IpSec VPN between Palo and Vyatta

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

IpSec VPN between Palo and Vyatta

L5 Sessionator

Hi all,

 

I try to configure an IPSec tunnel between PA-500 (version 7.1.4) and vyatta.

Config seem to be ok, phase 1 is ok but nego for phase 2 is block in "No Proposal chosen". I select in phase 2 all possibility given by the palo.

 

Any body already succeed to do that ?

help .. please 🙂

 

Vincent

1 accepted solution

Accepted Solutions

Hi,

 

Confirmed 🙂

Change config from MD5 to SHA1 ... and now, IT WORKS 🙂

 

Hope this info can be usefull for all.

 

V.

View solution in original post

8 REPLIES 8

L6 Presenter

Hi Vince,

 

Please could you post output of this command:

 

> tail lines 50 mp-log ikemgr.log

 

I believe your security policy permit IPSec traffic both directions.

 

Thx,

Myky

Hi,

 

Thx in advance for your help.

Here the requested log.

 

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2016.08.18 18:48:36 =~=~=~=~=~=~=~=~=~=~=~=
tail admin@PADC(active)> tail lines admin@PADC(active)> tail lines 50 admin@PADC(active)> tail lines 50 mp-log admin@PADC(active)> tail lines 50 mp-log ikemgr.log
2016-08-18 18:46:42 [PROTO_ERR]: not matched
2016-08-18 18:46:42 [PROTO_ERR]: no suitable policy found.
2016-08-18 18:46:42 [INTERNAL_ERR]: failed to pre-process packet.
2016-08-18 18:46:52 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS RESPONDER, (QUICK MODE) <====
====> Initiated SA: 185.42.31.XXX[500]-31.193.53.XX[500] message id:0xEE340F87 <====
2016-08-18 18:46:52 [PROTO_ERR]: not matched
2016-08-18 18:46:52 [PROTO_ERR]: no suitable policy found.
2016-08-18 18:46:52 [INTERNAL_ERR]: failed to pre-process packet.
2016-08-18 18:47:12 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS RESPONDER, (QUICK MODE) <====
====> Initiated SA: 185.42.31.XXX[500]-31.193.53.XX[500] message id:0xEE340F87 <====
2016-08-18 18:47:12 [PROTO_ERR]: not matched
2016-08-18 18:47:12 [PROTO_ERR]: no suitable policy found.
2016-08-18 18:47:12 [INTERNAL_ERR]: failed to pre-process packet.
2016-08-18 18:47:12.795 +0200 ikemgr: panike_daemon phase 1 started, config size 33890
2016-08-18 18:47:12.828 +0200 ikemgr: panike_daemon phase 1 step 2 finished
2016-08-18 18:47:13.114 +0200 ikemgr: panike_daemon phase 1 step 4 finished
2016-08-18 18:47:13.114 +0200 pan IKE cfg phase-1 triggered.
2016-08-18 18:47:13 [INFO]: loading new config from /tmp/.njHLK5
2016-08-18 18:47:15.541 +0200 ikemgr: panike_daemon phase 1 step 5 finished
2016-08-18 18:47:15.541 +0200 ikemgr: panike_daemon phase 1 config change detected
2016-08-18 18:47:15.541 +0200 ikemgr: panike_daemon phase 1 finished with status 1
2016-08-18 18:47:44.823 +0200 ikemgr: panike_daemon phase 2 started
2016-08-18 18:47:44.823 +0200 pan IKE cfg phase-2 triggered.
2016-08-18 18:47:44 [INFO]: IKE gateway EOLAS changed, deleting SA
2016-08-18 18:47:44 [INFO]: ====> PHASE-1 SA DELETED <====
====> Deleted SA: 185.42.31.XXX[500]-31.193.53.XX[500] cookie:e30ae825f46753b9:9b520bc54bb0cad0 <====
2016-08-18 18:47:44.826 +0200 ikemgr: panike_daemon phase 2 finished
2016-08-18 18:47:44 [PROTO_ERR]: Informational exchange received from unknown peer.
2016-08-18 18:47:52 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION STARTED AS RESPONDER, MAIN MODE <====
====> Initiated SA: 185.42.31.XXX[500]-31.193.53.XX[500] cookie:b751989c866b52b4:7a4c9758629b8b91 <====
2016-08-18 18:47:52 [INFO]: received Vendor ID: CISCO-UNITY
2016-08-18 18:47:52 [INFO]: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2016-08-18 18:47:52 [INFO]: received Vendor ID: DPD
2016-08-18 18:47:52 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION SUCCEEDED AS RESPONDER, MAIN MODE <====
====> Established SA: 185.42.31.XXX[500]-31.193.53.XX[500] cookie:b751989c866b52b4:7a4c9758629b8b91 lifetime 28800 Sec <====
2016-08-18 18:47:52 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS RESPONDER, (QUICK MODE) <====
====> Initiated SA: 185.42.31.XXX[500]-31.193.53.XX[500] message id:0x93765356 <====
2016-08-18 18:47:52 [PROTO_ERR]: not matched
2016-08-18 18:47:52 [PROTO_ERR]: no suitable policy found.
2016-08-18 18:47:52 [INTERNAL_ERR]: failed to pre-process packet.
2016-08-18 18:48:02 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS RESPONDER, (QUICK MODE) <====
====> Initiated SA: 185.42.31.XXX[500]-31.193.53.XX[500] message id:0x93765356 <====
2016-08-18 18:48:02 [PROTO_ERR]: not matched
2016-08-18 18:48:02 [PROTO_ERR]: no suitable policy found.
2016-08-18 18:48:02 [INTERNAL_ERR]: failed to pre-process packet.
2016-08-18 18:48:22 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS RESPONDER, (QUICK MODE) <====
====> Initiated SA: 185.42.31.XXX[500]-31.193.53.XX[500] message id:0x93765356 <====
2016-08-18 18:48:22 [PROTO_ERR]: not matched
2016-08-18 18:48:22 [PROTO_ERR]: no suitable policy found.
2016-08-18 18:48:22 [INTERNAL_ERR]: failed to pre-process packet.
admin@PADC(active)>

 

Ipsec is permit.

 

V.

Hi V,

 

Thanks. Vyatta side policy or route base VPN? 

 

Below an example for route base config:

 

http://vyos.net/wiki/VTI_with_Palo_Alto

 

Please can you make sure you do have application permitted in your policy:  (ciscovpn, dtls, ipsec, ssl, open-vpn)

 

Thx,

Myky

Hi,

 

Thx for the template. The fact is f the VPN end on SonicWall, it works, on the palo it doesn't 😞

All protocol needed are allowed (other VPN are ok)

 

Maybe MD5 ??? I will ask to change from MD5 to sha1 or more ...

 

Keep you in touch.

 

V.

Hello V,

 

Sure try to tweak IPSec crypto. Deffenetly something is not matching  with Phase 2. Proxy-ID etc. 

let me know how it goes. Sorry but l have never configured VPN with Vyatta

Hi,

 

Confirmed 🙂

Change config from MD5 to SHA1 ... and now, IT WORKS 🙂

 

Hope this info can be usefull for all.

 

V.

Good stuff! Thx for sharing this info

L2 Linker

Hi!

 

I had similar case between PA-3020 (PanOS 8.1.6) and Cyberoam firewall.

Tunnel actually showed to be up (so phase 2 established), but no traffic was flowing through tunnel. I noticed in ikemgr.log (in debug mode) file following lines which hinted that some proposal is not suitable for this connection:

[PERR]: { : 5}: not matched
[PERR]: { : 5}: no suitable policy found.
[ERR ]: { : 5}: failed to pre-process packet. 

 

We had SHA256 in use for phase 2 and we changed this for SHA1- after this tunnel worked correctly and traffic went through it properly.

 

 

Märt

  • 1 accepted solution
  • 8030 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!