https://live.paloaltonetworks.com/t5/general-topics/getting-crazy-with-ipsec-tunnel/m-p/33880#M24847 <HTML><HEAD></HEAD><BODY><P>Hello everyone,</P><P></P><P>i'm trying a couple of days to establish an IPsec-tunnel to my amazon VPC with our PA-500.</P><P></P><P>I can do what ever i want the tunnel will not get up. The log file said:</P><P>2011-10-31 14:11:06 [DEBUG]: ikev1.c:1427:isakmp_ph1resend(): resend phase1 packet 3a1053711a202504:0000000000000000<BR />2011-10-31 14:11:27 [PROTO_NOTIFY]: ikev1.c:2168:log_ph1negofailed(): ====&gt; PHASE-1 NEGOTIATION FAILED AS INITIATOR, MAIN MODE &lt;====<BR />====&gt; Failed SA: 82.xx.xx.xx[500]-87.xx.xx.xx[500] cookie:3a1053711a202504:0000000000000000 &lt;==== Due to timeout.<BR />2011-10-31 14:11:27 [INFO]: ikev1.c:2216:log_ph1deleted(): ====&gt; PHASE-1 SA DELETED &lt;====<BR />====&gt; Deleted SA: 82.xx.xx.xx[500]-87.xx.xx.xx[500] cookie:3a1053711a202504:0000000000000000i &lt;====</P><P></P><P>Could anyone help me or send me a valid example configuration for Amazon VPC.</P><P></P><P>Thanks in Advance</P></BODY></HTML> Mon, 31 Oct 2011 13:22:53 GMT clinit_owner 2011-10-31T13:22:53Z https://live.paloaltonetworks.com/t5/general-topics/getting-crazy-with-ipsec-tunnel/m-p/33880#M24847 <HTML><HEAD></HEAD><BODY><P>Hello everyone,</P><P></P><P>i'm trying a couple of days to establish an IPsec-tunnel to my amazon VPC with our PA-500.</P><P></P><P>I can do what ever i want the tunnel will not get up. The log file said:</P><P>2011-10-31 14:11:06 [DEBUG]: ikev1.c:1427:isakmp_ph1resend(): resend phase1 packet 3a1053711a202504:0000000000000000<BR />2011-10-31 14:11:27 [PROTO_NOTIFY]: ikev1.c:2168:log_ph1negofailed(): ====&gt; PHASE-1 NEGOTIATION FAILED AS INITIATOR, MAIN MODE &lt;====<BR />====&gt; Failed SA: 82.xx.xx.xx[500]-87.xx.xx.xx[500] cookie:3a1053711a202504:0000000000000000 &lt;==== Due to timeout.<BR />2011-10-31 14:11:27 [INFO]: ikev1.c:2216:log_ph1deleted(): ====&gt; PHASE-1 SA DELETED &lt;====<BR />====&gt; Deleted SA: 82.xx.xx.xx[500]-87.xx.xx.xx[500] cookie:3a1053711a202504:0000000000000000i &lt;====</P><P></P><P>Could anyone help me or send me a valid example configuration for Amazon VPC.</P><P></P><P>Thanks in Advance</P></BODY></HTML> Mon, 31 Oct 2011 13:22:53 GMT https://live.paloaltonetworks.com/t5/general-topics/getting-crazy-with-ipsec-tunnel/m-p/33880#M24847 clinit_owner 2011-10-31T13:22:53Z https://live.paloaltonetworks.com/t5/general-topics/getting-crazy-with-ipsec-tunnel/m-p/33881#M24848 <HTML><HEAD></HEAD><BODY><P>Checked if your security policy is blocking port 500.</P></BODY></HTML> Mon, 31 Oct 2011 14:25:58 GMT https://live.paloaltonetworks.com/t5/general-topics/getting-crazy-with-ipsec-tunnel/m-p/33881#M24848 friento 2011-10-31T14:25:58Z https://live.paloaltonetworks.com/t5/general-topics/getting-crazy-with-ipsec-tunnel/m-p/33882#M24849 <HTML><HEAD></HEAD><BODY><P>If you have an explicit deny rule in your rulebase, you will need an explicit allow rule for untrust zone to untrust zone for ike and ipsec application. Otherwise, to get more verbose details in your syslog, have the remote peer initiate the traffic as your current syslog output is not descriptive enough to give us insight to your issue. Otherwise, share your ike/ipsec crypto for both PAN and remote peer to get you more assistance</P><P></P><P>-Renato&nbsp;&nbsp;&nbsp;&nbsp; </P></BODY></HTML> Mon, 31 Oct 2011 14:29:04 GMT https://live.paloaltonetworks.com/t5/general-topics/getting-crazy-with-ipsec-tunnel/m-p/33882#M24849 gswcowboy 2011-10-31T14:29:04Z https://live.paloaltonetworks.com/t5/general-topics/getting-crazy-with-ipsec-tunnel/m-p/33883#M24850 <HTML><HEAD></HEAD><BODY><P>the security policy is not blocking the port.</P><P>if i ping the ec2 instance the paloalto want to</P><P>establish the connecting, but always get the timeout failure.</P><P>Bad luck for me if nobody have a sample conf.... <img id="smileysad" class="emoticon emoticon-smileysad" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-sad.png" alt="Smiley Sad" title="Smiley Sad" /></P></BODY></HTML> Wed, 02 Nov 2011 13:07:36 GMT https://live.paloaltonetworks.com/t5/general-topics/getting-crazy-with-ipsec-tunnel/m-p/33883#M24850 clinit_owner 2011-11-02T13:07:36Z https://live.paloaltonetworks.com/t5/general-topics/getting-crazy-with-ipsec-tunnel/m-p/33884#M24851 <HTML><HEAD></HEAD><BODY><P>I would revisit ike config as it looks like you are failing on p1. If all else fail open ticket to support, they can help you.</P></BODY></HTML> Wed, 02 Nov 2011 14:03:29 GMT https://live.paloaltonetworks.com/t5/general-topics/getting-crazy-with-ipsec-tunnel/m-p/33884#M24851 friento 2011-11-02T14:03:29Z https://live.paloaltonetworks.com/t5/general-topics/getting-crazy-with-ipsec-tunnel/m-p/33885#M24852 <HTML><HEAD></HEAD><BODY><P>It would behoove you to have the remote peer initiate the traffic so that you can get more precise information from the syslogs as to why phase 1 is failing. It's all about matching phase1/phase2 crypto maps and at this point, we don't have much to go on. Otherwise, please open a case with Support so we can provide further assistance.</P></BODY></HTML> Wed, 02 Nov 2011 14:09:22 GMT https://live.paloaltonetworks.com/t5/general-topics/getting-crazy-with-ipsec-tunnel/m-p/33885#M24852 gswcowboy 2011-11-02T14:09:22Z