IPsec phase-2 with OCI stays down
10032
Created On 03/19/20 02:03 AM - Last Modified 04/04/20 00:15 AM
Symptom
- An IPsec tunnel is configured between the on-prem PA firewall and OCI, but the phase-2 (IPsec SA) negotiation fails.
- Review the System logs to identify and verify the failure events.
- The System log entry for the failed negotiation reports that phase-2 failed because no matching proposal was chosen.
Environment
- Platform: PA-VM
- PAN-OS / Plugin Version: Any
- Deployment: Any
Cause
- Phase-2 negotiation fails because none of the proposals in the Security Association (SA) payload sent by the firewall matches what the OCI side accepts.
Resolution
- Oracle supports only the following parameters for phase-2:
  - Encryption: aes-256-cbc
  - Authentication: sha1
  - DH Group: group5
  - Lifetime: 3600 secs
- Configure the IPsec crypto profile on the firewall to include exactly the set above, and apply that profile to the IPsec tunnel facing OCI, so that at least one proposal in the SA payload matches.
Ref: https://docs.cloud.oracle.com/en-us/iaas/Content/Network/Reference/paloaltoCPE.htm
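The resolution above expressed as PAN-OS CLI configuration, added here as an illustration and not taken from the article or the Oracle reference; the profile name OCI-Phase2 and the tunnel name ipsec-tunnel-OCI are assumed placeholders, replace them with your own.

```text
# Added example (not from the original article). Names are placeholders.
configure

# IPsec (phase-2) crypto profile limited to the parameters OCI accepts
set network ike crypto-profiles ipsec-crypto-profiles OCI-Phase2 esp encryption aes-256-cbc
set network ike crypto-profiles ipsec-crypto-profiles OCI-Phase2 esp authentication sha1
set network ike crypto-profiles ipsec-crypto-profiles OCI-Phase2 dh-group group5
set network ike crypto-profiles ipsec-crypto-profiles OCI-Phase2 lifetime seconds 3600

# Bind the profile to the existing IPsec tunnel that terminates on OCI
set network tunnel ipsec ipsec-tunnel-OCI auto-key ipsec-crypto-profile OCI-Phase2

commit
exit

# After the commit, confirm the phase-2 SA is established and watch for
# any further "no proposal chosen" events in the IKE manager log
show vpn ipsec-sa
tail lines 50 mp-log ikemgr.log
```

If the profile still lists additional encryption, authentication, or DH values alongside the ones above, remove them rather than appending, since the extra entries are what produce the unmatched proposals.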