I have set up a number of policy-based vpn's today and all are having issues with one particular subnet behind the Palo Alto's. The Cisco routers are pretty old 800 series running 12.x, and ive been asked to keep them policy-based (note even sure if this version of ios will support tunnel interfaces tbh).
There are 3 subnets behind the Palo Alto FW, 2 of which succesfully come up, but one that does not.
Cisco Config:
crypto isakmp key KEY123 address 1.1.1.1
crypto ipsec transform-set OFFICE esp-3des esp-sha-hmac
crypto map MAP 8 ipsec-isakmp
set peer 1.1.1.1
set transform-set OFFICE
match address 120
access-list 120 remark OFFICE
access-list 120 permit ip 10.8.0.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 120 permit ip 10.8.0.0 0.0.0.255 10.4.60.0 0.0.0.255
access-list 120 permit ip 10.8.0.0 0.0.0.255 10.2.60.0 0.0.0.255
ip access-list extended 102
153 deny ip 10.8.0.0 0.0.0.255 172.16.0.0 0.15.255.255
154 deny ip 10.8.0.0 0.0.0.255 10.4.0.0 0.0.0.255
155 deny ip 10.8.0.0 0.0.0.255 10.2.0.0
0.0.0.255
ACL 102 is just being used as part of a route-map to include/exclude NAT. The entries for 10.2.0.0 do not establish, i get an as below on the Palo:
IKE phase-2 negotiation failed when processing SA payload. no suitable proposal found in peer\'s SA payload
On Palo Side of things the IKE and IPSEC crypto's include every option available, just as a test, but i still get this issue with the one subnet
No comments:
Post a Comment