
IPSec site2site with PaloAlto device

Anyone have experience setting up a VPN connection between a UTM (9.1) and a Palo Alto device?

I've got about 40 site-to-site tunnels up to a variety of other devices (Cisco, Checkpoint, etc.) but cannot get this connection working. It's entirely possible that the problem is with the config at the other end (client site), but if anyone knows of any special handling needed for PaloAlto, I'd appreciate any hints.

For what it's worth, here's a snippet of what I'm seeing in the ipsec log:

2014:05:15-14:52:28 qcpfw pluto[18134]: "S_REF_IpsSitREMOVE_SITE_0" #153711: starting keying attempt 13 of an unlimited number
2014:05:15-14:52:28 qcpfw pluto[18134]: "S_REF_IpsSitREMOVE_SITE_0" #153717: initiating Main Mode to replace #153711
2014:05:15-14:52:28 qcpfw pluto[18134]: "S_REF_IpsSitREMOVE_SITE_0" #153717: received Vendor ID payload [XAUTH]
2014:05:15-14:52:28 qcpfw pluto[18134]: "S_REF_IpsSitREMOVE_SITE_0" #153717: ignoring Vendor ID payload [Cisco-Unity]
2014:05:15-14:52:28 qcpfw pluto[18134]: "S_REF_IpsSitREMOVE_SITE_0" #153717: received Vendor ID payload [Dead Peer Detection]
2014:05:15-14:52:28 qcpfw pluto[18134]: "S_REF_IpsSitREMOVE_SITE_0" #153717: ignoring Vendor ID payload [a9b9b1034f7e50a2513b47b100bb85a9]
2014:05:15-14:52:30 qcpfw pluto[18134]: "S_REF_IpsSitREMOVE_SITE_0" #153717: discarding duplicate packet; already STATE_MAIN_I3
2014:05:15-14:52:33 qcpfw pluto[18134]: "S_REF_IpsSitREMOVE_SITE_0" #153717: discarding duplicate packet; already STATE_MAIN_I3
2014:05:15-14:52:38 qcpfw pluto[18134]: "S_REF_IpsSitREMOVE_SITE_0" #153717: discarding duplicate packet; already STATE_MAIN_I3
2014:05:15-14:52:46 qcpfw pluto[18134]: "S_REF_IpsSitREMOVE_SITE_0" #153717: discarding duplicate packet; already STATE_MAIN_I3
2014:05:15-14:52:59 qcpfw pluto[18134]: "S_REF_IpsSitREMOVE_SITE_0" #153717: discarding duplicate packet; already STATE_MAIN_I3
2014:05:15-14:53:38 qcpfw pluto[18134]: "S_REF_IpsSitREMOVE_SITE_0" #153717: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message

We're using a PSK but have checked and double-checked that... that's not the issue.
Thanks!
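
As an added example (not part of the original post and not Sophos code): a small Python triage of pluto log lines like those quoted above, reporting for each connection and SA number the Main Mode state in which negotiation stalled and how many duplicate packets were discarded. The state descriptions in `LAST_SENT` are general IKEv1 Main Mode behaviour rather than anything stated in the post, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: four of the log lines quoted in the post above.
SAMPLE = """\
2014:05:15-14:52:28 qcpfw pluto[18134]: "S_REF_IpsSitREMOVE_SITE_0" #153717: initiating Main Mode to replace #153711
2014:05:15-14:52:30 qcpfw pluto[18134]: "S_REF_IpsSitREMOVE_SITE_0" #153717: discarding duplicate packet; already STATE_MAIN_I3
2014:05:15-14:52:33 qcpfw pluto[18134]: "S_REF_IpsSitREMOVE_SITE_0" #153717: discarding duplicate packet; already STATE_MAIN_I3
2014:05:15-14:53:38 qcpfw pluto[18134]: "S_REF_IpsSitREMOVE_SITE_0" #153717: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
"""

LINE = re.compile(r'^\S+ \S+ pluto\[\d+\]: "([^"]+)" #(\d+): (.*)$')
DUP = re.compile(r"discarding duplicate packet; already (STATE_\w+)")
GAVE_UP = re.compile(r"max number of retransmissions \(\d+\) reached (STATE_\w+)")

# What the initiator had last sent in each IKEv1 Main Mode state
# (assumption: general IKEv1 behaviour, not taken from the post).
LAST_SENT = {
    "STATE_MAIN_I1": "SA proposal, waiting for the peer's choice",
    "STATE_MAIN_I2": "key exchange and nonce, waiting for the peer's",
    "STATE_MAIN_I3": "encrypted identity and auth hash, no acceptable reply yet",
}

def triage(text):
    """Summarise each (connection, SA number) seen in a pluto log."""
    sas = defaultdict(lambda: {"dups": 0, "stalled_in": None, "gave_up": False})
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a per-connection pluto line
        conn, sa, msg = m.groups()
        rec = sas[(conn, sa)]
        if (d := DUP.search(msg)):
            rec["dups"] += 1
            rec["stalled_in"] = d.group(1)
        elif (g := GAVE_UP.search(msg)):
            rec["gave_up"] = True
            rec["stalled_in"] = g.group(1)
    return dict(sas)

def explain(rec):
    """One-line reading of a stalled negotiation."""
    sent = LAST_SENT.get(rec["stalled_in"], "unknown state")
    return f'{rec["stalled_in"]}: last sent {sent} ({rec["dups"]} duplicates discarded)'

if __name__ == "__main__":
    for key, rec in triage(SAMPLE).items():
        print(key, explain(rec))
```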

