topic Re: IpSec VPN between Palo and Vyatta in General Topics

IpSec VPN between Palo and Vyatta

VinceM — Thu, 18 Aug 2016 16:34:54 GMT

Hi all,

I try to configure an IPSec tunnel between PA-500 (version 7.1.4) and vyatta.

Config seem to be ok, phase 1 is ok but nego for phase 2 is block in "No Proposal chosen". I select in phase 2 all possibility given by the palo.

Any body already succeed to do that ?

help .. please 🙂

Vincent

Re: IpSec VPN between Palo and Vyatta

TranceforLife — Thu, 18 Aug 2016 16:46:43 GMT

Hi Vince,

Please could you post output of this command:

> tail lines 50 mp-log ikemgr.log

I believe your security policy permit IPSec traffic both directions.

Thx,

Myky

Re: IpSec VPN between Palo and Vyatta

VinceM — Thu, 18 Aug 2016 16:51:17 GMT

Hi,

Thx in advance for your help.

Here the requested log.

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2016.08.18 18:48:36 =~=~=~=~=~=~=~=~=~=~=~=
tail [Kadmin@PADC(active)> tail lines [Kadmin@PADC(active)> tail lines 50 [Kadmin@PADC(active)> tail lines 50 mp-log [Kadmin@PADC(active)> tail lines 50 mp-log ikemgr.log
2016-08-18 18:46:42 [PROTO_ERR]: not matched
2016-08-18 18:46:42 [PROTO_ERR]: no suitable policy found.
2016-08-18 18:46:42 [INTERNAL_ERR]: failed to pre-process packet.
2016-08-18 18:46:52 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS RESPONDER, (QUICK MODE) <====
====> Initiated SA: 185.42.31.XXX[500]-31.193.53.XX[500] message id:0xEE340F87 <====
2016-08-18 18:46:52 [PROTO_ERR]: not matched
2016-08-18 18:46:52 [PROTO_ERR]: no suitable policy found.
2016-08-18 18:46:52 [INTERNAL_ERR]: failed to pre-process packet.
2016-08-18 18:47:12 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS RESPONDER, (QUICK MODE) <====
====> Initiated SA: 185.42.31.XXX[500]-31.193.53.XX[500] message id:0xEE340F87 <====
2016-08-18 18:47:12 [PROTO_ERR]: not matched
2016-08-18 18:47:12 [PROTO_ERR]: no suitable policy found.
2016-08-18 18:47:12 [INTERNAL_ERR]: failed to pre-process packet.
2016-08-18 18:47:12.795 +0200 ikemgr: panike_daemon phase 1 started, config size 33890
2016-08-18 18:47:12.828 +0200 ikemgr: panike_daemon phase 1 step 2 finished
2016-08-18 18:47:13.114 +0200 ikemgr: panike_daemon phase 1 step 4 finished
2016-08-18 18:47:13.114 +0200 pan IKE cfg phase-1 triggered.
2016-08-18 18:47:13 [INFO]: loading new config from /tmp/.njHLK5
2016-08-18 18:47:15.541 +0200 ikemgr: panike_daemon phase 1 step 5 finished
2016-08-18 18:47:15.541 +0200 ikemgr: panike_daemon phase 1 config change detected
2016-08-18 18:47:15.541 +0200 ikemgr: panike_daemon phase 1 finished with status 1
2016-08-18 18:47:44.823 +0200 ikemgr: panike_daemon phase 2 started
2016-08-18 18:47:44.823 +0200 pan IKE cfg phase-2 triggered.
2016-08-18 18:47:44 [INFO]: IKE gateway EOLAS changed, deleting SA
2016-08-18 18:47:44 [INFO]: ====> PHASE-1 SA DELETED <====
====> Deleted SA: 185.42.31.XXX[500]-31.193.53.XX[500] cookie:e30ae825f46753b9:9b520bc54bb0cad0 <====
2016-08-18 18:47:44.826 +0200 ikemgr: panike_daemon phase 2 finished
2016-08-18 18:47:44 [PROTO_ERR]: Informational exchange received from unknown peer.
2016-08-18 18:47:52 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION STARTED AS RESPONDER, MAIN MODE <====
====> Initiated SA: 185.42.31.XXX[500]-31.193.53.XX[500] cookie:b751989c866b52b4:7a4c9758629b8b91 <====
2016-08-18 18:47:52 [INFO]: received Vendor ID: CISCO-UNITY
2016-08-18 18:47:52 [INFO]: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2016-08-18 18:47:52 [INFO]: received Vendor ID: DPD
2016-08-18 18:47:52 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION SUCCEEDED AS RESPONDER, MAIN MODE <====
====> Established SA: 185.42.31.XXX[500]-31.193.53.XX[500] cookie:b751989c866b52b4:7a4c9758629b8b91 lifetime 28800 Sec <====
2016-08-18 18:47:52 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS RESPONDER, (QUICK MODE) <====
====> Initiated SA: 185.42.31.XXX[500]-31.193.53.XX[500] message id:0x93765356 <====
2016-08-18 18:47:52 [PROTO_ERR]: not matched
2016-08-18 18:47:52 [PROTO_ERR]: no suitable policy found.
2016-08-18 18:47:52 [INTERNAL_ERR]: failed to pre-process packet.
2016-08-18 18:48:02 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS RESPONDER, (QUICK MODE) <====
====> Initiated SA: 185.42.31.XXX[500]-31.193.53.XX[500] message id:0x93765356 <====
2016-08-18 18:48:02 [PROTO_ERR]: not matched
2016-08-18 18:48:02 [PROTO_ERR]: no suitable policy found.
2016-08-18 18:48:02 [INTERNAL_ERR]: failed to pre-process packet.
2016-08-18 18:48:22 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS RESPONDER, (QUICK MODE) <====
====> Initiated SA: 185.42.31.XXX[500]-31.193.53.XX[500] message id:0x93765356 <====
2016-08-18 18:48:22 [PROTO_ERR]: not matched
2016-08-18 18:48:22 [PROTO_ERR]: no suitable policy found.
2016-08-18 18:48:22 [INTERNAL_ERR]: failed to pre-process packet.
admin@PADC(active)>

Ipsec is permit.

Re: IpSec VPN between Palo and Vyatta

TranceforLife — Thu, 18 Aug 2016 18:06:52 GMT

Hi V,

Thanks. Vyatta side policy or route base VPN?

Below an example for route base config:

http://vyos.net/wiki/VTI_with_Palo_Alto

Please can you make sure you do have application permitted in your policy: (ciscovpn, dtls, ipsec, ssl, open-vpn)

Thx,

Myky

Re: IpSec VPN between Palo and Vyatta

VinceM — Fri, 19 Aug 2016 08:08:16 GMT

Hi,

Thx for the template. The fact is f the VPN end on SonicWall, it works, on the palo it doesn't 😞

All protocol needed are allowed (other VPN are ok)

Maybe MD5 ??? I will ask to change from MD5 to sha1 or more ...

Keep you in touch.

Re: IpSec VPN between Palo and Vyatta

TranceforLife — Fri, 19 Aug 2016 08:28:56 GMT

Hello V,

Sure try to tweak IPSec crypto. Deffenetly something is not matching with Phase 2. Proxy-ID etc.

let me know how it goes. Sorry but l have never configured VPN with Vyatta

Re: IpSec VPN between Palo and Vyatta

VinceM — Fri, 19 Aug 2016 08:36:08 GMT

Hi,

Confirmed 🙂

Change config from MD5 to SHA1 ... and now, IT WORKS 🙂

Hope this info can be usefull for all.

Re: IpSec VPN between Palo and Vyatta

TranceforLife — Fri, 19 Aug 2016 08:38:20 GMT

Good stuff! Thx for sharing this info

Re: IpSec VPN between Palo and Vyatta

mart_e — Fri, 29 Mar 2019 13:54:04 GMT

Hi!

I had similar case between PA-3020 (PanOS 8.1.6) and Cyberoam firewall.

Tunnel actually showed to be up (so phase 2 established), but no traffic was flowing through tunnel. I noticed in ikemgr.log (in debug mode) file following lines which hinted that some proposal is not suitable for this connection:

[PERR]: { : 5}: not matched
[PERR]: { : 5}: no suitable policy found.
[ERR ]: { : 5}: failed to pre-process packet.

We had SHA256 in use for phase 2 and we changed this for SHA1- after this tunnel worked correctly and traffic went through it properly.

Märt