Cisco PIX to Juniper Netscreen Policy-based VPN fails Phase 2 Proposal

Tags: cisco, cisco-pix, juniper, netscreen, vpn

I've followed the instructions to configure a VPN between a Netscreen device and a Cisco PIX as directed by Cisco's [netscreen to PIX VPN](http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801c4445.shtml) article.

The only differences are that I'm running PIX 6.3(5) and Juniper Netscreen 6.1.0r2.0 (Firewall+VPN). I followed both configurations exactly, and when I try to connect, the Juniper returns with:

2010-02-21 12:54:28  information IKE: Removed Phase 2 SAs after receiving a notification message. 
2010-02-21 12:54:28  information IKE pix_public_IP: Received a notification message for DOI 1 14 NO-PROPOSAL-CHOSEN. 
2010-02-21 12:54:28  information IKE pix_public_IP Phase 2: Initiated negotiations. 

On the Netscreen, I've created a Phase 2 Proposal called ToCorpOffice using DH Group#2, 3DES-CBC, and SHA-1, and when configuring the AutoKey IKE, I chose ToCorpOffice and removed all other transforms. I believe I've configured the same on the PIX with:

sysopt connection permit-ipsec
crypto ipsec transform-set mytrans esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address nonat
crypto map mymap 10 set pfs group2
crypto map mymap 10 set peer netscreen_public_ip
crypto map mymap 10 set transform-set mytrans
crypto map mymap interface outside

Saved that and rebooted, so here's the cryptomap info:
PIX-FW1# show crypto map

Crypto Map: "mymap" interfaces: { outside }

Crypto Map "mymap" 10 ipsec-isakmp
    Peer = netscreen_public_ip
    access-list nonat; 1 elements
    access-list nonat line 1 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 (hitcnt=0)
    Current peer: netscreen_public_ip
    Security association lifetime: 4608000 kilobytes/28800 seconds
    PFS (Y/N): Y
    DH group:  group2
    Transform sets={ mytrans, }
PIX-FW1#

Any idea why I'm getting a NO-PROPOSAL-CHOSEN error?

Best Answer

Most times I've seen this problem, it was due to encryption domain (proxy ID) mismatch. Because you're using a policy-based VPN on the Juniper side and not a route-based VPN, you're going to see the Juniper side try to set up IPSec SAs that match the policies. For example, if your Juniper policy looks like:

set policy id 50 from "Untrust" to "Trust" "ext-192.168.1.50" "int-192.168.2.50" "HTTP"...

The policy-based VPN config will expect the ASA to try to establish a host-to-host IPSec SA that goes from 192.168.1.50 to 192.168.2.50, while the ASA is trying to establish a tunnel that goes from 192.168.2.0/24 to 192.168.1.0/24.

I can't know for sure that this is the case with your configuration because you don't post the policies from the Juniper side, but this is the problem I've seen most often with symptoms similar to yours. The easiest solution would be to modify the access-list on the ASA to match the policies on the Juniper firewall (with the caveat that it still needs to be "permit ip" instead of specifying L4+ protocols, since you're specifying just the proxy ID).
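As an added check (example code written for this page, not from the original post, the answerer, or either vendor), the following Python derives the proxy IDs the PIX will use from its crypto ACL and the ones the Netscreen will use from a policy, mirrors them the way the answer describes, and reports whether they agree. The sample lines and the address-book entries behind the policy's named objects are constructed from the question and answer above.

```python
import ipaddress
import re

# Constructed sample input, modelled on the question and the answer above.
PIX_ACL_LINE = ("access-list nonat line 1 permit ip 192.168.1.0 255.255.255.0 "
                "192.168.2.0 255.255.255.0 (hitcnt=0)")
# A corrected ACL, narrowed to the hosts the Netscreen policy names (constructed).
FIXED_PIX_ACL_LINE = ("access-list nonat line 1 permit ip 192.168.1.50 255.255.255.255 "
                      "192.168.2.50 255.255.255.255 (hitcnt=0)")
NETSCREEN_POLICY = ('set policy id 50 from "Untrust" to "Trust" '
                    '"ext-192.168.1.50" "int-192.168.2.50" "HTTP"')
# Hypothetical Netscreen address-book entries for the objects the policy refers to.
ADDRESS_BOOK = {"ext-192.168.1.50": "192.168.1.50/32", "int-192.168.2.50": "192.168.2.50/32"}


def pix_proxy_id(acl_line):
    """Return (local, remote) networks the PIX derives from a 'permit ip' crypto ACL entry.
    The ACL is written from the PIX's perspective: source = local, destination = remote."""
    m = re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)", acl_line)
    if not m:
        raise ValueError("not a 'permit ip' crypto ACL entry: %r" % acl_line)
    local = ipaddress.ip_network("%s/%s" % (m.group(1), m.group(2)))
    remote = ipaddress.ip_network("%s/%s" % (m.group(3), m.group(4)))
    return local, remote


def netscreen_proxy_id(policy_line, book):
    """Return (local, remote) networks from the Netscreen's perspective.
    For a policy from Untrust to Trust the source object sits on the far side of the
    tunnel, so the Trust-side destination object is the Netscreen's local proxy ID."""
    m = re.search(r'from "(\w+)" to "(\w+)" "([^"]+)" "([^"]+)"', policy_line)
    if not m:
        raise ValueError("unrecognised policy line: %r" % policy_line)
    src = ipaddress.ip_network(book[m.group(3)])
    dst = ipaddress.ip_network(book[m.group(4)])
    if m.group(1) == "Untrust" and m.group(2) == "Trust":
        return dst, src          # inbound policy: destination is local
    return src, dst              # outbound policy: source is local


def proxy_ids_match(pix_line, policy_line, book):
    """True only when each side's local network equals the other side's remote network.
    A /24 on the PIX against a /32 host object on the Netscreen is a mismatch, which is
    exactly the case that produces NO-PROPOSAL-CHOSEN in Phase 2."""
    pix_local, pix_remote = pix_proxy_id(pix_line)
    ns_local, ns_remote = netscreen_proxy_id(policy_line, book)
    return pix_local == ns_remote and pix_remote == ns_local


if __name__ == "__main__":
    print("original ACL matches policy:", proxy_ids_match(PIX_ACL_LINE, NETSCREEN_POLICY, ADDRESS_BOOK))
    print("narrowed ACL matches policy:", proxy_ids_match(FIXED_PIX_ACL_LINE, NETSCREEN_POLICY, ADDRESS_BOOK))
```

Run against the question's ACL the check reports a mismatch (192.168.1.0/24 versus the 192.168.1.50/32 host object); against the narrowed ACL it reports a match, which is the adjustment the answer recommends.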