Corente - CSG to Paloalto 500 "VIP_INIT_DELAY timed out, reason = IPsec Phase2 Failed"

(Doc ID 2332466.1)

Last updated on JANUARY 10, 2018

Applies to:

Corente Cloud Services Exchange - Version 9.4 and later
Information in this document applies to any platform.

Symptoms

Setting Up VPN Using a Third-Party VPN(PaloAlto 500) device to access Compute Classic instances by using Corente Services Gateway in Oracle Cloud fails at "IKE Phase2".

-- Secure log--
xxxOPCvpn pluto[5514]: "T.xxxOPCvpn-paloalto.1048580" #71164: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
xxxOPCvpnn pluto[5514]: "T.xxxOPCvpn-paloalto.1048580 #71164: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=OAKLEY_SHA2_256 group=modp2048}
xxxOPCvpn pluto[5514]: "T.xxxOPCvpn-paloalto.1048580 #71165: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#71164 msgid:a24dbc43 proposal=AES(12)_256-MD5(1)_128, AES(12)_256-SHA1(2)_160, AES(12)_256-SHA2_256(5)_256, AES(12)_192-MD5(1)_128, AES(12)_192-SHA1(2)_160, AES(12)_192-SHA2_256(5)_256, AES(12)_128-MD5(1)_128, AES(12)_128-SHA1(2)_160, AES(12)_128-SHA2_256(5)_256, 3DES(3)_192-MD5(1)_12 pfsgroup=OAKLEY_GROUP_MODP2048}
xxxOPCvpn pluto[5514]: "T.xxxOPCvpn-paloalto.1048580 #71165: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal        < ---
-- Oralog--
IPsec Phase2 Failed 10.101.102.0/24-10.0.102.0/24:DOWN 10.101.102.0/24-10.0.101.0/24:DOWN 10.101.102.0/24-10.0.8.0/24:DOWN" almcode="161" tunnel_type="None" </tunnel> </org_event>
xxxOPCvpn org: :xxxOPCvpn-paloalto(10.0.108.134): Tearing tunnels down because VIP_INIT_DELAY timed out, reason = IPsec Phase2 Failed
--ping--
13:55:19.037641 IP 10.19.66.150.4500 > 123.231.12.187.4500: NONESP-encap: isakmp: phase 2/others ? oakley-quick[E] < -- no return traffic
13:55:19.039564 IP 10.19.66.150.4500 > 123.231.12.187.4500: NONESP-encap: isakmp: phase 2/others ? oakley-quick[E]
13:55:20.042747 IP 10.19.66.150.4500 > 123.231.12.187.4500: NONESP-encap: isakmp: phase 2/others ? oakley-quick[E]
13:55:24.046853 IP 10.19.66.150.4500 > 123.231.12.187.4500: NONESP-encap: isakmp: phase 2/others ? oakley-quick[E]

Cause

Sign In with your My Oracle Support account

Don't have a My Oracle Support account? Click to get started

My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms