
Palo Alto 2 Checkpoint fw Tunnel issue (Not coming up)

Question asked by Boopathi Manickam on Oct 15, 2018
Latest reply on Oct 15, 2018 by Boopathi Manickam

Hello, This is regarding IPSec VPN setup - Palo Alto to Checkpoint VSX VS.

Checkpoint end firewall details:

1. Physical box VSX (license of IPSec VPN blade at VSX enabled), few Virtual Systems created.
2. Internet is directly terminated at VS FW. Checkpoint and Palo Alto can ping each other's public after enabling ICMP.
3. IKEv2 is preferred, IKEv1 is minimum.
5. Required parameters: Encryption – AES128/AES256, Integrity (hash) – SHA256/SHA384, DH – 14
6. P1 Lifetime – 28800 seconds (8 hrs), P2 Lifetime – 3600 seconds (1 hr), PFS – enabled
7. Palo Alto is created as interoperable device.

Working for parameters: IKEv1, (P1) Encryption – AES128, Integrity (hash) – SHA, DH – 14 and (P2) Encryption – AES256, Integrity (hash) – SHA, DH – 14.

Not working for SHA256 or SHA384.

No access through CLI (IKE debug view is not possible).

Troubleshooting already done: Policy Global Properties and Gateway Properties, Traditional Mode – checked.

Following errors have been received during VPN turn up activity:

1. IKE: Aggressive Mode Sent Notification to Peer: no proposal chosen
2. After sending IKE traffic, there is no coming or going traffic.

Whenever I'm adding SHA256 or SHA384 at VPN community, there is "no proposal chosen" and it is not working at all. If anyone has faced any issue building an IPSec VPN with Palo Alto, kindly share your input. Your information is appreciated.
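The "no proposal chosen" notification in the post is the responder's answer when none of the full algorithm combinations the initiator offers (encryption + integrity + DH group, together) is one the responder is configured to accept. The Python model below is an added illustration, not code from Check Point, Palo Alto or the poster; it reproduces that selection step and, when nothing matches, reports which attribute never overlaps, which is the question an admin without IKE debug access wants answered. The proposal sets are constructed from the parameters listed in the post, and the assumption that the Palo Alto IKE crypto profile lists only SHA1 is a hypothesis consistent with the symptom (SHA works, SHA256/SHA384 does not), not a fact from the page.

```python
"""Model of IKE proposal matching, to show why a peer returns
NO_PROPOSAL_CHOSEN. Added illustration; not vendor code."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Proposal:
    encryption: str   # e.g. "aes-128-cbc"
    integrity: str    # e.g. "sha256"
    dh_group: int     # e.g. 14


def initiator_proposals(encs, integs, groups):
    """An initiator offers every combination of the algorithms it is
    configured with; the responder must pick one complete combination
    that it also supports (same rule in IKEv1 transforms and IKEv2
    proposals)."""
    return [Proposal(e, i, g) for e, i, g in product(encs, integs, groups)]


def select_proposal(offered, accepted):
    """Responder logic: first offered proposal the responder accepts,
    or None (reported to the peer as 'no proposal chosen')."""
    acceptable = set(accepted)
    for p in offered:
        if p in acceptable:
            return p
    return None


def explain_mismatch(offered, accepted):
    """List the attributes whose offered and accepted values never
    overlap. Empty list means some combination could match."""
    reasons = []
    for attr in ("encryption", "integrity", "dh_group"):
        off = {getattr(p, attr) for p in offered}
        acc = {getattr(p, attr) for p in accepted}
        if not off & acc:
            reasons.append(f"{attr}: offered {sorted(off)} vs accepted {sorted(acc)}")
    return reasons


def scenario(cp_integrity):
    """Constructed scenario: the Check Point community (initiator) offers
    AES-128 with the given hash and DH group 14; the Palo Alto IKE crypto
    profile (hypothetical, assumed here) accepts AES-128/AES-256 with
    SHA1 only and DH group 14."""
    checkpoint = initiator_proposals(["aes-128-cbc"], [cp_integrity], [14])
    palo_alto = initiator_proposals(["aes-128-cbc", "aes-256-cbc"], ["sha1"], [14])
    chosen = select_proposal(checkpoint, palo_alto)
    return chosen, explain_mismatch(checkpoint, palo_alto)


if __name__ == "__main__":
    for integrity in ("sha1", "sha256", "sha384"):
        chosen, reasons = scenario(integrity)
        if chosen:
            print(f"{integrity}: chosen {chosen}")
        else:
            print(f"{integrity}: no proposal chosen; " + "; ".join(reasons))
```

Running it with the constructed profiles shows SHA1 negotiating and SHA256/SHA384 failing on the integrity attribute alone, which is the pattern to check on the Palo Alto IKE and IPSec crypto profiles when the Check Point side has no IKE debug available.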
