Thursday, June 13, 2019

Lancom to Palo Alto VPN

Hello :)

I currently have some troubles setting up a site-to-site VPN between a Lancom 1783va-4g and a Palo Alto PA-220 to connect the two local networks (192.168.100.0/24 on the Lancom and 192.168.4.0/24 on the PA). The PA is behind another firewall (192.168.0.0/24) which has the public IP address and routes ports 500 and 4500 to the PA; the NAT and routing are not a problem though. Both sides have a static IP address. I am pretty new to Palo Alto, so sorry if I forget something.

The outgoing connection on the PA to the other firewall is at ethernet 1/1 (192.168.0.1) and my local net which I want to connect with the VPN is on ethernet 1/3 (192.168.4.254). I have set up the IKE Gateway for 1/1, configured the IKE Crypto and IPSec Crypto, configured the IPsec Tunnel with a Proxy (since Lancom is policy-based VPN) and configured a tunnel for the VPN security zone.

The Lancom connects with the PA and IKE phase-1 works fine as far as I can tell from the logs.

With IKE phase-2 there seems to be a problem with the SA payload from the Lancom:

IKE phase-1 negotiation is started as responder, aggressive mode. Initiated SA: 192.168.0.1[4500]-x.x.x.x[4500] cookie: ******************************.

IKE phase-1 negotiation is succeeded as responder, aggressive mode. Established SA: 192.168.0.1[4500]-x.x.x.x[4500] cookie: ****************************** lifetime 2800 Sec.

IKE phase-2 negotiation is started as responder, quick mode. Initiated SA: 192.168.0.1[4500]-x.x.x.x[4500] message id: *********.

IKE phase-2 negotiation failed when processing SA payload. no suitable proposal found in peer's SA payload.

IKE protocol notification message sent: NO-PROPOSAL-CHOSEN (14).

The Lancom doesn't offer much help:

VPN: Error for peer PPA-220: IPSEC-I-No-proposal-matched

Disconnected from peer PA-220: VPN-no-channel

The problem seems to be with my PA config, maybe someone has an idea how to fix that. It's probably something kinda obvious but my mind is kinda stuck atm.

The PA config:

https://imgur.com/a/Nqx2UHw

Any help appreciated.
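A NO-PROPOSAL-CHOSEN in quick mode means the responder found nothing in the peer's SA payload it could accept. The small checker below is an added example, not from the post and not vendor code: it models the two things a responder compares (proxy IDs / traffic selectors and the crypto transforms) and lists exactly which attribute differs. All profile values, including the PFS mismatch it reports, are constructed for illustration and are not taken from the post.

```python
# Added example (not from the post or any vendor): model the two checks an IKEv1
# quick-mode responder makes before answering NO-PROPOSAL-CHOSEN and report
# which attribute is off.  Every proposal value below is constructed.
from dataclasses import dataclass, fields
from ipaddress import ip_network

@dataclass(frozen=True)
class Transform:
    encryption: str   # e.g. "aes-256-cbc"
    auth: str         # e.g. "sha256"
    pfs_group: str    # DH group for PFS, "none" when PFS is disabled

@dataclass(frozen=True)
class ProxyId:
    local: str        # subnet behind this side, e.g. "192.168.4.0/24"
    remote: str       # subnet behind the peer
    protocol: str = "any"

def proxy_id_mismatches(ours, peer):
    """The peer's IDs are from its point of view: its 'remote' must be our 'local'."""
    out = []
    if ip_network(ours.local) != ip_network(peer.remote):
        out.append(f"local subnet {ours.local} != peer's remote {peer.remote}")
    if ip_network(ours.remote) != ip_network(peer.local):
        out.append(f"remote subnet {ours.remote} != peer's local {peer.local}")
    if ours.protocol != peer.protocol:
        out.append(f"protocol {ours.protocol} != {peer.protocol}")
    return out

def transform_mismatches(local_profile, peer_proposals):
    """Empty list if some peer transform matches a local one exactly; otherwise
    the attribute differences of the closest pair, which is what to fix."""
    best = None
    for ours in local_profile:
        for theirs in peer_proposals:
            diffs = [f"{f.name}: ours={getattr(ours, f.name)} peer={getattr(theirs, f.name)}"
                     for f in fields(Transform)
                     if getattr(ours, f.name) != getattr(theirs, f.name)]
            if not diffs:
                return []
            if best is None or len(diffs) < len(best):
                best = diffs
    return best or ["peer sent no proposals"]

def quick_mode_verdict(local_profile, our_pid, peer_proposals, peer_pid):
    """Everything a responder would object to; an empty list means the SA is accepted."""
    return proxy_id_mismatches(our_pid, peer_pid) + transform_mismatches(local_profile, peer_proposals)

if __name__ == "__main__":
    pa_profile = [Transform("aes-256-cbc", "sha256", "group2")]       # constructed PA side
    pa_pid = ProxyId("192.168.4.0/24", "192.168.100.0/24")
    lancom_props = [Transform("aes-256-cbc", "sha256", "none")]       # constructed: PFS off
    lancom_pid = ProxyId("192.168.100.0/24", "192.168.4.0/24")
    for problem in quick_mode_verdict(pa_profile, pa_pid, lancom_props, lancom_pid):
        print(problem)
```

Feed it the IPsec Crypto profile and Proxy ID from each side's configuration; whatever it prints is the attribute to align before looking elsewhere.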
