Issue
A site-to-site IPSec VPN between a Palo Alto Networks firewall and a firewall from a different vendor is configured.
Phase 1 succeeds, but Phase 2 negotiation fails.
A look at the ikemgr.log with the CLI command:
> tail follow yes mp-log ikemgr.log
shows the following errors:
( description contains 'IKE protocol notification message received: INVALID-ID-INFORMATION (18).' )
and
IKE phase-2 negotiation is failed as initiator, quick mode. Failed SA: 216.204.241.93[500]-216.203.80.108[500] message id:0x43D098BB. Due to negotiation timeout
Cause
The most common phase-2 failure is due to Proxy ID mismatch.
Resolution
To resolve a Proxy ID mismatch, try the following:
- Check the Proxy ID settings on the Palo Alto Networks firewall and on the firewall at the other end of the tunnel.
Note: Other firewall vendors may refer to the Proxy ID as the Access List or Access Control List (ACL).
- Also check the IPSec crypto profile to ensure that the proposals match on both sides.
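As an added illustration of the two checks above (this is not code from the Palo Alto Networks article), the script below compares a set of Proxy IDs against the peer's ACL entries and the two sides' crypto proposals and reports what does not line up. The configurations are constructed samples; the peer's ACL states each pair from its own point of view, so its local and remote selectors are swapped before comparing.

```python
from ipaddress import ip_network

# Constructed sample configurations (hypothetical, not from any real device).
# A Proxy ID is (local subnet, remote subnet, protocol) as seen by that side.
PAN_PROXY_IDS = [
    ("10.1.0.0/24", "192.168.50.0/24", "any"),
    ("10.1.1.0/24", "192.168.60.0/24", "any"),
]
PEER_ACL = [
    ("192.168.50.0/24", "10.1.0.0/24", "any"),   # mirrors the first PAN entry
    ("192.168.60.0/24", "10.1.1.0/25", "any"),   # narrower subnet: mismatch
]
PAN_IPSEC_CRYPTO = {"esp": {"aes-256-cbc"}, "auth": {"sha256"}, "dh": {"group14"}}
PEER_IPSEC_CRYPTO = {"esp": {"aes-256-cbc", "aes-128-cbc"}, "auth": {"sha1"}, "dh": {"group14"}}


def norm(entry):
    """Normalise a (local, remote, protocol) triple for exact comparison."""
    local, remote, proto = entry
    return (ip_network(local, strict=False), ip_network(remote, strict=False), proto.lower())


def proxy_id_mismatches(pan_ids, peer_acl):
    """Return the PAN Proxy IDs that no peer ACL entry mirrors exactly.

    Quick mode needs an exact match of both traffic selectors and the
    protocol; a wider or narrower subnet on the peer is still a mismatch
    (the INVALID-ID-INFORMATION case), so no summarisation is attempted.
    """
    peer_mirrored = {(r, l, p) for (l, r, p) in map(norm, peer_acl)}
    return [entry for entry in pan_ids if norm(entry) not in peer_mirrored]


def crypto_mismatches(pan, peer):
    """Return crypto attributes (esp/auth/dh) with no proposal common to both sides."""
    return sorted(k for k in pan if not (pan[k] & peer.get(k, set())))


if __name__ == "__main__":
    for entry in proxy_id_mismatches(PAN_PROXY_IDS, PEER_ACL):
        print("Proxy ID with no matching peer ACL entry:", entry)
    for attr in crypto_mismatches(PAN_IPSEC_CRYPTO, PEER_IPSEC_CRYPTO):
        print("No common IPSec proposal for:", attr)
```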
See Also
For more information on IPSec, see:
IPSec and tunneling - resource list
owner: vvasilasco