I am trying to establish a successful VPN connection between my Palo Alto firewall and a Check Point firewall. The VPN tunnel on the Palo Alto side shows all green for phase 1 and 2; however, on the Check Point side I keep getting a failure per the log "IKE failure no response from peer".

In the "Monitor" > "System" log of the Palo Alto the message I am seeing is "ike-nego-p2-proxy-id-bad" "IKE phase-2 negotiation failed when processing proxy ID. cannot find matching phase-2 tunnel for received proxy ID. received local ID 10.30.30.0/24 type IPv_4_subnet protocol 0 port 0, received remote id: 10.10.10.0/24 type IPv4_subnet protocol 0 port 0."

On the Check Point side the local network is 10.10.10.0/24. I am using an "encryption domain" on the Check Point. I do not have any Proxy IDs configured on the Palo Alto side. I am under the impression that routing the traffic for destination 10.10.10.0/24 to the tunnel interface as a static route is all that is needed to identify the remote private network. On the Palo Alto, for the IKE crypto profile I am using Suite-B-GCM-128, and for the IPSec crypto profile Suite-B-GCM-128.
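An added example, not part of the original post: a simplified model of the proxy-ID lookup named in the log message, run against the log text quoted above. It assumes exact matching of both selectors and that a tunnel with no Proxy ID configured offers 0.0.0.0/0 on both sides; the entry name `cp-encdom` is hypothetical.

```python
import ipaddress
import re

# Log text as quoted in the post above.
LOG = ("received local ID 10.30.30.0/24 type IPv_4_subnet protocol 0 port 0, "
       "received remote id: 10.10.10.0/24 type IPv4_subnet protocol 0 port 0.")

# Accepts both spellings seen in the message: "local ID <net>" and "remote id: <net>".
ID_RE = re.compile(
    r"received (local|remote) id:? (\S+) type \S+ protocol (\d+) port (\d+)",
    re.IGNORECASE)


def parse_received(log):
    """Return {'local': (network, proto, port), 'remote': (...)} from the log text."""
    out = {}
    for side, net, proto, port in ID_RE.findall(log):
        out[side.lower()] = (ipaddress.ip_network(net), int(proto), int(port))
    return out


def find_match(received, proxy_ids):
    """Exact-match received selectors against (name, local, remote) entries.

    Assumption: the lookup is an exact comparison of both subnets, with no
    narrowing of a wider configured selector.
    """
    for name, local, remote in proxy_ids:
        if (ipaddress.ip_network(local) == received["local"][0]
                and ipaddress.ip_network(remote) == received["remote"][0]):
            return name
    return None


ANY = "0.0.0.0/0"
# Assumption: with no Proxy ID configured, the tunnel is treated as any/any.
NO_PROXY_ID = [("default", ANY, ANY)]
# Hypothetical entry mirroring the subnets the peer sent (local = Palo Alto side).
WITH_PROXY_ID = [("cp-encdom", "10.30.30.0/24", "10.10.10.0/24")]

if __name__ == "__main__":
    rx = parse_received(LOG)
    print("no proxy ID configured ->", find_match(rx, NO_PROXY_ID))
    print("matching proxy ID      ->", find_match(rx, WITH_PROXY_ID))
```

Under these assumptions the static route only decides which traffic enters the tunnel; the phase-2 lookup compares the selectors the peer sends with the ones the tunnel is configured for.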