topic Re: VPN Proxy ID nightmare in General Topics

VPN Proxy ID nightmare

Bocsa — Mon, 07 Dec 2015 11:01:15 GMT

Hi All,

I can't seem to resolve proxy-id mismatch on a Route-based VPN i have configured between the PAN Firewall and a Cisco 3G router.

On the PAN side, I have configured 10.5.0.0/16 as my local proxy-id and 0.0.0.0 as proxy-id of remote side. I still get a mismatch error as follows:

IKE phase-2 negotiation failed when processing proxy ID. cannot find matching phase-2 tunnel for received proxy ID. received local id: X.X.X.X/32 type IPv4_address protocol 47 port 0, received remote id: Y.Y.Y.Y/32 type IPv4_address protocol 47 port 0

where X is outside interface address of the Palo and Y is the interface address of the peer.

I have also tried to configure Proxy ID of 0.0.0.0/0 for both local and remote on the Palo. No luck

Please can anyone assist?

Re: VPN Proxy ID nightmare

pankaku — Mon, 07 Dec 2015 12:30:39 GMT

The proxy ID have to match on both side. It should match means there local become our remote and there remote becomes our local. I think the configured proxy ID on the CISCO is local x.x.x.x/32 remote y.y.y.y/32

So on the PA sside you have to configure local y.y.y.y/32 and remote x.x.x.x/32

Some thing like this will be on the cisco side

access-list extended PA_Proxy permit x.x.x.x 0.0.0.0 y.y.y.y 0.0.0.0

So there local will become our remote and vice versa.

Hope this helps.

Re: VPN Proxy ID nightmare

santonic — Mon, 07 Dec 2015 14:34:57 GMT

I had the same problem. After some debugging and magic touch I saw a GRE packet come out of the tunnel 🙂

Or in other words; check if Cisco is trying to establish GRE tunnel instead of IPsec tunnel. If it is, reconfigure Cisco to start IPsec tunnel as GRE is not supported on PA.

Re: VPN Proxy ID nightmare

santonic — Mon, 07 Dec 2015 14:38:39 GMT

Ok, I read your post again: Cisco is definitelly configured to start GRE tunnel instead of IPsec (hint: protocol 47)

Re: VPN Proxy ID nightmare

pankaku — Mon, 07 Dec 2015 15:14:48 GMT

GRE is not supported on PA.

Re: VPN Proxy ID nightmare

Bocsa — Mon, 07 Dec 2015 15:24:24 GMT

hi Pakumar,

I don't have any access-list on the Cisco side because I'm using a tunnel-based VPN on the Cisco side as well. I only have a static route

Re: VPN Proxy ID nightmare

pankaku — Mon, 07 Dec 2015 15:54:04 GMT

Could you please paste some config of cisco device.

Re: VPN Proxy ID nightmare

Bocsa — Mon, 07 Dec 2015 16:31:23 GMT

That worked....Thanks a whole lot.