using vpnc with Palo Alto 4.1 IPSEC/Xauth

DougHughes1 · ‎02-18-2012

It seems like the freely and widely available vpnc client should work just fine with the palo alto ipsec/xauth setup, however I must be missing something. I have it working with IPAD with the shared secret + XAUTH with group/password, but with vpnc on linux I get this in the system log:

IKE phase-1 negotiation is failed. Couldn't find configuration for failed IKE phase-1 request for peer IP $IP_ADDRESS[500], ID keyid:646473726573

DougHughes1 · ‎03-04-2013

Here are the instructions for debian:

as root apt-get install vpnc
And add the following to /etc/vpnc.conf

IPSec gateway <your gateway>

IPSec ID <group name>

IKE Authmode psk

NAT Traversal Mode natt

IPSec secret <your secret>

Xauth interactive

I don't know if it will work with AnyConnect, but it works fine with vpnc and StrongSwan, modulo linux kernel bugs with forced re-keying and disconnects.

Ubuntu:

as root apt-get install network-manager-strongswan
Then, add a new VPN connection from the NetworkManager GUI and select the IPsec/IKE type.
Configuration options are the same as for VPNC

Fedora, Centos, RHEL and other rpm based distros

as root yum install vpnc
and add the following to /etc/vpnc/<policy>.conf

sudo vpnc <policy>

replace <policy> with whatever you want to call your vpn connection.

-----

the following may be useful to help with disconnects:

/etc/vpnc/desres.conf: DPD idle timeout (our side) 0

View solution in original post

DougHughes1 · ‎02-18-2012

one thing of note. I see the udp 500 isakmp queries going to the palo alto, but no replies coming back. This may be normal given the message.

DougHughes1 · ‎02-18-2012

I got it working with vpnc. It seems like it may have been a case sensitivity or other issue in the group password that was hidden by the opacity of the log message.

amansour · ‎03-04-2013

Any chance you can post how? Think this would work with Anyconnect?

DougHughes1 · ‎03-04-2013