IPSec VPN Error: IKE Phase-2 Negotiation is Failed as Initiator, Quick Mode
Issue
A site-to-site IPSec VPN between a Palo Alto Networks firewall and another firewall from a different vendor is configured. Phase 1 succeeds, but Phase 2 negotiation fails. A look at the ikemgr.log with the command
> tail follow yes mp-log ikemgr.log
shows the following errors:
( description contains 'IKE protocol notification message received: INVALID-ID-INFORMATION (18).' )
and
IKE phase-2 negotiation is failed as initiator, quick mode. Failed SA: 216.204.241.93[500]-216.203.80.108[500] message id:0x43D098BB. Due to negotiation timeout
Resolution
The most common cause of a phase-2 failure is a Proxy ID mismatch.
- Check the Proxy ID settings on the Palo Alto Networks firewall and the firewall on the other side.
Note: Proxy ID for other firewall vendors may be referred to as the Access List or Access Control List (ACL).
- Also, check the IPSec crypto to ensure that the proposals match on both sides.
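As an added illustration (not part of the original article or Palo Alto Networks tooling), the script below parses the two ikemgr.log messages quoted above from a constructed log excerpt, flags the failed SA as a likely Proxy ID mismatch when INVALID-ID-INFORMATION (18) accompanies it, and then performs the Proxy ID check from the resolution: every Proxy ID on the Palo Alto Networks side must appear on the peer with local and remote swapped and the same protocol. The IP addresses, subnets and message id are sample values.

```python
import ipaddress
import re

# Constructed ikemgr.log excerpt (sample data, not from a real device).
SAMPLE_LOG = """\
( description contains 'IKE protocol notification message received: INVALID-ID-INFORMATION (18).' )
IKE phase-2 negotiation is failed as initiator, quick mode. Failed SA: 203.0.113.10[500]-198.51.100.20[500] message id:0x43D098BB. Due to negotiation timeout
"""

FAILED_SA_RE = re.compile(
    r"IKE phase-2 negotiation is failed as (?P<role>\w+), quick mode\. "
    r"Failed SA: (?P<local>[\d.]+)\[\d+\]-(?P<peer>[\d.]+)\[\d+\] "
    r"message id:(?P<msgid>0x[0-9A-Fa-f]+)"
)

def parse_phase2_failures(log_text):
    """Return one dict per failed quick-mode SA (role, local, peer, msgid);
    mark it as a likely Proxy ID mismatch when INVALID-ID-INFORMATION (18)
    was logged in the same excerpt."""
    invalid_id = "INVALID-ID-INFORMATION (18)" in log_text
    return [{**m.groupdict(), "likely_proxy_id_mismatch": invalid_id}
            for m in FAILED_SA_RE.finditer(log_text)]

def _norm(proxy_id):
    # Normalise a (local_subnet, remote_subnet, protocol) tuple so that
    # "10.1.0.1/24" and "10.1.0.0/24" compare equal and protocol is case-insensitive.
    local, remote, proto = proxy_id
    return (ipaddress.ip_network(local, strict=False),
            ipaddress.ip_network(remote, strict=False), proto.lower())

def unmirrored_proxy_ids(pan_proxy_ids, peer_proxy_ids):
    """Each Proxy ID on the Palo Alto Networks side must exist on the peer
    (its ACL) with local and remote swapped and the same protocol. Return
    the entries on our side that have no such mirror; an empty list means
    the Proxy IDs match."""
    peer = {_norm(p) for p in peer_proxy_ids}
    unmatched = []
    for p in pan_proxy_ids:
        local, remote, proto = _norm(p)
        if (remote, local, proto) not in peer:
            unmatched.append(p)
    return unmatched

if __name__ == "__main__":
    for failure in parse_phase2_failures(SAMPLE_LOG):
        print(failure)
    # Peer side uses a /16 where we use a /24: this Proxy ID is not mirrored.
    print(unmirrored_proxy_ids([("10.1.0.0/24", "10.2.0.0/24", "any")],
                               [("10.2.0.0/24", "10.1.0.0/16", "any")]))
```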
https://live.paloaltonetworks.com/docs/DOC-4637