I keep having issues with my IPSec site-to-site VPN. I always get a "No proposal chosen" message on the Phase 2 proposal.
And then P2 proposal fails due to timeout.
I read that it could be IPSec crypto settings or proxy IDs that don't match.
Proxy IDs are OK because when I put in a non-existing network, I don't get these messages.
Encryption settings seem also well configured.
Here is the Fortigate P2 that was working before:
Here is the Palo Alto config that I'm trying to make work:
Did you try without PFS, or unticking option 5 on the Fortigate side? We need a full log output.
Reading more, it looks like you don't have to use any proxy IDs as both devices support route-based VPN
I tried without PFS and the result is the same.
I don't have access to the remote firewall but as I remember, it is supposed to accept both proposals on DHGroup 5 and DHGroup 14.
Here is the full log output:
@TranceforLife is right, we'll need the responder side logs to see why it isn't working. The initiator isn't going to tell you anything. I would remove the proxy-id as already mentioned; you don't actually need this, and having proxy-id on can cause issues in and of itself when you can't tell exactly how the other end is configured.
If I remove the Proxy IDs, the P2 Proposal fails due to a timeout, but without "no proposal chosen" message.
I don't have easy access to the remote firewall, but I'll post its logs as soon as I can.
Note that I don't know what the remote firewall is. The Fortigate was the firewall that I replaced with the Palo. Its configuration was working though.
If you remove the configuration from one side, the other side should do the same, otherwise it is pointless, as all P1 and P2 criteria must match.
I know that all parameters must match, that's why I'm trying to make an exact replica of my old Fortigate on the Palo.
The only thing that seems to be different for the P2 is that I can't select several DH groups.
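The matching rule the thread keeps coming back to, as an added illustration that is not code from the thread or from either vendor: a responder walks the initiator's Phase 2 proposals in order and answers NO_PROPOSAL_CHOSEN when none is in its own accepted set. The proposal sets are constructed to mirror the situation described (one side accepting PFS with DH group 5 or 14, the other able to offer a single group); transform names are generic labels.

```python
# Added illustration of IKE Phase 2 proposal matching; not code from the
# thread or from either vendor. Transform names are generic labels.
from dataclasses import dataclass
from itertools import product
from typing import Optional


@dataclass(frozen=True)
class Proposal:
    encryption: str          # e.g. "aes256"
    integrity: str           # e.g. "sha256"
    dh_group: Optional[int]  # PFS group; None means "no PFS"


def expand(encryption, integrity, dh_groups):
    """A peer that lists several values per attribute offers every
    combination, in the order listed (first entry is most preferred)."""
    return [Proposal(e, i, g) for e, i, g in product(encryption, integrity, dh_groups)]


def choose_proposal(initiator, responder):
    """Responder-side selection: the first initiator proposal the responder
    also accepts. None corresponds to the NO_PROPOSAL_CHOSEN notification."""
    accepted = set(responder)
    for proposal in initiator:
        if proposal in accepted:
            return proposal
    return None


def explain_mismatch(initiator, responder):
    """Name each attribute on which the two sides share no value at all."""
    hints = []
    for attr in ("encryption", "integrity", "dh_group"):
        ours = {getattr(p, attr) for p in initiator}
        theirs = {getattr(p, attr) for p in responder}
        if not ours & theirs:
            hints.append(f"{attr}: initiator {sorted(map(str, ours))} "
                         f"vs responder {sorted(map(str, theirs))}")
    return hints


# Constructed sample: remote side (as the old Fortigate had it) requires PFS, DH 5 or 14.
REMOTE = expand(["aes256"], ["sha256"], [5, 14])
# Palo Alto side can pick only one DH group per proposal.
PALO_DH14 = expand(["aes256"], ["sha256"], [14])
PALO_NO_PFS = expand(["aes256"], ["sha256"], [None])

if __name__ == "__main__":
    print(choose_proposal(PALO_DH14, REMOTE))    # agrees on group 14
    print(choose_proposal(PALO_NO_PFS, REMOTE))  # None: remote still requires PFS
    print(explain_mismatch(PALO_NO_PFS, REMOTE))
```

Disabling PFS on one side only, as tried above, produces exactly the no-match case; the remote must drop PFS as well for the proposals to agree.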
What PAN-OS version do you have installed? What IKE version is configured?
You wrote that the tunnel was working already: did you do anything before it stopped working (maybe a PAN-OS update)?