11-15-2015 10:32 AM
In this setup, I'm trying to configure a site-to-site VPN between a PA and a Cisco 3G router (whose IP address will be dynamic). I'm unable to get the tunnel working. When I run the command 'show vpn ike-sa gateway <gatewayname>', I get no information about the tunnel. It doesn't even seem to know about the tunnel.
Any ideas please?
11-15-2015 01:53 PM
Initiate traffic towards Palo.
Go to system log.
What error do you see there?
11-16-2015 02:36 AM
Hi,
I've tried initiating traffic to the Palo. In the system logs, I get: 'IKE phase-1 negotiation is failed. Couldn't find configuration for IKE phase-1 request for peer IP '
I've not configured a static peer IP as this is a 3G router, so I'm not sure what the problem here would be.
11-16-2015 03:23 AM
I think your problem is the ID for phase 1 for the remote peer. Instead of the IP address being used as the ID, select for example User FQDN as the peer identification, then configure the same settings on the Cisco as well. I also set the PA in such a case to 'passive mode', as it cannot be the initiator anyway (as the remote peer has a dynamic IP).
11-16-2015 04:39 AM
Hi Santonic,
Thanks for your contribution. As it is a 3G router, can a User FQDN be configured? And what would it resolve to?
11-16-2015 05:30 AM
Don't know anything about the router you have there. You have to check what it supports as IPSec ID.
User FQDN can be an email address. Basically it doesn't check anything; just the strings on both sides have to match. So think of it as a second password of sorts.
11-25-2015 01:24 AM
I have now been able to get Phase 1 of the VPN working. Instead of using a Policy-based VPN, I have configured a Route-based VPN using Tunnel interfaces at both sides.
I am still having a problem with Phase 2. I get the below error when pinging from one side to the other:
'IKE phase-2 negotiation failed when processing proxy ID. cannot find matching phase-2 tunnel for received proxy ID'
I've defined the address ranges I expect to communicate between both sides in the Proxy ID but still get this error.
Any thoughts anyone?
11-25-2015 02:09 AM
Is this the full error you get?
The proxy ID error in the system log should tell you exactly what the other end sends.
So you can configure your Phase 2 accordingly.
Can you paste the full proxy ID error here?
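The two system-log messages quoted in this thread point at different configuration objects: the phase-1 "couldn't find configuration" message means no IKE gateway matched the peer (with a dynamic peer, identification has to be by ID rather than IP, as suggested above), while the phase-2 message carries the proxy ID the peer actually sent, which has to match a configured local/remote pair exactly. The following Python script is an added example, not code from the thread or from Palo Alto Networks; the log lines, peer IP and subnets are constructed, and it assumes the log reports the received pair from the firewall's perspective.

```python
import ipaddress
import re

# Constructed sample system-log entries, modelled on the two errors quoted in
# the thread. The peer IP and subnets are invented, not from a real firewall.
SAMPLE_LOGS = [
    "IKE phase-1 negotiation is failed. Couldn't find configuration for "
    "IKE phase-1 request for peer IP 203.0.113.7[500]",
    "IKE phase-2 negotiation failed when processing proxy ID. cannot find "
    "matching phase-2 tunnel for received proxy ID. Received local id: "
    "192.168.10.0/24 type IPv4_subnet protocol 0 port 0, received remote id: "
    "10.20.0.0/16 type IPv4_subnet protocol 0 port 0.",
]

# Proxy IDs configured on the firewall's IPSec tunnel (hypothetical values),
# as (local subnet, remote subnet) pairs from the firewall's point of view.
CONFIGURED_PROXY_IDS = [("192.168.10.0/24", "10.20.0.0/24")]

# Assumed log layout: the pair is reported from the firewall's perspective.
PROXY_RE = re.compile(r"Received local id: (\S+) .*?received remote id: (\S+) ")


def classify(line):
    """Point each failure at the configuration object that has to change."""
    if "phase-1" in line and "Couldn't find configuration" in line:
        # No IKE gateway matched the peer. With a dynamic peer address the
        # gateway must identify the peer by ID (e.g. User FQDN), not by IP.
        return "ike-gateway-peer-id"
    if "phase-2" in line and "proxy ID" in line:
        return "ipsec-tunnel-proxy-id"
    return "other"


def check_proxy_id(line, configured=CONFIGURED_PROXY_IDS):
    """Compare the proxy ID the peer sent with the configured pairs.

    The pair must match exactly; a configured pair that only overlaps the
    received one is flagged separately so the reader sees why it still fails.
    """
    m = PROXY_RE.search(line)
    if not m:
        return None
    rx_local, rx_remote = (ipaddress.ip_network(g) for g in m.groups())
    overlap = False
    for cfg_local, cfg_remote in configured:
        cl, cr = ipaddress.ip_network(cfg_local), ipaddress.ip_network(cfg_remote)
        if (cl, cr) == (rx_local, rx_remote):
            return {"status": "match", "needed": None}
        overlap = overlap or (cl.overlaps(rx_local) and cr.overlaps(rx_remote))
    status = "overlap-only" if overlap else "no-match"
    return {"status": status, "needed": (str(rx_local), str(rx_remote))}
```

Run against the sample entries, the phase-2 line reports "overlap-only" with the exact pair (192.168.10.0/24, 10.20.0.0/16) that would need to be added as a proxy ID.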