Virtual private networks / Palo Alto and OPNSense IKEv1 tunnel keeps returning timeout
« on: March 03, 2023, 03:28:53 am »
Hello all,
Please help me to understand this behavior:
I need to establish an IKEv1 tunnel between a Palo Alto and an OPNsense firewall, but the connection keeps retransmitting until it times out.
Here are the logs while the tunnel is trying to connect:
OPNSense side:
<30>1 2023-03-02T23:10:00-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="1"] 07[NET] <3> received packet: from 45.230.39.17[500] to 192.168.0.254[500] (204 bytes)
<30>1 2023-03-02T23:10:00-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="2"] 07[ENC] <3> parsed ID_PROT request 0 [ SA V V V V V V ]
<30>1 2023-03-02T23:10:00-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="3"] 07[IKE] <3> received NAT-T (RFC 3947) vendor ID
<30>1 2023-03-02T23:10:00-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="4"] 07[IKE] <3> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
<30>1 2023-03-02T23:10:00-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="5"] 07[IKE] <3> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
<30>1 2023-03-02T23:10:00-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="6"] 07[IKE] <3> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
<30>1 2023-03-02T23:10:00-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="7"] 07[IKE] <3> received DPD vendor ID
<30>1 2023-03-02T23:10:00-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="8"] 07[ENC] <3> received unknown vendor ID: a9:b9:b1:03:4f:7e:50:a2:51:3b:47:b1:00:bb:85:a9
<30>1 2023-03-02T23:10:00-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="9"] 07[IKE] <3> 45.230.39.17 is initiating a Main Mode IKE_SA
<30>1 2023-03-02T23:10:00-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="10"] 07[CFG] <3> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
<30>1 2023-03-02T23:10:00-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="11"] 07[ENC] <3> generating ID_PROT response 0 [ SA V V V ]
<30>1 2023-03-02T23:10:00-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="12"] 07[NET] <3> sending packet: from 192.168.0.254[500] to 45.230.39.17[500] (136 bytes)
<30>1 2023-03-02T23:10:02-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="13"] 07[NET] <3> received packet: from 45.230.39.17[500] to 192.168.0.254[500] (204 bytes)
<30>1 2023-03-02T23:10:02-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="14"] 07[IKE] <3> received retransmit of request with ID 0, retransmitting response
<30>1 2023-03-02T23:10:02-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="15"] 07[NET] <3> sending packet: from 192.168.0.254[500] to 45.230.39.17[500] (136 bytes)
<30>1 2023-03-02T23:10:04-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="16"] 07[NET] <3> received packet: from 45.230.39.17[500] to 192.168.0.254[500] (204 bytes)
<30>1 2023-03-02T23:10:04-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="17"] 07[IKE] <3> received retransmit of request with ID 0, retransmitting response
<30>1 2023-03-02T23:10:04-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="18"] 07[NET] <3> sending packet: from 192.168.0.254[500] to 45.230.39.17[500] (136 bytes)
<30>1 2023-03-02T23:10:07-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="19"] 07[NET] <3> received packet: from 45.230.39.17[500] to 192.168.0.254[500] (204 bytes)
<30>1 2023-03-02T23:10:07-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="20"] 07[IKE] <3> received retransmit of request with ID 0, retransmitting response
<30>1 2023-03-02T23:10:07-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="21"] 07[NET] <3> sending packet: from 192.168.0.254[500] to 45.230.39.17[500] (136 bytes)
<30>1 2023-03-02T23:10:12-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="22"] 07[NET] <3> received packet: from 45.230.39.17[500] to 192.168.0.254[500] (204 bytes)
<30>1 2023-03-02T23:10:12-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="23"] 07[IKE] <3> received retransmit of request with ID 0, retransmitting response
<30>1 2023-03-02T23:10:12-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="24"] 07[NET] <3> sending packet: from 192.168.0.254[500] to 45.230.39.17[500] (136 bytes)
<30>1 2023-03-02T23:10:20-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="25"] 07[NET] <3> received packet: from 45.230.39.17[500] to 192.168.0.254[500] (204 bytes)
<30>1 2023-03-02T23:10:20-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="26"] 07[IKE] <3> received retransmit of request with ID 0, retransmitting response
<30>1 2023-03-02T23:10:20-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="27"] 07[NET] <3> sending packet: from 192.168.0.254[500] to 45.230.39.17[500] (136 bytes)
<30>1 2023-03-02T23:10:30-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="28"] 15[JOB] <3> deleting half open IKE_SA with 45.230.39.17 after timeout
Palo Alto Side:
2023-03-02 23:21:50.292 -0300 [PNTF]: { 5: }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=585d01c1a4284904 c3efdcc9adf1db84 (size=16).
2023-03-02 23:21:55.956 -0300 [PNTF]: { 7: }: ====> PHASE-1 NEGOTIATION STARTED AS INITIATOR, MAIN MODE <====
====> Initiated SA: 45.230.39.17[500]-179.209.225.162[500] cookie:13bbfd1d547f9b85:0000000000000000 <====
2023-03-02 23:22:00.300 -0300 [PNTF]: { 5: }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=585d01c1a4284904 c3efdcc9adf1db84 (size=16).
2023-03-02 23:22:10.309 -0300 [PNTF]: { 5: }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=585d01c1a4284904 c3efdcc9adf1db84 (size=16).
2023-03-02 23:22:20.320 -0300 [PNTF]: { 5: }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=585d01c1a4284904 c3efdcc9adf1db84 (size=16).
2023-03-02 23:22:28.019 -0300 [PNTF]: { 7: }: ====> PHASE-1 NEGOTIATION FAILED AS INITIATOR, MAIN MODE <====
====> Failed SA: 45.230.39.17[500]-179.209.225.162[500] cookie:13bbfd1d547f9b85:0000000000000000 <==== Due to timeout.
2023-03-02 23:22:28.019 -0300 [INFO]: { 7: }: ====> PHASE-1 SA DELETED <====
====> Deleted SA: 45.230.39.17[500]-179.209.225.162[500] cookie:13bbfd1d547f9b85:0000000000000000 <====
2023-03-02 23:22:30.327 -0300 [PNTF]: { 5: }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=585d01c1a4284904 c3efdcc9adf1db84 (size=16).
Palo Alto Public IP: 45.230.39.17
OPNsense Public IP: 179.209.225.162 and Internal IP is: 192.168.0.254
NAT Traversal is enabled on both sides but I can't understand why it is returning a timeout.
Thank you in advance!