topic Re: VPN not working in General Topics

VPN not working

BigPalo — Wed, 11 Jul 2018 08:00:36 GMT

Hi,

we are configuring a VPn between Palo Alto and PFsense. The VPN is configured properly but its nos getting up. No phase 1 up. We have treid to change all values proposals and lifetime.

This is the log. We tried to change lifetime with no success. Whats happening?

====> Initiated SA: 1.1.1.1[500]-2.2.2.2[500] cookie:4ff9f28d21a8b446:cc5af7ee92b1eb65 <====
2018-07-11 09:51:42 [INFO]: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2018-07-11 09:51:42 [INFO]: received Vendor ID: DPD
2018-07-11 09:51:42 [INFO]: received Vendor ID: FRAGMENTATION
2018-07-11 09:51:42 [INFO]: received Vendor ID: RFC 3947
2018-07-11 09:51:42 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2018-07-11 09:51:42 [INFO]: Selected NAT-T version: RFC 3947
2018-07-11 09:51:42 [PROTO_ERR]: invalid life duration.
2018-07-11 09:51:42 [PROTO_ERR]: invalid life duration.
2018-07-11 09:51:42 [PROTO_ERR]: no suitable proposal found.
2018-07-11 09:51:42 [PROTO_ERR]: 0:? - 2.2.2.2[500]:(nil):failed to get valid proposal.
2018-07-11 09:51:42 [PROTO_ERR]: failed to process packet.
2018-07-11 09:51:42 [INFO]: ====> PHASE-1 SA DELETED <====

Re: VPN not working

reaper — Wed, 11 Jul 2018 16:43:51 GMT

your crypto map needs to be synced

both ends expect to talk different protocols:

018-07-11 09:51:42 [PROTO_ERR]: no suitable proposal found.
2018-07-11 09:51:42 [PROTO_ERR]: 0:? - 2.2.2.2[500]:(nil):failed to get valid proposal.

this means they could not decide if they want (for example) sha256 and aes1024, or md5+3des

Re: VPN not working

BigPalo — Wed, 11 Jul 2018 18:26:43 GMT

Hi,

We chnaged the proposal several times with no success. It seems like issue is in the life time. But we also change this paramether. We will try tomorrow.

Thanks

Re: VPN not working

BPry — Wed, 11 Jul 2018 21:07:47 GMT

@BigPalo,

As @reaper stated that's kind of what this type of error message means. Can you verify that you are actually offering up the correct protocols that you wish to utilize and try again.

Re: VPN not working

LukeBullimore — Wed, 11 Jul 2018 21:14:50 GMT

Hi @BigPalo

Turn on debugging for the ike process (debug ike global on debug) then take a look at the ikemgr logs. This will then show you exactly what the peer and the remote end is proposing and where the mismatch lies.

The log format will be for example aes256:aes512, where 256 is local and 512 is remote.

P.S - don't forget to turn off debugging afterwards!

Thanks,

Luke.