSG admin interface by going to:

Reports > System Log > Event

Look for events such as these (a completed Phase 1 followed by a NO-PROPOSAL-CHOSEN notification during Phase 2 indicates a Phase 2 proposal mismatch):

IKE 199.19.248.164 Phase 1: Completed Main mode negotiations with a 28800-second lifetime.
IKE 199.19.248.164 Phase 2: Initiated negotiations.
IKE 199.19.248.164: Received a notification message for DOI 1 14 NO-PROPOSAL-CHOSEN.
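As an added example (not part of this article or of Juniper's own tooling), the following Python checks a ScreenOS Phase 2 proposal name against the supported set quoted in the Resolution, and scans SSG event-log lines for the Phase 1 success / Phase 2 NO-PROPOSAL-CHOSEN pattern from the Troubleshooting section. It assumes ScreenOS proposal names take the form <pfs>-esp-<cipher>-<hash>, with "nopfs" meaning no PFS and "sha" standing for SHA1, as in the article's example g2-esp-aes128-sha.

```python
import re

# Cloud-supported Phase 2 parameters quoted in the article:
# PRE-{G2 | G5}-{3DES | AES128 | AES256}-{MD5 | SHA1}.
# Assumption: ScreenOS writes the PFS group as "g2"/"g5" ("nopfs" = no PFS)
# and abbreviates SHA1 to "sha", as in the article's example g2-esp-aes128-sha.
SUPPORTED_PFS = {"g2", "g5"}
SUPPORTED_CIPHERS = {"3des", "aes128", "aes256"}
SUPPORTED_HASHES = {"md5", "sha"}
PROPOSAL_RE = re.compile(r"^(?P<pfs>nopfs|g\d+)-esp-(?P<cipher>[a-z0-9]+)-(?P<hash>[a-z0-9]+)$")

def check_phase2_proposal(name: str) -> list:
    """Return the reasons a ScreenOS Phase 2 proposal name would be rejected
    by the Cloud peer; an empty list means the proposal is acceptable."""
    m = PROPOSAL_RE.match(name.strip().lower())
    if not m:
        return [f"unrecognised proposal format: {name!r}"]
    problems = []
    if m["pfs"] not in SUPPORTED_PFS:
        problems.append(f"PFS group {m['pfs']!r} not supported (need g2 or g5)")
    if m["cipher"] not in SUPPORTED_CIPHERS:
        problems.append(f"cipher {m['cipher']!r} not supported (need 3des, aes128 or aes256)")
    if m["hash"] not in SUPPORTED_HASHES:
        problems.append(f"hash {m['hash']!r} not supported (need md5 or sha)")
    return problems

# Event-log lines exactly as shown in the article (the peer address is the article's).
SAMPLE_LOG = [
    "IKE 199.19.248.164 Phase 1: Completed Main mode negotiations with a 28800-second lifetime.",
    "IKE 199.19.248.164 Phase 2: Initiated negotiations.",
    "IKE 199.19.248.164: Received a notification message for DOI 1 14 NO-PROPOSAL-CHOSEN.",
]
LOG_RE = re.compile(r"^IKE (?P<peer>[^\s:]+):? (?P<rest>.*)$")

def diagnose_ike_log(lines) -> dict:
    """Summarise SSG IKE events: Phase 1 completed, Phase 2 initiated, and
    whether the peer answered NO-PROPOSAL-CHOSEN (a Phase 2 proposal mismatch)."""
    state = {"peer": None, "phase1_ok": False, "phase2_started": False, "no_proposal_chosen": False}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not an IKE event line
        state["peer"] = m["peer"]
        if m["rest"].startswith("Phase 1: Completed"):
            state["phase1_ok"] = True
        elif m["rest"].startswith("Phase 2: Initiated"):
            state["phase2_started"] = True
        elif "NO-PROPOSAL-CHOSEN" in m["rest"]:
            state["no_proposal_chosen"] = True
    # The article's signature: Phase 1 succeeded, Phase 2 was rejected outright.
    state["phase2_proposal_mismatch"] = state["phase1_ok"] and state["phase2_started"] and state["no_proposal_chosen"]
    return state
```

Run check_phase2_proposal() against each VPN's configured Phase 2 Proposal before re-testing the tunnel; any non-empty result names the parameter that must change.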