I've been trying for a couple of days to establish an IPsec tunnel to my Amazon VPC with our PA-500.
Whatever I do, the tunnel will not come up. The log file says:
2011-10-31 14:11:06 [DEBUG]: ikev1.c:1427:isakmp_ph1resend(): resend phase1 packet 3a1053711a202504:0000000000000000
2011-10-31 14:11:27 [PROTO_NOTIFY]: ikev1.c:2168:log_ph1negofailed(): ====> PHASE-1 NEGOTIATION FAILED AS INITIATOR, MAIN MODE <====
====> Failed SA: 82.xx.xx.xx-87.xx.xx.xx cookie:3a1053711a202504:0000000000000000 <==== Due to timeout.
2011-10-31 14:11:27 [INFO]: ikev1.c:2216:log_ph1deleted(): ====> PHASE-1 SA DELETED <====
====> Deleted SA: 82.xx.xx.xx-87.xx.xx.xx cookie:3a1053711a202504:0000000000000000i <====
Could anyone help me or send me a valid example configuration for Amazon VPC?
Thanks in advance.
If you have an explicit deny rule in your rulebase, you will need an explicit allow rule from the untrust zone to the untrust zone for the ike and ipsec applications. Otherwise, to get more verbose details in your syslog, have the remote peer initiate the traffic, as your current syslog output is not descriptive enough to give us insight into your issue. Alternatively, share your IKE/IPsec crypto settings for both the PAN and the remote peer to get more assistance.
The security policy is not blocking the port.
If I ping the EC2 instance, the Palo Alto wants to establish the connection but always gets the timeout failure.
Bad luck for me if nobody has a sample config...
It would behoove you to have the remote peer initiate the traffic so that you can get more precise information from the syslogs as to why phase 1 is failing. It's all about matching phase1/phase2 crypto maps and at this point, we don't have much to go on. Otherwise, please open a case with Support so we can provide further assistance.
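As an added illustration of how to read the failure quoted in the original post (example code written here, not something from the thread or from Palo Alto Networks): a small Python parser that groups the multi-line ikemgr events by initiator cookie and records that the responder cookie never left all zeros, meaning no ISAKMP reply ever arrived from the peer, which points at reachability or a policy blocking ike rather than at a mismatched proposal. The log sample is constructed to mirror the lines above.

```python
import re

# Constructed sample (not the post's raw output) in the ikemgr line shape quoted above.
SAMPLE_LOG = """\
2011-10-31 14:11:06 [DEBUG]: ikev1.c:1427:isakmp_ph1resend(): resend phase1 packet 3a1053711a202504:0000000000000000
2011-10-31 14:11:27 [PROTO_NOTIFY]: ikev1.c:2168:log_ph1negofailed(): ====> PHASE-1 NEGOTIATION FAILED AS INITIATOR, MAIN MODE <====
====> Failed SA: 82.xx.xx.xx-87.xx.xx.xx cookie:3a1053711a202504:0000000000000000 <==== Due to timeout.
2011-10-31 14:11:27 [INFO]: ikev1.c:2216:log_ph1deleted(): ====> PHASE-1 SA DELETED <====
====> Deleted SA: 82.xx.xx.xx-87.xx.xx.xx cookie:3a1053711a202504:0000000000000000 <====
"""

HEADER = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(\w+)\]: \S+:(\w+)\(\): (.*)$")
COOKIES = re.compile(r"([0-9a-f]{16}):([0-9a-f]{16})")
PEERS = re.compile(r"SA: ([\d.x]+)-([\d.x]+) ")

def parse_events(text):
    """Group lines into events; a line without a timestamp continues the previous event."""
    events = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts, level, func, msg = m.groups()
            events.append({"ts": ts, "level": level, "func": func, "msg": msg})
        elif events:
            events[-1]["msg"] += " " + line.strip()
    return events

def diagnose(text):
    """Per initiator cookie: resend count, outcome, and whether the peer ever replied."""
    report = {}
    for ev in parse_events(text):
        if not (c := COOKIES.search(ev["msg"])):
            continue
        icookie, rcookie = c.groups()
        r = report.setdefault(icookie, {"resends": 0, "failed": False, "reason": None,
                                        "deleted": False, "peer_answered": False, "peers": None})
        # The responder fills in its own cookie in its first reply, so an all-zero
        # responder cookie on every line means no ISAKMP reply ever arrived.
        r["peer_answered"] = r["peer_answered"] or rcookie != "0" * 16
        if ev["func"] == "isakmp_ph1resend":
            r["resends"] += 1
        elif ev["func"] == "log_ph1negofailed":
            r["failed"] = True
            reason = re.search(r"Due to (.+?)\.?$", ev["msg"])
            r["reason"] = reason.group(1) if reason else "unknown"
        elif ev["func"] == "log_ph1deleted":
            r["deleted"] = True
        if p := PEERS.search(ev["msg"]):
            r["peers"] = p.groups()
    return report
```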