https://live.paloaltonetworks.com/t5/general-topics/tmg-2010-ipsec-vpn/m-p/22583#M16496 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P><BR />Can you try to set the proxy ID as a single host?</P><P><BR />Do you get the same error on the TMG side when the PA-500 initiates the tunnel?</P><P><BR />It may be worthwhile to gather packet captures and compare the proxy-ID that is being sent/received to see if there is difference.</P><P></P><P>- Stefan</P></BODY></HTML> Thu, 22 Mar 2012 21:55:30 GMT sspringer 2012-03-22T21:55:30Z https://live.paloaltonetworks.com/t5/general-topics/tmg-2010-ipsec-vpn/m-p/22582#M16495 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>I'm trying to set up a site to site vpn with TMG 2010 (SP2) on the other point and is failing at phase 2.</P><P>The systems logs in PA-500 shows 'Invalid ID information (18)'. This is subnet mismatch between the two end points but I am sure that it's correct as i have doublechecked everything.</P><P>In remote networks of TMG I enter 192.168.1.0 - 192.168.1.255 (as you define it only by ip range) and in proxy id of PA i type 192.168.1.0/24.</P><P></P><P>Has anyone succesfully setup an IPSec VPN with PA and TMG?</P><P></P><P>Any help would be greatly appreciated.</P><P></P><P>Thank you</P></BODY></HTML> Wed, 14 Mar 2012 13:09:16 GMT https://live.paloaltonetworks.com/t5/general-topics/tmg-2010-ipsec-vpn/m-p/22582#M16495 cskodras 2012-03-14T13:09:16Z https://live.paloaltonetworks.com/t5/general-topics/tmg-2010-ipsec-vpn/m-p/22583#M16496 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P><BR />Can you try to set the proxy ID as a single host?</P><P><BR />Do you get the same error on the TMG side when the PA-500 initiates the tunnel?</P><P><BR />It may be worthwhile to gather packet captures and compare the proxy-ID that is being sent/received to see if there is difference.</P><P></P><P>- Stefan</P></BODY></HTML> Thu, 22 Mar 2012 21:55:30 GMT https://live.paloaltonetworks.com/t5/general-topics/tmg-2010-ipsec-vpn/m-p/22583#M16496 sspringer 2012-03-22T21:55:30Z https://live.paloaltonetworks.com/t5/general-topics/tmg-2010-ipsec-vpn/m-p/22584#M16497 <HTML><HEAD></HEAD><BODY><P>Hello CSKodras ,</P><P><BR />I hade the same problem last week.</P><P>PAN Firewall allow proxy id`s just with IP/SUBNET</P><P>SO you need to change in your TMG to IP/SUBNET and you phase 2 will function,</P><P></P><P></P><P>CHANGE TMG to IP/SUBNET 192.168.0.1/24 in your TMG ,&nbsp; site-to-site VPN will function.</P><P></P><P></P><P>On Phase 2 IPSEC VPN , PAN and TMG switch yours networks and needs to be the same or Phase 2 will mismatch</P></BODY></HTML> Fri, 23 Mar 2012 23:43:30 GMT https://live.paloaltonetworks.com/t5/general-topics/tmg-2010-ipsec-vpn/m-p/22584#M16497 Thiago 2012-03-23T23:43:30Z https://live.paloaltonetworks.com/t5/general-topics/tmg-2010-ipsec-vpn/m-p/22585#M16498 <HTML><HEAD></HEAD><BODY><P>Hello <SPAN>gruposeguranca,</SPAN></P><P></P><P><SPAN>Thank you for the info. It worked to me as well.<BR /></SPAN></P></BODY></HTML> Mon, 26 Mar 2012 08:05:16 GMT https://live.paloaltonetworks.com/t5/general-topics/tmg-2010-ipsec-vpn/m-p/22585#M16498 cskodras 2012-03-26T08:05:16Z