IpSec VPN Phase1 negotiation problem

Hi All,

 

I have two 4G routers and two IPsec VPN tunnels. The routers are exactly the same.

The VPN configs are exactly the same (except the IPs); one tunnel is up and running, but the other one fails at Phase 1.

 

It gives me the error "IKE phase-1 negotiation is failed. Peer's ID payload 192.168.225.100 (type ipaddr) does not match a configured IKE gateway."

 

I did a global search on the Palo Alto for 192.168.225 and nothing was returned. So I don't have any 192.168.225.xxx IP configured in the Palo Alto.

 

So is this IP coming from the 4G router? But I think that is not possible, because I configured it and the router LAN is 192.168.30.0/24, so the connected machine's IP is 192.168.30.100.

 

I am really stuck at this point. Any help is appreciated.

 

Thanks.


Hi @Lacrymae ,

 

The log is saying that the peer device is sending 192.168.225.100 as its Local ID. This ID doesn't match the IKE Gateway's Peer Identification you have configured on the PA.

 

I'd check the peer's local ID configuration.

 

Cheers,

-Kiwi.

 

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.
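To make Kiwi's reading of the log concrete, here is a small added example (not from the thread or from PAN-OS) that parses the quoted IKE log message, extracts the peer ID the remote side actually sent, and compares it with the Peer Identification values configured on the firewall. The gateway names, the 203.0.113.x peer addresses and the second log line are constructed placeholders, and the private-address flag is an added heuristic: an RFC 1918 address as the peer's ID means the peer is not identifying itself by the public WAN address the gateway expects.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

# Regex for the PAN-OS IKE log text quoted in the thread.
PEER_ID_MISMATCH = re.compile(
    r"Peer's ID payload (?P<peer_id>\S+) \(type (?P<id_type>\w+)\) "
    r"does not match a configured IKE gateway"
)

# Constructed sample: IKE gateway name -> Peer Identification configured on the
# firewall. Addresses are documentation placeholders, not values from the thread.
GATEWAYS = {"ike-gw-site-a": "203.0.113.10", "ike-gw-site-b": "203.0.113.20"}

# Constructed sample log lines; the first reuses the message from the thread.
SAMPLE_LOGS = [
    "IKE phase-1 negotiation is failed. Peer's ID payload 192.168.225.100 "
    "(type ipaddr) does not match a configured IKE gateway.",
    "IKE phase-1 SA is established.",
]

class Mismatch(NamedTuple):
    peer_id: str          # what the peer actually sent as its local ID
    id_type: str          # ipaddr, fqdn, ufqdn or keyid
    configured: tuple     # peer IDs the firewall would have accepted
    private_source: bool  # True if the ID is an RFC 1918 / non-global address

def diagnose(log_line: str, gateways: dict = GATEWAYS) -> Optional[Mismatch]:
    """Return a Mismatch for an ID-mismatch log line, None for any other line."""
    m = PEER_ID_MISMATCH.search(log_line)
    if m is None:
        return None
    peer_id, id_type = m.group("peer_id"), m.group("id_type")
    private = False
    if id_type == "ipaddr":
        try:
            # Private ID => peer is not presenting the public WAN IP the gateway expects.
            private = ipaddress.ip_address(peer_id).is_private
        except ValueError:
            pass  # malformed address: leave private_source False
    return Mismatch(peer_id, id_type, tuple(sorted(gateways.values())), private)

def report(log_line: str) -> str:
    m = diagnose(log_line)
    if m is None:
        return "no IKE peer-ID mismatch in this line"
    where = "a private address as its ID" if m.private_source else "an unexpected ID"
    return (f"peer sent {where} ({m.peer_id}, {m.id_type}); expected one of "
            f"{list(m.configured)}: check the peer's Local ID setting")
```

Running `report()` over the thread's log line points straight at the peer's Local ID setting, which is the check Kiwi recommends.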

Hi @kiwi

 

I use an Archer MR200 for the IPsec VPN setup. I double checked, and the device LAN settings are:

 

IP Address: 192.168.30.1

Subnet: 255.255.255.0

DHCP: Enabled

IP Address Pool: 192.168.30.100 - 192.168.30.199

Default Gateway: 192.168.30.1

Primary DNS: 192.168.30.1

Secondary DNS: 8.8.8.8

 

How could that be?

 

Thanks.


Hi @Lacrymae ,

 

I'm unfamiliar with the Archer MR200, but I doubt that you'll find the local ID in your device LAN settings.

 

Try finding the VPN settings and look for the IKE policy or IKE configuration, which is where I would expect your local ID and remote/peer ID to be configured.

 

Hope it helps!

-Kiwi.


Hi @kiwi

 

I checked the VPN router side and it's OK. Let me share the details:

 

Remote IPSec Gateway: Palo Alto WAN Ip

 

Tunnel Access from Local IP address: Subnet Address

IP Address for VPN: 192.168.30.0

Subnet Mask: 255.255.255.0

 

Tunnel access from remote IP addresses: Subnet Address

IP Address for VPN: 20.1.0.0

Subnet Mask: 255.255.255.0

 

Phase 1 Configs

Mode: Main

Local Identifier Type: Local WAN IP

Remote Identifier Type: Remote WAN IP

 

Everything looks fine. I don't understand where this 192.168.225.100 IP came from 😞
