Getting crazy with Ipsec-tunnel

Hello everyone,

I've been trying for a couple of days to establish an IPsec tunnel to my Amazon VPC with our PA-500.

Whatever I do, the tunnel will not come up. The log file said:

2011-10-31 14:11:06 [DEBUG]: ikev1.c:1427:isakmp_ph1resend(): resend phase1 packet 3a1053711a202504:0000000000000000
2011-10-31 14:11:27 [PROTO_NOTIFY]: ikev1.c:2168:log_ph1negofailed(): ====> PHASE-1 NEGOTIATION FAILED AS INITIATOR, MAIN MODE <====
====> Failed SA: 82.xx.xx.xx[500]-87.xx.xx.xx[500] cookie:3a1053711a202504:0000000000000000 <==== Due to timeout.
2011-10-31 14:11:27 [INFO]: ikev1.c:2216:log_ph1deleted(): ====> PHASE-1 SA DELETED <====
====> Deleted SA: 82.xx.xx.xx[500]-87.xx.xx.xx[500] cookie:3a1053711a202504:0000000000000000i <====

Could anyone help me or send me a valid example configuration for Amazon VPC?

Thanks in advance

Check if your security policy is blocking port 500.

If you have an explicit deny rule in your rulebase, you will need an explicit allow rule from the untrust zone to the untrust zone for the ike and ipsec applications. Otherwise, to get more verbose details in your syslog, have the remote peer initiate the traffic, as your current syslog output is not descriptive enough to give us insight into your issue. Otherwise, share your IKE/IPsec crypto for both the PAN and the remote peer so we can give you more assistance.

-Renato

The security policy is not blocking the port.

If I ping the EC2 instance, the Palo Alto tries to establish the connection, but it always gets the timeout failure.

Bad luck for me if nobody has a sample conf....

I would revisit the IKE config, as it looks like you are failing on P1. If all else fails, open a ticket with support; they can help you.

It would behoove you to have the remote peer initiate the traffic so that you can get more precise information from the syslogs as to why phase 1 is failing. It's all about matching phase1/phase2 crypto maps and at this point, we don't have much to go on. Otherwise, please open a case with Support so we can provide further assistance.
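As an added example (not code from the thread or from Palo Alto), here is a small Python triage script that parses the ikemgr log lines quoted in the original post, counts phase-1 resends per cookie, and maps the failure reason plus the responder cookie to the first check the replies suggest. The addresses in the embedded sample are constructed documentation-range placeholders for the redacted ones, and the hint text is my own summary of the advice above.

```python
import re

# Constructed sample input: the ikemgr.log excerpt from the post, redacted addresses replaced by placeholders.
SAMPLE_LOG = """\
2011-10-31 14:11:06 [DEBUG]: ikev1.c:1427:isakmp_ph1resend(): resend phase1 packet 3a1053711a202504:0000000000000000
2011-10-31 14:11:27 [PROTO_NOTIFY]: ikev1.c:2168:log_ph1negofailed(): ====> PHASE-1 NEGOTIATION FAILED AS INITIATOR, MAIN MODE <====
====> Failed SA: 192.0.2.10[500]-198.51.100.20[500] cookie:3a1053711a202504:0000000000000000 <==== Due to timeout.
2011-10-31 14:11:27 [INFO]: ikev1.c:2216:log_ph1deleted(): ====> PHASE-1 SA DELETED <====
====> Deleted SA: 192.0.2.10[500]-198.51.100.20[500] cookie:3a1053711a202504:0000000000000000 <====
"""

# The three line shapes we care about (format taken from the post's log lines).
RESEND_RE = re.compile(r"isakmp_ph1resend\(\): resend phase1 packet (?P<cookie>[0-9a-f]+:[0-9a-f]+)")
FAILED_RE = re.compile(r"PHASE-1 NEGOTIATION FAILED AS (?P<role>INITIATOR|RESPONDER), (?P<mode>\w+ MODE)")
SA_RE = re.compile(
    r"Failed SA: (?P<local>[\d.]+)\[(?P<lport>\d+)\]-(?P<peer>[\d.]+)\[(?P<pport>\d+)\]"
    r" cookie:(?P<icookie>[0-9a-f]+):(?P<rcookie>[0-9a-f]+) <==== Due to (?P<reason>[^.]+)\."
)


def hint_for(reason, rcookie):
    """Map the failure reason plus the responder cookie to a first check (wording is my own)."""
    if reason == "timeout" and set(rcookie) == {"0"}:
        # All-zero responder cookie: the peer never answered the first packet.
        return "no IKE reply at all: verify UDP/500 reaches the peer and that an untrust-to-untrust rule allows the ike/ipsec applications"
    if reason == "timeout":
        return "peer replied earlier, a later exchange stalled: compare pre-shared key, peer ID and NAT settings on both sides"
    return "peer rejected the proposal: compare phase-1 crypto (DH group, encryption, hash, lifetime) on both sides"


def triage(log_text):
    """Return one record per failed phase-1 SA found in the log text."""
    resends, pending, failures = {}, None, []
    for line in log_text.splitlines():
        m = RESEND_RE.search(line)
        if m:
            resends[m["cookie"]] = resends.get(m["cookie"], 0) + 1
            continue
        m = FAILED_RE.search(line)
        if m:
            pending = (m["role"], m["mode"])  # the SA detail follows on the next line
            continue
        m = SA_RE.search(line)
        if m and pending:
            cookie, reason = f"{m['icookie']}:{m['rcookie']}", m["reason"].strip()
            failures.append({"cookie": cookie, "role": pending[0], "mode": pending[1],
                             "local": m["local"], "peer": m["peer"], "reason": reason,
                             "resends": resends.get(cookie, 0), "hint": hint_for(reason, m["rcookie"])})
            pending = None
    return failures
```

Running `triage(SAMPLE_LOG)` on the excerpt yields one record whose all-zero responder cookie and timeout reason point at reachability or policy rather than a crypto mismatch.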
