VPN not working

VPN not working

L4 Transporter

Hi,

 

We are configuring a VPN between Palo Alto and pfSense. The VPN is configured properly but it's not coming up. Phase 1 does not come up. We have tried to change all proposal values and the lifetime.

 

This is the log. We tried to change the lifetime with no success. What's happening?

 

 

====> Initiated SA: 1.1.1.1[500]-2.2.2.2[500] cookie:4ff9f28d21a8b446:cc5af7ee92b1eb65 <====
2018-07-11 09:51:42 [INFO]: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2018-07-11 09:51:42 [INFO]: received Vendor ID: DPD
2018-07-11 09:51:42 [INFO]: received Vendor ID: FRAGMENTATION
2018-07-11 09:51:42 [INFO]: received Vendor ID: RFC 3947
2018-07-11 09:51:42 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2018-07-11 09:51:42 [INFO]: Selected NAT-T version: RFC 3947
2018-07-11 09:51:42 [PROTO_ERR]: invalid life duration.
2018-07-11 09:51:42 [PROTO_ERR]: invalid life duration.
2018-07-11 09:51:42 [PROTO_ERR]: no suitable proposal found.
2018-07-11 09:51:42 [PROTO_ERR]: 0:? - 2.2.2.2[500]:(nil):failed to get valid proposal.
2018-07-11 09:51:42 [PROTO_ERR]: failed to process packet.
2018-07-11 09:51:42 [INFO]: ====> PHASE-1 SA DELETED <====
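Added example, not part of the original post: a small Python triage script that parses the ikemgr excerpt above (embedded here as a constructed sample with the post's placeholder addresses) and classifies the phase-1 failure. The message-to-cause mapping is an assumption for this example, based only on the messages visible in the log; it reports the two "invalid life duration" lines as a lifetime mismatch and treats the later "no suitable proposal" lines as the consequence of that rejection, which is the order in which the log shows them.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the ikemgr excerpt from the post above, placeholder peers kept as-is.
SAMPLE_LOG = """\
====> Initiated SA: 1.1.1.1[500]-2.2.2.2[500] cookie:4ff9f28d21a8b446:cc5af7ee92b1eb65 <====
2018-07-11 09:51:42 [INFO]: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2018-07-11 09:51:42 [INFO]: received Vendor ID: DPD
2018-07-11 09:51:42 [INFO]: received Vendor ID: FRAGMENTATION
2018-07-11 09:51:42 [INFO]: received Vendor ID: RFC 3947
2018-07-11 09:51:42 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2018-07-11 09:51:42 [INFO]: Selected NAT-T version: RFC 3947
2018-07-11 09:51:42 [PROTO_ERR]: invalid life duration.
2018-07-11 09:51:42 [PROTO_ERR]: invalid life duration.
2018-07-11 09:51:42 [PROTO_ERR]: no suitable proposal found.
2018-07-11 09:51:42 [PROTO_ERR]: 0:? - 2.2.2.2[500]:(nil):failed to get valid proposal.
2018-07-11 09:51:42 [PROTO_ERR]: failed to process packet.
2018-07-11 09:51:42 [INFO]: ====> PHASE-1 SA DELETED <====
"""

# "<timestamp> [<LEVEL>]: <message>" lines; the "Initiated SA" banner has no timestamp.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>[A-Z_]+)\]: (?P<msg>.*)$")
SA_RE = re.compile(r"Initiated SA: (?P<local>[\d.]+)\[\d+\]-(?P<remote>[\d.]+)\[\d+\]")

# Assumed mapping from message fragments to a phase-1 cause (example only).
SIGNATURES = [
    ("invalid life duration", "lifetime", "phase-1 SA lifetime rejected: lifetimes differ between the peers"),
    ("no suitable proposal found", "proposal", "no phase-1 proposal accepted (encryption/hash/DH group/lifetime)"),
    ("failed to get valid proposal", "proposal", "no phase-1 proposal accepted (encryption/hash/DH group/lifetime)"),
    ("PHASE-1 SA DELETED", "teardown", "phase-1 SA torn down before completion"),
]


@dataclass
class Triage:
    role: Optional[str] = None          # "initiator" when the log shows "Initiated SA"
    local: Optional[str] = None
    remote: Optional[str] = None
    vendor_ids: List[str] = field(default_factory=list)
    nat_t: Optional[str] = None
    errors: List[str] = field(default_factory=list)   # every PROTO_ERR message, in order
    findings: Dict[str, str] = field(default_factory=dict)


def triage_ikemgr(text: str) -> Triage:
    """Walk the log once and collect peers, vendor IDs, NAT-T choice and error findings."""
    t = Triage()
    for raw in text.splitlines():
        m = SA_RE.search(raw)
        if m:
            t.role, t.local, t.remote = "initiator", m["local"], m["remote"]
            continue
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m["msg"]
        if msg.startswith("received Vendor ID: "):
            t.vendor_ids.append(msg[len("received Vendor ID: "):])
        elif msg.startswith("Selected NAT-T version: "):
            t.nat_t = msg[len("Selected NAT-T version: "):]
        if m["level"] == "PROTO_ERR":
            t.errors.append(msg)
        for needle, key, explanation in SIGNATURES:
            if needle in msg:
                t.findings.setdefault(key, explanation)
    return t


def verdict(t: Triage) -> str:
    """Pick the most specific cause: a lifetime rejection explains the proposal failure that follows it."""
    if "lifetime" in t.findings:
        return "lifetime"
    if "proposal" in t.findings:
        return "proposal"
    if t.vendor_ids and not t.errors:
        return "ok"
    return "unknown"


if __name__ == "__main__":
    t = triage_ikemgr(SAMPLE_LOG)
    print(f"{t.role} {t.local} -> {t.remote}, NAT-T {t.nat_t}, {len(t.errors)} PROTO_ERR lines")
    print("verdict:", verdict(t), "-", t.findings.get(verdict(t), ""))
```

Feeding the post's log through it reports the initiator role, the peer 2.2.2.2, the five vendor IDs and five PROTO_ERR lines, and a "lifetime" verdict; a run where only "no suitable proposal found" appears is classified as a proposal mismatch instead.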


4 REPLIES

Cyber Elite

your crypto map needs to be synced

both ends expect to talk different protocols:

 

2018-07-11 09:51:42 [PROTO_ERR]: no suitable proposal found.
2018-07-11 09:51:42 [PROTO_ERR]: 0:? - 2.2.2.2[500]:(nil):failed to get valid proposal.

 

this means they could not decide if they want (for example) sha256 and aes1024, or md5+3des

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hi,

 

We changed the proposal several times with no success. It seems like the issue is in the lifetime. But we also changed this parameter. We will try tomorrow.

 

Thanks

@BigPalo,

As @reaper stated, that's kind of what this type of error message means. Can you verify that you are actually offering up the correct protocols that you wish to utilize and try again?

Hi @BigPalo

 

Turn on debugging for the ike process (debug ike global on debug) then take a look at the ikemgr logs. This will then show you exactly what the peer and the remote end is proposing and where the mismatch lies.

 

The log format will be for example aes256:aes512, where 256 is local and 512 is remote.

 

P.S - don't forget to turn off debugging afterwards!

 

Thanks,

Luke.
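Added example, not from any poster in this thread: a Python model of the proposal comparison that Tom's and Luke's replies describe, reporting each differing attribute in the local:remote layout Luke mentions. The proposal lists are constructed for the example (the PAN-OS side with two phase-1 proposals, the pfSense side with one whose lifetime differs), and the negotiation rule is an assumption: the first initiator proposal the responder matches on every attribute wins, with the lifetime compared strictly unless the caller relaxes it.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ATTRS = ("encryption", "hash_alg", "dh_group", "auth", "lifetime")


@dataclass(frozen=True)
class Phase1Proposal:
    encryption: str        # e.g. "aes256", "aes128", "3des"
    hash_alg: str          # e.g. "sha256", "sha1", "md5"
    dh_group: int          # e.g. 2, 5, 14
    auth: str = "psk"      # "psk" or "rsa"
    lifetime: int = 28800  # seconds

    def differences(self, other: "Phase1Proposal") -> Dict[str, Tuple[object, object]]:
        """Return {attribute: (local, remote)} for every attribute that differs."""
        return {
            name: (getattr(self, name), getattr(other, name))
            for name in ATTRS
            if getattr(self, name) != getattr(other, name)
        }


def format_mismatch(diffs: Dict[str, Tuple[object, object]]) -> str:
    """Render differences as 'attribute local:remote', the layout described in the thread."""
    return ", ".join(f"{name} {local}:{remote}" for name, (local, remote) in diffs.items())


def negotiate(local: List[Phase1Proposal], remote: List[Phase1Proposal],
              strict_lifetime: bool = True) -> Tuple[Optional[Phase1Proposal], Optional[str]]:
    """Return (accepted proposal, None) on a match, else (None, closest mismatch description).

    Assumed rule for this example: the first local proposal that some remote proposal
    matches on every attribute is accepted; otherwise the pair with the fewest
    differing attributes is reported so the operator sees exactly what to align.
    """
    best: Optional[Tuple[Phase1Proposal, Dict[str, Tuple[object, object]]]] = None
    for lp in local:
        for rp in remote:
            diffs = lp.differences(rp)
            if not strict_lifetime:
                diffs.pop("lifetime", None)
            if not diffs:
                return lp, None
            if best is None or len(diffs) < len(best[1]):
                best = (lp, diffs)
    if best is None:
        return None, "no proposals configured"
    return None, format_mismatch(best[1])


# Constructed sample configuration (not the poster's actual settings).
PAN_PROPOSALS = [
    Phase1Proposal("aes256", "sha256", 14, "psk", 28800),
    Phase1Proposal("aes128", "sha1", 2, "psk", 28800),
]
PFSENSE_PROPOSALS = [Phase1Proposal("aes256", "sha256", 14, "psk", 86400)]
PFSENSE_FIXED = [Phase1Proposal("aes256", "sha256", 14, "psk", 28800)]

if __name__ == "__main__":
    accepted, why = negotiate(PAN_PROPOSALS, PFSENSE_PROPOSALS)
    print("before:", accepted or f"no match -> {why}")
    accepted, why = negotiate(PAN_PROPOSALS, PFSENSE_FIXED)
    print("after aligning lifetime:", accepted)
```

With the sample lists the first run fails and reports "lifetime 28800:86400", which is the one attribute to change on either side; once the pfSense lifetime matches, the first PAN-OS proposal is accepted. Relaxing the lifetime check shows that everything else already agreed.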

  • 1 accepted solution
  • 4021 Views
  • 4 replies
  • 0 Likes