using vpnc with Palo Alto 4.1 IPSEC/Xauth


It seems like the freely and widely available vpnc client should work just fine with the Palo Alto IPsec/XAuth setup; however, I must be missing something. I have it working with an iPad using the shared secret + XAuth with group/password, but with vpnc on Linux I get this in the system log:

IKE phase-1 negotiation is failed. Couldn't find configuration for failed IKE phase-1 request for peer IP $IP_ADDRESS[500], ID  keyid:646473726573

Accepted Solutions

Here are the instructions for Debian:

  1. as root apt-get install vpnc
  2. And add the following to /etc/vpnc.conf

     IPSec gateway <your gateway>
     IPSec ID <group name>
     IKE Authmode psk
     NAT Traversal Mode natt
     IPSec secret <your secret>
     Xauth interactive

I don't know if it will work with AnyConnect, but it works fine with vpnc and StrongSwan, modulo Linux kernel bugs with forced re-keying and disconnects.

Ubuntu:

  1. as root apt-get install network-manager-strongswan
  2. Then, add a new VPN connection from the NetworkManager GUI and select the IPsec/IKE type.
  3. Configuration options are the same as for vpnc.

Fedora, CentOS, RHEL and other rpm-based distros:

  1. as root yum install vpnc
  2. and add the following to /etc/vpnc/<policy>.conf
  3. sudo vpnc <policy>

Replace <policy> with whatever you want to call your VPN connection.

-----

The following may be useful to help with disconnects:

/etc/vpnc/desres.conf: DPD idle timeout (our side) 0
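Two things a practitioner would want around the recipe above, as an added example that is not part of the accepted answer or of vpnc itself: the policy file holds the group PSK in clear text, so it should be written with owner-only permissions, and the "ID keyid:<hex>" in the firewall's phase-1 failure log is the ASCII group name the client actually sent, which decodes the "opaque" message into a direct comparison against the group configured on the firewall. The gateway name, group name, secret and the firewall-side group name used below are placeholders, and the sample log line is constructed from the one quoted in the question; a real policy file goes under /etc/vpnc/ rather than the temporary directory the demo writes to.

```python
# Added example (not from the original thread): build the vpnc policy file
# from the accepted answer, store it with 0600 permissions because it holds
# the group PSK in clear text, and decode the "keyid:<hex>" the firewall logs
# so a group-name mismatch (including a case mismatch) becomes visible.
import os
import re
import stat
import tempfile

# Keywords as vpnc spells them, longest first so that prefix matching is
# unambiguous. "DPD idle timeout (our side)" is the disconnect tip from the answer.
KNOWN_KEYS = sorted(
    [
        "IPSec gateway", "IPSec ID", "IKE Authmode", "NAT Traversal Mode",
        "IPSec secret", "Xauth interactive", "Xauth username", "Xauth password",
        "DPD idle timeout (our side)",
    ],
    key=len, reverse=True,
)

# Constructed sample of the PAN-OS system-log line quoted in the question.
# The peer IP is a documentation address; the keyid hex is the one from the thread.
SAMPLE_LOG = ("IKE phase-1 negotiation is failed. Couldn't find configuration for "
              "failed IKE phase-1 request for peer IP 203.0.113.10[500], "
              "ID keyid:646473726573")

KEYID_RE = re.compile(r"\bkeyid:([0-9a-fA-F]+)")


def render_vpnc_conf(gateway, group_id, secret, dpd_idle=None):
    """Emit the policy file exactly as the accepted answer lays it out."""
    lines = [
        f"IPSec gateway {gateway}",
        f"IPSec ID {group_id}",      # must match the firewall's group name byte for byte
        "IKE Authmode psk",
        "NAT Traversal Mode natt",
        f"IPSec secret {secret}",    # group PSK, stored in clear text
        "Xauth interactive",         # prompt for the per-user XAuth credentials
    ]
    if dpd_idle is not None:
        lines.append(f"DPD idle timeout (our side) {dpd_idle}")
    return "\n".join(lines) + "\n"


def parse_vpnc_conf(text):
    """Parse a vpnc policy file into {keyword: value}; unknown keywords are an error."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for key in KNOWN_KEYS:
            if line == key or line.startswith(key + " "):
                conf[key] = line[len(key):].strip()
                break
        else:
            raise ValueError(f"unknown vpnc keyword in line: {line!r}")
    return conf


def make_policy_dir():
    """Scratch directory standing in for /etc/vpnc in this demo."""
    return tempfile.mkdtemp()


def write_policy(policy_dir, policy, text):
    """Write <policy_dir>/<policy>.conf readable by its owner only (it holds the PSK)."""
    path = os.path.join(policy_dir, policy + ".conf")
    # The O_CREAT mode only applies to a newly created file; the chmod afterwards
    # also tightens a pre-existing file that was created with looser permissions.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, 0o600)
    return path


def policy_mode(path):
    """Permission bits of a policy file, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def decode_keyid(hex_id):
    """The firewall logs the peer's IKE ID as hex; for a KEY_ID it is the group name in ASCII."""
    return bytes.fromhex(hex_id).decode("ascii", errors="replace")


def check_group_id(log_line, expected_group):
    """Compare the group name the client sent with the one configured on the firewall.

    Returns None (no keyid in the line), 'match', 'case-mismatch' or 'mismatch'.
    """
    m = KEYID_RE.search(log_line)
    if not m:
        return None
    sent = decode_keyid(m.group(1))
    if sent == expected_group:
        return "match"
    if sent.lower() == expected_group.lower():
        return "case-mismatch"
    return "mismatch"


if __name__ == "__main__":
    # Hypothetical gateway, group and secret; the firewall-side group name is assumed.
    text = render_vpnc_conf("vpn.example.net", "ddsres", "example-psk", dpd_idle=0)
    path = write_policy(make_policy_dir(), "ddsres", text)
    print(path, oct(policy_mode(path)))
    print("client sent group:", decode_keyid("646473726573"))  # ddsres
    print(check_group_id(SAMPLE_LOG, "DDSres"))  # case-mismatch
```

Running it prints the scratch path with mode 0o600, then "ddsres", which is what 646473726573 spells: whatever group name the firewall has configured must match that string exactly, so a case-only difference shows up as "case-mismatch" rather than as an unexplained phase-1 failure.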


One thing of note: I see the UDP 500 ISAKMP queries going to the Palo Alto, but no replies coming back. This may be normal given the message.

I got it working with vpnc. It seems like it may have been a case-sensitivity or other issue in the group password that was hidden by the opacity of the log message.

Any chance you can post how? Think this would work with AnyConnect?

Just FYI, I was able to get vpnc working on both Linux and Mac... XAUTH works great.

Great suggestion; there is a vpnc for Windows and Mac.
