
 
slv
newbie
Topic Author
Posts: 46
Joined: Mon Jun 17, 2013 8:54 pm

VPN s2s with PaloAlto - proxy id problem during phase2 ipsec

Tue Sep 22, 2015 9:21 pm

Hello

I'm trying to connect PaloAlto PA200 PANOS 6.1.6 and Mikrotik RB951 6.32.2

Phase 1 is established properly but I can't get phase 2 working.

Logs from Mikrotik say:
Sep/22/2015 20:09:34 ipsec,debug,packet HASH computed:
Sep/22/2015 20:09:34 ipsec,debug,packet f85f12d1 b77dc7a6 3690e85b ed9102d9 62f29649
Sep/22/2015 20:09:34 ipsec,debug,packet get a src address from ID payload 192.168.1.0[0] prefixlen=24 ul_proto=255
Sep/22/2015 20:09:34 ipsec,debug,packet get dst address from ID payload 192.168.2.0[0] prefixlen=24 ul_proto=255
Sep/22/2015 20:09:34 ipsec,debug no policy found: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=in
Sep/22/2015 20:09:34 ipsec,debug failed to get proposal for responder.
Sep/22/2015 20:09:34 ipsec,error failed to pre-process ph2 packet.
Logs from PaloAlto:
====> Initiated SA: x.y.z..157[500]-x.y.z..158[500] message id:0x6BB04309 <====
2015-09-22 20:09:53 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION FAILED AS INITIATOR, (QUICK MODE) <====
====> Failed SA: x.y.z..157[500]-x.y.z..158[500] message id:0x6BB04309 <==== Due to negotiation timeout.
2015-09-22 20:09:53 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====
====> Initiated SA: x.y.z..157[500]-x.y.z..158[500] message id:0x01365B68 <====
2015-09-22 20:10:23 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION FAILED AS INITIATOR, (QUICK MODE) <====
====> Failed SA: x.y.z..157[500]-x.y.z..158[500] message id:0x01365B68 <==== Due to negotiation timeout.
2015-09-22 20:10:23 [PROTO_NOTIFY]: phase-2 negotiation failed. delete stale phase-1 SA.
2015-09-22 20:10:23 [INFO]: ====> PHASE-1 SA DELETED <====
====> Deleted SA: x.y.z..157[500]-x.y.z..158[500] cookie:bb97b04a7db888f8:402f8a7370dc2e35 <====
2015-09-22 20:10:23 [INFO]: IPsec-SA request for x.y.z..158 queued since no phase1 found
2015-09-22 20:10:23 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION STARTED AS INITIATOR, MAIN MODE <====
====> Initiated SA: x.y.z..157[500]-x.y.z..158[500] cookie:5811ea271afc695f:0000000000000000 <====
2015-09-22 20:10:23 [INFO]: received Vendor ID: DPD
2015-09-22 20:10:23 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION SUCCEEDED AS INITIATOR, MAIN MODE <====
====> Established SA: x.y.z..157[500]-x.y.z..158[500] cookie:5811ea271afc695f:fe7fe1dface0fb0b lifetime 28800 Sec <====
2015-09-22 20:10:23 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====
====> Initiated SA: x.y.z..157[500]-x.y.z..158[500] message id:0xCE9673F6 <====

My config:
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5,sha1 enc-algorithms=aes-128-cbc,aes-256-cbc,aes-128-ctr,aes-256-ctr lifetime=8h
/ip ipsec peer
add address=x.y.z..157/32 dpd-interval=disable-dpd enc-algorithm=aes-256 lifetime=8h nat-traversal=no secret="passw0rd"
/ip ipsec policy
set 0 disabled=yes dst-address=192.168.1.0/24 src-address=192.168.2.0/24
add dst-address=192.168.1.0/24 src-address=192.168.2.0/24 template=yes


Has anyone successfully connected a PA device with MikroTik RouterOS?
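In IKEv1 quick mode the "proxy IDs" are the traffic selectors carried in the IDci/IDcr payloads (subnet, protocol, port), and the responder must hold an active policy whose selectors equal them exactly; the racoon debug lines above show the peer's two ID payloads and then "no policy found" for that pair. The script below is an added example, not code from MikroTik or Palo Alto: it parses the racoon ID-payload lines and a `/ip ipsec policy` export (both constructed from the post above), swaps the selector direction the way racoon does for `dir=in`, and reports whether the failure is a selector mismatch or a policy that matches but cannot be used. It assumes that a policy only serves a static peer when it is enabled and not a template (RouterOS consults templates only when generating policies for dynamic peers); the `CORRECTED_EXPORT` is a hypothetical fixed configuration, not one taken from the thread.

```python
"""Explain a racoon "no policy found" Phase 2 failure on RouterOS.

Added example for this thread, not vendor code.  Sample log and policy
export are constructed from the original post.  Assumption: a policy only
counts for a static peer when it is enabled and not a template.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed from the racoon debug lines in the original post.
RACOON_LOG = """\
Sep/22/2015 20:09:34 ipsec,debug,packet get a src address from ID payload 192.168.1.0[0] prefixlen=24 ul_proto=255
Sep/22/2015 20:09:34 ipsec,debug,packet get dst address from ID payload 192.168.2.0[0] prefixlen=24 ul_proto=255
Sep/22/2015 20:09:34 ipsec,debug no policy found: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=in
"""

# Constructed after the /ip ipsec policy section of the original post.
POLICY_EXPORT = """\
/ip ipsec policy
set 0 disabled=yes dst-address=192.168.1.0/24 src-address=192.168.2.0/24
add dst-address=192.168.1.0/24 src-address=192.168.2.0/24 template=yes
"""

# Hypothetical corrected export (assumption, not from the thread): one
# enabled, non-template tunnel policy with the same selectors.
CORRECTED_EXPORT = """\
/ip ipsec policy
add dst-address=192.168.1.0/24 src-address=192.168.2.0/24 tunnel=yes
"""

ID_RE = re.compile(
    r"get (?:a )?(src|dst) address from ID payload (\S+?)\[(\d+)\] prefixlen=(\d+) ul_proto=(\d+)"
)
KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')


@dataclass
class Selector:
    src: ipaddress.IPv4Network  # peer's IDci: the subnet behind the peer
    dst: ipaddress.IPv4Network  # peer's IDcr: the subnet it expects behind us
    proto: int                  # 255 in racoon means "any"


@dataclass
class Policy:
    index: int
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    disabled: bool
    template: bool


def parse_peer_ids(log: str) -> Selector:
    """Extract the selector the peer proposed from racoon's ID payload lines."""
    ids = {}
    for m in ID_RE.finditer(log):
        side, addr, _port, plen, proto = m.groups()
        ids[side] = (ipaddress.ip_network(f"{addr}/{plen}"), int(proto))
    if set(ids) != {"src", "dst"}:
        raise ValueError("log does not contain both ID payloads")
    return Selector(ids["src"][0], ids["dst"][0], ids["src"][1])


def parse_policies(export: str) -> list[Policy]:
    """Parse 'set N ...' and 'add ...' lines of a RouterOS policy export."""
    pols: list[Policy] = []
    for line in export.splitlines():
        if not line.startswith(("add ", "set ")):
            continue
        kv = dict(KV_RE.findall(line))
        m = re.match(r"set (\d+)", line)
        pols.append(Policy(
            index=int(m.group(1)) if m else len(pols),
            src=ipaddress.ip_network(kv.get("src-address", "0.0.0.0/0")),
            dst=ipaddress.ip_network(kv.get("dst-address", "0.0.0.0/0")),
            disabled=kv.get("disabled") == "yes",
            template=kv.get("template") == "yes",
        ))
    return pols


def explain(sel: Selector, pols: list[Policy]) -> dict:
    """Classify each policy against the peer's selector.

    For dir=in racoon looks up the peer's (src, dst) pair; the matching
    RouterOS policy is the outbound one, so policy.dst must equal the peer's
    src and policy.src its dst.  IKEv1 needs an exact match, no narrowing.
    """
    result = {"match_active": [], "match_inactive": [], "mismatch": []}
    for p in pols:
        if p.dst == sel.src and p.src == sel.dst:
            reasons = [r for r, on in (("disabled", p.disabled), ("template", p.template)) if on]
            result["match_active" if not reasons else "match_inactive"].append((p.index, reasons))
        else:
            result["mismatch"].append((p.index, f"policy {p.src}->{p.dst}, peer wants {sel.dst}->{sel.src}"))
    return result


def verdict(sel: Selector, pols: list[Policy]) -> str:
    r = explain(sel, pols)
    if r["match_active"]:
        return "ok"
    if r["match_inactive"]:
        return "selectors match but no active policy: " + "; ".join(
            f"#{i} {','.join(rs)}" for i, rs in r["match_inactive"])
    return "no policy with matching selectors: " + "; ".join(f"#{i} {why}" for i, why in r["mismatch"])


if __name__ == "__main__":
    peer = parse_peer_ids(RACOON_LOG)
    print("posted config :", verdict(peer, parse_policies(POLICY_EXPORT)))
    print("corrected     :", verdict(peer, parse_policies(CORRECTED_EXPORT)))
```

Run against the posted export it reports that both policies carry the right subnets but neither is usable (one disabled, one a template), which is a different fix from the selector mismatch a "no policy found" line usually suggests; run against the hypothetical corrected export it reports "ok".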
 
chechito
Forum Guru
Posts: 1743
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: VPN s2s with PaloAlto - proxy id problem during phase2 ipsec

Wed Dec 02, 2015 11:46 pm

Have you found the solution?
 
tjdressel
just joined
Posts: 4
Joined: Mon Dec 07, 2015 10:12 pm

Re: VPN s2s with PaloAlto - proxy id problem during phase2 ipsec

Tue Dec 08, 2015 2:25 am

I'm having the same problem. PAN-OS 6.1.7, RouterOS 6.3.33.

Phase 1 starts shockingly fast, I got all excited there for a bit. :)

I've got several pfSense boxes connected to this PA unit, and one Cisco ASA, so I'm reasonably comfortable with IPsec setup. The terminology on RouterOS is a bit foreign to me, so I'm not sure what is considered P1 and P2 on this side. The other thing is I thought, maybe incorrectly, that the proxy IDs were what actually did the matching on both sides. So for example, if your proxy ID on the PAN side is called "BUSINESS", you have to call it the same on the remote side. But I don't see a relevant field on the RouterOS side to put in this proxy ID of "BUSINESS".

Would appreciate any help.

With regards,
 
tjdressel
just joined
Posts: 4
Joined: Mon Dec 07, 2015 10:12 pm

Re: VPN s2s with PaloAlto - proxy id problem during phase2 ipsec

Tue Dec 08, 2015 2:39 am

FYI, my code is:

/ip ipsec policy group
add name=default
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc lifetime=8h
/ip ipsec peer
add address=<publicip>/32 dpd-interval=disable-dpd enc-algorithm=aes-256 lifetime=8h nat-traversal=no secret=<strongpw>
/ip ipsec policy
set 0 dst-address=<palo alto remote subnet>/23 group=default src-address=<mikrotik local subnet>/24
 
tjdressel
just joined
Posts: 4
Joined: Mon Dec 07, 2015 10:12 pm

Re: VPN s2s with PaloAlto - proxy id problem during phase2 ipsec

Wed Dec 16, 2015 1:55 am

If anyone is still following this thread, I figured it out with support from Mikrotik and Palo Alto support.

Everything was fine on the Palo Alto side. On the Mikrotik side I had modified the default policy. The solution was to create a new policy (not live with the modified default one). Settings were identical, SAs got installed within seconds (I had a continuous ping across the tunnel). Nice!

I did find though that the tunnel goes down without any traffic over it, so I need to find some way to keep the tunnel alive, like a ping across it once in a while or something like that. If anyone has a clue that would be great!

With regards,

Tim
