topic Re: vpn s2s with Mikrotik router - proxy id problem in General Topics

vpn s2s with Mikrotik router - proxy id problem

_slv_ — Tue, 22 Sep 2015 18:26:17 GMT

Hello

I'm trying to connect PaloAlto PA200 PANOS 6.1.6 and Mikrotik RB951 6.32.2

Phase 1 is estabilished properly but I cant get phase 2 working.

Logs from Mikrotik says:

Sep/22/2015 20:09:34 ipsec,debug,packet HASH computed:
Sep/22/2015 20:09:34 ipsec,debug,packet f85f12d1 b77dc7a6 3690e85b ed9102d9 62f29649
Sep/22/2015 20:09:34 ipsec,debug,packet get a src address from ID payload 192.168.1.0[0] prefixlen=24 ul_proto=255
Sep/22/2015 20:09:34 ipsec,debug,packet get dst address from ID payload 192.168.2.0[0] prefixlen=24 ul_proto=255
Sep/22/2015 20:09:34 ipsec,debug no policy found: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=in
Sep/22/2015 20:09:34 ipsec,debug failed to get proposal for responder.
Sep/22/2015 20:09:34 ipsec,error failed to pre-process ph2 packet.

Logs from PaloAlto:

====> Initiated SA: x.y.z..157[500]-x.y.z..158[500] message id:0x6BB04309 <====
2015-09-22 20:09:53 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION FAILED AS INITIATOR, (QUICK MODE) <====
====> Failed SA: x.y.z..157[500]-x.y.z..158[500] message id:0x6BB04309 <==== Due to negotiation timeout.
2015-09-22 20:09:53 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====
====> Initiated SA: x.y.z..157[500]-x.y.z..158[500] message id:0x01365B68 <====
2015-09-22 20:10:23 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION FAILED AS INITIATOR, (QUICK MODE) <====
====> Failed SA: x.y.z..157[500]-x.y.z..158[500] message id:0x01365B68 <==== Due to negotiation timeout.
2015-09-22 20:10:23 [PROTO_NOTIFY]: phase-2 negotiation failed. delete stale phase-1 SA.
2015-09-22 20:10:23 [INFO]: ====> PHASE-1 SA DELETED <====
====> Deleted SA: x.y.z..157[500]-x.y.z..158[500] cookie:bb97b04a7db888f8:402f8a7370dc2e35 <====
2015-09-22 20:10:23 [INFO]: IPsec-SA request for x.y.z..158 queued since no phase1 found
2015-09-22 20:10:23 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION STARTED AS INITIATOR, MAIN MODE <====
====> Initiated SA: x.y.z..157[500]-x.y.z..158[500] cookie:5811ea271afc695f:0000000000000000 <====
2015-09-22 20:10:23 [INFO]: received Vendor ID: DPD
2015-09-22 20:10:23 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION SUCCEEDED AS INITIATOR, MAIN MODE <====
====> Established SA: x.y.z..157[500]-x.y.z..158[500] cookie:5811ea271afc695f:fe7fe1dface0fb0b lifetime 28800 Sec <====
2015-09-22 20:10:23 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====
====> Initiated SA: x.y.z..157[500]-x.y.z..158[500] message id:0xCE9673F6 <====

My config:
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5,sha1 enc-algorithms=aes-128-cbc,aes-256-cbc,aes-128-ctr,aes-256-ctr lifetime=8h
/ip ipsec peer
add address=x.y.z..157/32 dpd-interval=disable-dpd enc-algorithm=aes-256 lifetime=8h nat-traversal=no secret="passw0rd"
/ip ipsec policy
set 0 disabled=yes dst-address=192.168.1.0/24 src-address=192.168.2.0/24
add dst-address=192.168.1.0/24 src-address=192.168.2.0/24 template=yes

Does anyone sucessfully conected PA device with Mikrotik OS?

Re: vpn s2s with Mikrotik router - proxy id problem

OtakarKlier — Tue, 22 Sep 2015 20:52:15 GMT

I have not but here are somethings to look for:

Make sure all the settings are identical, ciphers, timeouts both time and data, etc. Also make sure you are only using IKE version1.

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Troubleshoot-VPN-Connectivity-Issues/ta-p/59187

Re: vpn s2s with Mikrotik router - proxy id problem

_slv_ — Wed, 23 Sep 2015 06:34:19 GMT

Hi Otakar

I know this doc - new info is that in log I have

 IKEv1 phase-2 negotiation request received when phase-1 SA is not act
ive or expired

What does it mean? I have green bubble in IKE section also I see connected peers in Mikrotik.

Regards

Slawek

Re: vpn s2s with Mikrotik router - proxy id problem

OtakarKlier — Wed, 23 Sep 2015 14:48:20 GMT

Try clearing the tunnel and reestablishing?

on the PAN cli clear vpn ike-sa gateway <name of gateway>

Also on the same on the other end. I had an issue with an ASA that was not bringing up a tunnel and it turned out that it was holding onto an old tunnel. Once i cleared it, everything came back up.

I know I would love to have a list and possible solutions to error messages, perhaps PAN is working on this for us? I only have an internal Cisco doc that some tech put together with common errors and why they are occuring.

Re: vpn s2s with Mikrotik router - proxy id problem

santonic — Thu, 24 Sep 2015 09:44:10 GMT

We have many Mikrotik to PA VPN tunnels up. In fact we have some very complex VPN scenarios implemented between PA and Mikrotik (PA at central office, Mikrotiks at remote location, 2 ISPs on both sides, 4 VPN tunnels with automatic switchover for all combinations).

In your case I would say there is some setting missing on Mikrotik for phase 2:

"Sep/22/2015 20:09:34 ipsec,debug no policy found: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=in"

I'm not a Mikrotik expert but I'd say you don't have correct encryption domains (Proxy IDs) set on Mikrotik.

Re: vpn s2s with Mikrotik router - proxy id problem

_slv_ — Fri, 25 Sep 2015 11:56:15 GMT

Hi santonic

Could You share some configuration of Microtik?

I have few question:

- is DPD 5/5 OK?

- are You using tunnel monitoring?

- are You use in policy > action > level reguire or unique? according to manual should be unique but it not working for me

- I'm using RB951 - when passing 30Mb/s CPU of RB is 100%, I tryed with md5/sha1 aes/3des but I not get any change.

Mikrotic has one LAN 192.168.2.0/24, PA has few LANs: 192.168.1.0/24 and 192.168.x.0/24, Internet trafffic from Mikrotik must go by VPN tunnel.

My Mikrotik config (ipsec part)

Route:
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          x.y.z.129             1
 1 ADC  x.y.z.128/26   x.y.z.158   WAN                       0
 2 A S  192.168.1.0/24                     WAN                       1
 3 ADC  192.168.2.0/24     192.168.2.1     LAN bridge                0

Policy:
  1     src-address=192.168.2.0/24 src-port=any dst-address=192.168.1.0/24 
       dst-port=any protocol=all action=encrypt level=require 
       ipsec-protocols=esp tunnel=yes sa-src-address=x.y.z.158 
       sa-dst-address=x.y.z.157 proposal=proposal2 priority=0 

 2     src-address=192.168.2.0/24 src-port=any dst-address=0.0.0.0/0 dst-port=any 
       protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes 
       sa-src-address=x.y.z.158 sa-dst-address=x.y.z.157 
       proposal=proposal2 priority=0 

Peer:
 0    address=x.y.z.157/32 local-address=:: passive=no port=500 
      auth-method=pre-shared-key secret="xxxxxx" generate-policy=no 
      policy-template-group=group1 exchange-mode=main mode-config=request-only 
      send-initial-contact=no nat-traversal=no proposal-check=obey 
      hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1024 lifetime=8h 
      lifebytes=0 dpd-interval=5s dpd-maximum-failures=5

And - maybe stupid qustion - how to verify is it working properly? I'm new in ipsec VPN and I worry about problems. What I should verify? now everything is OK (in my opinion) but now devices are in LAN and I get about 5% loss of pings packet.

I'm worry how it will act in real scenario...

Re: vpn s2s with Mikrotik router - proxy id problem

_slv_ — Fri, 25 Sep 2015 12:09:09 GMT

uhh I figured it out (I hope)

Now tunnel is up ... but I havent any misconfiguration - in GUI everything was OK but ...

I started veryfication from CLI and I realised that from CLI polisy is broken (missed part about SA). I deleted it and created again - and - surprice !!! its working ...

So lesson for me and You - use CLI

Regards

Slawek

Re: vpn s2s with Mikrotik router - proxy id problem

santonic — Fri, 25 Sep 2015 13:24:29 GMT

Glad you got it working.

DPD doesn't matter when establishing IPSEC for the first time. Also don't use tunnel monitor before establishing VPN for the first time.

Yeah, CLI "test vpn" is very useful. It's also in WebUI from 7.0.0 but I haven't tried it yet.

The ultimate test for VPN is always to send some traffic through it.

Re: vpn s2s with Mikrotik router - proxy id problem

_slv_ — Fri, 25 Sep 2015 13:31:30 GMT

I observed another strange behaviour ...

My workstation has IP 192.168.1.35 and its connected to PAN device

Laptop with 192.168.2.200 is connected to Mikrotik

If is lunched ping from laptop to 192.168.1.1 and I try to start pinging from my workstation to laptop IP after few packet I get

Badanie 192.168.2.200 z 32 bajtami danych:
Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=2ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=2ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=2ms TTL=126
Upłynął limit czasu żądania.
Upłynął limit czasu żądania.
Upłynął limit czasu żądania.
Upłynął limit czasu żądania.
Upłynął limit czasu żądania.

but ... when I stoped ping from laptop imiditellly ping from my workstation starting pinging OK

Has anyone idea whats going on? how to troubleshoot this problem?

I tryed to copy big files in both direction and everything is OK ...

Reagrds

Slawek

Re: vpn s2s with Mikrotik router - proxy id problem

santonic — Fri, 25 Sep 2015 13:40:06 GMT

Check logs if your VPN is going up and down. Pings would get lost while TCP connections would survive in such case.

Re: vpn s2s with Mikrotik router - proxy id problem

_slv_ — Fri, 25 Sep 2015 17:11:54 GMT

I observed another strange behaviour ...

Sit down - take a deep breath .... and read

My workstation has IP 192.168.1.35 and its connected to PAN device

Laptop with 192.168.2.200 is connected to Mikrotik

If is lunched ping from laptop to 192.168.1.1 and I try to start pinging from my workstation to laptop IP after few packet I get

Badanie 192.168.2.200 z 32 bajtami danych:
Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=2ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=2ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=2ms TTL=126
Upłynął limit czasu żądania.
Upłynął limit czasu żądania.
Upłynął limit czasu żądania.
Upłynął limit czasu żądania.
Upłynął limit czasu żądania.

but ... when I stoped ping from laptop imiditellly ping from my workstation starting pinging OK

Has anyone idea whats going on? how to troubleshoot this problem?

I tryed to copy big files in both direction and everything is OK ...

Reagrds

Slawek

Re: vpn s2s with Mikrotik router - proxy id problem

OtakarKlier — Fri, 25 Sep 2015 18:26:11 GMT

Do the traffic logs show anything?

Re: vpn s2s with Mikrotik router - proxy id problem

_slv_ — Sat, 26 Sep 2015 10:04:43 GMT

Of course Yes. some details - maybe it will be useful lto find some odds

details of "1"

details of "2"

the same from CLI

Is it normal to have such many session during one "ping" session?

Why the session aged out so quicky?

Regards

SLawek

Re: vpn s2s with Mikrotik router - proxy id problem

_slv_ — Sat, 26 Sep 2015 12:58:32 GMT

heh I GOT it 🙂

problem with ping was related to firwall rule on Mikrotik. This rule make limitations - afer diabling - ping working perfectly.

Regards

Slawek

Re: vpn s2s with Mikrotik router - proxy id problem

OtakarKlier — Mon, 28 Sep 2015 16:12:11 GMT

Glad to hear you got it working properly! If you have a basic writeup perhaps consider posting it for other users to reference?

Re: vpn s2s with Mikrotik router - proxy id problem

_slv_ — Mon, 12 Oct 2015 08:08:48 GMT

After few weeks of testings in real networks (not in my lab) I have to say - it doesnt wroking stable ... I have to leave it now as it is. I will back to it later.