12-02-2023 08:18 PM
Hello Everyone,
I need your support to fix a FW-to-FW PA IPsec Phase 1 tunnel that is not connecting.
I have checked the settings with the vendor, and the configuration is the same at both ends.
Below are the debug logs from the PA:
2023-11-30 14:30:40.000 +0400 [DEBG]: { 3: }: 180 bytes from 5.41.58.98[500] to 215.70.10.151[500]
2023-11-30 14:30:40.000 +0400 [DEBG]: 5.41.58.98[500] - 215.70.10.151[500]:(nil) 1 times of 180 bytes message will be sent over socket 1024
2023-11-30 14:30:40.000 +0400 [DEBG]: { 3: }: resend phase1 packet 440c0aafbf89757a:29c7baa57f364bfa, retry 1
2023-11-30 14:30:40.004 +0400 [DEBG]: processing isakmp packet
2023-11-30 14:30:40.004 +0400 [DEBG]: ===
2023-11-30 14:30:40.004 +0400 [DEBG]: 92 bytes message received from 215.70.10.151
2023-11-30 14:30:40.004 +0400 [DEBG]: chk packet 50089829:20 size 92, rcp 2, NF rc -1
2023-11-30 14:30:40.004 +0400 [DEBG]: { 3: }: begin decryption.
2023-11-30 14:30:40.004 +0400 [DEBG]: { 3: }: encryption(3des)
2023-11-30 14:30:40.004 +0400 [DEBG]: { 3: }: IV was saved for next processing:
2023-11-30 14:30:40.004 +0400 [DEBG]: { 3: }: encryption(3des)
2023-11-30 14:30:40.004 +0400 [DEBG]: { 3: }: with key:
2023-11-30 14:30:40.004 +0400 [DEBG]: { 3: }: decrypted payload by IV:
2023-11-30 14:30:40.004 +0400 [DEBG]: { 3: }: decrypted payload, but not trimed.
2023-11-30 14:30:40.004 +0400 [DEBG]: { 3: }: padding len=209
2023-11-30 14:30:40.004 +0400 [DEBG]: { 3: }: decrypted.
2023-11-30 14:30:40.004 +0400 [DEBG]: { 3: }: begin.
2023-11-30 14:30:40.004 +0400 [DEBG]: { 3: }: seen nptype=5(id)
2023-11-30 14:30:40.004 +0400 [DEBG]: { 3: }: succeed.
2023-11-30 14:30:40.004 +0400 [PERR]: { 3: }: 5.41.58.98[500] - 215.70.10.151[500]:(nil) few isakmp message received.
2023-11-30 14:30:41.594 +0400 [DEBG]: processing isakmp packet
2023-11-30 14:30:41.594 +0400 [DEBG]: ===
2023-11-30 14:30:41.594 +0400 [DEBG]: 92 bytes message received from 215.70.10.151
2023-11-30 14:30:41.594 +0400 [DEBG]: chk packet 50089829:20 size 92, rcp 2, NF rc -1
2023-11-30 14:30:41.594 +0400 [DEBG]: { 3: }: begin decryption.
2023-11-30 14:30:41.594 +0400 [DEBG]: { 3: }: encryption(3des)
2023-11-30 14:30:41.594 +0400 [DEBG]: { 3: }: IV was saved for next processing:
2023-11-30 14:30:41.594 +0400 [DEBG]: { 3: }: encryption(3des)
2023-11-30 14:30:41.594 +0400 [DEBG]: { 3: }: with key:
2023-11-30 14:30:41.594 +0400 [DEBG]: { 3: }: decrypted payload by IV:
2023-11-30 14:30:41.594 +0400 [DEBG]: { 3: }: decrypted payload, but not trimed.
2023-11-30 14:30:41.594 +0400 [DEBG]: { 3: }: padding len=209
2023-11-30 14:30:41.594 +0400 [DEBG]: { 3: }: decrypted.
2023-11-30 14:30:41.594 +0400 [DEBG]: { 3: }: begin.
2023-11-30 14:30:41.594 +0400 [DEBG]: { 3: }: seen nptype=5(id)
2023-11-30 14:30:41.594 +0400 [DEBG]: { 3: }: succeed.
2023-11-30 14:30:41.594 +0400 [PERR]: { 3: }: 5.41.58.98[500] - 215.70.10.151[500]:(nil) few isakmp message received.
2023-11-30 14:30:42.000 +0400 [DEBG]: { 3: }: 180 bytes from 5.41.58.98[500] to 215.70.10.151[500]
2023-11-30 14:30:42.000 +0400 [DEBG]: 5.41.58.98[500] - 215.70.10.151[500]:(nil) 1 times of 180 bytes message will be sent over socket 1024
2023-11-30 14:30:42.000 +0400 [DEBG]: { 3: }: resend phase1 packet 440c0aafbf89757a:29c7baa57f364bfa, retry 2
2023-11-30 14:30:42.004 +0400 [DEBG]: processing isakmp packet
2023-11-30 14:30:42.004 +0400 [DEBG]: ===
2023-11-30 14:30:42.004 +0400 [DEBG]: 92 bytes message received from 215.70.10.151
2023-11-30 14:30:42.004 +0400 [DEBG]: chk packet 50089829:20 size 92, rcp 2, NF rc -1
2023-11-30 14:30:42.004 +0400 [DEBG]: { 3: }: begin decryption.
2023-11-30 14:30:42.004 +0400 [DEBG]: { 3: }: encryption(3des)
2023-11-30 14:30:42.004 +0400 [DEBG]: { 3: }: IV was saved for next processing:
2023-11-30 14:30:42.004 +0400 [DEBG]: { 3: }: encryption(3des)
2023-11-30 14:30:42.004 +0400 [DEBG]: { 3: }: with key:
2023-11-30 14:30:42.004 +0400 [DEBG]: { 3: }: decrypted payload by IV:
2023-11-30 14:30:42.004 +0400 [DEBG]: { 3: }: decrypted payload, but not trimed.
2023-11-30 14:30:42.004 +0400 [DEBG]: { 3: }: padding len=209
2023-11-30 14:30:42.005 +0400 [DEBG]: { 3: }: decrypted.
2023-11-30 14:30:42.005 +0400 [DEBG]: { 3: }: begin.
2023-11-30 14:30:42.005 +0400 [DEBG]: { 3: }: seen nptype=5(id)
2023-11-30 14:30:42.005 +0400 [DEBG]: { 3: }: succeed.
2023-11-30 14:30:42.005 +0400 [PERR]: { 3: }: 5.41.58.98[500] - 215.70.10.151[500]:(nil) few isakmp message received.
2023-11-30 14:30:43.000 +0400 [PNTF]: { 3: }: ====> PHASE-1 NEGOTIATION FAILED AS RESPONDER, MAIN MODE <====
====> Failed SA: 5.41.58.98[500]-215.70.10.151[500] cookie:3f32b1eb6993ebe3:12554596cd819655 <==== Due to timeout.
2023-11-30 14:30:43.000 +0400 [INFO]: { 3: }: ====> PHASE-1 SA DELETED <====
====> Deleted SA: 5.41.58.98[500]-215.70.10.151[500] cookie:3f32b1eb6993ebe3:12554596cd819655 <====
2023-11-30 14:30:43.000 +0400 [DEBG]: IV freed
Thanks
12-04-2023 06:43 AM
Looks like an issue with either the local/peer ID, or maybe the preshared secret (or security policy).
Is either of these devices behind a NAT gateway? If that's the case, you'll need to enable NAT traversal and configure local and peer IDs for the device behind NAT.
Else, try to reset your PSK.
Also double-check that both are set to the same IKE version.
Also check if IPsec is allowed via security policy on both sides.
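
One way to triage an IKE debug log like the one in the question against the checks suggested in the reply above, as an added example that is not part of the original thread. The function name `triage`, its result fields and the padding heuristic are assumptions of this example; the sample lines are excerpted from the posted log.

```python
import re

# Lines excerpted from the debug log posted in the question above.
SAMPLE = """\
2023-11-30 14:30:40.000 +0400 [DEBG]: { 3: }: resend phase1 packet 440c0aafbf89757a:29c7baa57f364bfa, retry 1
2023-11-30 14:30:40.004 +0400 [DEBG]: 92 bytes message received from 215.70.10.151
2023-11-30 14:30:40.004 +0400 [DEBG]: { 3: }: padding len=209
2023-11-30 14:30:40.004 +0400 [DEBG]: { 3: }: seen nptype=5(id)
2023-11-30 14:30:40.004 +0400 [PERR]: { 3: }: 5.41.58.98[500] - 215.70.10.151[500]:(nil) few isakmp message received.
2023-11-30 14:30:42.000 +0400 [DEBG]: { 3: }: resend phase1 packet 440c0aafbf89757a:29c7baa57f364bfa, retry 2
2023-11-30 14:30:43.000 +0400 [PNTF]: { 3: }: ====> PHASE-1 NEGOTIATION FAILED AS RESPONDER, MAIN MODE <====
====> Failed SA: 5.41.58.98[500]-215.70.10.151[500] cookie:3f32b1eb6993ebe3:12554596cd819655 <==== Due to timeout.
"""

LINE = re.compile(r"^\S+ \S+ \S+ \[(?P<level>[A-Z]+)\]: (?P<msg>.*)$")
RULES = {
    "retry": re.compile(r"resend phase1 packet \S+, retry (\d+)"),
    "rx_size": re.compile(r"(\d+) bytes message received from"),
    "padding": re.compile(r"padding len=(\d+)"),
    "failed": re.compile(r"PHASE-1 NEGOTIATION FAILED AS (\w+), (\w+) MODE"),
}

def triage(text):
    r = {"max_retry": 0, "perr": 0, "saw_encrypted_id": False, "bad_padding": False,
         "role": None, "mode": None, "timeout": False, "hints": []}
    last_rx = None
    for raw in text.splitlines():
        m = LINE.match(raw)
        msg = m.group("msg") if m else raw   # continuation lines carry no timestamp
        if m and m.group("level") == "PERR":
            r["perr"] += 1
        if (hit := RULES["retry"].search(msg)):
            r["max_retry"] = max(r["max_retry"], int(hit.group(1)))
        if (hit := RULES["rx_size"].search(msg)):
            last_rx = int(hit.group(1))
        if (hit := RULES["padding"].search(msg)) and last_rx is not None:
            # Heuristic (assumption): padding longer than the datagram is not a valid pad length.
            r["bad_padding"] |= int(hit.group(1)) > last_rx
        if "seen nptype=5(id)" in msg:
            r["saw_encrypted_id"] = True
        if (hit := RULES["failed"].search(msg)):
            r["role"], r["mode"] = hit.group(1).lower(), hit.group(2).lower()
        if "Due to timeout" in msg:
            r["timeout"] = True
    if r["saw_encrypted_id"] and r["perr"]:
        r["hints"].append("errors follow the encrypted ID payload: compare local/peer ID and PSK")
    if r["bad_padding"]:
        r["hints"].append("padding exceeds message size: decrypted data looks invalid, recheck the PSK")
    return r
```

Calling `triage(SAMPLE)` on the excerpt reports a responder-side main mode failure by timeout after two retransmits, with both hints set.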