Mikrotik (dynamic IP) IPsec with Juniper SRX

Hello,

I have a task to configure a VPN tunnel from a Mikrotik router to a Juniper SRX. The Mikrotik will have a dynamic IP address.
I've now finished the configuration of an IPsec tunnel with static IPs on both sides of the tunnel. It works fine.
Then I configured it with a dynamic IP; the provider gives a domain name instead of an IP address, like D4CA6D168723.domain.ru.
The Juniper now has:
set security ike gateway branch-ike-gate dynamic hostname D4CA6D168723.domain.ru
On the Mikrotik I tested the working config with My FQDN = D4CA6D168723.domain.ru; it didn't work.
Then I used this config:
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=3des
add auth-algorithms=md5 enc-algorithms=3des name=juniper
/ip ipsec peer
# Unsafe configuration, suggestion to use certificates
add address=srx_address dpd-interval=disable-dpd \
    dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=aggressive \
    hash-algorithm=md5 lifetime=30m secret=12345
/ip ipsec policy
add comment="dynamic ip" dst-address=172.16.10.0/24 proposal=juniper \
    sa-dst-address=srx_address sa-src-address=0.0.0.0 \
    src-address=192.168.88.0/24 tunnel=yes

Configs are added to this post.
The tunnel is now down, error in IKE phase 1.
Please help me with this task.

Enable ipsec debug logs and see where the error is.

Fatal NO-PROPOSAL-CHOSEN notify message, phase 1
Couldn’t find acceptable proposal.


And it begins to start a new negotiation. There is no match information to understand the problem.

You should look at the logs on the responder; that's where proposal matching takes place. And since your Mikrotik has a dynamic IP address, the SRX box is probably the responder in your case.
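
Added example, not part of the thread and not Junos or RouterOS code: a simplified Python model of responder-side IKEv1 phase 1 proposal selection. It shows why the initiator only ever sees NO-PROPOSAL-CHOSEN while the attribute-by-attribute mismatch is visible on the responder. The DH group in the Mikrotik offer and the whole SRX proposal (`hypothetical-branch-proposal`) are constructed assumptions, since the thread does not show them.

```python
# Added illustration: how an IKEv1 responder picks a phase 1 proposal.
# Simplified model; not Junos or RouterOS code.

# The four phase 1 attributes both peers must agree on (RFC 2409).
ATTRS = ("encryption", "hash", "auth_method", "dh_group")

def select_proposal(offered, configured):
    """Compare each offered transform with each local proposal.

    Returns (name, report): name is the first local proposal that matches
    on every attribute, or None, which is the case where the responder
    sends NO-PROPOSAL-CHOSEN. report lists, per comparison, the attributes
    that differed; this detail exists only on the responder.
    """
    report = []
    for number, offer in enumerate(offered, start=1):
        for name, local in configured.items():
            diffs = {a: (offer[a], local[a]) for a in ATTRS if offer[a] != local[a]}
            if not diffs:
                return name, report
            report.append((number, name, diffs))
    return None, report

# Initiator offer built from the Mikrotik peer in the post (3des, md5,
# pre-shared secret). dh_group is an ASSUMPTION: the post does not set it.
MIKROTIK_OFFER = [{"encryption": "3des", "hash": "md5",
                   "auth_method": "pre-shared-key", "dh_group": "group2"}]

# CONSTRUCTED responder policy: the SRX IKE proposal is not shown in the thread.
SRX_CONFIGURED = {
    "hypothetical-branch-proposal": {"encryption": "aes-128-cbc", "hash": "sha1",
                                     "auth_method": "pre-shared-key", "dh_group": "group2"},
}

def explain(offered, configured):
    """Render the responder-side view as log-style lines."""
    chosen, report = select_proposal(offered, configured)
    lines = [f"offer #{n} vs {name}: " +
             ", ".join(f"{a} peer={peer} local={ours}" for a, (peer, ours) in diffs.items())
             for n, name, diffs in report]
    lines.append(f"selected {chosen}" if chosen else "NO-PROPOSAL-CHOSEN")
    return lines

if __name__ == "__main__":
    print("\n".join(explain(MIKROTIK_OFFER, SRX_CONFIGURED)))
```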