How to determine the correct value to put in the PAN IKE peer KEYID field?

Created On 09/25/18 18:00 PM - Last Modified 06/13/23 03:52 AM


Resolution


When configuring a Cisco ASA key-id field, how do you determine the correct value to put in the PAN IKE peer KEYID field?

The Cisco ASA accepts any ASCII string as the key-id. This ASCII string must be converted to hexadecimal before it is entered in the PAN's dynamic IKE Peer KEYID field.

For example:

  • Cisco ASA isakmp key-id: foobar
  • PAN dynamic peer KEYID: 666f6f626172

Capture the traffic from the dynamic peer as it arrives at the PAN (debug ike pcap on; debug ike pcap off; scp export debug-pcap from ikemgr.pcap) and examine it in Wireshark. The hex and ASCII values are listed in the first IKE packet from the dynamic peer.

Hex to ASCII converter tool:

http://www.dolcevie.com/js/converter.html
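The same conversion can be done offline. The following is an added example, not part of the original article or any vendor tooling: it converts an ASCII key-id to the hex form for the PAN KEYID field, converts a hex value back to ASCII, and compares the two sides. The function names are illustrative, and the accepted hex input forms (colon, space or dash separators, `0x` prefix) are assumptions about how a value might be copied from a capture.

```python
import string

def ascii_keyid_to_hex(key_id: str) -> str:
    """ASCII key-id as typed on the peer -> hex for the PAN KEYID field."""
    if not key_id:
        raise ValueError("key-id is empty")
    try:
        return key_id.encode("ascii").hex()
    except UnicodeEncodeError:
        raise ValueError(f"key-id is not pure ASCII: {key_id!r}") from None

def normalize_hex(value: str) -> str:
    """Strip 0x prefix and ':' / space / '-' separators, lower-case, validate."""
    cleaned = value.strip().lower()
    if cleaned.startswith("0x"):
        cleaned = cleaned[2:]
    cleaned = "".join(ch for ch in cleaned if ch not in ": -\t")
    if not cleaned or len(cleaned) % 2 or any(ch not in string.hexdigits for ch in cleaned):
        raise ValueError(f"not a whole number of hex bytes: {value!r}")
    return cleaned

def hex_keyid_to_ascii(hex_value: str) -> str:
    """Hex seen in a capture or PAN config -> the ASCII key-id the peer must use."""
    raw = bytes.fromhex(normalize_hex(hex_value))
    if any(b < 0x20 or b > 0x7E for b in raw):
        raise ValueError("hex value contains bytes outside printable ASCII")
    return raw.decode("ascii")

def keyid_matches(peer_ascii: str, pan_hex: str) -> bool:
    """True when the peer's ASCII key-id and the PAN hex KEYID are the same bytes."""
    return ascii_keyid_to_hex(peer_ascii) == normalize_hex(pan_hex)

if __name__ == "__main__":
    print(ascii_keyid_to_hex("foobar"))             # value from the article
    print(hex_keyid_to_ascii("66:6f:6f:62:61:72"))  # constructed capture-style input
    # Conversion is byte-for-byte: a stray trailing space is a different KEYID.
    print(keyid_matches("foobar ", "666f6f626172"))
```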

SonicWall, Juniper and NetScreen use ASCII for the key ID as well.

owner: panagent


