Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
08-24-2017 06:27 AM
Hi,
I keep having issues with my IPSec sts VPN. Always have a No proposal chosen message on the Phase 2 proposal.
And then P2 proposal fails due to timeout.
I read that it could be IPSec crypto settings or proxy ID that don't match.
Proxy IDs are OK because when I put non-existing network, I don't have these messages.
Encryption settings seem also well configured.
Here is the Fortigate P2 that was working before :
Here is the Palo Alto config that i'm trying to make working :
08-25-2017 06:04 AM
Have you tried Group 5 for PFS? Just because the Fortigate had both groups 14 and 5 enabled doesn't mean the other side will accept both
08-24-2017 06:48 AM - edited 08-24-2017 07:01 AM
Did you try without PFS or untick option 5 from the Fortigate site? We need a full log output?
EDIT:
Reading more, it looks like you don't have to use any proxy IDs as both devices support route-based VPN
https://blog.webernetz.net/2015/01/26/ipsec-site-to-site-vpn-palo-alto-fortigate/
08-24-2017 07:00 AM
I tried without PFS and the result is the same.
I don't have access to the remote firewall but as I remember, it is supposed to accept both proposals on DHGroup 5 and DHGroup 14.
Here is the full log output :
08-24-2017 07:04 AM
Palo is an initiator. If you want more details we need responder site logs or configure Palo in passive mode.
08-24-2017 07:27 AM
@TranceforLife is right we'll need the responder site logs to see why it isn't working. Initiatior isn't going to tell you anything. I would remove the proxy-id as already mentioned, you don't actually need this and having proxy-id on can cause issues in and of itself when you can't tell exactly how the other end is configured.
08-24-2017 07:29 AM
If I remove the Proxy IDs, the P2 Proposal fails due to a timeout, but without "no proposal chosen" message.
I don't have an easy access to the remote firewall but I'll post its logs as soon as I can.
Note that I don't know what is the remote firewall. The Fortigate was the firewall that I replaced by the Palo. Its configuration was workin though.
08-24-2017 07:31 AM
If you remove the configuration from one side, another side should do the same otherwise it is pointless as all P1 and P2 criteria must match.
08-24-2017 07:34 AM
I know that all parameters must match, that's why I'm trying to make the exact replica of my old Fortigate into the Palo.
The only thing that seems to be different for the P2 is that I can't select several DH groups.
08-24-2017 10:40 AM
What PAN-OS version do you have installed? What IKE version is configured?
You wrote that the tunnel was working already: did you do anything before it stopped working (may be a PAN-OS update)?
08-25-2017 06:04 AM
Have you tried Group 5 for PFS? Just because the Fortigate had both groups 14 and 5 enabled doesn't mean the other side will accept both
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
