Messages - alemarqx

#1
Hello all,
Please help me to understand this behavior:

I need to establish an IKEv1 tunnel between Palo Alto and OPNsense FW, but the connection keeps retransmitting until it times out.

Here are the logs while the tunnel is trying to connect:

OPNsense side:
<30>1 2023-03-02T23:10:00-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="1"] 07[NET] <3> received packet: from 45.230.39.17[500] to 192.168.0.254[500] (204 bytes)
<30>1 2023-03-02T23:10:00-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="2"] 07[ENC] <3> parsed ID_PROT request 0 [ SA V V V V V V ]
<30>1 2023-03-02T23:10:00-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="3"] 07[IKE] <3> received NAT-T (RFC 3947) vendor ID
<30>1 2023-03-02T23:10:00-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="4"] 07[IKE] <3> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
<30>1 2023-03-02T23:10:00-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="5"] 07[IKE] <3> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
<30>1 2023-03-02T23:10:00-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="6"] 07[IKE] <3> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
<30>1 2023-03-02T23:10:00-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="7"] 07[IKE] <3> received DPD vendor ID
<30>1 2023-03-02T23:10:00-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="8"] 07[ENC] <3> received unknown vendor ID: a9:b9:b1:03:4f:7e:50:a2:51:3b:47:b1:00:bb:85:a9
<30>1 2023-03-02T23:10:00-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="9"] 07[IKE] <3> 45.230.39.17 is initiating a Main Mode IKE_SA
<30>1 2023-03-02T23:10:00-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="10"] 07[CFG] <3> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
<30>1 2023-03-02T23:10:00-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="11"] 07[ENC] <3> generating ID_PROT response 0 [ SA V V V ]
<30>1 2023-03-02T23:10:00-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="12"] 07[NET] <3> sending packet: from 192.168.0.254[500] to 45.230.39.17[500] (136 bytes)
<30>1 2023-03-02T23:10:02-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="13"] 07[NET] <3> received packet: from 45.230.39.17[500] to 192.168.0.254[500] (204 bytes)
<30>1 2023-03-02T23:10:02-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="14"] 07[IKE] <3> received retransmit of request with ID 0, retransmitting response
<30>1 2023-03-02T23:10:02-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="15"] 07[NET] <3> sending packet: from 192.168.0.254[500] to 45.230.39.17[500] (136 bytes)
<30>1 2023-03-02T23:10:04-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="16"] 07[NET] <3> received packet: from 45.230.39.17[500] to 192.168.0.254[500] (204 bytes)
<30>1 2023-03-02T23:10:04-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="17"] 07[IKE] <3> received retransmit of request with ID 0, retransmitting response
<30>1 2023-03-02T23:10:04-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="18"] 07[NET] <3> sending packet: from 192.168.0.254[500] to 45.230.39.17[500] (136 bytes)
<30>1 2023-03-02T23:10:07-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="19"] 07[NET] <3> received packet: from 45.230.39.17[500] to 192.168.0.254[500] (204 bytes)
<30>1 2023-03-02T23:10:07-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="20"] 07[IKE] <3> received retransmit of request with ID 0, retransmitting response
<30>1 2023-03-02T23:10:07-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="21"] 07[NET] <3> sending packet: from 192.168.0.254[500] to 45.230.39.17[500] (136 bytes)
<30>1 2023-03-02T23:10:12-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="22"] 07[NET] <3> received packet: from 45.230.39.17[500] to 192.168.0.254[500] (204 bytes)
<30>1 2023-03-02T23:10:12-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="23"] 07[IKE] <3> received retransmit of request with ID 0, retransmitting response
<30>1 2023-03-02T23:10:12-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="24"] 07[NET] <3> sending packet: from 192.168.0.254[500] to 45.230.39.17[500] (136 bytes)
<30>1 2023-03-02T23:10:20-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="25"] 07[NET] <3> received packet: from 45.230.39.17[500] to 192.168.0.254[500] (204 bytes)
<30>1 2023-03-02T23:10:20-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="26"] 07[IKE] <3> received retransmit of request with ID 0, retransmitting response
<30>1 2023-03-02T23:10:20-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="27"] 07[NET] <3> sending packet: from 192.168.0.254[500] to 45.230.39.17[500] (136 bytes)
<30>1 2023-03-02T23:10:30-03:00 OPNsense.training.local charon 2030 - [meta sequenceId="28"] 15[JOB] <3> deleting half open IKE_SA with 45.230.39.17 after timeout

Palo Alto side:
2023-03-02 23:21:50.292 -0300  [PNTF]: {    5:     }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=585d01c1a4284904 c3efdcc9adf1db84 (size=16).
2023-03-02 23:21:55.956 -0300  [PNTF]: {    7:     }: ====> PHASE-1 NEGOTIATION STARTED AS INITIATOR, MAIN MODE <====
                                                      ====> Initiated SA: 45.230.39.17[500]-179.209.225.162[500] cookie:13bbfd1d547f9b85:0000000000000000 <====
2023-03-02 23:22:00.300 -0300  [PNTF]: {    5:     }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=585d01c1a4284904 c3efdcc9adf1db84 (size=16).
2023-03-02 23:22:10.309 -0300  [PNTF]: {    5:     }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=585d01c1a4284904 c3efdcc9adf1db84 (size=16).
2023-03-02 23:22:20.320 -0300  [PNTF]: {    5:     }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=585d01c1a4284904 c3efdcc9adf1db84 (size=16).
2023-03-02 23:22:28.019 -0300  [PNTF]: {    7:     }: ====> PHASE-1 NEGOTIATION FAILED AS INITIATOR, MAIN MODE <====
                                                      ====> Failed SA: 45.230.39.17[500]-179.209.225.162[500] cookie:13bbfd1d547f9b85:0000000000000000 <==== Due to timeout.
2023-03-02 23:22:28.019 -0300  [INFO]: {    7:     }: ====> PHASE-1 SA DELETED <====
                                                      ====> Deleted SA: 45.230.39.17[500]-179.209.225.162[500] cookie:13bbfd1d547f9b85:0000000000000000 <====
2023-03-02 23:22:30.327 -0300  [PNTF]: {    5:     }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=585d01c1a4284904 c3efdcc9adf1db84 (size=16).

Palo Alto public IP: 45.230.39.17
OPNsense public IP: 179.209.225.162 and internal IP: 192.168.0.254

NAT Traversal is enabled on both sides but I can't understand why it times out.

Thank you in advance!
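As an added example (not part of the original post or of OPNsense/strongSwan), a small Python triage script that reads charon lines in the format quoted above and states how far Main Mode got from the responder's point of view. The sample lines are constructed (hostname and peer address changed); the verdict strings are heuristics, not charon output.

```python
import re
# Constructed sample in the shape of the OPNsense charon lines quoted in the post
# (addresses and hostname changed; only the message texts matter for the parser).
SAMPLE_LOG = """\
<30>1 2023-03-02T23:10:00-03:00 fw charon 2030 - [meta sequenceId="1"] 07[NET] <3> received packet: from 203.0.113.10[500] to 192.168.0.254[500] (204 bytes)
<30>1 2023-03-02T23:10:00-03:00 fw charon 2030 - [meta sequenceId="2"] 07[ENC] <3> parsed ID_PROT request 0 [ SA V V V V V V ]
<30>1 2023-03-02T23:10:00-03:00 fw charon 2030 - [meta sequenceId="3"] 07[CFG] <3> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
<30>1 2023-03-02T23:10:00-03:00 fw charon 2030 - [meta sequenceId="4"] 07[ENC] <3> generating ID_PROT response 0 [ SA V V V ]
<30>1 2023-03-02T23:10:00-03:00 fw charon 2030 - [meta sequenceId="5"] 07[NET] <3> sending packet: from 192.168.0.254[500] to 203.0.113.10[500] (136 bytes)
<30>1 2023-03-02T23:10:02-03:00 fw charon 2030 - [meta sequenceId="6"] 07[IKE] <3> received retransmit of request with ID 0, retransmitting response
<30>1 2023-03-02T23:10:04-03:00 fw charon 2030 - [meta sequenceId="7"] 07[IKE] <3> received retransmit of request with ID 0, retransmitting response
<30>1 2023-03-02T23:10:30-03:00 fw charon 2030 - [meta sequenceId="8"] 15[JOB] <3> deleting half open IKE_SA with 203.0.113.10 after timeout
"""
# thread[SUBSYS] <ike_sa_id> message  -- the part of each charon line we care about
LINE_RE = re.compile(r'\d+\[[A-Z]+\] <(?P<sa>\d+)> (?P<msg>.*)$')

def analyze_charon(log_text):
    """Group charon lines by IKE_SA id and record how far Main Mode got as responder."""
    sas = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        sa = sas.setdefault(int(m.group('sa')), {
            'peer': None, 'proposal': None, 'response_sent': False,
            'retransmits': 0, 'timed_out': False})
        msg = m.group('msg')
        if msg.startswith('received packet: from '):
            sa['peer'] = msg.split()[3]                # e.g. 203.0.113.10[500]
        elif msg.startswith('selected proposal: '):
            sa['proposal'] = msg[len('selected proposal: '):]
        elif msg.startswith('generating ID_PROT response 0'):
            sa['response_sent'] = True                 # MM2 was built and handed to [NET]
        elif 'received retransmit of request with ID 0' in msg:
            sa['retransmits'] += 1                     # initiator is still waiting for MM2
        elif msg.startswith('deleting half open IKE_SA'):
            sa['timed_out'] = True
    return sas

def diagnose(sa):
    """Heuristic verdict for one half-open Main Mode exchange, from the responder's view."""
    if sa['proposal'] is None:
        return 'no proposal selected: compare Phase 1 crypto settings on both peers'
    if sa['response_sent'] and sa['retransmits'] >= 2 and sa['timed_out']:
        return ('initiator never saw our response: check the return path and '
                'NAT/port-forward for UDP 500 and 4500 toward the initiator')
    if sa['timed_out']:
        return 'timed out without retransmits: a later Main Mode message was probably lost'
    return 'exchange in progress or completed'
```

Run it against the real OPNsense log above (pasted into SAMPLE_LOG) to get the same per-SA summary for IKE_SA <3>.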
#2
Hello all,
Please help me,

I am trying to establish a tunnel between Palo Alto and OPNsense, but it keeps logging: