using vpnc with Palo Alto 4.1 IPSEC/Xauth

Not applicable

It seems like the freely and widely available vpnc client should work just fine with the Palo Alto IPsec/Xauth setup; however, I must be missing something. I have it working with the iPad with the shared secret + XAUTH with group/password, but with vpnc on Linux I get this in the system log:

IKE phase-1 negotiation is failed. Couldn't find configuration for failed IKE phase-1 request for peer IP $IP_ADDRESS[500], ID  keyid:646473726573



All Replies
Not applicable

One thing of note: I see the UDP 500 ISAKMP queries going to the Palo Alto, but no replies coming back. This may be normal given the message.

Not applicable

I got it working with vpnc. It seems like it may have been a case sensitivity or other issue in the group password that was hidden by the opacity of the log message.

L4 Transporter

Any chance you can post how? Think this would work with AnyConnect?

Not applicable

Here are the instructions for Debian:

  1. As root: apt-get install vpnc
  2. Add the following to /etc/vpnc.conf:

IPSec gateway <your gateway>
IPSec ID <group name>
IKE Authmode psk
NAT Traversal Mode natt
IPSec secret <your secret>
Xauth interactive

I don't know if it will work with AnyConnect, but it works fine with vpnc and strongSwan, modulo Linux kernel bugs with forced re-keying and disconnects.

Ubuntu:

  1. As root: apt-get install network-manager-strongswan
  2. Then add a new VPN connection from the NetworkManager GUI and select the IPsec/IKE type.
  3. Configuration options are the same as for vpnc.

Fedora, CentOS, RHEL and other RPM-based distros:

  1. As root: yum install vpnc
  2. Add the following to /etc/vpnc/<policy>.conf

sudo vpnc <policy>

Replace <policy> with whatever you want to call your VPN connection.

-----

The following may be useful to help with disconnects:

/etc/vpnc/desres.conf: DPD idle timeout (our side) 0

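As an added example that is not part of this thread and not vpnc's own tooling: a POSIX sh script with two helpers around the procedure above. write_vpnc_policy writes a policy file with the directives from the answer (plus the DPD line suggested for disconnects) and keeps it owner-read/write only, since the file carries the group pre-shared key. decode_keyid turns the hex keyid that the firewall logged in the original post (646473726573) back into text so it can be compared, character for character, with the IPSec ID the client is configured to send. The function names, the directory argument and the gateway/group/policy values in the usage comments are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread): set up a vpnc policy file the way the
# accepted answer describes, and decode the IKE "keyid" that a Palo Alto logs
# when phase 1 fails so it can be checked against the configured IPSec ID.

# decode_keyid HEX
# The firewall logs the peer's IKE identity as hex, e.g. "keyid:646473726573".
# vpnc sends its "IPSec ID" value as that identity, so decoding the hex shows
# exactly which group name (spelling and case included) reached the gateway.
decode_keyid() {
    hex=$1
    case $hex in
        ''|*[!0-9a-fA-F]*)
            echo "decode_keyid: '$hex' is not a hex string" >&2; return 1 ;;
    esac
    [ $(( ${#hex} % 2 )) -eq 0 ] || {
        echo "decode_keyid: odd-length hex string" >&2; return 1; }
    out=""
    while [ -n "$hex" ]; do
        pair=${hex%"${hex#??}"}                 # first two hex digits
        hex=${hex#??}                           # drop them from the input
        oct=$(printf '%03o' "$((0x$pair))")     # byte value as an octal escape
        out="$out$(printf "\\$oct")"
    done
    printf '%s\n' "$out"
}

# write_vpnc_policy DIR NAME GATEWAY GROUP SECRET
# Writes DIR/NAME.conf with the directives from the accepted answer plus the
# DPD line suggested for disconnects. With DIR=/etc/vpnc the file is picked
# up by "vpnc NAME". The file holds the group pre-shared key, so it is
# created owner-read/write only (umask 077 in a subshell, then chmod 600).
write_vpnc_policy() {
    dir=$1 name=$2 gateway=$3 group=$4 secret=$5
    file="$dir/$name.conf"
    (
        umask 077
        {
            printf 'IPSec gateway %s\n' "$gateway"
            printf 'IPSec ID %s\n' "$group"
            printf 'IKE Authmode psk\n'
            printf 'NAT Traversal Mode natt\n'
            printf 'IPSec secret %s\n' "$secret"
            printf 'Xauth interactive\n'
            printf 'DPD idle timeout (our side) 0\n'
        } > "$file"
    ) || return 1
    chmod 600 "$file"
    printf '%s\n' "$file"
}

# Usage (placeholder values; run as root when DIR is /etc/vpnc):
#   write_vpnc_policy /etc/vpnc office vpn.example.com office-users 'the-group-secret'
#   sudo vpnc office
# Troubleshooting: paste the hex from the firewall's "ID keyid:..." log field:
#   decode_keyid 646473726573
```

Comparing the decoded value with the IPSec ID on the client and the group name configured on the firewall rules the identifier in or out before the shared secret is suspected; the firewall's own message only says that no matching configuration was found.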

L4 Transporter

Just FYI I was able to get vpnc working on both Linux and Mac... XAUTH works great.

L4 Transporter

Great suggestion, there is a vpnc for Windows and Mac.
