Published on July 2016
How to Configure an IPSec VPN
This procedure assumes the Palo Alto firewall has at least two interfaces operating in Layer3
mode, with IP addresses assigned, and routes added to a virtual router. The other end of the
VPN tunnel can be any vendor’s firewall: Juniper, Cisco, Checkpoint, etc.

Topology: see Appendix A for the network diagram used throughout this document.

Part 1: Configure tunnel endpoint on the PAN device
1. Go to the Network tab -> Interfaces screen. Create a new tunnel interface. Assign the
following parameters:
• Name: tunnel.1
• Virtual router: (select the existing virtual router)
• Zone: (select the layer 3 internal zone from which the traffic will originate)
Note: If you put the tunnel interface in a zone that is different from the zone that the traffic
will originate/depart, then you will need to create a policy to allow the traffic to flow from the
source zone to the zone containing the tunnel interface.
Shown below is an example tunnel interface, tunnel.1:

PANOS 2.1.3


2. Go to Network tab -> Network Profiles -> IKE Gateways screen. You will configure
the IKE phase 1 gateway on this screen. Click New, and enter the following parameters:
• IKE gateway: gw-to-siteX (or any name of your choosing)
• Local IP address: (select the firewall interface that is closest to the other VPN
endpoint. This is called the “public” interface of the firewall.)
• Peer IP address: (enter the IP address of the “public” interface on the other VPN
endpoint)
• Pre-shared key: (enter a key of your choosing, and remember it so you can enter it
in the other firewall’s VPN configuration. Use a long, randomly generated key that is
unique to this peer; a short or reused pre-shared key is the weakest part of this
configuration.)
Here is an example of an IKE gateway configuration:

3. To configure the IKE phase 2 VPN, go to Network tab -> IPSec Tunnels screen. Create
a new VPN with the following parameters:
• Name: vpn-to-siteX (or any name of your choosing)
• Tunnel interface: (pull down to select tunnel.1)
• IKE gateway: (pull down to select the IKE gateway you created in the previous
step)
• If the other side of the tunnel is configured as a policy-based VPN, then:
  • Click “Show advanced options”
  • Enter the local proxy ID and remote proxy ID to match the other side (refer to
    Appendix A for a network diagram of the two sites and their networks)

Once you click OK, the IPSec tunnel will appear in the list, with the status circles colored
red to indicate the tunnel is down. Here is an example:

4. Go to Network tab -> Virtual Routers screen. Edit your existing virtual router. Add a
new route for the network that is behind the other VPN endpoint. For interface, select
“tunnel.1”. There is no need to enter a value for next hop. Click Add to add the static
route.

5. Commit the configuration.

Part 2: Configure the tunnel on the other firewall
6. Configure the other end of the tunnel for a route-based VPN. By default, the Palo Alto
device uses 3des/aes128 with sha1, PFS with DH group 2. (Note: If you want to change
the PAN settings for IKE phase 1 or phase 2, go to Network -> Network Profiles and edit
either IKE Crypto -> default for phase 1 proposals or IPSec Crypto -> default for
phase 2 proposals.)

Part 3: Testing the VPN
7. Ping from a device on the far network, through the VPN, and to a target PC on the local
network protected by the PAN firewall. The first ping will fail, because that packet is what
triggers the IKE negotiation and the tunnel is not yet up, but the rest should be
successful. Examine the system log on the PAN firewall, either via:
• Monitor tab -> Logs -> System, or
• the CLI command: show log system subtype equal vpn direction equal backward

You want to see messages that look like the following (this is a successful VPN startup):

If either IKE phase 1 or phase 2 does not complete successfully, refer to Appendix B:
Troubleshooting IPSec VPNs.

Part 4: Confirmation
8. When the tunnel is up, the Network tab -> IPSec Tunnels page should show the phase 1
and 2 status in green. (The screenshot shows two status indicators per tunnel: one for
IKE phase 1 and one for IKE phase 2, each green when up and red when down.)

9. You can use the following command to verify that the tunnel is active:

10. To confirm that the data truly is going over the tunnel, do the following:
show vpn flow tunnel-id ____ (enter id from the step above)
At the bottom of the results you will see a count of encrypted and decrypted packets and
bytes in the tunnel. This value will change as you send more data over the tunnel.

11. To view details on the active IKE phase 1 SAs:
show vpn ike-sa gateway <gw_name>


12. To view details on the active IKE phase 2 SAs:
show vpn ipsec-sa tunnel <vpn_name>


Part 5: Configuring Tunnel Monitor (Optional)
Tunnel monitor sends a heartbeat (ICMP echo requests) over the VPN to determine if it is up or
down. It can be enabled on either or both sides of the VPN. To enable tunnel monitoring, you
must 1) configure the tunnel interface with an IP address, and 2) enable tunnel monitoring on
the phase 2 configuration.
13. Go to Network tab -> Interfaces screen. Edit the tunnel interface. Assign an IP address
to the tunnel interface that is appropriate for the zone that the tunnel is in.

14. Go to the Network tab -> IPSec Tunnels screen. Edit the VPN, and click “Show
advanced options”. At the bottom of the screen, look for the Tunnel Monitor
configuration:

15. In that portion of the screen, do the following:
• Check the box to enable tunnel monitoring
• For destination IP, enter an IP address of a machine on the other side of the
tunnel. This should be an internal (private) IP address. This is the machine that
will answer the ICMP echo request, so pick a host that is always up and that the
far-side firewall’s policy allows to receive and answer pings; otherwise the monitor
will declare a healthy tunnel down.
• Either use the default profile (shown below), or create a new profile. A profile has
the following settings:
  Action: choose one of the following:
    wait-recover: if the remote IP is not reachable, the firewall will continuously
    send ICMP messages over the tunnel in an attempt to bring the VPN back up.
    fail-over: traffic will fail over to a backup path, if one is available.
  Note: in either case, the phase 1 & 2 SAs are not torn down by the tunnel
  monitor feature.
  Interval: how often to send an ICMP echo request over the tunnel
  Threshold: after this number of missed ICMP replies, the VPN will be declared
  down

16. Once the configuration change is committed, the tunnel will come up.
17. Now that tunnel monitoring is enabled, if the IP on the remote side is not reachable, you
will get this error message in your system log:

Once the problem is fixed, this message will appear in the system log:


Part 6: Configuring Proposals (Optional)
The default proposals on the PAN firewall are:
• Phase 1: Diffie-Hellman group 2, sha1, aes128 or 3des
• Phase 2: PFS enabled with DH group 2, sha1, ESP with aes128 or 3des
These defaults reflect the age of this release. DH group 2 (1024-bit MODP), 3des and md5 are
considered weak today, so when you build profiles prefer aes over 3des, sha1 over md5, and the
largest DH group that both peers support, rather than enabling every algorithm the other side
happens to offer.
If these proposals will not work for the other firewall, you can configure different proposals
as follows:
18. To configure phase 1 proposals, go to Network tab -> Network Profiles -> IKE Crypto
screen. Click New. Give the profile a name (no spaces allowed). Put a checkmark next to
the algorithms that you want the PAN firewall to be able to use. Here is an example
profile that will use DH group 2, either md5 or sha1, and either aes128 or aes256:

19. Assign that profile by going to Network tab -> Network Profiles -> IKE Gateways
screen. Edit your existing phase 1 configuration. Click on “Show advanced Phase1
options”. In the IKE Crypto Profile pulldown menu, select the profile you just created:


20. To configure phase 2 proposals, go to Network tab -> Network Profiles -> IPSec
Crypto screen. Click New. Give the profile a name (no spaces allowed), and put a
checkmark next to the algorithms that you want the PAN firewall to be able to use. If
you do NOT want to enable Perfect Forward Secrecy (PFS), go to the DH Group pulldown
and select “no-pfs”. Only do this if the peer cannot negotiate PFS: without PFS the phase 2
keys are derived from the phase 1 keying material, so a compromise of the phase 1 secret
exposes the traffic keys as well.

21. To use this new profile, go to Network tab -> IPSec Tunnels screen. Edit your existing
tunnel configuration. Click on “Show advanced options”. In the IPSec Crypto Profile
pulldown menu, select the profile you just created:

22. Once you commit the configuration, the new proposals will be used for this tunnel.
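The following is an added example, not code from the Palo Alto document: a small Python model of the proposal matching described in Parts 2 and 6 and of the proxy-ID check from Part 1 step 3. Each side's profile is plain data whose keys mirror the check-boxes in the IKE Crypto and IPSec Crypto profiles; the peer profiles in the demo are constructed, the result strings are modelled on the Appendix C log messages, and the "deprecated algorithm" thresholds (anything below DH group 14, md5, 3des/des) are this example's assumption, not a PAN-OS setting.

```python
"""Model of IKE phase 1 / phase 2 proposal matching and proxy-ID matching.

Added example; not part of the original Palo Alto document and it does not
talk to a firewall. Profiles are dicts whose keys mirror the check-boxes in
the IKE Crypto / IPSec Crypto profiles described in Part 6.
"""
import ipaddress

# PAN-OS defaults stated in Part 6: DH group 2, sha1, aes128 or 3des, PFS on.
PAN_DEFAULT_IKE = {"dh": {2}, "hash": {"sha1"}, "enc": {"aes128", "3des"}}
PAN_DEFAULT_IPSEC = {"pfs": 2, "auth": {"sha1"}, "enc": {"aes128", "3des"}}
# pfs 0 models the "no-pfs" pulldown value (the firewall logs it as "peer:0").

# Assumption of this example (not a PAN-OS rule): DH groups below 14 (2048-bit
# MODP), MD5 and 3DES/DES are treated as deprecated choices.
DEPRECATED_ALGS = {"md5", "3des", "des"}
MIN_DH_GROUP = 14


def negotiate_phase1(local, peer):
    """Phase 1 succeeds only if both sides share a DH group, a hash and a cipher."""
    for attr in ("dh", "hash", "enc"):
        if not local[attr] & peer[attr]:
            return (False,
                    "IKE phase-1 negotiation is failed: no common %s (local %s, peer %s)"
                    % (attr, sorted(local[attr]), sorted(peer[attr])))
    return True, "IKE phase-1 SA established"


def negotiate_phase2(local, peer):
    """Phase 2: PFS setting must agree exactly, then auth and ESP cipher must overlap."""
    if local["pfs"] != peer["pfs"]:
        return False, f"pfs group mismatched: my:{local['pfs']} peer:{peer['pfs']}"
    for attr in ("auth", "enc"):
        if not local[attr] & peer[attr]:
            return False, ("IKE phase-2 negotiation failed: no suitable proposal "
                           f"found in peer's SA payload ({attr})")
    return True, "IKE phase-2 SA established"


def proxy_ids_match(pan_proxy, peer_proxy):
    """Both arguments are (local, remote) network strings as entered on each side.
    A policy-based peer's remote network must equal the PAN local network and
    vice versa, otherwise the firewall cannot find a matching phase-2 tunnel."""
    pan_local, pan_remote = (ipaddress.ip_network(n) for n in pan_proxy)
    peer_local, peer_remote = (ipaddress.ip_network(n) for n in peer_proxy)
    return pan_local == peer_remote and pan_remote == peer_local


def bring_up(local_ike, local_ipsec, pan_proxy, peer_ike, peer_ipsec, peer_proxy):
    """Run the checks in the order the firewall does and report the first failure."""
    ok, msg = negotiate_phase1(local_ike, peer_ike)
    if not ok:
        return msg
    ok, msg = negotiate_phase2(local_ipsec, peer_ipsec)
    if not ok:
        return msg
    if not proxy_ids_match(pan_proxy, peer_proxy):
        return ("IKE phase-2 negotiation failed when processing proxy ID: "
                f"received local id {peer_proxy[0]}, remote id {peer_proxy[1]}")
    return "tunnel up"


def deprecated_choices(ike, ipsec):
    """Algorithms enabled in the two profiles that a practitioner should move away from."""
    enabled = ike["hash"] | ike["enc"] | ipsec["auth"] | ipsec["enc"]
    found = {a for a in enabled if a in DEPRECATED_ALGS}
    found |= {f"dh{g}" for g in ike["dh"] if g < MIN_DH_GROUP}
    if 0 < ipsec["pfs"] < MIN_DH_GROUP:
        found.add(f"pfs-dh{ipsec['pfs']}")
    return found


if __name__ == "__main__":
    # Constructed peer configuration for the demo; networks are those of Appendix A.
    pan_proxy = ("10.1.1.0/24", "192.168.1.0/24")
    peer_proxy = ("192.168.1.0/24", "10.1.1.0/24")
    peer_ike = {"dh": {2, 5}, "hash": {"sha1", "md5"}, "enc": {"aes128"}}
    peer_no_pfs = {"pfs": 0, "auth": {"sha1"}, "enc": {"aes128"}}
    print(bring_up(PAN_DEFAULT_IKE, PAN_DEFAULT_IPSEC, pan_proxy,
                   peer_ike, peer_no_pfs, peer_proxy))
    print(sorted(deprecated_choices(PAN_DEFAULT_IKE, PAN_DEFAULT_IPSEC)))
```

Running the demo reports "pfs group mismatched: my:2 peer:0" for the no-PFS peer, which is exactly the Appendix C symptom for a peer configured without PFS against the PAN default, and lists 3des and DH group 2 as the default choices worth replacing once the peer supports better ones.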


Appendix A: Network Diagram
This is the diagram of the network from which the screenshots in this document were taken
(rendered here as text; the Firewall B interfaces were labeled only as E?/? in the original).

  PC A 10.1.1.9 --- [trust zone] PAN firewall [untrust zone] --- Internet --- [untrust zone] Firewall B [trust zone] --- PC B 192.168.1.9
                                      |<---------------- VPN tunnel ---------------->|

  PAN firewall: interfaces E1/1 and E1/2; internal address 10.1.1.1, public address 200.1.1.1;
                tunnel interface tunnel.1
  Firewall B:   interfaces E?/? and E?/?; internal address 192.168.1.1, public address 100.1.1.1;
                tunnel interface tunnel.1

  Routing table on PAN fw:  192.168.1.0/24 -> tunnel.1
  Routing table on fw B:    10.1.1.0/24 -> tunnel.1

Appendix B: Troubleshooting IPSec VPNs
If you have configured both sides of the VPN, and the tunnel does not come up, use the
following steps to troubleshoot.

Test Network Connectivity
1. Confirm the network is up between the two firewalls:
a) On fwA, ping out its public interface to public interface of fwB.
ping source x.x.x.x host y.y.y.y
where x.x.x.x is the public IP of fwA, and y.y.y.y is the public IP of fwB
b) Do the reverse of the previous step- ping from fwB public interface to fwA
public interface.
2. Confirm LAN connectivity between the firewalls and the local PCs:
a) On fwA, ping from internal interface to PCA
ping source z.z.z.z host <IP_of_PCA>
where z.z.z.z is the internal IP of fwA
b) On fwB, ping from internal interface to PCB


Initiate IKE phase 1
You will now attempt to bring up IKE phase 1. You can initiate the tunnel from either side.
To initiate from network B:
3. Ping from PCB to PCA. (If PCA does not exist, you may be able to initiate the tunnel by
pinging firewall A’s internal interface. But be careful: check the management profile on the
firewall’s internal interface to ensure it allows ping, and that it does not restrict permitted
IP addresses.) Examine the system log on the PAN firewall, either using the GUI (Monitor tab
-> Logs -> System) or the CLI (show log system subtype equal vpn direction equal backward).
Compare the messages to the error message table in Appendix C: PANOS Error Messages for
VPNs, and take the action listed there.

To initiate from network A:
4. If you are more familiar with the error messages in the other vendor’s firewall (firewall
B), you can initiate IKE phase 1 by either:
o Pinging from PCA to PCB; or
o On fwA, run this command:
test vpn ike-sa gateway <gw_name>
To see if phase 1 is up, run this command on the PAN firewall:
show vpn ike-sa gateway <gw_name>
If the output shows an SA, that means that IKE phase 1 is up. If the output does NOT
show an SA, look at the system log of the target firewall and use those messages to
troubleshoot.

Initiate IKE phase 2
5. You can initiate IKE phase 2 by either:
a) Pinging from PCB to PCA; or
b) Pinging from PCA to PCB; or
c) On fwA, run this command:
test vpn ipsec-sa tunnel <vpn_name>

6. To see if phase 2 is up, run this command on the PAN firewall:
show vpn ipsec-sa tunnel <vpn_name>
If the output does NOT show an SA, phase 2 did not complete successfully. Therefore,
look at the event logs of both firewalls for clues. Refer to Appendix C: PANOS Error
Messages for VPNs to determine how to interpret VPN error messages you see in the
PAN system log.

Tunnel is up, still cannot ping end to end
7. Once both IKE phase 1 and phase 2 are up, if you cannot ping from PCA to PCB (or vice
versa), examine the following items:
o Routing table on the PAN firewall. Are the proper routes listed there? To see what
route will match a packet going to <target_IP>, use this command:
test routing fib-lookup virtual-router <vr_name> ip <target_IP>
To see the intermediate network path, use traceroute on PC A.
o Policies on the PAN firewall. Is the traffic arriving in a zone different than the
zone that contains the tunnel interface? If yes, you must create a policy to allow
that traffic to traverse zones.
o Routing table and policies on firewall B. Use traceroute on firewall B to see the
route the packets are taking.


Appendix C: PANOS Error Messages for VPNs
Look in the system log for these messages. For each message, take the action listed under it.

Message:
  IKE phase-1 negotiation is failed as initiator, main mode. Failed SA: x.x.x.x[500]y.y.y.y[500]
  cookie:84222f276c2fa2e9:0000000000000000. Due to timeout
Action:
  Make sure that the public IP addresses for both VPN endpoints are entered correctly in the
  IKE phase 1 configuration. Also make sure the public IPs can ping each other, and that there
  is no routing or other network issue between them. (Refer to Part 1 step 2 of this document.)

Message:
  IKE phase-1 negotiation is failed. Couldn't find configuration for IKE phase-1 request for
  peer IP x.x.x.x[1929].
Action:
  Same as above.

Message:
  received unencrypted Notify payload (NO-PROPOSAL-CHOSEN) from IP x.x.x.x[500] to
  y.y.y.y[500], ignored..
Action:
  Check the IKE phase 1 proposals on both sides. (Refer to Part 6 of this document.)

Message:
  IKE phase-1 negotiation is failed. unable to process peer's SA payload.
Action:
  Check the IKE phase 1 proposals on both sides. (Refer to Part 6 of this document.)

Message:
  pfs group mismatched: my:2 peer:0.
Action:
  Check the IKE phase 2 proposals on both sides. Either:
  • one side has PFS enabled and the other side does not, or
  • the Diffie-Hellman groups do not match.
  (Refer to Part 6 of this document.)

Message:
  IKE phase-2 negotiation failed when processing SA payload. no suitable proposal found in
  peer's SA payload.
Action:
  Check the IKE phase 2 proposals on both sides. (Refer to Part 6 of this document.)

Message:
  IKE phase-2 negotiation failed when processing proxy ID. cannot find matching phase-2 tunnel
  for received proxy ID. received local id: x.x.x.x/x type IPv4_address protocol 0 port 0,
  received remote id: y.y.y.y/y type IPv4_address protocol 0 port 0.
Action:
  The other side is using a policy-based VPN. On the PAN firewall, go to Network -> IPSec
  Tunnels, and edit the tunnel configuration. Click on “show advanced options.” Configure a
  local proxy ID and remote proxy ID to match the other side. (Refer to Part 1 step 3 of this
  document.)
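As an added example (not part of the original document), the Appendix C table can be turned into a triage script that is run over exported system-log messages so that the phase, the recommended action and the useful fields (peer IP and port, the two PFS groups, the received proxy IDs) are pulled out automatically. The regular expressions below anchor on the stable fragment of each message quoted in the table; the sample log lines at the bottom are constructed for this example and reproduce only the message text, not the other columns of a real PAN-OS system-log entry.

```python
"""Triage of PAN-OS VPN system-log messages against the Appendix C table.

Added example, not code from the original document. RULES encodes the
message -> action pairs of Appendix C; the regexes match the fixed part of
each message and capture the fields that vary per event.
"""
import re

# (pattern, phase, action), in the order of the Appendix C table.
RULES = [
    (re.compile(r"IKE phase-1 negotiation is failed as initiator, main mode\..*Due to timeout"),
     "phase1",
     "Check both public IPs in the IKE gateway and that they can ping each other (Part 1 step 2)."),
    (re.compile(r"Couldn't find configuration for IKE phase-1 request for peer IP "
                r"(?P<ip>[\d.]+)\[(?P<port>\d+)\]"),
     "phase1",
     "Same as the timeout case: check the public IPs in the IKE gateway configuration."),
    # The table prints the notify as NOPROPOSAL-CHOSEN; accept both spellings.
    (re.compile(r"received unencrypted Notify payload \(NO-?PROPOSAL-CHOSEN\)"),
     "phase1", "Check the IKE phase 1 proposals on both sides (Part 6)."),
    (re.compile(r"unable to process peer's SA payload"),
     "phase1", "Check the IKE phase 1 proposals on both sides (Part 6)."),
    (re.compile(r"pfs group mismatched: my:(?P<mine>\d+) peer:(?P<peer>\d+)"),
     "phase2", "PFS enabled on one side only, or DH groups differ; check phase 2 proposals (Part 6)."),
    (re.compile(r"no suitable proposal found in peer's SA payload"),
     "phase2", "Check the IKE phase 2 proposals on both sides (Part 6)."),
    (re.compile(r"cannot find matching phase-2 tunnel for received proxy ID\..*?"
                r"received local id: (?P<local>[\d./]+).*?received remote id: (?P<remote>[\d./]+)"),
     "phase2", "Peer is policy-based: configure local/remote proxy IDs to match (Part 1 step 3)."),
]


def triage(line):
    """Return {'phase', 'action', 'fields'} for a message the table covers, else None."""
    for pattern, phase, action in RULES:
        m = pattern.search(line)
        if m:
            return {"phase": phase, "action": action, "fields": m.groupdict()}
    return None


def triage_log(lines):
    """Classify every line; unknown lines are kept under 'unmatched' so nothing is
    silently dropped from the review."""
    report = {"phase1": [], "phase2": [], "unmatched": []}
    for line in lines:
        hit = triage(line)
        if hit is None:
            report["unmatched"].append(line)
        else:
            report[hit["phase"]].append(hit)
    return report


# Constructed sample messages (not a real log export); addresses are from Appendix A.
SAMPLE_LOG = [
    "IKE phase-1 negotiation is failed as initiator, main mode. Failed SA: 200.1.1.1[500]-100.1.1.1[500] "
    "cookie:84222f276c2fa2e9:0000000000000000. Due to timeout",
    "pfs group mismatched: my:2 peer:0.",
    "IKE phase-2 negotiation failed when processing proxy ID. cannot find matching phase-2 tunnel "
    "for received proxy ID. received local id: 10.1.1.0/24 type IPv4_address protocol 0 port 0, "
    "received remote id: 192.168.1.0/24 type IPv4_address protocol 0 port 0.",
    "IKE phase-1 SA established",  # not an error in the table -> unmatched
]

if __name__ == "__main__":
    for phase, hits in triage_log(SAMPLE_LOG).items():
        for hit in hits:
            print(phase, hit if phase == "unmatched" else (hit["fields"], hit["action"]))
```

The captured fields are what you would carry to the next step of Appendix B: the peer IP and port from the "couldn't find configuration" message to compare against the IKE gateway, the two group numbers from the PFS mismatch to compare against both IPSec Crypto profiles, and the received proxy IDs to type into the PAN tunnel's advanced options.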


Miscellaneous commands
To bring down phase 1:
clear vpn ike-sa
To bring down phase 2:
clear vpn ipsec-sa
To bring down both phase 1 & 2:
clear vpn flow

Debugging IKE
Step 1: Turn on debugging of IKE:
debug ike global on debug
Step 2: Try to bring up the tunnel.
Step 3: View the debug log:
tail follow yes mp-log ikemgr.log
Step 4: When finished troubleshooting, make sure to set the debug level back to normal:
debug ike global on normal

