Getting crazy with Ipsec-tunnel

Not applicable

Hello everyone,

I have been trying for a couple of days to establish an IPsec tunnel to my Amazon VPC with our PA-500.

Whatever I do, the tunnel will not come up. The log file says:

2011-10-31 14:11:06 [DEBUG]: ikev1.c:1427:isakmp_ph1resend(): resend phase1 packet 3a1053711a202504:0000000000000000
2011-10-31 14:11:27 [PROTO_NOTIFY]: ikev1.c:2168:log_ph1negofailed(): ====> PHASE-1 NEGOTIATION FAILED AS INITIATOR, MAIN MODE <====
====> Failed SA: 82.xx.xx.xx[500]-87.xx.xx.xx[500] cookie:3a1053711a202504:0000000000000000 <==== Due to timeout.
2011-10-31 14:11:27 [INFO]: ikev1.c:2216:log_ph1deleted(): ====> PHASE-1 SA DELETED <====
====> Deleted SA: 82.xx.xx.xx[500]-87.xx.xx.xx[500] cookie:3a1053711a202504:0000000000000000i <====

Could anyone help me or send me a valid example configuration for Amazon VPC?

Thanks in advance.

L3 Networker

Check if your security policy is blocking port 500.

L6 Presenter

If you have an explicit deny rule in your rulebase, you will need an explicit allow rule for untrust zone to untrust zone for the ike and ipsec applications. Otherwise, to get more verbose details in your syslog, have the remote peer initiate the traffic, as your current syslog output is not descriptive enough to give us insight into your issue. Otherwise, share your ike/ipsec crypto for both the PAN and the remote peer to get more assistance.

-Renato
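The advice above (check whether port 500 is blocked, and read the syslog for why phase 1 fails) can be turned into a small triage script. The following is an added example, not code from the original thread or from Palo Alto Networks: it parses the ikev1 syslog excerpt from the first post, joins the "====>" continuation lines to their parent event, extracts the phase, role, mode, SA endpoints, cookie pair and failure reason, and then derives a hint. The key observation it encodes is an IKEv1 fact: the initiator fills the responder half of the cookie with zeros in its first main-mode message, so a phase-1 SA that is deleted with the responder cookie still all zeros never received a reply from the peer, which points at reachability or a policy blocking UDP/500 rather than at a proposal mismatch. The second log sample, with a non-zero responder cookie, is constructed to show the other branch; the regexes assume the exact line layout shown in the thread.

```python
import re
from typing import Dict, List, Optional

# Copy of the syslog excerpt from the original post (IPs masked as in the thread).
SAMPLE_LOG = """\
2011-10-31 14:11:06 [DEBUG]: ikev1.c:1427:isakmp_ph1resend(): resend phase1 packet 3a1053711a202504:0000000000000000
2011-10-31 14:11:27 [PROTO_NOTIFY]: ikev1.c:2168:log_ph1negofailed(): ====> PHASE-1 NEGOTIATION FAILED AS INITIATOR, MAIN MODE <====
====> Failed SA: 82.xx.xx.xx[500]-87.xx.xx.xx[500] cookie:3a1053711a202504:0000000000000000 <==== Due to timeout.
2011-10-31 14:11:27 [INFO]: ikev1.c:2216:log_ph1deleted(): ====> PHASE-1 SA DELETED <====
====> Deleted SA: 82.xx.xx.xx[500]-87.xx.xx.xx[500] cookie:3a1053711a202504:0000000000000000i <====
"""

# Constructed variant (not from the thread): same layout, but the responder cookie is
# non-zero, i.e. the peer answered at least once before the negotiation timed out.
CONSTRUCTED_ANSWERED_LOG = """\
2011-10-31 15:02:10 [PROTO_NOTIFY]: ikev1.c:2168:log_ph1negofailed(): ====> PHASE-1 NEGOTIATION FAILED AS INITIATOR, MAIN MODE <====
====> Failed SA: 82.xx.xx.xx[500]-87.xx.xx.xx[500] cookie:3a1053711a202504:9c2b7e1d4f0a6b35 <==== Due to timeout.
"""

# One syslog event: timestamp, level, source location (file:line:function), message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>[A-Z_]+)\]: (?P<src>\S+)\(\): (?P<msg>.*)$"
)
RESEND_RE = re.compile(r"resend phase(?P<phase>[12]) packet")
FAILED_RE = re.compile(
    r"PHASE-(?P<phase>[12]) NEGOTIATION FAILED AS (?P<role>INITIATOR|RESPONDER), (?P<mode>[A-Z]+) MODE"
)
# Endpoint pair as printed, followed by the IKEv1 cookie pair initiator:responder (8 bytes each).
SA_RE = re.compile(
    r"(?P<endpoints>[\w.]+\[\d+\]-[\w.]+\[\d+\]) cookie:(?P<icookie>[0-9a-f]{16}):(?P<rcookie>[0-9a-f]{16})"
)
REASON_RE = re.compile(r"Due to (?P<reason>[^.]+)\.?")

ZERO_COOKIE = "0" * 16


def parse_ike_log(text: str) -> List[Dict[str, str]]:
    """Group lines into events; a line without a timestamp continues the previous event."""
    events: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "level": m["level"], "src": m["src"], "msg": m["msg"]})
        elif events:
            events[-1]["msg"] += " " + line
        else:  # continuation line with no parent: keep it rather than drop data
            events.append({"ts": "", "level": "", "src": "", "msg": line})
    return events


def diagnose(text: str) -> Dict[str, object]:
    """Summarise a phase-1 failure and say what the cookie pair implies about the peer."""
    result: Dict[str, object] = {
        "resends": 0, "phase": None, "role": None, "mode": None, "endpoints": None,
        "initiator_cookie": None, "responder_cookie": None, "reason": None,
        "peer_answered": None, "hint": None,
    }
    for ev in parse_ike_log(text):
        if RESEND_RE.search(ev["msg"]):
            result["resends"] = int(result["resends"]) + 1
        f = FAILED_RE.search(ev["msg"])
        if not f:
            continue
        result.update(phase=int(f["phase"]), role=f["role"].lower(), mode=f["mode"].lower())
        sa = SA_RE.search(ev["msg"])
        if sa:
            result.update(endpoints=sa["endpoints"], initiator_cookie=sa["icookie"],
                          responder_cookie=sa["rcookie"])
            # Responder cookie still all zeros => no reply from the peer was ever processed.
            result["peer_answered"] = sa["rcookie"] != ZERO_COOKIE
        r = REASON_RE.search(ev["msg"])
        if r:
            result["reason"] = r["reason"].strip().lower()
    result["hint"] = _hint(result)
    return result


def _hint(r: Dict[str, object]) -> str:
    if r["phase"] is None:
        return "no phase-1 failure found in this excerpt"
    if r["reason"] == "timeout" and r["peer_answered"] is False:
        return (f"peer never replied (responder cookie all zeros, {r['resends']} resend(s)): "
                "verify the peer is reachable and that the ike (UDP/500) and ipsec applications "
                "are allowed untrust-to-untrust in the security policy")
    if r["reason"] == "timeout":
        return ("peer replied at least once, so reachability is not the first suspect: compare the "
                "phase-1 proposals and have the remote peer initiate to get its side of the log")
    return f"phase-{r['phase']} failed as {r['role']}: {r['reason']}"


if __name__ == "__main__":
    for name, log in (("thread log", SAMPLE_LOG), ("constructed log", CONSTRUCTED_ANSWERED_LOG)):
        d = diagnose(log)
        print(f"{name}: phase {d['phase']} {d['mode']} mode as {d['role']}, "
              f"reason={d['reason']}, peer_answered={d['peer_answered']}")
        print("  hint:", d["hint"])
```

Run it as-is to see the two verdicts; to use it on a real PAN-OS export, pass the relevant lines of the ikemgr log to `diagnose()`. The parser is deliberately tolerant of the stray "i" after the last cookie in the thread's excerpt, since it only reads the 16 hex digits it expects.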

Not applicable

The security policy is not blocking the port.

If I ping the EC2 instance, the Palo Alto wants to establish the connection, but always gets the timeout failure.

Bad luck for me if nobody has a sample config...

L3 Networker

I would revisit the IKE config, as it looks like you are failing on P1. If all else fails, open a ticket with support; they can help you.

L6 Presenter

It would behoove you to have the remote peer initiate the traffic so that you can get more precise information from the syslogs as to why phase 1 is failing. It's all about matching phase1/phase2 crypto maps and at this point, we don't have much to go on. Otherwise, please open a case with Support so we can provide further assistance.
