IPsec phase-2 with OCI stays down

10032
Created On 03/19/20 02:03 AM - Last Modified 04/04/20 00:15 AM


Symptom


  • An IPsec tunnel is configured between an on-premises Palo Alto Networks firewall and OCI, but the phase-2 negotiation fails.
  • Review the System logs to identify and verify the failure events.
[Image: System log snippet showing the phase-2 negotiation failure]
  • The log snippet above shows the phase-2 negotiation failing because no matching proposal was chosen.


Environment


  • Platform: PA-VM
  • PAN-OS / Plugin Version: Any
  • Deployment: Any


Cause


  • Phase-2 negotiation fails because no matching proposal is available in the Security Association (SA) payload.


Resolution


  • Oracle supports only the following parameters for phase-2:
      • IPSec Protocol: ESP
      • Encryption: aes-256-cbc
      • Authentication: sha1
      • DH Group: group5
      • Lifetime: 3600 secs
  • Configure the IPsec crypto profile on the firewall to include the above set.
[Image: IPsec crypto profile configuration on the firewall]
    Ref: https://docs.cloud.oracle.com/en-us/iaas/Content/Network/Reference/paloaltoCPE.htm
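As an added example (not part of the original article), the same resolution applied from the PAN-OS CLI, followed by the operational commands used to confirm the phase-2 SA comes up; the profile name OCI-Phase2, the tunnel name OCI-Tunnel and the admin@PA-VM prompt are assumed placeholders.

```text
admin@PA-VM> configure
admin@PA-VM# set network ike crypto-profiles ipsec-crypto-profiles OCI-Phase2 esp encryption aes-256-cbc
admin@PA-VM# set network ike crypto-profiles ipsec-crypto-profiles OCI-Phase2 esp authentication sha1
admin@PA-VM# set network ike crypto-profiles ipsec-crypto-profiles OCI-Phase2 dh-group group5
admin@PA-VM# set network ike crypto-profiles ipsec-crypto-profiles OCI-Phase2 lifetime seconds 3600
admin@PA-VM# set network tunnel ipsec OCI-Tunnel auto-key ipsec-crypto-profile OCI-Phase2
admin@PA-VM# commit
admin@PA-VM# exit
admin@PA-VM> test vpn ipsec-sa tunnel OCI-Tunnel
admin@PA-VM> show vpn ipsec-sa tunnel OCI-Tunnel
admin@PA-VM> show log system direction equal backward
```

A new profile is created on purpose: `set` on an existing profile's encryption or authentication list adds to that list rather than replacing it, so reusing a profile that already carries other algorithms would still offer proposals OCI does not accept. After the commit, the `show vpn ipsec-sa` output should list the SA for the tunnel and the System log should no longer report the no-proposal-chosen failure.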

