IPSec Authentication with IOS 5.0 or Shrew Soft VPN (XAuth)

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

IPSec Authentication with IOS 5.0 or Shrew Soft VPN (XAuth)

L0 Member

I can complete phase 1 but then the tunnel terminates without a message witch would help me to find the problem.

2011-11-09 13:20:51 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION STARTED AS RESPONDER, AGGRESSIVE MODE <====
====> Initiated SA: 77.73.243.180[500]-178.83.248.50[55010] cookie:f170f45f0119ad13:b32d0b9e1e6e49e7 <====
2011-11-09 13:20:51 [INFO]: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2011-11-09 13:20:51 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
2011-11-09 13:20:51 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
2011-11-09 13:20:51 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2011-11-09 13:20:51 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2011-11-09 13:20:51 [INFO]: received Vendor ID: RFC 3947
2011-11-09 13:20:51 [INFO]: received Vendor ID: FRAGMENTATION
2011-11-09 13:20:51 [INFO]: received Vendor ID: DPD
2011-11-09 13:20:51 [INFO]: received Vendor ID: CISCO-UNITY
2011-11-09 13:20:51 [INFO]: Selected NAT-T version: RFC 3947
2011-11-09 13:20:51 [INFO]: Adding remote and local NAT-D payloads.
2011-11-09 13:20:51 [INFO]: Hashing 178.83.248.50[55010] with algo #2
2011-11-09 13:20:51 [INFO]: Hashing 77.73.243.180[500] with algo #2
2011-11-09 13:20:51 [PROTO_ERR]: ignore information because ISAKMP-SA has not been established yet.
2011-11-09 13:20:51 [INFO]: Hashing 77.73.243.180[4500] with algo #2
2011-11-09 13:20:51 [INFO]: NAT-D payload #0 doesn't match
2011-11-09 13:20:51 [INFO]: Hashing 178.83.248.50[55060] with algo #2
2011-11-09 13:20:51 [INFO]: NAT-D payload #1 doesn't match
2011-11-09 13:20:51 [INFO]: NAT detected: ME PEER
2011-11-09 13:20:51 [INFO]: Sending Xauth request
2011-11-09 13:20:51 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION SUCCEEDED AS RESPONDER, AGGRESSIVE MODE <====
====> Established SA: 77.73.243.180[4500]-178.83.248.50[55060] cookie:f170f45f0119ad13:b32d0b9e1e6e49e7 lifetime 3600 Sec <====
2011-11-09 13:21:51 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====
====> Expired SA: 77.73.243.180[4500]-178.83.248.50[55060] cookie:f170f45f0119ad13:b32d0b9e1e6e49e7i <====
2011-11-09 13:21:51 [INTERNAL_ERR]: ASSERT FAILED: (iph1->status == PHASE1ST_ESTABLISHED)
2011-11-09 13:21:51 [INFO]: ====> PHASE-1 SA DELETED <====
====> Deleted SA: 77.73.243.180[4500]-178.83.248.50[55060] cookie:f170f45f0119ad13:b32d0b9e1e6e49e7i <====

The clients terminates after the Established SA with vpn error. What could be the problem?

1 accepted solution

Accepted Solutions

unbelievable!!!

The New PANIOS 4.1.2 Fixed my Problems finaly!

View solution in original post

19 REPLIES 19

L3 Networker

Have you got a tick in the "skip auth on IKE rekey" option? if its selected try unselecting it and retry your connection. This is under the GP gateway screen general tab and belpw the group password fields.

Rod

Dosn't make a difference...same problem.

What means this error?

[INTERNAL_ERR]: ASSERT FAILED: (iph1->status == PHASE1ST_ESTABLISHED)

On my pa500 everything is working on the pa2050 nothing works out of the box. The Portal dosn't work on the external interface...had to use loopback plus nat rules...and now xauth dosn't work too...getting pretty frustated.

L3 Networker

I never got Shrew working, (didn't put that much effort in to it either). VPNC works like a charm though. I actually prefer VPNC as it is integrated with NetworkManager (I'm on a Ubuntu box).

Simply put in the following in the client:

Gateway: globlaprotect.company.com

Username (Most cases your LDAP/AD user account authenticating with Kerberos/LDAP)

Group name: sharedusername (xauth shared user in Palo)

Group Passwd:

Encryption Standard

NATT: Enabled

xAuth enabled, IPsec enabled, Skip Ike rekey = Palo Alto side of things.

@mccue:

question: are you using NAT-T? If so can you turn it off and try again?

Thanks,

Benjamin

Yes I use Nat-t and the funny thing again is, it works with my other customer. He is using a PA500..everything works on that pa500 where nothing seems to work on the pa2050.

I realy don't get it..the only difference in the config is that the customer on the pa500 has no inside nat on the external ip, where the customer on the pa2050 has inside nat on the ip..but not on port 80.443. 500, 4500. So it should not conflict...but then still i can't setup the gateway on the external interface directly (well i can but it is not reachable). And over a loopback interface it dosn't work somehow....

Mcue,

This issue is targeted to be fixed in 4.1.1.

Thanks

Is this a problem on the pa2050?

Globalprotect and everything works but from a ipad the ike phase1 goes trough but then no authentication starts.

@gsteiner:

my team and I did some testing in our lab last night running 4.1.0 PAN-OS on a 2050. We had no trouble connecting an iPad2 running iOS version 4.3.5 (8L1) to our 2050 Global Protect Gateway, authenticating and accessing resources behind the 2050. iPad was using WiFi (not 3G mobile/cellular).

-Benjamin

any idea where the problem could be? Ike Phase1 completes but then phase2 dosn't start, it just stays there till timeout.

Globalprotect and even Shrew Soft VPN is now working.

is there a log which i could monitor? i used

tail follow yes mp-log ikemgr.log

and

tail follow yes mp-log authd.log

but in the authd.log nothing comes up.

ipad version 5.0.1 (9a405)

btw. I use PSK

could this be a problem?

Nov 24 12:59:27 pan_authd_get_lock_cfg(pan_authd_ops.c:449): Profile Auth-Seq not found in sequence or profile db.
Nov 24 12:59:27 pan_authd_get_lock_cfg(pan_authd_ops.c:441): Auth Seq __dummy_%_admin_%_profile__ found. Max attempts=0, lockseconds=0.
Nov 24 12:59:27 pan_authd_get_lock_cfg(pan_authd_ops.c:449): Profile AUTH-SEQUENCE not found in sequence or profile db.
Nov 24 12:59:27 pan_authd_get_lock_cfg(pan_authd_ops.c:449): Profile AUTH-SEQUENCE not found in sequence or profile db.
Nov 24 13:00:25 cfgagent_opcmd_callback(pan_cfgagent.c:344): authd: cfg agent received op command from server
Nov 24 13:00:25 cfgagent_doop_callback(pan_cfgagent.c:378): received sigal to execute <operations xml="yes" type="union" handler="show_lockedusers_handler"><show type="union"><authentication type="union"><locked-users type="sequence"><is-seq type="enum">yes</is-seq></locked-users></authentication></show></operations>
Nov 24 13:00:52 cfgagent_opcmd_callback(pan_cfgagent.c:344): authd: cfg agent received op command from server
Nov 24 13:00:52 cfgagent_doop_callback(pan_cfgagent.c:378): received sigal to execute <request cmd="op" complete="/operations/set/management-server/unlock/admin" cookie="4985870072261854" handler="admin_unlock_complete_handler"/>
Nov 24 13:00:52 pan_authd_get_lock_cfg(pan_authd_ops.c:449): Profile Auth-Seq not found in sequence or profile db.
Nov 24 13:00:52 pan_authd_get_lock_cfg(pan_authd_ops.c:441): Auth Seq __dummy_%_admin_%_profile__ found. Max attempts=0, lockseconds=0.
Nov 24 13:00:52 pan_authd_get_lock_cfg(pan_authd_ops.c:449): Profile AUTH-SEQUENCE not found in sequence or profile db.
Nov 24 13:00:52 pan_authd_get_lock_cfg(pan_authd_ops.c:449): Profile AUTH-SEQUENCE not found in sequence or profile db.

Could it be that the Problem is Nat-t ? When I use Shrewsoft vpn client and turn off nat-t it is working, when i turn it on it dosn't work.

Hi,

We have one issue related to NAT-T which will be fixed in 4.1.1. For your issue I would suggest you to open up a support case so that we can review the log/debug information to determine if the issue you are seeing is the one which is going to be fixed or if this issue is a different one.

Thanks

Still the same issue, I can connect with the same IPAD to a PA500 running 4.1.0 but not to the PA2050 with 4.1.1

Shrew Soft VPN work with Nat-T or not on the PA500, but it dosn't work with Nat-T Port 4500 on the PA2050. It works only without Nat-t on the PA2050

Please this issue is bugging now for to long, i opened two ticket and they told me this is fixed in 4.1.1 and now the problem is still there..Am I realy the only one with this issue?

  • 1 accepted solution
  • 8612 Views
  • 19 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!