09-22-2015 11:26 AM
Hello
I'm trying to connect a PaloAlto PA200 (PANOS 6.1.6) and a Mikrotik RB951 (6.32.2).
Phase 1 is established properly but I can't get phase 2 working.
Logs from Mikrotik say:
Sep/22/2015 20:09:34 ipsec,debug,packet HASH computed:
Sep/22/2015 20:09:34 ipsec,debug,packet f85f12d1 b77dc7a6 3690e85b ed9102d9 62f29649
Sep/22/2015 20:09:34 ipsec,debug,packet get a src address from ID payload 192.168.1.0[0] prefixlen=24 ul_proto=255
Sep/22/2015 20:09:34 ipsec,debug,packet get dst address from ID payload 192.168.2.0[0] prefixlen=24 ul_proto=255
Sep/22/2015 20:09:34 ipsec,debug no policy found: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=in
Sep/22/2015 20:09:34 ipsec,debug failed to get proposal for responder.
Sep/22/2015 20:09:34 ipsec,error failed to pre-process ph2 packet.
Logs from PaloAlto:
====> Initiated SA: x.y.z..157[500]-x.y.z..158[500] message id:0x6BB04309 <====
2015-09-22 20:09:53 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION FAILED AS INITIATOR, (QUICK MODE) <====
====> Failed SA: x.y.z..157[500]-x.y.z..158[500] message id:0x6BB04309 <==== Due to negotiation timeout.
2015-09-22 20:09:53 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====
====> Initiated SA: x.y.z..157[500]-x.y.z..158[500] message id:0x01365B68 <====
2015-09-22 20:10:23 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION FAILED AS INITIATOR, (QUICK MODE) <====
====> Failed SA: x.y.z..157[500]-x.y.z..158[500] message id:0x01365B68 <==== Due to negotiation timeout.
2015-09-22 20:10:23 [PROTO_NOTIFY]: phase-2 negotiation failed. delete stale phase-1 SA.
2015-09-22 20:10:23 [INFO]: ====> PHASE-1 SA DELETED <====
====> Deleted SA: x.y.z..157[500]-x.y.z..158[500] cookie:bb97b04a7db888f8:402f8a7370dc2e35 <====
2015-09-22 20:10:23 [INFO]: IPsec-SA request for x.y.z..158 queued since no phase1 found
2015-09-22 20:10:23 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION STARTED AS INITIATOR, MAIN MODE <====
====> Initiated SA: x.y.z..157[500]-x.y.z..158[500] cookie:5811ea271afc695f:0000000000000000 <====
2015-09-22 20:10:23 [INFO]: received Vendor ID: DPD
2015-09-22 20:10:23 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION SUCCEEDED AS INITIATOR, MAIN MODE <====
====> Established SA: x.y.z..157[500]-x.y.z..158[500] cookie:5811ea271afc695f:fe7fe1dface0fb0b lifetime 28800 Sec <====
2015-09-22 20:10:23 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====
====> Initiated SA: x.y.z..157[500]-x.y.z..158[500] message id:0xCE9673F6 <====
My config:
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5,sha1 enc-algorithms=aes-128-cbc,aes-256-cbc,aes-128-ctr,aes-256-ctr lifetime=8h
/ip ipsec peer
add address=x.y.z..157/32 dpd-interval=disable-dpd enc-algorithm=aes-256 lifetime=8h nat-traversal=no secret="passw0rd"
/ip ipsec policy
set 0 disabled=yes dst-address=192.168.1.0/24 src-address=192.168.2.0/24
add dst-address=192.168.1.0/24 src-address=192.168.2.0/24 template=yes
Has anyone successfully connected a PA device with Mikrotik OS?
09-22-2015 01:52 PM
I have not, but here are some things to look for:
Make sure all the settings are identical: ciphers, timeouts (both time and data), etc. Also make sure you are only using IKE version 1.
09-22-2015 11:34 PM
Hi Otakar
I know this doc - the new info is that in the log I have
IKEv1 phase-2 negotiation request received when phase-1 SA is not active or expired
What does it mean? I have a green bubble in the IKE section, and I also see connected peers in Mikrotik.
Regards
Slawek
09-23-2015 07:48 AM
Try clearing the tunnel and re-establishing?
On the PAN CLI: clear vpn ike-sa gateway <name of gateway>
Also do the same on the other end. I had an issue with an ASA that was not bringing up a tunnel and it turned out that it was holding onto an old tunnel. Once I cleared it, everything came back up.
I know I would love to have a list of error messages and possible solutions; perhaps PAN is working on this for us? I only have an internal Cisco doc that some tech put together with common errors and why they are occurring.
09-24-2015 02:44 AM
We have many Mikrotik to PA VPN tunnels up. In fact we have some very complex VPN scenarios implemented between PA and Mikrotik (PA at central office, Mikrotiks at remote location, 2 ISPs on both sides, 4 VPN tunnels with automatic switchover for all combinations).
In your case I would say there is some setting missing on Mikrotik for phase 2:
"Sep/22/2015 20:09:34 ipsec,debug no policy found: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=in"
I'm not a Mikrotik expert but I'd say you don't have correct encryption domains (Proxy IDs) set on Mikrotik.
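The diagnosis above is that the MikroTik responder cannot find a policy whose selectors match the Proxy IDs the PA sends in quick mode. The following script is an added example (not from this thread or from either vendor) that pulls the selectors out of the MikroTik "no policy found" debug line and checks them against the policies from a RouterOS "/ip ipsec policy" export, reporting why each configured policy fails to serve the inbound SA: selector mismatch, disabled, or template-only, which are exactly the two problems in the original export. It assumes the export format shown in the first post, that policies are written from the MikroTik's side (src-address = local LAN) so an inbound SA needs the mirror image, and that the responder wants an exact selector match; all sample input is constructed from the thread's own lines.

```python
import ipaddress
import re

# Constructed sample: the three MikroTik debug lines from the first post.
MIKROTIK_LOG = """\
Sep/22/2015 20:09:34 ipsec,debug,packet get a src address from ID payload 192.168.1.0[0] prefixlen=24 ul_proto=255
Sep/22/2015 20:09:34 ipsec,debug,packet get dst address from ID payload 192.168.2.0[0] prefixlen=24 ul_proto=255
Sep/22/2015 20:09:34 ipsec,debug no policy found: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=in
"""

# Constructed sample: the "/ip ipsec policy" export from the first post.
# Policy 0 is disabled and policy 1 is only a template, so nothing can match.
MIKROTIK_POLICIES = """\
set 0 disabled=yes dst-address=192.168.1.0/24 src-address=192.168.2.0/24
add dst-address=192.168.1.0/24 src-address=192.168.2.0/24 template=yes
"""

# Parses: no policy found: <src>[port] <dst>[port] proto=<p> dir=<in|out>
NO_POLICY_RE = re.compile(
    r"no policy found: (?P<src>\S+?)\[\d+\] (?P<dst>\S+?)\[\d+\] "
    r"proto=(?P<proto>\S+) dir=(?P<dir>in|out)"
)
# Parses key=value pairs from a RouterOS export line (values may be quoted).
KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_no_policy(log_text):
    """Return one dict (src, dst, proto, dir) per 'no policy found' line."""
    events = []
    for line in log_text.splitlines():
        m = NO_POLICY_RE.search(line)
        if m:
            events.append({
                "src": ipaddress.ip_network(m.group("src")),
                "dst": ipaddress.ip_network(m.group("dst")),
                "proto": m.group("proto"),
                "dir": m.group("dir"),
            })
    return events


def parse_policies(export_text):
    """Parse 'add'/'set' lines of a '/ip ipsec policy' export into dicts."""
    policies = []
    for line in export_text.splitlines():
        line = line.strip()
        if not (line.startswith("add") or line.startswith("set")):
            continue
        kv = dict(KV_RE.findall(line))
        policies.append({
            "src": ipaddress.ip_network(kv.get("src-address", "0.0.0.0/0")),
            "dst": ipaddress.ip_network(kv.get("dst-address", "0.0.0.0/0")),
            "disabled": kv.get("disabled") == "yes",
            "template": kv.get("template") == "yes",
            "raw": line,
        })
    return policies


def explain_no_policy(log_text, export_text):
    """For each 'no policy found' event, say whether any configured policy
    could serve it and, if not, why each candidate is rejected."""
    policies = parse_policies(export_text)
    findings = []
    for ev in parse_no_policy(log_text):
        # Assumption: policies are written outbound from the MikroTik's view,
        # so an inbound SA needs the mirrored (dst, src) pair.
        if ev["dir"] == "in":
            want_src, want_dst = ev["dst"], ev["src"]
        else:
            want_src, want_dst = ev["src"], ev["dst"]
        reasons = []
        usable = False
        for p in policies:
            # Assumption: the responder requires an exact selector match.
            if p["src"] != want_src or p["dst"] != want_dst:
                reasons.append("selector mismatch: " + p["raw"])
            elif p["disabled"]:
                reasons.append("matching policy is disabled: " + p["raw"])
            elif p["template"]:
                reasons.append("matching policy is only a template: " + p["raw"])
            else:
                usable = True
        findings.append({"event": ev, "usable_policy": usable, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in explain_no_policy(MIKROTIK_LOG, MIKROTIK_POLICIES):
        ev = f["event"]
        print(f"{ev['src']} -> {ev['dst']} dir={ev['dir']}: usable={f['usable_policy']}")
        for r in f["reasons"]:
            print("  ", r)
```

Run against the first post's export it reports no usable policy, with one line per rejected candidate; once a non-template, enabled policy with the same 192.168.2.0/24 -> 192.168.1.0/24 selectors is present, the same event is reported as served, which is the state the later posts reach after recreating the policy from the CLI.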
09-25-2015 04:56 AM
Hi santonic
Could you share some configuration of the Mikrotik?
I have a few questions:
- is DPD 5/5 OK?
- are you using tunnel monitoring?
- in policy > action > level, are you using require or unique? According to the manual it should be unique, but it is not working for me
- I'm using an RB951 - when passing 30Mb/s the CPU of the RB is at 100%. I tried md5/sha1 and aes/3des but I did not get any change.
Mikrotik has one LAN, 192.168.2.0/24; PA has a few LANs: 192.168.1.0/24 and 192.168.x.0/24. Internet traffic from Mikrotik must go through the VPN tunnel.
My Mikrotik config (ipsec part):
Route:
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY          DISTANCE
 0 A S  0.0.0.0/0                          x.y.z.129        1
 1 ADC  x.y.z.128/26       x.y.z.158       WAN              0
 2 A S  192.168.1.0/24                     WAN              1
 3 ADC  192.168.2.0/24     192.168.2.1     LAN bridge       0
Policy:
 1 src-address=192.168.2.0/24 src-port=any dst-address=192.168.1.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=x.y.z.158 sa-dst-address=x.y.z.157 proposal=proposal2 priority=0
 2 src-address=192.168.2.0/24 src-port=any dst-address=0.0.0.0/0 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=x.y.z.158 sa-dst-address=x.y.z.157 proposal=proposal2 priority=0
Peer:
 0 address=x.y.z.157/32 local-address=:: passive=no port=500 auth-method=pre-shared-key secret="xxxxxx" generate-policy=no policy-template-group=group1 exchange-mode=main mode-config=request-only send-initial-contact=no nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1024 lifetime=8h lifebytes=0 dpd-interval=5s dpd-maximum-failures=5
And - maybe a stupid question - how do I verify it is working properly? I'm new to IPsec VPN and I worry about problems. What should I verify? Now everything is OK (in my opinion), but the devices are currently in the LAN and I get about 5% loss of ping packets.
I'm worried about how it will act in a real scenario...
09-25-2015 05:09 AM
uhh, I figured it out (I hope)
Now the tunnel is up... but I didn't have any misconfiguration - in the GUI everything was OK, but...
I started verification from the CLI and I realised that from the CLI the policy was broken (the part about the SA was missing). I deleted it and created it again - and - surprise!!! it's working...
So the lesson for me and you - use the CLI
Regards
Slawek
09-25-2015 06:24 AM
Glad you got it working.
DPD doesn't matter when establishing IPsec for the first time. Also don't use tunnel monitor before establishing the VPN for the first time.
Yeah, the CLI "test vpn" is very useful. It's also in the WebUI from 7.0.0 but I haven't tried it yet.
The ultimate test for VPN is always to send some traffic through it.
09-25-2015 06:31 AM
I observed another strange behaviour ...
My workstation has IP 192.168.1.35 and is connected to the PAN device.
A laptop with 192.168.2.200 is connected to the Mikrotik.
If a ping is launched from the laptop to 192.168.1.1 and I try to start pinging from my workstation to the laptop IP, after a few packets I get
Badanie 192.168.2.200 z 32 bajtami danych:
Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=2ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=2ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=2ms TTL=126
Upłynął limit czasu żądania.
Upłynął limit czasu żądania.
Upłynął limit czasu żądania.
Upłynął limit czasu żądania.
Upłynął limit czasu żądania.
but... when I stopped the ping from the laptop, the ping from my workstation immediately started working OK.
Does anyone have an idea what's going on? How do I troubleshoot this problem?
I tried copying big files in both directions and everything is OK...
Regards
Slawek
09-25-2015 06:40 AM
Check logs if your VPN is going up and down. Pings would get lost while TCP connections would survive in such case.
09-25-2015 10:11 AM
I observed another strange behaviour ...
Sit down - take a deep breath.... and read
My workstation has IP 192.168.1.35 and is connected to the PAN device.
A laptop with 192.168.2.200 is connected to the Mikrotik.
If a ping is launched from the laptop to 192.168.1.1 and I try to start pinging from my workstation to the laptop IP, after a few packets I get
Badanie 192.168.2.200 z 32 bajtami danych:
Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=2ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=2ms TTL=126
Odpowiedź z 192.168.2.200: bajtów=32 czas=2ms TTL=126
Upłynął limit czasu żądania.
Upłynął limit czasu żądania.
Upłynął limit czasu żądania.
Upłynął limit czasu żądania.
Upłynął limit czasu żądania.
but... when I stopped the ping from the laptop, the ping from my workstation immediately started working OK.
Does anyone have an idea what's going on? How do I troubleshoot this problem?
I tried copying big files in both directions and everything is OK...
Regards
Slawek
09-25-2015 11:26 AM
Do the traffic logs show anything?
09-26-2015 03:04 AM
Of course, yes. Some details - maybe it will be useful to find something odd
details of "1"
details of "2"
the same from CLI
Is it normal to have so many sessions during one "ping" session?
Why did the sessions age out so quickly?
Regards
Slawek
09-26-2015 05:58 AM
heh, I GOT it 🙂
The problem with ping was related to a firewall rule on the Mikrotik. This rule imposed limits - after disabling it, ping works perfectly.
Regards
Slawek
09-28-2015 09:12 AM
Glad to hear you got it working properly! If you have a basic writeup perhaps consider posting it for other users to reference?