This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

IpSec VPN Phase1 negotiation problem

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

IpSec VPN Phase1 negotiation problem

Lacrymae
L1 Bithead

‎02-10-2021 12:05 AM

Hi All,

 

I have two 4G router and two ipsec vpn tunnel. Routers are exactly same.

VPN configs are exactly same (except Ips) one tunnel up and running but other one failed at Phase1

 

It gives me "IKE phase-1 negotiation is failed. Peer\'s ID payload 192.168.225.100 (type ipaddr) does not match a configured IKE gateway." error.

 

I global search on Palo Alto for 192.168.225 nothing return. So i have not any 192.168.225.xxx ip configuration in palo alto.

 

So this ip coming from 4G router? But not possible i think. Becase i configure it and router LAN is 192.168.30.0/24 so connected machine ip is 192.168.30.100

 

I am realy stuck at this point. Any help is appreciated.

 

Thanks.

0 Likes Likes
4 REPLIES 4

kiwi
Community Team Member

‎02-10-2021 02:40 AM

Hi @Lacrymae ,

 

The log is saying that the peer device is sending 192.168.225.100 as it's Local ID.  This ID doesn't match the IKE Gateway's Peer Identification you have configured on the PA.

 

I'd check the peer's local ID configuration.

 

Cheers,

-Kiwi.

 

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.
0 Likes Likes

Lacrymae
L1 Bithead
In response to kiwi

‎02-10-2021 06:02 AM

Hi @kiwi

 

I use Archer MR200 for ipsec VPN setup. Double check and device LAN setting details are;

 

Ip Address: 192.168.30.1

Subnet:255.255.255.0

DHCP: Enable

Ip Address Pool: 192.168.30.100 - 192.168.30.199

Default Gateway: 192.168.30.1

Primary DNS: 192.168.30.1

Secondary DNS: 8.8.8.8

 

How it could be?

 

Thanks.

0 Likes Likes

kiwi
Community Team Member
In response to Lacrymae

‎02-10-2021 07:01 AM

Hi @Lacrymae ,

 

I'm unfamiliar with Archer MR200 but I doubt that you'll find the local ID in your device LAN settings.

 

Try finding the VPN setting and search for IKE policy or IKE configuration which is where I would expect your local ID and remote/peer ID should be configured.

 

Hope it helps !

-Kiwi.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.
0 Likes Likes

Lacrymae
L1 Bithead
In response to kiwi

‎02-10-2021 09:05 PM

Hi @kiwi 

 

I check the VPN Router side and it s ok. Let me share the details;

 

Remote IPSec Gateway: Palo Alto WAN Ip

 

Tunnel Access from Local IP address: Subnet Address

IP Address for VPN: 192.168.30.0

Subnet Mask: 255.255.255.0

 

Tunnel access from remote IP addresses: Subnet Address

IP Address for VPN: 20.1.0.0

Subnet Mask: 255.255.255.0

 

Phase 1 Configs

Mode: Main

Local Identifier Type: Local WAN IP

Remote Identifier Type: Remote WAN IP

 

Everythings look fine. I don't understand where came this 192.168.225.100 ip from 😞

 

0 Likes Likes
  • 5056 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks