08-18-2016 09:34 AM
Hi all,
I am trying to configure an IPSec tunnel between a PA-500 (version 7.1.4) and Vyatta.
Config seems to be OK, phase 1 is OK but the negotiation for phase 2 is blocked in "No Proposal chosen". I selected in phase 2 all the possibilities given by the Palo.
Has anybody already succeeded in doing that?
help .. please 🙂
Vincent
08-18-2016 09:46 AM
Hi Vince,
Could you please post the output of this command:
> tail lines 50 mp-log ikemgr.log
I believe your security policy permits IPSec traffic in both directions.
Thx,
Myky
08-18-2016 09:51 AM
Hi,
Thanks in advance for your help.
Here is the requested log.
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2016.08.18 18:48:36 =~=~=~=~=~=~=~=~=~=~=~=
admin@PADC(active)> tail lines 50 mp-log ikemgr.log
2016-08-18 18:46:42 [PROTO_ERR]: not matched
2016-08-18 18:46:42 [PROTO_ERR]: no suitable policy found.
2016-08-18 18:46:42 [INTERNAL_ERR]: failed to pre-process packet.
2016-08-18 18:46:52 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS RESPONDER, (QUICK MODE) <====
====> Initiated SA: 185.42.31.XXX[500]-31.193.53.XX[500] message id:0xEE340F87 <====
2016-08-18 18:46:52 [PROTO_ERR]: not matched
2016-08-18 18:46:52 [PROTO_ERR]: no suitable policy found.
2016-08-18 18:46:52 [INTERNAL_ERR]: failed to pre-process packet.
2016-08-18 18:47:12 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS RESPONDER, (QUICK MODE) <====
====> Initiated SA: 185.42.31.XXX[500]-31.193.53.XX[500] message id:0xEE340F87 <====
2016-08-18 18:47:12 [PROTO_ERR]: not matched
2016-08-18 18:47:12 [PROTO_ERR]: no suitable policy found.
2016-08-18 18:47:12 [INTERNAL_ERR]: failed to pre-process packet.
2016-08-18 18:47:12.795 +0200 ikemgr: panike_daemon phase 1 started, config size 33890
2016-08-18 18:47:12.828 +0200 ikemgr: panike_daemon phase 1 step 2 finished
2016-08-18 18:47:13.114 +0200 ikemgr: panike_daemon phase 1 step 4 finished
2016-08-18 18:47:13.114 +0200 pan IKE cfg phase-1 triggered.
2016-08-18 18:47:13 [INFO]: loading new config from /tmp/.njHLK5
2016-08-18 18:47:15.541 +0200 ikemgr: panike_daemon phase 1 step 5 finished
2016-08-18 18:47:15.541 +0200 ikemgr: panike_daemon phase 1 config change detected
2016-08-18 18:47:15.541 +0200 ikemgr: panike_daemon phase 1 finished with status 1
2016-08-18 18:47:44.823 +0200 ikemgr: panike_daemon phase 2 started
2016-08-18 18:47:44.823 +0200 pan IKE cfg phase-2 triggered.
2016-08-18 18:47:44 [INFO]: IKE gateway EOLAS changed, deleting SA
2016-08-18 18:47:44 [INFO]: ====> PHASE-1 SA DELETED <====
====> Deleted SA: 185.42.31.XXX[500]-31.193.53.XX[500] cookie:e30ae825f46753b9:9b520bc54bb0cad0 <====
2016-08-18 18:47:44.826 +0200 ikemgr: panike_daemon phase 2 finished
2016-08-18 18:47:44 [PROTO_ERR]: Informational exchange received from unknown peer.
2016-08-18 18:47:52 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION STARTED AS RESPONDER, MAIN MODE <====
====> Initiated SA: 185.42.31.XXX[500]-31.193.53.XX[500] cookie:b751989c866b52b4:7a4c9758629b8b91 <====
2016-08-18 18:47:52 [INFO]: received Vendor ID: CISCO-UNITY
2016-08-18 18:47:52 [INFO]: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2016-08-18 18:47:52 [INFO]: received Vendor ID: DPD
2016-08-18 18:47:52 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION SUCCEEDED AS RESPONDER, MAIN MODE <====
====> Established SA: 185.42.31.XXX[500]-31.193.53.XX[500] cookie:b751989c866b52b4:7a4c9758629b8b91 lifetime 28800 Sec <====
2016-08-18 18:47:52 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS RESPONDER, (QUICK MODE) <====
====> Initiated SA: 185.42.31.XXX[500]-31.193.53.XX[500] message id:0x93765356 <====
2016-08-18 18:47:52 [PROTO_ERR]: not matched
2016-08-18 18:47:52 [PROTO_ERR]: no suitable policy found.
2016-08-18 18:47:52 [INTERNAL_ERR]: failed to pre-process packet.
2016-08-18 18:48:02 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS RESPONDER, (QUICK MODE) <====
====> Initiated SA: 185.42.31.XXX[500]-31.193.53.XX[500] message id:0x93765356 <====
2016-08-18 18:48:02 [PROTO_ERR]: not matched
2016-08-18 18:48:02 [PROTO_ERR]: no suitable policy found.
2016-08-18 18:48:02 [INTERNAL_ERR]: failed to pre-process packet.
2016-08-18 18:48:22 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS RESPONDER, (QUICK MODE) <====
====> Initiated SA: 185.42.31.XXX[500]-31.193.53.XX[500] message id:0x93765356 <====
2016-08-18 18:48:22 [PROTO_ERR]: not matched
2016-08-18 18:48:22 [PROTO_ERR]: no suitable policy found.
2016-08-18 18:48:22 [INTERNAL_ERR]: failed to pre-process packet.
admin@PADC(active)>
IPSec is permitted.
V.
08-18-2016 11:06 AM
Hi V,
Thanks. On the Vyatta side, is it a policy-based or a route-based VPN?
Below is an example of a route-based config:
http://vyos.net/wiki/VTI_with_Palo_Alto
Please can you make sure you have the applications permitted in your policy: (ciscovpn, dtls, ipsec, ssl, open-vpn)
Thx,
Myky
08-19-2016 01:08 AM
Hi,
Thanks for the template. The fact is, if the VPN ends on a SonicWall it works; on the Palo it doesn't 😞
All the protocols needed are allowed (other VPNs are OK).
Maybe MD5??? I will ask to change from MD5 to SHA1 or more ...
I'll keep you in touch.
V.
08-19-2016 01:28 AM
Hello V,
Sure, try to tweak the IPSec crypto. Definitely something is not matching in Phase 2: Proxy-ID etc.
Let me know how it goes. Sorry, but I have never configured a VPN with Vyatta.
08-19-2016 01:36 AM
Hi,
Confirmed 🙂
Changed the config from MD5 to SHA1 ... and now, IT WORKS 🙂
Hope this info can be useful for all.
V.
08-19-2016 01:38 AM
Good stuff! Thanks for sharing this info.
03-29-2019 06:54 AM
Hi!
I had a similar case between a PA-3020 (PAN-OS 8.1.6) and a Cyberoam firewall.
The tunnel actually showed as up (so phase 2 was established), but no traffic was flowing through the tunnel. I noticed in the ikemgr.log file (in debug mode) the following lines, which hinted that some proposal is not suitable for this connection:
[PERR]: { : 5}: not matched
[PERR]: { : 5}: no suitable policy found.
[ERR ]: { : 5}: failed to pre-process packet.
We had SHA256 in use for phase 2 and we changed this to SHA1. After this the tunnel worked correctly and traffic went through it properly.
Märt
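Both posts above point at the same signature in ikemgr.log: Phase 1 succeeds, then every Phase 2 (Quick Mode) attempt ends in "not matched" / "no suitable policy found" / "failed to pre-process packet", which is the responder rejecting the peer's IPSec proposal (hash, encryption, DH group, lifetime or proxy-ID). The script below is an added example, not part of this thread and not a Palo Alto tool: it summarises a pasted chunk of ikemgr.log (retrieved for instance with `tail lines 50 mp-log ikemgr.log`) and flags the Phase 2 mismatch pattern. It handles both line formats quoted in the thread (the timestamped `[PROTO_ERR]:` style and the `[PERR]: { : 5}:` debug style). The sample log, peer addresses (RFC 5737 documentation ranges), cookies and message ids are constructed for the example.

```python
"""Summarise PAN-OS ikemgr.log output to spot a Phase 2 proposal mismatch.

Added example for this thread; the log text is assumed to be already
retrieved (e.g. with `tail lines 50 mp-log ikemgr.log`) and passed in as
a string or a file path. Not a Palo Alto Networks tool.
"""
import re
import sys
from dataclasses import dataclass, field

# Markers seen in the thread's log excerpts.
PHASE1_OK = re.compile(r"PHASE-1 NEGOTIATION SUCCEEDED")
PHASE2_START = re.compile(r"PHASE-2 NEGOTIATION STARTED")
PHASE2_OK = re.compile(r"PHASE-2 NEGOTIATION SUCCEEDED")
# Matches both "[PROTO_ERR]: no suitable policy found." and
# "[PERR]: { : 5}: no suitable policy found." (debug-mode format).
NO_POLICY = re.compile(r"no suitable policy found")
NOT_MATCHED = re.compile(r"\bnot matched\b")
# "====> Initiated SA: 203.0.113.10[500]-198.51.100.20[500] message id:0x... <===="
SA_PEERS = re.compile(r"SA: ([^\s\[]+)\[(\d+)\]-([^\s\[]+)\[(\d+)\]")

# Constructed sample log modelled on the thread's excerpts (addresses,
# cookies and message ids are placeholders, not real values).
SAMPLE_LOG = """\
2016-08-18 18:47:52 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION SUCCEEDED AS RESPONDER, MAIN MODE <====
====> Established SA: 203.0.113.10[500]-198.51.100.20[500] cookie:0000000000000001:0000000000000002 lifetime 28800 Sec <====
2016-08-18 18:47:52 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS RESPONDER, (QUICK MODE) <====
====> Initiated SA: 203.0.113.10[500]-198.51.100.20[500] message id:0x00000001 <====
2016-08-18 18:47:52 [PROTO_ERR]: not matched
2016-08-18 18:47:52 [PROTO_ERR]: no suitable policy found.
2016-08-18 18:47:52 [INTERNAL_ERR]: failed to pre-process packet.
2016-08-18 18:48:02 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS RESPONDER, (QUICK MODE) <====
====> Initiated SA: 203.0.113.10[500]-198.51.100.20[500] message id:0x00000001 <====
2016-08-18 18:48:02 [PROTO_ERR]: not matched
2016-08-18 18:48:02 [PROTO_ERR]: no suitable policy found.
2016-08-18 18:48:02 [INTERNAL_ERR]: failed to pre-process packet.
[PERR]: { : 5}: not matched
[PERR]: { : 5}: no suitable policy found.
[ERR ]: { : 5}: failed to pre-process packet.
"""


@dataclass
class IkeSummary:
    phase1_established: int = 0
    phase2_attempts: int = 0
    phase2_succeeded: int = 0
    not_matched: int = 0
    policy_failures: int = 0
    peers: set = field(default_factory=set)  # (local, remote) address pairs


def analyze_ikemgr(text: str) -> IkeSummary:
    """Count the Phase 1 / Phase 2 events and proposal rejections in the log text."""
    s = IkeSummary()
    for line in text.splitlines():
        if PHASE1_OK.search(line):
            s.phase1_established += 1
        elif PHASE2_START.search(line):
            s.phase2_attempts += 1
        elif PHASE2_OK.search(line):
            s.phase2_succeeded += 1
        elif NO_POLICY.search(line):
            s.policy_failures += 1
        elif NOT_MATCHED.search(line):
            s.not_matched += 1
        m = SA_PEERS.search(line)
        if m:
            s.peers.add((m.group(1), m.group(3)))
    return s


def diagnose(s: IkeSummary) -> str:
    """Map the counts to the failure mode discussed in the thread."""
    if s.policy_failures:
        # Responder rejected the peer's IPSec proposal: compare the IPSec
        # crypto profile (hash, encryption, DH group, lifetime) and proxy-IDs
        # on both ends. In the thread this was MD5 vs SHA1 / SHA256 vs SHA1.
        return "phase2-proposal-mismatch"
    if s.phase2_succeeded:
        return "tunnel-up"
    if not s.phase1_established:
        return "phase1-not-established"
    return "inconclusive"


if __name__ == "__main__":
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    summary = analyze_ikemgr(raw)
    print(summary)
    print("diagnosis:", diagnose(summary))
```

Run it with the path to a saved ikemgr.log excerpt, or with no argument to process the constructed sample. A result of `phase2-proposal-mismatch` with a non-zero `phase1_established` count is exactly the situation in this thread: IKE Phase 1 is fine and the fix lives in the IPSec crypto profile or proxy-IDs, not in the IKE gateway or the security policy.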