07-11-2018 01:00 AM
Hi,
We are configuring a VPN between Palo Alto and pfSense. The VPN is configured properly but it's not coming up. No phase 1 up. We have tried to change all values, proposals and lifetime.
This is the log. We tried to change the lifetime with no success. What's happening?
====> Initiated SA: 1.1.1.1[500]-2.2.2.2[500] cookie:4ff9f28d21a8b446:cc5af7ee92b1eb65 <====
2018-07-11 09:51:42 [INFO]: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2018-07-11 09:51:42 [INFO]: received Vendor ID: DPD
2018-07-11 09:51:42 [INFO]: received Vendor ID: FRAGMENTATION
2018-07-11 09:51:42 [INFO]: received Vendor ID: RFC 3947
2018-07-11 09:51:42 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2018-07-11 09:51:42 [INFO]: Selected NAT-T version: RFC 3947
2018-07-11 09:51:42 [PROTO_ERR]: invalid life duration.
2018-07-11 09:51:42 [PROTO_ERR]: invalid life duration.
2018-07-11 09:51:42 [PROTO_ERR]: no suitable proposal found.
2018-07-11 09:51:42 [PROTO_ERR]: 0:? - 2.2.2.2[500]:(nil):failed to get valid proposal.
2018-07-11 09:51:42 [PROTO_ERR]: failed to process packet.
2018-07-11 09:51:42 [INFO]: ====> PHASE-1 SA DELETED <====
07-11-2018 02:14 PM
Hi @BigPalo
Turn on debugging for the IKE process (debug ike global on debug), then take a look at the ikemgr logs. This will then show you exactly what the peer and the remote end are proposing and where the mismatch lies.
The log format will be for example aes256:aes512, where 256 is local and 512 is remote.
P.S - don't forget to turn off debugging afterwards!
Thanks,
Luke.
07-11-2018 09:43 AM
Your crypto map needs to be synced.
Both ends expect to talk different protocols:
2018-07-11 09:51:42 [PROTO_ERR]: no suitable proposal found.
2018-07-11 09:51:42 [PROTO_ERR]: 0:? - 2.2.2.2[500]:(nil):failed to get valid proposal.
This means they could not decide whether they want (for example) sha256 and aes1024, or md5+3des.
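To make the two replies above concrete (reading the "local:remote" pairs in the ikemgr debug output, and what "no suitable proposal found" means), here is an added example that is not code from the thread, from PAN-OS or from pfSense: a toy IKEv1 phase 1 proposal matcher. The responder walks the initiator's transforms, compares each algorithm attribute, and then applies a lifetime rule. The lifetime rule is an assumption modelled on racoon's proposal_check levels (obey/strict/exact); the page does not state which rule PAN-OS's ikemgr applies, and the sample proposals are constructed.

```python
"""Toy IKEv1 phase-1 proposal matcher (added example; not PAN-OS or pfSense code).

The responder accepts the first initiator transform whose algorithms equal
one of its own and whose lifetime passes the lifetime rule; otherwise it
rejects every transform with a reason string written in the local:remote
style that the ikemgr debug log uses.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ATTRS = ("enc", "hash", "dh", "auth")


@dataclass(frozen=True)
class Transform:
    enc: str       # encryption algorithm, e.g. "aes256"
    hash: str      # integrity/PRF hash, e.g. "sha256"
    dh: int        # Diffie-Hellman group number, e.g. 14
    auth: str      # authentication method, e.g. "psk"
    lifetime: int  # phase-1 SA lifetime in seconds


def check_lifetime(responder_lt: int, initiator_lt: int, mode: str = "strict") -> Tuple[bool, int]:
    """Lifetime rule, ASSUMED to follow racoon's proposal_check semantics
    (the thread does not say which rule PAN-OS applies):
      obey   - always use the initiator's value
      strict - accept only if initiator's <= responder's, use initiator's
      exact  - both values must be identical
    Returns (accepted, negotiated_lifetime)."""
    if initiator_lt <= 0:
        return False, 0  # unusable attribute value
    if mode == "obey":
        return True, initiator_lt
    if mode == "strict":
        return initiator_lt <= responder_lt, initiator_lt
    if mode == "exact":
        return initiator_lt == responder_lt, responder_lt
    raise ValueError(f"unknown proposal_check mode {mode!r}")


def compare(local: Transform, remote: Transform, mode: str) -> Optional[str]:
    """Return None when compatible, else the first mismatch as 'attr local:remote'."""
    for attr in ATTRS:
        lv, rv = getattr(local, attr), getattr(remote, attr)
        if lv != rv:
            return f"{attr} mismatch {lv}:{rv}"
    ok, _ = check_lifetime(local.lifetime, remote.lifetime, mode)
    if not ok:
        return f"invalid life duration {local.lifetime}:{remote.lifetime}"
    return None


def match_phase1(local: List[Transform], remote: List[Transform],
                 mode: str = "strict") -> Tuple[Optional[Transform], List[str]]:
    """Responder-side selection: (chosen transform, []) or (None, reasons)."""
    reasons: List[str] = []
    for r in remote:
        for l in local:
            why = compare(l, r, mode)
            if why is None:
                _, lifetime = check_lifetime(l.lifetime, r.lifetime, mode)
                return Transform(l.enc, l.hash, l.dh, l.auth, lifetime), []
            reasons.append(why)
    reasons.append("no suitable proposal found")
    return None, reasons


# Constructed sample proposals (hypothetical values, not taken from the thread).
LOCAL = [Transform("aes256", "sha256", 14, "psk", 28800)]            # responder
REMOTE_BAD_LIFETIME = [Transform("aes256", "sha256", 14, "psk", 86400)]  # initiator, longer lifetime
REMOTE_BAD_ALGO = [Transform("aes128", "sha1", 2, "psk", 28800)]        # initiator, wrong algorithms
REMOTE_FIXED = [Transform("aes256", "sha256", 14, "psk", 28800)]        # initiator after syncing

if __name__ == "__main__":
    for label, remote in (("bad lifetime", REMOTE_BAD_LIFETIME),
                          ("bad algorithms", REMOTE_BAD_ALGO),
                          ("fixed", REMOTE_FIXED)):
        chosen, reasons = match_phase1(LOCAL, remote)
        print(f"{label}: chosen={chosen}")
        for line in reasons:
            print(f"  [PROTO_ERR]: {line}")
```

Under the strict rule the lifetime case is rejected even though every algorithm matches, which is the pattern in the posted log: two "invalid life duration" lines followed by "no suitable proposal found". Switching the mode to "obey" accepts the initiator's 86400 seconds; "exact" demands identical values on both sides. Whatever the real rule on the firewall, the practical check is the same one Luke describes: read the local:remote pair on the first rejected attribute and align that setting on the peer.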
07-11-2018 11:26 AM
Hi,
We changed the proposal several times with no success. It seems like the issue is in the lifetime. But we also changed this parameter. We will try tomorrow.
Thanks