Juniper SRX IPsec NO_PROPOSAL_CHOSEN error

If you get a NO_PROPOSAL_CHOSEN error when setting up IPsec, check the external-interface in your IKE configuration.

Error status on the initiator side:
[edit security ike]
regress@vsrx2# run show security ipsec inactive-tunnels
Total inactive tunnels: 1
Total inactive tunnels with establish immediately: 1
ID          Port  Gateway              Pending SAs  Tunnel Down Reason
67108871    500   2001:db8:0:1001::1   1
  Negotiation failed with error code NO_PROPOSAL_CHOSEN received from peer (173 times)

IKE traceoptions output on the initiator side:

[Dec 4 20:21:44]---------> Received from 2001:db8:0:1001::1:500 to 2001:db8:0:1002::2:0, VR 0, length 36 on IF
[Dec 4 20:21:44]ikev2_packet_st_input_start: FSM_SET_NEXT:ikev2_packet_st_input_get_or_create_sa
[Dec 4 20:21:44]ikev2_packet_st_input_get_or_create_sa: FSM_SET_NEXT:ikev2_packet_st_verify
[Dec 4 20:21:44]ikev2_packet_st_input_get_or_create_sa: Received packet with zero responder IKE SPI I 1176655e 18156f37 - R 00000000 00000000
[Dec 4 20:21:44]ikev2_state_decode: FSM_SET_NEXT:ikev2_state_dispatch
[Dec 4 20:21:44]ikev2_list_packet_payloads: Receiving packet: HDR, N(NO_PROPOSAL_CHOSEN)
[Dec 4 20:21:44]IKEv2 packet R(<none>:500 <- 2001:db8:0:1001::1:500): len= 36, mID=0, HDR, N(NO_PROPOSAL_CHOSEN)
[Dec 4 20:21:44]ikev2_state_dispatch: FSM_SET_NEXT:ikev2_state_init_initiator_in
[Dec 4 20:21:44]ikev2_state_dispatch: [8fb3e00/8da6c00] Initiator side IKE_SA_INIT
[Dec 4 20:21:44]ikev2_state_init_initiator_in: FSM_SET_NEXT:ikev2_state_init_initiator_in_notify
[Dec 4 20:21:44]ikev2_state_init_initiator_in_notify: [8fb3e00/8da6c00] N(14) error found
[Dec 4 20:21:44]ikev2_state_error: [8fb3e00/8da6c00] Negotiation failed because of error No proposal chosen (14)
[Dec 4 20:21:44]IKE negotiation fail for local:2001:db8:0:1002::2, remote:2001:db8:0:1001::1 IKEv2 with status: No proposal chosen
[Dec 4 20:21:44]IPSec negotiation failed for SA-CFG GT-ADVPN-advpn-67108870 for local:2001:db8:0:1002::2, remote:2001:db8:0:1001::1 IKEv2. status: No proposal chosen
[Dec 4 20:21:44] P2 ed info: flags 0x8842, P2 error: Error ok
[Dec 4 20:21:44]IKE SA delete called for p1 sa 1781917 (ref cnt 2) local:2001:db8:0:1002::2, remote:2001:db8:0:1001::1, IKEv2
[Dec 4 20:21:44]Freeing all P2 SAs for IKEv2 p1 SA 1781917 

IKE and interface configuration on the initiator side:

[edit security ike]
regress@vsrx2# show
traceoptions {
    file ike-vsrx2.txt;
    flag all;
}
proposal P1-Proposal {
    authentication-method ecdsa-signatures-384;
    dh-group group2;
    authentication-algorithm sha-384;
    encryption-algorithm aes-256-cbc;
}
policy ike-pol-advpn {
    mode main;
    proposals P1-Proposal;
    certificate {
        local-certificate SPOKE1-VSRX2;
    }
}
gateway advpn {
    ike-policy ike-pol-advpn;
    address 2001:db8:0:1001::1;
    local-identity distinguished-name;
    remote-identity distinguished-name container OU=SE;
    external-interface ge-0/0/0.0;
    local-address 2001:db8:0:1002::2;
    advpn {
        suggester {
            disable;
        }
        partner;
    }
    version v2-only;
}

[edit]
regress@vsrx2# show interfaces ge-0/0/0
description to-internet;
unit 0 {
    family inet6 {
        address 2001:db8:0:1002::2/64;
    }
}

Error status on the responder side:

[edit]
regress@vsrx1# run show security ipsec inactive-tunnels
Total inactive tunnels: 1
Total inactive tunnels with establish immediately: 0
ID          Port  Gateway              Pending SAs  Tunnel Down Reason
131073      500                        1            External interface's IP address is not available (1 times)

IKE traceoptions output on the responder side:

[Dec 4 20:23:44]---------> Received from 2001:db8:0:1002::2:500 to 2001:db8:0:1001::1:0, VR 0, length 334 on IF
[Dec 4 20:23:44]ikev2_packet_st_input_start: FSM_SET_NEXT:ikev2_packet_st_input_get_or_create_sa
[Dec 4 20:23:44]ikev2_packet_st_input_get_or_create_sa: [8fb3500/0] No IKE SA for packet; requesting permission to create one.
[Dec 4 20:23:44]ikev2_packet_st_input_get_or_create_sa: FSM_SET_NEXT:ikev2_packet_st_connect_decision
[Dec 4 20:23:44]ikev2_packet_st_connect_decision: FSM_SET_NEXT:ikev2_packet_st_allocated
[Dec 4 20:23:44]ikev2_packet_st_allocated: FSM_SET_NEXT:ikev2_packet_st_verify
[Dec 4 20:23:44]ikev2_state_decode: FSM_SET_NEXT:ikev2_state_dispatch
[Dec 4 20:23:44]ikev2_list_packet_payloads: Receiving packet: HDR, SA, KE, Nonce, N(RESERVED), N(FRAGMENTATION_SUPPORTED), Vid, Vid, Vid
[Dec 4 20:23:44]IKEv2 packet R(<none>:500 <- 2001:db8:0:1002::2:500): len= 334, mID=0, HDR, SA, KE, Nonce, N(RESERVED), N(FRAGMENTATION_SUPPORTED), Vid, Vid, Vid
[Dec 4 20:23:44]ikev2_state_dispatch: FSM_SET_NEXT:ikev2_state_init_responder_in
[Dec 4 20:23:44]ikev2_state_dispatch: [8fb3500/8da7100] Responder side IKE_SA_INIT
[Dec 4 20:23:44]ikev2_state_init_responder_in: FSM_SET_NEXT:ikev2_state_init_responder_in_cookie
[Dec 4 20:23:44]ikev2_state_init_responder_in_cookie: FSM_SET_NEXT:ikev2_state_init_responder_in_sa
[Dec 4 20:23:44]ikev2_state_init_responder_in_sa: FSM_SET_NEXT:ikev2_state_init_responder_in_ke
[Dec 4 20:23:44]iked_pm_ike_spd_select_ike_sa failed. rc 1, error_code: No proposal chosen
[Dec 4 20:23:44]ikev2_select_sa_reply: [8fb3500/8da7100] Error: SA select failed: 14
[Dec 4 20:23:44]ikev2_state_error: [8fb3500/8da7100] Negotiation failed because of error No proposal chosen (14)
[Dec 4 20:23:44]IKE negotiation fail for local:2001:db8:0:1001::1, remote:2001:db8:0:1002::2 IKEv2 with status: No proposal chosen
[Dec 4 20:23:44]ikev2_list_packet_payloads: Sending packet: HDR, N(NO_PROPOSAL_CHOSEN)
[Dec 4 20:23:44]IKEv2 packet S(<none>:500 -> 2001:db8:0:1002::2:500): len= 36, mID=0, HDR, N(NO_PROPOSAL_CHOSEN)
[Dec 4 20:23:44]ikev2_state_send_unprotected_error: FSM_SET_NEXT:ikev2_state_send
[Dec 4 20:23:44]ikev2_packet_st_send_request_address: FSM_SET_NEXT:ikev2_packet_st_send

IKE and interface configuration on the responder side:

regress@vsrx1# show security ike
traceoptions {
    file ike-vsrx1.txt;
    flag all;
}
proposal P1-Proposal {
    authentication-method ecdsa-signatures-384;
    dh-group group2;
    authentication-algorithm sha-384;
    encryption-algorithm aes-256-cbc;
}
policy ike-pol-advpn {
    mode main;
    proposals P1-Proposal;
    certificate {
        local-certificate HUB-VSRX1;
    }
}
gateway advpn {
    ike-policy ike-pol-advpn;
    dynamic {
        distinguished-name {
            wildcard OU=SE;
        }
        ike-user-type group-ike-id;
    }
    local-identity distinguished-name;
    external-interface ge-0/0/0.0;
    local-address 2001:db8:0:1001::1;
    advpn {
        suggester;
        partner {
            disable;
        }
    }
    version v2-only;
}

[edit]
regress@vsrx1# show interfaces ge-0/0/0
description to-internet;
unit 0 {
    family inet6 {
        address 2001:db8:0:1001::1/64;
    }
}

How to fix this issue

Set external-interface to "ge-0/0/0", not "ge-0/0/0.0".

The sample below is from the initiator side.

gateway advpn {
    ike-policy ike-pol-advpn;
    address 2001:db8:0:1001::1;
    local-identity distinguished-name;
    remote-identity distinguished-name container OU=SE;
    external-interface ge-0/0/0;
    local-address 2001:db8:0:1002::2;
    advpn {
        suggester {
            disable;
        }
        partner;
    }
    version v2-only;
}

You can check the IPsec tunnel information as follows:

[edit]
regress@vsrx2# run show security ipsec next-hop-tunnels
Next-hop gateway          interface  IPSec VPN name                              Flag  IKE-ID                                                 XAUTH username
2001:db8:0:2000::1        st0.0      instance-GT-ADVPN-advpn-67108872_67108873   Auto  C=JP, ST=Tokyo, O=JuniperJapan, OU=SE, CN=hub-vsrx1    Not-Available
fe80::5668:a30f:fc54:c05  st0.0      instance-GT-ADVPN-advpn-67108872_67108873   Auto  C=JP, ST=Tokyo, O=JuniperJapan, OU=SE, CN=hub-vsrx1    Not-Available
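As an added example, not part of the original post, the Python below checks for the misconfiguration described here: it lints Junos IKE gateway stanzas for an external-interface name that carries a logical unit, and parses "show security ipsec inactive-tunnels" output into structured rows so a NO_PROPOSAL_CHOSEN down reason can be tied back to the gateway with the suffixed name. The config and command output are constructed to match the shapes shown above; the function and pattern names are this example's own.

```python
import re

# Constructed config in this post's shape: advpn keeps the unit-suffixed external-interface, spoke2 does not.
SAMPLE_CONFIG = """
gateway advpn {
    address 2001:db8:0:1001::1;
    external-interface ge-0/0/0.0;
}
gateway spoke2 {
    external-interface ge-0/0/1;
}
"""
# Constructed inactive-tunnels output: initiator's two-line row, responder's one-line row.
SAMPLE_INACTIVE = """\
ID Port Gateway Pending SAs Tunnel Down Reason
67108871 500 2001:db8:0:1001::1 1
Negotiation failed with error code NO_PROPOSAL_CHOSEN received from peer (173 times)
131073 500 1 External interface's IP address is not available (1 times)
"""

# Gateway stanza (closing brace unindented), external-interface line, tunnel row, "(N times)" counter.
GATEWAY_RE = re.compile(r"gateway\s+(\S+)\s*\{(.*?)\n\}", re.S)
EXT_IF_RE = re.compile(r"external-interface\s+(\S+);")
ROW_RE = re.compile(r"^(\d+)\s+(\d+)\s+(?:(\S+)\s+)?(\d+)\s*(.*)$")
TIMES_RE = re.compile(r"\((\d+) times\)")

def gateways_with_unit_suffix(config):
    """{gateway: external-interface} for interfaces carrying a unit, e.g. ge-0/0/0.0."""
    found = {n: EXT_IF_RE.search(b) for n, b in GATEWAY_RE.findall(config)}
    return {n: m.group(1) for n, m in found.items() if m and re.search(r"\.\d+$", m.group(1))}

def parse_inactive_tunnels(output):
    """One dict per inactive tunnel: id, gateway (None on the responder), reason, times."""
    rows = []
    for line in filter(None, map(str.strip, output.splitlines())):
        m = ROW_RE.match(line)
        if m:
            rows.append({"id": int(m.group(1)), "gateway": m.group(3), "reason": m.group(5)})
        elif rows and not rows[-1]["reason"]:
            rows[-1]["reason"] = line  # reason wrapped onto the line after its row
    for r in rows:  # split the "(N times)" counter off the reason text
        t = TIMES_RE.search(r["reason"])
        r["reason"], r["times"] = TIMES_RE.sub("", r["reason"]).strip(), int(t.group(1)) if t else 0
    return rows

def diagnose(config, output):
    """Fix hints when a NO_PROPOSAL_CHOSEN tunnel coincides with a unit-suffixed external-interface."""
    hit = any("NO_PROPOSAL_CHOSEN" in r["reason"] for r in parse_inactive_tunnels(output))
    return [f"gateway {g}: change external-interface {i} to {i.rsplit('.', 1)[0]}"
            for g, i in gateways_with_unit_suffix(config).items()] if hit else []
```

Feed it the text of "show configuration security ike" and the inactive-tunnels output from the initiator; the responder's row is parsed too, but its "External interface's IP address is not available" reason is only reported when it appears on a NO_PROPOSAL_CHOSEN peer.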

If you are familiar with JUNOS, you would set an interface name that includes a logical unit number... (I was, too)