I am having a problem establishing an IPsec connection to a Juniper. It seems we get past phase 1 OK, but for phase 2 I am getting NO-PROPOSAL-CHOSEN.
The guy on the other end told me he does to see a proposal being sent.
log:
[admin@MikroTik] >
(140 messages discarded)
echo: ipsec,debug,packet 0004f4d4 43be
echo: ipsec,debug,packet hmac(hmac_sha1)
echo: ipsec,debug,packet HASH computed:
echo: ipsec,debug,packet 3f8bb86c a7f70ab8 47cdd83c 24c07e90 b2e422d8
echo: ipsec,debug,packet hash validated.
echo: ipsec,debug,packet begin.
echo: ipsec,debug,packet seen nptype=8(hash)
echo: ipsec,debug,packet seen nptype=11(notify)
echo: ipsec,debug,packet succeed.
echo: ipsec,debug fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
echo: ipsec,debug,packet notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=2 spi=0dde067d(size=4).
echo: ipsec,debug Message: '"Could not find acceptable proposal C '.
[admin@MikroTik] /ip ipsec statistics> /ip ipsec peer print
Flags: X - disabled
0 address=x.x.x.x/32 port=500 auth-method=pre-shared-key secret="MIGfMA0GCSqGSIb3" generate-policy=yes exchange-mode=main
send-initial-contact=yes nat-traversal=no my-id-user-fqdn="" proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-256
dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=5
[admin@MikroTik] /ip ipsec statistics> /ip ipsec policy print
Flags: X - disabled, D - dynamic, I - inactive
0 src-address=x.x.x.x/32 src-port=any dst-address=x.x.x.x/32 dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=ah-esp tunnel=yes sa-src-address=x.x.x.x sa-dst-address=x.x.x.x proposal=limeproposal priority=0
[admin@MikroTik] /ip ipsec statistics>
[admin@MikroTik] /ip ipsec statistics> /ip ipsec proposal print
Flags: X - disabled
0 name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=1h pfs-group=modp1024
1 name="limeproposal" auth-algorithms=sha1 enc-algorithms=3des lifetime=1h pfs-group=modp1024
mrz
January 3, 2013, 9:51am
2
What is the Phase 2 config on juniper router?
The guy on the other end told me he has the following. I don’t have access to the config on the other end:
authentication-algorithm hmac-sha1-96;
encryption-algorithm 3des-cbc;
lifetime-seconds 3600;
mrz
January 4, 2013, 8:11am
4
If there is no PFS group specified on the Juniper, then also set pfs-group=none in your proposal.
We should be using PFS group 2. Did you see in the logs that he does not have one set on his end? The only thing I did not try is rebooting the router, because I have live traffic.
MikroTik settings
/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=1h name=default pfs-group=modp1024
add auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=1h name=LM pfs-group=modp1024
/ip ipsec peer
add address=x.x.x.180/32 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=disable-dpd dpd-maximum-failures=5 enc-algorithm=
aes-256 exchange-mode=main generate-policy=no hash-algorithm=sha1 lifebytes=0 lifetime=1d my-id-user-fqdn="" nat-traversal=no port=500
proposal-check=obey secret=MIGfMA0GCSqGSIb3 send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=x.x.x.50/32 dst-port=any ipsec-protocols=ah-esp level=require priority=0 proposal=LM protocol=all
sa-dst-address=x.x.x.180 sa-src-address=x.x.x.28 src-address=x.x.x.146/32 src-port=any tunnel=yes
add action=encrypt disabled=no dst-address=x.x.x.46/32 dst-port=any ipsec-protocols=ah-esp level=require priority=0 proposal=LM protocol=all
sa-dst-address=x.x.x.180 sa-src-address=x.x.x.28 src-address=x.x.x.146/32 src-port=any tunnel=yes
add action=encrypt disabled=no dst-address=x.x.x.50/32 dst-port=any ipsec-protocols=ah-esp level=require priority=0 proposal=LM protocol=all
sa-dst-address=x.x.x.180 sa-src-address=x.x.x.28 src-address=x.x.x.147/32 src-port=any tunnel=yes
add action=encrypt disabled=no dst-address=x.x.x.46/32 dst-port=any ipsec-protocols=ah-esp level=require priority=0 proposal=default protocol=all
sa-dst-address=x.x.x.180 sa-src-address=x.x.x.28 src-address=x.x.x.147/32 src-port=any tunnel=yes
Juniper settings
set security ike policy ACom mode main
set security ike policy ACom proposals sha-AES256-gr2-lf86
set security ike policy ACom pre-shared-key ascii-text "$9$FNd5nCpcSlXx-p0KWLXdVHq.5Q39CpBRc/C1EyrW8ws2oaUHqm"
set security ike gateway ACom-GATEWAY ike-policy ACom
set security ike gateway ACom-GATEWAY address x.x.x.28
set security ike gateway ACom-GATEWAY external-interface reth2.17
set security ipsec policy IPsec-ACom perfect-forward-secrecy keys group2
set security ipsec policy IPsec-ACom proposals 3des-sha1-lf36
set security ipsec vpn BAR-VPN-ACom ike gateway ACom-GATEWAY
set security ipsec vpn BAR-VPN-ACom ike ipsec-policy IPsec-ACom
set security ipsec vpn BAR-VPN-ACom establish-tunnels immediately
set security policies from-zone BAR-CORP-VPN to-zone BAR-CORP policy ACom-LM match source-address x.x.x.146/32
set security policies from-zone BAR-CORP-VPN to-zone BAR-CORP policy ACom-LM match destination-address x.x.x.50/32
set security policies from-zone BAR-CORP-VPN to-zone BAR-CORP policy ACom-LM match application any
set security policies from-zone BAR-CORP-VPN to-zone BAR-CORP policy ACom-LM then permit tunnel ipsec-vpn BAR-VPN-ACom
set security policies from-zone BAR-CORP-VPN to-zone BAR-CORP policy ACom-LM2 match source-address x.x.x.147/32
set security policies from-zone BAR-CORP-VPN to-zone BAR-CORP policy ACom-LM2 match destination-address x.x.x.50/32
set security policies from-zone BAR-CORP-VPN to-zone BAR-CORP policy ACom-LM2 match application any
set security policies from-zone BAR-CORP-VPN to-zone BAR-CORP policy ACom-LM2 then permit tunnel ipsec-vpn BAR-VPN-ACom
set security policies from-zone BAR-CORP-VPN to-zone BAR-CORP policy ACom-LM3 match source-address x.x.x.146/32
set security policies from-zone BAR-CORP-VPN to-zone BAR-CORP policy ACom-LM3 match destination-address x.x.x.46/32
set security policies from-zone BAR-CORP-VPN to-zone BAR-CORP policy ACom-LM3 match application any
set security policies from-zone BAR-CORP-VPN to-zone BAR-CORP policy ACom-LM3 then permit tunnel ipsec-vpn BAR-VPN-ACom
set security policies from-zone BAR-CORP-VPN to-zone BAR-CORP policy ACom-LM4 match source-address x.x.x.147/32
set security policies from-zone BAR-CORP-VPN to-zone BAR-CORP policy ACom-LM4 match destination-address x.x.x.46/32
set security policies from-zone BAR-CORP-VPN to-zone BAR-CORP policy ACom-LM4 match application any
set security policies from-zone BAR-CORP-VPN to-zone BAR-CORP policy ACom-LM4 then permit tunnel ipsec-vpn BAR-VPN-ACom
set security policies from-zone BAR-CORP to-zone BAR-CORP-VPN policy LM-ACom match source-address x.x.x.50/32
set security policies from-zone BAR-CORP to-zone BAR-CORP-VPN policy LM-ACom match destination-address x.x.x.146/32
set security policies from-zone BAR-CORP to-zone BAR-CORP-VPN policy LM-ACom match application any
set security policies from-zone BAR-CORP to-zone BAR-CORP-VPN policy LM-ACom then permit tunnel ipsec-vpn BAR-VPN-ACom
set security policies from-zone BAR-CORP to-zone BAR-CORP-VPN policy LM-ACom2 match source-address x.x.x.50/32
set security policies from-zone BAR-CORP to-zone BAR-CORP-VPN policy LM-ACom2 match destination-address x.x.x.147/32
set security policies from-zone BAR-CORP to-zone BAR-CORP-VPN policy LM-ACom2 match application any
set security policies from-zone BAR-CORP to-zone BAR-CORP-VPN policy LM-ACom2 then permit tunnel ipsec-vpn BAR-VPN-ACom
set security policies from-zone BAR-CORP to-zone BAR-CORP-VPN policy LM-ACom3 match source-address x.x.x.46/32
set security policies from-zone BAR-CORP to-zone BAR-CORP-VPN policy LM-ACom3 match destination-address x.x.x.146/32
set security policies from-zone BAR-CORP to-zone BAR-CORP-VPN policy LM-ACom3 match application any
set security policies from-zone BAR-CORP to-zone BAR-CORP-VPN policy LM-ACom3 then permit tunnel ipsec-vpn BAR-VPN-ACom
set security policies from-zone BAR-CORP to-zone BAR-CORP-VPN policy LM-ACom4 match source-address x.x.x.46/32
set security policies from-zone BAR-CORP to-zone BAR-CORP-VPN policy LM-ACom4 match destination-address x.x.x.147/32
set security policies from-zone BAR-CORP to-zone BAR-CORP-VPN policy LM-ACom4 match application any
set security policies from-zone BAR-CORP to-zone BAR-CORP-VPN policy LM-ACom4 then permit tunnel ipsec-vpn BAR-VPN-ACom
andriys
January 10, 2013, 10:28am
7
Try checking the SA lifetime settings as well, since they are part of the proposals. Pay attention that, as far as I remember, there is no way to specify SA lifetime bytes for phase 2 on RouterOS.
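As an added example, not code from the thread or from either vendor: a small Python checker that maps the RouterOS and Junos phase-2 names posted above onto one vocabulary (modp1024 is group2, 1h is 3600 seconds, sha1 is hmac-sha1-96, 3des is 3des-cbc) and reports only what actually differs, which is the side-by-side comparison the posted configs and the lifetime remark call for. The Junos protocol value (esp) in the sample is an assumption, because the thread never shows that proposal's protocol line.

```python
"""Added example (not from the thread): normalise RouterOS and Junos phase-2
(IPsec SA) proposal parameters into one vocabulary and report what differs."""
import re

# The two vendors spell the same phase-2 settings differently; map both to one name.
ROS_NAMES = {
    "auth": {"sha1": "hmac-sha1", "md5": "hmac-md5", "sha256": "hmac-sha256"},
    "enc": {"3des": "3des", "aes-128-cbc": "aes128", "aes-256-cbc": "aes256"},
    "pfs": {"none": "none", "modp1024": "group2", "modp1536": "group5", "modp2048": "group14"},
}
JUNOS_NAMES = {
    "auth": {"hmac-sha1-96": "hmac-sha1", "hmac-md5-96": "hmac-md5", "hmac-sha-256-128": "hmac-sha256"},
    "enc": {"3des-cbc": "3des", "aes-128-cbc": "aes128", "aes-256-cbc": "aes256"},
    "pfs": {"none": "none", "group2": "group2", "group5": "group5", "group14": "group14"},
}

def lifetime_seconds(value):
    """RouterOS writes lifetimes as '1h', '30m', '1d'; Junos lifetime-seconds is plain seconds."""
    m = re.fullmatch(r"(\d+)([dhms]?)", str(value))
    if not m:
        raise ValueError(f"unrecognised lifetime: {value!r}")
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}[m.group(2)]

def normalise(side, names):
    """Translate one vendor's phase-2 settings into the shared vocabulary."""
    return {
        "auth": names["auth"][side["auth"]],
        "enc": names["enc"][side["enc"]],
        "pfs": names["pfs"][side["pfs"]],
        "lifetime": lifetime_seconds(side["lifetime"]),
        # RouterOS ipsec-protocols=ah-esp asks for an AH SA and an ESP SA; a Junos proposal carries one protocol.
        "protocols": side["protocols"],
    }

def phase2_mismatches(routeros, junos):
    """Return {parameter: (routeros_value, junos_value)} for every parameter that differs."""
    a, b = normalise(routeros, ROS_NAMES), normalise(junos, JUNOS_NAMES)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

# Constructed sample mirroring the thread: proposal 'LM' and the policy's ipsec-protocols=ah-esp
# on the RouterOS side; the three values the peer admin quoted plus group2 PFS on the Junos side.
# 'esp' for Junos is an assumption: the thread never shows that proposal's protocol line.
MIKROTIK_SIDE = {"auth": "sha1", "enc": "3des", "pfs": "modp1024", "lifetime": "1h", "protocols": "ah-esp"}
JUNIPER_SIDE = {"auth": "hmac-sha1-96", "enc": "3des-cbc", "pfs": "group2", "lifetime": "3600", "protocols": "esp"}

if __name__ == "__main__":
    for param, (ours, theirs) in phase2_mismatches(MIKROTIK_SIDE, JUNIPER_SIDE).items():
        print(f"{param}: RouterOS={ours} Junos={theirs}")
```

With the sample values every algorithm, PFS group and lifetime lines up, so the only remaining difference the checker can report is the protocol set, which is where the posted RouterOS policies (ah-esp) deserve a second look.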