About _slv_

_slv_ · ‎10-12-2015

Could You give full comnand example for "follow" from my finding another usefull command is: tail lines 200 mp-log ikemgr.log - shows last 200 lines. Regards SLawek

_slv_ · ‎10-12-2015

Hello I spend a lot of time playing with logs, ie. less mp-log ikemgr.log How to: - go to end of this file? - search forward/backward keyword - scrool up/down and you problably know many other userfull keywords. Please share with us who are not well trained 😉 - yet Regards SLawek

_slv_ · ‎10-12-2015

Hi Santonic I did as You wrote and tunnel is working for LANs, now problem is with internet access only. Now my routing table looks like: IPv4 Dest-Routes for <trust-vr> (7 entries) -------------------------------------------------------------------------------------- ID IP-Prefix Interface Gateway P Pref Mtr Vsys -------------------------------------------------------------------------------------- * 3 0.0.0.0/0 untrust x.y.z.129 C 0 1 Root * 5 192.168.5.1/32 trust 0.0.0.0 H 0 0 Root * 4 192.168.5.0/24 trust 0.0.0.0 C 0 0 Root * 1 x.y.z.128/26 untrust 0.0.0.0 C 0 0 Root * 6 192.168.1.0/24 tun.1 0.0.0.0 S 20 1 Root * 7 192.168.50.0/24 tun.1 0.0.0.0 S 20 1 Root * 2 x.y.z.158/32 untrust 0.0.0.0 H 0 0 Root x.y.z.129 is a default gateway for NS device. My untrust interface of NS is in route mode. My security policies loks like: Are they policy nessesary? How do I change it according to proxy_id change? Help me please

_slv_ · ‎10-12-2015

Hello I have to connect by ipsec vpn PA200 PANOS6.1.6 with NS5GT 6.2.0r15 ScreenOS. Problem that I have is that clients behind NS must have access to two LANs on PA and to internet throuth tunnel. LAN_A——— LAN_B——— PaloAlto……….tunel_IPSec………………Netscreen———LAN_M Internet —— How to do it? At the moment I have working config like https://www.corelan.be/index.php/2007/11/17/juniper-setting-up-an-ipsec-vpn-tunnel-between-a-juniper-netscreen-firewallvpn-device-and-a-cisco-vpn-device/ but I really don't know how to set up tunnel for internet traffic - how to setup "VPN>AutoKey IKE ". As I remember on this forum are ScreenOS experts so I ask You for help. Regards SLawek

_slv_ · ‎10-12-2015

Hi After few weeks of testings in real networks (not in my lab) I have to say - it doesnt wroking stable ... I have to leave it now as it is. I will back to it later.

_slv_ · ‎09-26-2015

heh I GOT it 🙂 problem with ping was related to firwall rule on Mikrotik. This rule make limitations - afer diabling - ping working perfectly. Regards Slawek

_slv_ · ‎09-26-2015

Of course Yes. some details - maybe it will be useful lto find some odds details of "1" details of "2" the same from CLI Is it normal to have such many session during one "ping" session? Why the session aged out so quicky? Regards SLawek

_slv_ · ‎09-25-2015

I observed another strange behaviour ... Sit down - take a deep breath .... and read My workstation has IP 192.168.1.35 and its connected to PAN device Laptop with 192.168.2.200 is connected to Mikrotik If is lunched ping from laptop to 192.168.1.1 and I try to start pinging from my workstation to laptop IP after few packet I get Badanie 192.168.2.200 z 32 bajtami danych: Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126 Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126 Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126 Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126 Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126 Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126 Odpowiedź z 192.168.2.200: bajtów=32 czas=2ms TTL=126 Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126 Odpowiedź z 192.168.2.200: bajtów=32 czas=2ms TTL=126 Odpowiedź z 192.168.2.200: bajtów=32 czas=2ms TTL=126 Upłynął limit czasu żądania. Upłynął limit czasu żądania. Upłynął limit czasu żądania. Upłynął limit czasu żądania. Upłynął limit czasu żądania. but ... when I stoped ping from laptop imiditellly ping from my workstation starting pinging OK Has anyone idea whats going on? how to troubleshoot this problem? I tryed to copy big files in both direction and everything is OK ... Reagrds Slawek

_slv_ · ‎09-25-2015

I observed another strange behaviour ... My workstation has IP 192.168.1.35 and its connected to PAN device Laptop with 192.168.2.200 is connected to Mikrotik If is lunched ping from laptop to 192.168.1.1 and I try to start pinging from my workstation to laptop IP after few packet I get Badanie 192.168.2.200 z 32 bajtami danych: Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126 Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126 Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126 Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126 Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126 Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126 Odpowiedź z 192.168.2.200: bajtów=32 czas=2ms TTL=126 Odpowiedź z 192.168.2.200: bajtów=32 czas=1ms TTL=126 Odpowiedź z 192.168.2.200: bajtów=32 czas=2ms TTL=126 Odpowiedź z 192.168.2.200: bajtów=32 czas=2ms TTL=126 Upłynął limit czasu żądania. Upłynął limit czasu żądania. Upłynął limit czasu żądania. Upłynął limit czasu żądania. Upłynął limit czasu żądania. but ... when I stoped ping from laptop imiditellly ping from my workstation starting pinging OK Has anyone idea whats going on? how to troubleshoot this problem? I tryed to copy big files in both direction and everything is OK ... Reagrds Slawek

_slv_ · ‎09-25-2015

uhh I figured it out (I hope) Now tunnel is up ... but I havent any misconfiguration - in GUI everything was OK but ... I started veryfication from CLI and I realised that from CLI polisy is broken (missed part about SA). I deleted it and created again - and - surprice !!! its working ... So lesson for me and You - use CLI Regards Slawek

_slv_ · ‎09-25-2015

Hi santonic Could You share some configuration of Microtik? I have few question: - is DPD 5/5 OK? - are You using tunnel monitoring? - are You use in policy > action > level reguire or unique? according to manual should be unique but it not working for me - I'm using RB951 - when passing 30Mb/s CPU of RB is 100%, I tryed with md5/sha1 aes/3des but I not get any change. Mikrotic has one LAN 192.168.2.0/24, PA has few LANs: 192.168.1.0/24 and 192.168.x.0/24, Internet trafffic from Mikrotik must go by VPN tunnel. My Mikrotik config (ipsec part) Route: Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit # DST-ADDRESS PREF-SRC GATEWAY DISTANCE 0 A S 0.0.0.0/0 x.y.z.129 1 1 ADC x.y.z.128/26 x.y.z.158 WAN 0 2 A S 192.168.1.0/24 WAN 1 3 ADC 192.168.2.0/24 192.168.2.1 LAN bridge 0 Policy: 1 src-address=192.168.2.0/24 src-port=any dst-address=192.168.1.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=x.y.z.158 sa-dst-address=x.y.z.157 proposal=proposal2 priority=0 2 src-address=192.168.2.0/24 src-port=any dst-address=0.0.0.0/0 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=x.y.z.158 sa-dst-address=x.y.z.157 proposal=proposal2 priority=0 Peer: 0 address=x.y.z.157/32 local-address=:: passive=no port=500 auth-method=pre-shared-key secret="xxxxxx" generate-policy=no policy-template-group=group1 exchange-mode=main mode-config=request-only send-initial-contact=no nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1024 lifetime=8h lifebytes=0 dpd-interval=5s dpd-maximum-failures=5 And - maybe stupid qustion - how to verify is it working properly? I'm new in ipsec VPN and I worry about problems. What I should verify? now everything is OK (in my opinion) but now devices are in LAN and I get about 5% loss of pings packet. I'm worry how it will act in real scenario...

_slv_ · ‎09-23-2015

Hi Bcance Please follow this doc https://live.paloaltonetworks.com/t5/Configuration-Articles/Dead-Peer-Detection-and-Tunnel-Monitoring/ta-p/61371 In my opinion You can use any two private IP's. Regards Slawek

_slv_ · ‎09-22-2015

Hi Otakar I know this doc - new info is that in log I have IKEv1 phase-2 negotiation request received when phase-1 SA is not act ive or expired What does it mean? I have green bubble in IKE section also I see connected peers in Mikrotik. Regards Slawek

_slv_ · ‎09-22-2015

Hello I'm trying to connect PaloAlto PA200 PANOS 6.1.6 and Mikrotik RB951 6.32.2 Phase 1 is estabilished properly but I cant get phase 2 working. Logs from Mikrotik says: Sep/22/2015 20:09:34 ipsec,debug,packet HASH computed: Sep/22/2015 20:09:34 ipsec,debug,packet f85f12d1 b77dc7a6 3690e85b ed9102d9 62f29649 Sep/22/2015 20:09:34 ipsec,debug,packet get a src address from ID payload 192.168.1.0[0] prefixlen=24 ul_proto=255 Sep/22/2015 20:09:34 ipsec,debug,packet get dst address from ID payload 192.168.2.0[0] prefixlen=24 ul_proto=255 Sep/22/2015 20:09:34 ipsec,debug no policy found: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=in Sep/22/2015 20:09:34 ipsec,debug failed to get proposal for responder. Sep/22/2015 20:09:34 ipsec,error failed to pre-process ph2 packet. Logs from PaloAlto: ====> Initiated SA: x.y.z..157[500]-x.y.z..158[500] message id:0x6BB04309 <==== 2015-09-22 20:09:53 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION FAILED AS INITIATOR, (QUICK MODE) <==== ====> Failed SA: x.y.z..157[500]-x.y.z..158[500] message id:0x6BB04309 <==== Due to negotiation timeout. 2015-09-22 20:09:53 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <==== ====> Initiated SA: x.y.z..157[500]-x.y.z..158[500] message id:0x01365B68 <==== 2015-09-22 20:10:23 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION FAILED AS INITIATOR, (QUICK MODE) <==== ====> Failed SA: x.y.z..157[500]-x.y.z..158[500] message id:0x01365B68 <==== Due to negotiation timeout. 2015-09-22 20:10:23 [PROTO_NOTIFY]: phase-2 negotiation failed. delete stale phase-1 SA. 2015-09-22 20:10:23 [INFO]: ====> PHASE-1 SA DELETED <==== ====> Deleted SA: x.y.z..157[500]-x.y.z..158[500] cookie:bb97b04a7db888f8:402f8a7370dc2e35 <==== 2015-09-22 20:10:23 [INFO]: IPsec-SA request for x.y.z..158 queued since no phase1 found 2015-09-22 20:10:23 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION STARTED AS INITIATOR, MAIN MODE <==== ====> Initiated SA: x.y.z..157[500]-x.y.z..158[500] cookie:5811ea271afc695f:0000000000000000 <==== 2015-09-22 20:10:23 [INFO]: received Vendor ID: DPD 2015-09-22 20:10:23 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION SUCCEEDED AS INITIATOR, MAIN MODE <==== ====> Established SA: x.y.z..157[500]-x.y.z..158[500] cookie:5811ea271afc695f:fe7fe1dface0fb0b lifetime 28800 Sec <==== 2015-09-22 20:10:23 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <==== ====> Initiated SA: x.y.z..157[500]-x.y.z..158[500] message id:0xCE9673F6 <==== My config: /ip ipsec proposal set [ find default=yes ] auth-algorithms=md5,sha1 enc-algorithms=aes-128-cbc,aes-256-cbc,aes-128-ctr,aes-256-ctr lifetime=8h /ip ipsec peer add address=x.y.z..157/32 dpd-interval=disable-dpd enc-algorithm=aes-256 lifetime=8h nat-traversal=no secret="passw0rd" /ip ipsec policy set 0 disabled=yes dst-address=192.168.1.0/24 src-address=192.168.2.0/24 add dst-address=192.168.1.0/24 src-address=192.168.2.0/24 template=yes Does anyone sucessfully conected PA device with Mikrotik OS?

_slv_ · ‎08-31-2015

Hi I guess that You havent properly installed ssl cert with intermidiate cert Please verify it by https://www.sslshopper.com/ssl-checker.html You can read about Intermediate Certificate Authority (CA): https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=SO15690 Regards Slawek

Member Since	‎06-13-2012 08:35 AM
Date Last Visited
Posts	658
Total Likes Received	97

About _slv_

Re: Captive Portal - Terms of Service

Re: Captive Portal - Terms of Service

Re: Captive Portal NTLM and responce page

Re: Captive Portal - Terms of Service

Captive Portal NTLM and responce page

Re: Captive Portal - Terms of Service

Re: Captive Portal - Terms of Service

Re: Captive Portal - Terms of Service

Re: Captive Portal - Terms of Service

Re: Captive Portal - Terms of Service

Re: Unauthorized DHCP offers

Re: Fragroute Evasion Attack - how to find source process/application?

Captive Portal with Radius and groups of users

Re: How to list url filtering profile using CLI

Re: Unable to download 8.0.6 on PA500

Palo Alto Networks SuperFan Program

Re: ROBOT attack - some advice needed

Re: strange order in definition updates view - PANOS 8.x

Re: AD trouble after installing content version 729

New Global Protect 3.0 is not good enough

Re: Usefull CLI commands to work with logs

Usefull CLI commands to work with logs

Re: VPN s2s with Juniper ScreenOS with multiple networks on PA side

VPN s2s with Juniper ScreenOS with multiple networks on PA side

Re: vpn s2s with Mikrotik router - proxy id problem

Re: vpn s2s with Mikrotik router - proxy id problem

Re: vpn s2s with Mikrotik router - proxy id problem

Re: vpn s2s with Mikrotik router - proxy id problem

Re: vpn s2s with Mikrotik router - proxy id problem

Re: vpn s2s with Mikrotik router - proxy id problem

Re: vpn s2s with Mikrotik router - proxy id problem

Re: Site-to-Site VPN question

Re: vpn s2s with Mikrotik router - proxy id problem

vpn s2s with Mikrotik router - proxy id problem

Re: Diferences between Global protect 1.2 and 2.3 clients?

Unlock your full community experience!

About _slv_