I am trying to establish a successful VPN connection between my Palo Alto firewall and a Check Point firewall. The VPN tunnel on the Palo Alto side shows all green for phase 1 and 2, however on the Check Point side I keep getting a failure per the log "IKE failure no response from peer".
In the "Monitor" > "System" log of the Palo Alto the message I am seeing is "ike-nego-p2-proxy-id-bad" "IKE phase-2 negotiation failed when processing proxy ID. cannot find matching phase-2 tunnel for received proxy ID. received local ID 10.30.30.0/24 type IPv_4_subnet protocol 0 port 0, received remote id: 10.10.10.0/24 type IPv4_subnet protocol 0 port 0.
On the Check Point side the local network is the 10.10.10.0/24. I am using a "encryption domain" on the Check Point.
I do not have any Proxy ID's configured on the Palo Alto side. I am under the impression that routing the traffic for destination 10.10.10.0/24 to the tunnel interface as a static route is all that is needed to identify the remote private network.
On the Palo Alto for the IKE crypto profile I am using Suite-B-GCM-128, and IPSec Crypto Profile Suite-B-GCM-128.
I have tried a proxy ID on the palo alto side with local being 10.30.30.0/24 (the local Palo Alto private network) and remote 10.10.10.0/24 (the Check Point side private network) and that brought the tunnel on the Palo Alto side down. After this I only have a green light for IKE Info under status of the IPsec Tunnels area.
Double check your phase1 and 2 match.
And troubleshooting guide.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!