vpn s2s with Mikrotik router - proxy id problem

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

vpn s2s with Mikrotik router - proxy id problem

L4 Transporter

Hello

I'm trying to connect PaloAlto PA200 PANOS 6.1.6 and Mikrotik RB951 6.32.2

Phase 1 is estabilished properly but I cant get phase 2 working.

Logs from Mikrotik says:

Sep/22/2015 20:09:34 ipsec,debug,packet HASH computed:
Sep/22/2015 20:09:34 ipsec,debug,packet f85f12d1 b77dc7a6 3690e85b ed9102d9 62f29649
Sep/22/2015 20:09:34 ipsec,debug,packet get a src address from ID payload 192.168.1.0[0] prefixlen=24 ul_proto=255
Sep/22/2015 20:09:34 ipsec,debug,packet get dst address from ID payload 192.168.2.0[0] prefixlen=24 ul_proto=255
Sep/22/2015 20:09:34 ipsec,debug no policy found: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=in
Sep/22/2015 20:09:34 ipsec,debug failed to get proposal for responder.
Sep/22/2015 20:09:34 ipsec,error failed to pre-process ph2 packet.



Logs from PaloAlto:

====> Initiated SA: x.y.z..157[500]-x.y.z..158[500] message id:0x6BB04309 <====
2015-09-22 20:09:53 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION FAILED AS INITIATOR, (QUICK MODE) <====
====> Failed SA: x.y.z..157[500]-x.y.z..158[500] message id:0x6BB04309 <==== Due to negotiation timeout.
2015-09-22 20:09:53 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====
====> Initiated SA: x.y.z..157[500]-x.y.z..158[500] message id:0x01365B68 <====
2015-09-22 20:10:23 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION FAILED AS INITIATOR, (QUICK MODE) <====
====> Failed SA: x.y.z..157[500]-x.y.z..158[500] message id:0x01365B68 <==== Due to negotiation timeout.
2015-09-22 20:10:23 [PROTO_NOTIFY]: phase-2 negotiation failed. delete stale phase-1 SA.
2015-09-22 20:10:23 [INFO]: ====> PHASE-1 SA DELETED <====
====> Deleted SA: x.y.z..157[500]-x.y.z..158[500] cookie:bb97b04a7db888f8:402f8a7370dc2e35 <====
2015-09-22 20:10:23 [INFO]: IPsec-SA request for x.y.z..158 queued since no phase1 found
2015-09-22 20:10:23 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION STARTED AS INITIATOR, MAIN MODE <====
====> Initiated SA: x.y.z..157[500]-x.y.z..158[500] cookie:5811ea271afc695f:0000000000000000 <====
2015-09-22 20:10:23 [INFO]: received Vendor ID: DPD
2015-09-22 20:10:23 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION SUCCEEDED AS INITIATOR, MAIN MODE <====
====> Established SA: x.y.z..157[500]-x.y.z..158[500] cookie:5811ea271afc695f:fe7fe1dface0fb0b lifetime 28800 Sec <====
2015-09-22 20:10:23 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====
====> Initiated SA: x.y.z..157[500]-x.y.z..158[500] message id:0xCE9673F6 <====




My config:
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5,sha1 enc-algorithms=aes-128-cbc,aes-256-cbc,aes-128-ctr,aes-256-ctr lifetime=8h
/ip ipsec peer
add address=x.y.z..157/32 dpd-interval=disable-dpd enc-algorithm=aes-256 lifetime=8h nat-traversal=no secret="passw0rd"
/ip ipsec policy
set 0 disabled=yes dst-address=192.168.1.0/24 src-address=192.168.2.0/24
add dst-address=192.168.1.0/24 src-address=192.168.2.0/24 template=yes


Does anyone sucessfully conected PA device with Mikrotik OS?

 

 

15 REPLIES 15

Cyber Elite
Cyber Elite

I have not but here are somethings to look for:

 

Make sure all the settings are identical, ciphers, timeouts both time and data, etc. Also make sure you are only using IKE version1.

 

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Troubleshoot-VPN-Connectivity-Issues...

 

 

Hi Otakar

 

I know this doc - new info is that in log I have

 IKEv1 phase-2 negotiation request received when phase-1 SA is not act
ive or expired

What does it mean? I have green bubble in IKE section also I see connected peers in Mikrotik.

 

 

Regards

Slawek

Try clearing the tunnel and reestablishing?

 

on the PAN cli clear vpn ike-sa gateway <name of gateway>

 

Also on the same on the other end. I had an issue with an ASA that was not bringing up a tunnel and it turned out that it was holding onto an old tunnel. Once i cleared it, everything came back up.

 

I know I would love to have a list and possible solutions to error messages, perhaps PAN is working on this for us? I only have an internal Cisco doc that some tech put together with common errors and why they are occuring.

L6 Presenter

We have many Mikrotik to PA VPN tunnels up. In fact we have some very complex VPN scenarios implemented between PA and Mikrotik (PA at central office, Mikrotiks at remote location, 2 ISPs on both sides, 4 VPN tunnels with automatic switchover for all combinations).

 

In your case I would say there is some setting missing on Mikrotik for phase 2:

"Sep/22/2015 20:09:34 ipsec,debug no policy found: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=in"

I'm not a Mikrotik expert but I'd say you don't have correct encryption domains (Proxy IDs) set on Mikrotik.

 

 

Hi santonic

 

Could You share some configuration of Microtik?

 

I have few question:

- is DPD 5/5  OK?

- are You using tunnel monitoring?

- are You use in policy > action > level reguire or unique? according to manual should be unique but it not working for me

- I'm using RB951 - when passing 30Mb/s CPU of RB is 100%, I tryed with md5/sha1 aes/3des but I not get any change.

 

Mikrotic has one LAN 192.168.2.0/24, PA has few LANs: 192.168.1.0/24 and 192.168.x.0/24, Internet trafffic from Mikrotik must go by VPN tunnel.

 

My Mikrotik config (ipsec part)

 

Route:
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          x.y.z.129             1
 1 ADC  x.y.z.128/26   x.y.z.158   WAN                       0
 2 A S  192.168.1.0/24                     WAN                       1
 3 ADC  192.168.2.0/24     192.168.2.1     LAN bridge                0

Policy:
  1     src-address=192.168.2.0/24 src-port=any dst-address=192.168.1.0/24 
       dst-port=any protocol=all action=encrypt level=require 
       ipsec-protocols=esp tunnel=yes sa-src-address=x.y.z.158 
       sa-dst-address=x.y.z.157 proposal=proposal2 priority=0 

 2     src-address=192.168.2.0/24 src-port=any dst-address=0.0.0.0/0 dst-port=any 
       protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes 
       sa-src-address=x.y.z.158 sa-dst-address=x.y.z.157 
       proposal=proposal2 priority=0 

Peer:
 0    address=x.y.z.157/32 local-address=:: passive=no port=500 
      auth-method=pre-shared-key secret="xxxxxx" generate-policy=no 
      policy-template-group=group1 exchange-mode=main mode-config=request-only 
      send-initial-contact=no nat-traversal=no proposal-check=obey 
      hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1024 lifetime=8h 
      lifebytes=0 dpd-interval=5s dpd-maximum-failures=5

And - maybe stupid qustion - how to verify is it working properly? I'm new in ipsec VPN and I worry about problems. What I should verify? now everything is OK (in my opinion) but now devices are in LAN and I get about 5% loss of pings packet.

I'm worry how it will act in real scenario...

uhh I figured it out (I hope)

Now tunnel is up ... but I havent any misconfiguration - in GUI everything was OK but ...

I started veryfication from CLI and I realised that from CLI polisy is broken (missed part about SA). I deleted it and created again - and - surprice !!! its working ...

 

So lesson for me and You - use CLI

 

 

Regards

Slawek

Glad you got it working.

DPD doesn't matter when establishing IPSEC for the first time. Also don't use tunnel monitor before establishing VPN for the first time.

Yeah, CLI "test vpn" is very useful. It's also in WebUI from 7.0.0 but I haven't tried it yet.

The ultimate test for VPN is always to send some traffic through it.

 

 

I observed another strange behaviour ...

My workstation has IP 192.168.1.35 and its connected to PAN device

Laptop with 192.168.2.200 is connected to Mikrotik

If is lunched ping from laptop to 192.168.1.1 and I try to start pinging from my workstation to laptop IP after few packet I get

Badanie 192.168.2.200 z 32 bajtami danych:
Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=2ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=2ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=2ms TTL=126
Upłynął limit czasu żądania.
Upłynął limit czasu żądania.
Upłynął limit czasu żądania.
Upłynął limit czasu żądania.
Upłynął limit czasu żądania.

but ... when I stoped ping from laptop  imiditellly ping from my workstation starting pinging OK

 

Has anyone idea whats going on? how to troubleshoot this problem?

 

I tryed to copy big files in both direction and everything is OK ...

 

Reagrds

Slawek

Check logs if your VPN is going up and down. Pings would get lost while TCP connections would survive in such case.

 

 

I observed another strange behaviour ...

 

Sit down - take a deep breath .... and read

 

My workstation has IP 192.168.1.35 and its connected to PAN device

Laptop with 192.168.2.200 is connected to Mikrotik

If is lunched ping from laptop to 192.168.1.1 and I try to start pinging from my workstation to laptop IP after few packet I get

Badanie 192.168.2.200 z 32 bajtami danych:
Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=2ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=2ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=2ms TTL=126
Upłynął limit czasu żądania.
Upłynął limit czasu żądania.
Upłynął limit czasu żądania.
Upłynął limit czasu żądania.
Upłynął limit czasu żądania.

but ... when I stoped ping from laptop  imiditellly ping from my workstation starting pinging OK

 

Has anyone idea whats going on? how to troubleshoot this problem?

 

I tryed to copy big files in both direction and everything is OK ...

 

Reagrds

Slawek

Do the traffic logs show anything?

Of course Yes. some details - maybe it will be useful lto find some odds

2015-09-26_115601.png

details of "1"

2015-09-26_115652.png

details of "2"

2015-09-26_115718.png

the same from CLI

2015-09-26_114954.png

Is it normal to have such many session during one "ping" session?

Why the session aged out so quicky?

 

Regards

SLawek

heh I GOT it 🙂

 

problem with ping was related to firwall rule on Mikrotik. This rule make limitations - afer diabling - ping working perfectly.

 

 

Regards

Slawek

Glad to hear you got it working properly! If you have a basic writeup perhaps consider posting it for other users to reference?

  • 7655 Views
  • 15 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!