About Naelwan

@Remo  PAN-OS version is 8.0.3 IKE v1 only.    @9t89m8fu I've tried PFS 5 before but didn't work.  I've just tried again as a double check and ... it works.  I might have changed something else but can't remember what.   Thanks everyone for the help. BR.   ... View more

I know that all parameters must match, that's why I'm trying to make the exact replica of my old Fortigate into the Palo. The only thing that seems to be different for the P2 is that I can't select several DH groups. ... View more

If I remove the Proxy IDs, the P2 Proposal fails due to a timeout, but without "no proposal chosen" message.   I don't have an easy access to the remote firewall but I'll post its logs as soon as I can.   Note that I don't know what is the remote firewall. The Fortigate was the firewall that I replaced by the Palo. Its configuration was workin though. ... View more

I tried without PFS and the result is the same.   I don't have access to the remote firewall but as I remember, it is supposed to accept both proposals on DHGroup 5 and DHGroup 14.   Here is the full log output : 2017-08-24 15:52:58.828 +0200 [PNTF]: { 3: 12}: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <==== ====> Initiated SA: WAN_IP[500]-DST_WAN_IP[500] message id:0x8C47EF4D <==== 2017-08-24 15:52:58.845 +0200 [PNTF]: { 3: }: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=dd34eb2c(size=4). 2017-08-24 15:53:01.015 +0200 [PNTF]: { 3: }: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=dd34eb2c(size=4). 2017-08-24 15:53:04.005 +0200 [PNTF]: { 3: }: notification message 36137:R-U-THERE-ACK, doi=1 proto_id=1 spi=596ffb652fb039fd 8ebc5e12d094fa99 (size=16). 2017-08-24 15:53:04.005 +0200 [PNTF]: { 3: }: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=dd34eb2c(size=4). 2017-08-24 15:53:05.884 +0200 [PERR]: packet (5) shorter than isakmp header size. 2017-08-24 15:53:09.005 +0200 [PNTF]: { 3: }: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=dd34eb2c(size=4). 2017-08-24 15:53:15.884 +0200 [PERR]: packet (5) shorter than isakmp header size. 2017-08-24 15:53:17.015 +0200 [PNTF]: { 3: }: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=dd34eb2c(size=4). 2017-08-24 15:53:25.884 +0200 [PERR]: packet (5) shorter than isakmp header size. 2017-08-24 15:53:29.002 +0200 [PNTF]: { : 12}: ====> PHASE-2 NEGOTIATION FAILED AS INITIATOR, (QUICK MODE) <==== ====> Failed SA: WAN_IP[500]-DST_WAN_IP[500] message id:0x8C47EF4D <==== Due to negotiation timeout. 2017-08-24 15:53:34.015 +0200 [PNTF]: { 3: }: notification message 36137:R-U-THERE-ACK, doi=1 proto_id=1 spi=596ffb652fb039fd 8ebc5e12d094fa99 (size=16).       ... View more

Well, @Remo, it worked only one time. from second try to now on : no more warning prompt but after network and config detection, i have the same error "gateway :  server certificate verification failed"    There has been no modification made to the PA220 config between 1st and 2nd tries.   EDIT :  All I can see in the logs are : Failed to connect to 192.168.7.1 on 443 (error: 0) So obviously, agent-side gateway was misconfigured as it was pointing the PA220 interface and not the Public IP Address.   ... View more

Hi @Remo   Self signed CA on the PA220, yes. Root CA cert is imported and specified in the portal conf.   I created the certificate with only the Wan IP in the Subject, just tried with the IP attribute with the WAN IP, It now works.   Thanks for your very reactive answers and your knowledge. Really appreciate it.   BR    Nael ... View more

Thanks @Raido_Rattameister & @Remo ! ... View more