10-21-2020 07:38 PM - edited 10-21-2020 07:41 PM
Hi,
I'm trying to set up an S2S between Palo Alto and Sophos XG, and so far it's been unsuccessful, as Palo Alto is not able to find a suitable proposal for the connection.
I've also tried following the KB here. (https://www.sophos.com/en-us/medialibrary/PDFs/documentation/SophosFirewall/Pocket-Guides/Establish-...)
I'm supposed to be using IKEv1, AES256-SHA256, DH5 and I've checked to make sure the settings on both Firewalls are aligned (IKE, encryption keys, preshared keys).
Below are the logs from Palo Alto for a connection coming in from Sophos. Any insight into interpreting the logs would be helpful.
2020-10-21 01:29:05.195 +0000 [PNTF]: { 54: }: ====> PHASE-1 NEGOTIATION STARTED AS RESPONDER, MAIN MODE <====
====> Initiated SA <====
[INFO]: { 54: }: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
[INFO]: { 54: }: received Vendor ID: DPD
[INFO]: { 54: }: received Vendor ID: CISCO-UNITY
[INFO]: { 54: }: received Vendor ID: FRAGMENTATION
[INFO]: { 54: }: received Vendor ID: RFC 3947
[INFO]: { 54: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
[PERR]: { 54: }: rejected hashtype: DB(prop#1:trns#1):Peer(prop#0:trns#1) = SHA1:SHA256
[PERR]: { 54: }: rejected dh_group: DB(prop#1:trns#1):Peer(prop#0:trns#1) = DH2:DH5
[PERR]: { 54: }: rejected enctype: DB(prop#1:trns#2):Peer(prop#0:trns#1) = 3DES:AES
[PERR]: { 54: }: rejected hashtype: DB(prop#1:trns#2):Peer(prop#0:trns#1) = SHA1:SHA256
[PERR]: { 54: }: rejected dh_group: DB(prop#1:trns#2):Peer(prop#0:trns#1) = DH2:DH5
[PERR]: { 54: }: rejected hashtype: DB(prop#1:trns#1):Peer(prop#0:trns#2) = SHA1:SHA256
[PERR]: { 54: }: rejected enctype: DB(prop#1:trns#2):Peer(prop#0:trns#2) = 3DES:AES
[PERR]: { 54: }: rejected hashtype: DB(prop#1:trns#2):Peer(prop#0:trns#2) = SHA1:SHA256
[PERR]: { 54: }: rejected hashtype: DB(prop#1:trns#1):Peer(prop#0:trns#3) = SHA1:SHA256
[PERR]: { 54: }: rejected dh_group: DB(prop#1:trns#1):Peer(prop#0:trns#3) = DH2:DH19
[PERR]: { 54: }: rejected enctype: DB(prop#1:trns#2):Peer(prop#0:trns#3) = 3DES:AES
[PERR]: { 54: }: rejected hashtype: DB(prop#1:trns#2):Peer(prop#0:trns#3) = SHA1:SHA256
[PERR]: { 54: }: rejected dh_group: DB(prop#1:trns#2):Peer(prop#0:trns#3) = DH2:DH19
[PERR]: { 54: }: rejected enctype: DB(prop#1:trns#1):Peer(prop#0:trns#4) = AES:TBD
[PERR]: { 54: }: rejected hashtype: DB(prop#1:trns#1):Peer(prop#0:trns#4) = SHA1:TBD
[PERR]: { 54: }: rejected dh_group: DB(prop#1:trns#1):Peer(prop#0:trns#4) = DH2:DH19
[PERR]: { 54: }: rejected enctype: DB(prop#1:trns#2):Peer(prop#0:trns#4) = 3DES:TBD
[PERR]: { 54: }: rejected hashtype: DB(prop#1:trns#2):Peer(prop#0:trns#4) = SHA1:TBD
[PERR]: { 54: }: rejected dh_group: DB(prop#1:trns#2):Peer(prop#0:trns#4) = DH2:DH19
[PERR]: { 54: }: no suitable proposal found.
[PERR]: { 54: }: (nil) failed to get valid proposal.
[PERR]: { 54: }: failed to process packet.
[INFO]: { 54: }: ====> PHASE-1 SA DELETED <====
====> Deleted SA <====
10-22-2020 02:26 AM
Is there a way for you to limit the proposals the Sophos is sending out, and could you post which config you have set on the PAN?
The log shows AES but no key size, so maybe it's proposing 128 instead of 256.
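As an added example (not code from either poster, Palo Alto or Sophos), a small Python reader for the "rejected" lines in the log above: each line records one attribute and the local (DB) and peer transform it was compared in, so the lines can be turned back into a picture of both sides' transforms, a list of what the local transform would have to change to accept a given peer transform, and a flag for ciphers logged without a key size, which is the point the reply raises.

```python
import re
from collections import defaultdict

# Sample input: "rejected" lines copied from the ikemgr log posted in this thread.
LOG = """\
[PERR]: { 54: }: rejected hashtype: DB(prop#1:trns#1):Peer(prop#0:trns#1) = SHA1:SHA256
[PERR]: { 54: }: rejected dh_group: DB(prop#1:trns#1):Peer(prop#0:trns#1) = DH2:DH5
[PERR]: { 54: }: rejected enctype: DB(prop#1:trns#2):Peer(prop#0:trns#1) = 3DES:AES
[PERR]: { 54: }: rejected hashtype: DB(prop#1:trns#2):Peer(prop#0:trns#1) = SHA1:SHA256
[PERR]: { 54: }: rejected dh_group: DB(prop#1:trns#2):Peer(prop#0:trns#1) = DH2:DH5
[PERR]: { 54: }: rejected enctype: DB(prop#1:trns#1):Peer(prop#0:trns#4) = AES:TBD
"""

# One rejection = one attribute, the local (DB) and peer transform compared, values as DB:Peer.
LINE = re.compile(
    r"rejected (?P<attr>\w+): DB\(prop#(?P<dp>\d+):trns#(?P<dt>\d+)\):"
    r"Peer\(prop#(?P<pp>\d+):trns#(?P<pt>\d+)\) = (?P<db>[^:\s]+):(?P<peer>\S+)"
)
ATTRS = ("enctype", "hashtype", "dh_group")

def parse_rejections(text):
    """Rebuild what the log reveals about each transform on both sides:
    {(side, prop, trns): {attr: value}}. Only rejected attributes are logged,
    so an attribute missing for a compared pair matched silently."""
    known = defaultdict(dict)
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            a = m.group("attr")
            known[("DB", int(m.group("dp")), int(m.group("dt")))][a] = m.group("db")
            known[("Peer", int(m.group("pp")), int(m.group("pt")))][a] = m.group("peer")
    return dict(known)

def gap(known, db_key, peer_key):
    """Attributes the local transform must change to accept the peer's, as
    {attr: (local, peer)}; 'TBD' means the firewall could not decode that value."""
    local, peer = known.get(db_key, {}), known.get(peer_key, {})
    return {a: (local[a], peer[a]) for a in ATTRS
            if a in local and a in peer and local[a] != peer[a]}

def no_keysize(known):
    """Transforms logged as bare 'AES': the key length is not shown, so a 128 vs 256
    mismatch is invisible in this log and must be checked in both configs."""
    return sorted(k for k, v in known.items() if v.get("enctype") == "AES")

if __name__ == "__main__":
    known = parse_rejections(LOG)
    print("DB trns#1 vs Peer trns#1:", gap(known, ("DB", 1, 1), ("Peer", 0, 1)))
    print("ciphers without key size:", no_keysize(known))
```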