05-09-2018 09:56 PM
Dear All
I'm facing one issue relate to VPN between PA and WG.
I am using 3DES/SHA1/PFS2, it is not working till i disable PFS-2 on Phase-2.
2018-05-10 10:44:10.483 +0700 [DEBG]: { : 40}: keyacquire received: x.x.x.x[0] => y.y.y.y[0]
2018-05-10 10:44:10.483 +0700 [DEBG]: { 14: 40}: processing acquire for IKEv1
2018-05-10 10:44:10.483 +0700 [PNTF]: { 14: 40}: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====
====> Initiated SA: x.x.x.x[500]-y.y.y.y[500] message id:0xAE96BAB5 <====
2018-05-10 10:44:10.484 +0700 [DEBG]: { 14: 40}: pfkey getspi sent.
2018-05-10 10:44:10.484 +0700 [DEBG]: { : 40}: call pfkey_send_getspi
2018-05-10 10:44:10.484 +0700 [DEBG]: { : 40}: pfkey GETSPI succeeded: ESP/Tunnel y.y.y.y[500]->x.x.x.x[500] spi=3802391947(0xe2a3e58b)
2018-05-10 10:44:10.485 +0700 [DEBG]: { : 40}: use local ID type IPv4_address
2018-05-10 10:44:10.485 +0700 [DEBG]: { : 40}: use remote ID type IPv4_address
2018-05-10 10:44:10.485 +0700 [DEBG]: { 14: 40}: IDci:
2018-05-10 10:44:10.485 +0700 [DEBG]: { 14: 40}: IDcr:
2018-05-10 10:44:10.485 +0700 [DEBG]: { 14: 40}: add payload of len 80, next type 10(nonce)
2018-05-10 10:44:10.485 +0700 [DEBG]: { 14: 40}: add payload of len 16, next type 4(ke)
2018-05-10 10:44:10.485 +0700 [DEBG]: { 14: 40}: add payload of len 192, next type 5(id)
2018-05-10 10:44:10.485 +0700 [DEBG]: { 14: 40}: add payload of len 8, next type 5(id)
2018-05-10 10:44:10.485 +0700 [DEBG]: { 14: 40}: add payload of len 8, next type 0(none)
2018-05-10 10:44:10.485 +0700 [DEBG]: { 14: 40}: add payload of len 20, next type 1(sa)
2018-05-10 10:44:10.485 +0700 [DEBG]: { : 40}: resend phase2 packet 3f136292a552ea1b:8a8daede0c283c92:AE96BAB5
2018-05-10 10:44:10.485 +0700 [DEBG]: { : 40}: pfkey GETSPI sent: ESP/Tunnel 202.79.25.202[500]->103.78.128.66[500]
2018-05-10 10:44:12.000 +0700 [DEBG]: { : 40}: resend phase2 packet 3f136292a552ea1b:8a8daede0c283c92:AE96BAB5
2018-05-10 10:44:15.000 +0700 [DEBG]: { : 40}: resend phase2 packet 3f136292a552ea1b:8a8daede0c283c92:AE96BAB5
2018-05-10 10:44:20.000 +0700 [DEBG]: { : 40}: resend phase2 packet 3f136292a552ea1b:8a8daede0c283c92:AE96BAB5
2018-05-10 10:44:28.000 +0700 [DEBG]: { : 40}: resend phase2 packet 3f136292a552ea1b:8a8daede0c283c92:AE96BAB5
2018-05-10 10:44:40.000 +0700 [PNTF]: { : 40}: ====> PHASE-2 NEGOTIATION FAILED AS INITIATOR, (QUICK MODE) <====
====> Failed SA: x.x.x.x[500]-y.y.y.y[500] message id:0xAE96BAB5 <==== Due to negotiation timeout.
Please help advice me.
Best Regards,
Simon
05-10-2018 08:05 AM
Hello,
I guess we can assume that phase 1 completes and is up? If yes, double check the settings on both device for phase 2 settings. Since the PAN is the initiator, check the Watchguard logs as to why the tunnel fails to establish.
Hope that helps.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
