https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-palo-alto-mikrotik-phase-2/m-p/350192#M86933 <P>Nobody will guess where the problem is without debugs.</P><P>If config is corect in general, then probably issue is about phae2 mismatch.</P><P>&nbsp;</P><P>Everything what you need to find a problem is there:</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC</A></P> Thu, 17 Sep 2020 16:43:44 GMT pawelzwierz 2020-09-17T16:43:44Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-palo-alto-mikrotik-phase-2/m-p/350089#M86924 <P>Hello!</P><P><SPAN>I setup IPsec tunnel between palo alto and mikrotik.</SPAN><BR /><SPAN>I found an example <A href="https://grzegorzkowalik.com/mikrotik-site-to-site-vpn-z-palo-alto-networks/" target="_self">here</A>.</SPAN><BR /><SPAN>I did everything step by step 1-13(see below)</SPAN><BR /><BR /><SPAN>I have PAlo alto version 9.1.3-h and Router os ver. 6.43.13. </SPAN><BR /><SPAN>phase 2 doesn’t work. How to befriend these devices? Help me.</SPAN></P><P>&nbsp;</P><P>&nbsp;</P><P data-unlink="true"><SPAN>Config PALO Alto<BR />1.Create a new interface and add address (gateway default for tunnel in Virtual Router).<BR />2.New&nbsp; Zone security<BR />3. Setup Phase 1 (it is IKE Crypto &amp; IKE Gateway)<BR />4. Phase 2 (profile incryption)<BR />5.setup Ipsec Tunnels<BR />6.In&nbsp; virtual gateway we need add network.<BR />7.Rules of security. first of allow connect and second rule allow traffic throw tunnel.<BR /><BR />Config Mikrotik.<BR />8.Access to network throw tunnel (without NAT)<BR />9.Allow ports 500 and 4500.<BR />10.Politics IPSec<BR />11.Peer profile<BR />12.Politics.<BR />13.Setup Peer.</SPAN></P> Thu, 17 Sep 2020 13:08:10 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-palo-alto-mikrotik-phase-2/m-p/350089#M86924 melnikov 2020-09-17T13:08:10Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-palo-alto-mikrotik-phase-2/m-p/350192#M86933 <P>Nobody will guess where the problem is without debugs.</P><P>If config is corect in general, then probably issue is about phae2 mismatch.</P><P>&nbsp;</P><P>Everything what you need to find a problem is there:</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC</A></P> Thu, 17 Sep 2020 16:43:44 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-palo-alto-mikrotik-phase-2/m-p/350192#M86933 pawelzwierz 2020-09-17T16:43:44Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-palo-alto-mikrotik-phase-2/m-p/350199#M86937 <P>Hi,</P><P>I also suggest to update your routeros.</P><P>6.43.x is a little bit too old. 6.47.3 is stable at the moment.</P><P>And if you have a running phase 1 ipsec vpn, check your phase2 settings.</P><P>Most of the time you have no matching SAs.</P><P>Which device is passive?</P><P>&nbsp;</P><P>&nbsp;</P><P>Best</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 17 Sep 2020 18:12:34 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-palo-alto-mikrotik-phase-2/m-p/350199#M86937 LANtecGmbH 2020-09-17T18:12:34Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-palo-alto-mikrotik-phase-2/m-p/350254#M86945 <P>Hi,</P><P>&nbsp;</P><P>i would check first if the parameters are identical on both sides. Also check the Proxy-IDs.</P><P>&nbsp;</P><P>run this command on cli to show logs</P><PRE><SPAN>less mp-log ikemgr.log</SPAN></PRE> Thu, 17 Sep 2020 23:20:59 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-palo-alto-mikrotik-phase-2/m-p/350254#M86945 Abdul-Fattah 2020-09-17T23:20:59Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-palo-alto-mikrotik-phase-2/m-p/352072#M87133 <P>There is a problem with local networks behind tunnels ipsec<BR />The tunnel went up.<BR />I allowed on Palo Alto:<BR />in property Ipsec tunnel: Proxy id remote and Local address<BR />in Virtual Router static route to network behind Mikrotik throw interface tunnel with nexthop(address tunnel.80)<BR />I allowed in rules:<BR />All traffic from local lan to ipsec tunnel<BR />From address Palo alto to Mikrotik (round trip) added application gre,ike,ipsec</P><P>The Mikrotik have done tunnel in logs all good<BR />In setting of ipsec policy I pointed out local networks (throw Mikrotik and Palo Alto)<BR />Added NAT rules allowing traffic from Microtik network to LAN Palo Alto.<BR />Added Firewall rules for Protocols 17,51,50,47</P><P>Local Networks are not available between each other.</P> Fri, 25 Sep 2020 08:38:41 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-palo-alto-mikrotik-phase-2/m-p/352072#M87133 melnikov 2020-09-25T08:38:41Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-palo-alto-mikrotik-phase-2/m-p/357817#M87815 <P><SPAN>Site 2 site allows only two networks to be pulled inside the tunnel (one of them behind the mikrotik and the other one behind the palo alto).I’ve tried different settings and it doesn't help.</SPAN><BR /><SPAN>Has anyone had experience building a tunnel between them based on GRE tunnel over IPsec or IPIP + IPSEC?</SPAN><BR /><SPAN>Several networks need to be passed through the tunnel.</SPAN></P> Wed, 21 Oct 2020 15:23:13 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-palo-alto-mikrotik-phase-2/m-p/357817#M87815 melnikov 2020-10-21T15:23:13Z