topic Palo in AWS to Azure VPN Gateway in VM-Series in the Public Cloud

topic Palo in AWS to Azure VPN Gateway in VM-Series in the Public Cloud https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/palo-in-aws-to-azure-vpn-gateway/m-p/485525#M1555 <P>Hi All, I am trying to setup a site-to-to site VPN between Palo (v9.0.1) and Azure VPN gateway.</P><P> </P><P>I have a question and an issue that I am trying to resolve...</P><P> </P><P>NAT-T should be enabled in the gateway settings since AWS NATs everything?</P><P> </P><P>This is the error I keep getting...</P><P> </P><DIV><DIV><SPAN>2022-05-06 15:09:24.235 -0700 [INFO]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>received IKE request 21.50.80.20[500] to 10.10.50.20[500], found IKE gateway TEST_VPN</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.235 -0700 [PNTF]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>====> IKEv2 IKE SA NEGOTIATION STARTED AS RESPONDER, non-rekey; gateway TEST_VPN <====</SPAN></DIV><DIV><SPAN>====> Initiated SA</SPAN><SPAN>: </SPAN><SPAN>10.10.50.20[500]-21.50.80.20[500] SPI:e6a2d4b06fcdec78:a017e7a7durt67ug SN:654 <====</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.235 -0700 [DEBG]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>received Notify type NAT_DETECTION_SOURCE_IP</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.236 -0700 [DEBG]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>received Notify type NAT_DETECTION_DESTINATION_IP</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.236 -0700 [INFO]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>NAT detected</SPAN><SPAN>: </SPAN><SPAN>behind NAT</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.236 -0700 [PWRN]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>10.10.50.20[500] - 21.50.80.20[500]:0x555555a4c640 vendor id payload ignored</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.236 -0700 [PWRN]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>10.10.50.20[500] - 21.50.80.20[500]:0x555555a4c640 vendor id payload ignored</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.236 -0700 [PWRN]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>10.10.50.20[500] - 21.50.80.20[500]:0x555555a4c640 vendor id payload ignored</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.236 -0700 [PWRN]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>10.10.50.20[500] - 21.50.80.20[500]:0x555555a4c640 vendor id payload ignored</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.236 -0700 [DEBG]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>see whether there's matching transform</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.236 -0700 [DEBG]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>found same ID. compare attributes</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.236 -0700 [DEBG]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>OK; advance to next of my transform type</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.236 -0700 [DEBG]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>see whether there's matching transform</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.236 -0700 [DEBG]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>found same ID. compare attributes</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.236 -0700 [DEBG]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>OK; advance to next of my transform type</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.236 -0700 [DEBG]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>see whether there's matching transform</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.236 -0700 [DEBG]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>found same ID. compare attributes</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.236 -0700 [DEBG]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>OK; advance to next of my transform type</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.236 -0700 [DEBG]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>see whether there's matching transform</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.236 -0700 [DEBG]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>found same ID. compare attributes</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.236 -0700 [DEBG]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>OK; advance to next of my transform type</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.236 -0700 [DEBG]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>success</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.236 -0700 [DEBG]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>update request message_id 0x0</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.240 -0700 [INFO]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>10.10.50.20[4500] - 21.50.80.20[4500]:0x7fffd4109fc0 authentication result</SPAN><SPAN>: </SPAN><SPAN>success</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.240 -0700 [PNTF]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>====> IKEv2 CHILD SA NEGOTIATION STARTED AS RESPONDER, non-rekey; gateway TEST_VPN <====</SPAN></DIV><DIV><SPAN>====> Initiated SA</SPAN><SPAN>: </SPAN><SPAN>10.10.50.20[4500]-21.50.80.20[4500] message id:0x00000001 parent SN:654 <====</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.240 -0700 [DEBG]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>update request message_id 0x1</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.240 -0700 [INFO]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>10.10.50.20[4500] - 21.50.80.20[4500]:(nil) closing IKEv2 SA TEST_VPN:954, code 15</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.240 -0700 [PNTF]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>====> IKEv2 IKE SA NEGOTIATION FAILED AS RESPONDER, non-rekey; gateway TEST_VPN <====</SPAN></DIV><DIV><SPAN>====> Failed SA</SPAN><SPAN>: </SPAN><SPAN>10.10.50.20[4500]-21.50.80.20[4500] SPI:e6a2d4b06fcdec78:a017e7a7durt67ug SN 954 <====</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.240 -0700 [DEBG]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>SA dying from state RES_IKE_AUTH_RCVD, caller ikev2_abort</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.240 -0700 [DEBG]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>SA deleted</SPAN><SPAN>: </SPAN><SPAN>state DYING, caller ikev2_abort</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.240 -0700 [DEBG]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>stop retransmit for sa 0x7fffd406bb70 (DEAD), CID 0, child 0x7fffd406bb70</SPAN></DIV><DIV> </DIV><DIV><SPAN>Any help would be appreciated...</SPAN></DIV></DIV> Fri, 06 May 2022 22:26:03 GMT PaulZharyuk 2022-05-06T22:26:03Z Palo in AWS to Azure VPN Gateway https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/palo-in-aws-to-azure-vpn-gateway/m-p/485525#M1555 <P>Hi All, I am trying to setup a site-to-to site VPN between Palo (v9.0.1) and Azure VPN gateway.</P><P> </P><P>I have a question and an issue that I am trying to resolve...</P><P> </P><P>NAT-T should be enabled in the gateway settings since AWS NATs everything?</P><P> </P><P>This is the error I keep getting...</P><P> </P><DIV><DIV><SPAN>2022-05-06 15:09:24.235 -0700 [INFO]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>received IKE request 21.50.80.20[500] to 10.10.50.20[500], found IKE gateway TEST_VPN</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.235 -0700 [PNTF]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>====> IKEv2 IKE SA NEGOTIATION STARTED AS RESPONDER, non-rekey; gateway TEST_VPN <====</SPAN></DIV><DIV><SPAN>====> Initiated SA</SPAN><SPAN>: </SPAN><SPAN>10.10.50.20[500]-21.50.80.20[500] SPI:e6a2d4b06fcdec78:a017e7a7durt67ug SN:654 <====</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.235 -0700 [DEBG]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>received Notify type NAT_DETECTION_SOURCE_IP</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.236 -0700 [DEBG]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>received Notify type NAT_DETECTION_DESTINATION_IP</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.236 -0700 [INFO]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>NAT detected</SPAN><SPAN>: </SPAN><SPAN>behind NAT</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.236 -0700 [PWRN]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>10.10.50.20[500] - 21.50.80.20[500]:0x555555a4c640 vendor id payload ignored</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.236 -0700 [PWRN]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>10.10.50.20[500] - 21.50.80.20[500]:0x555555a4c640 vendor id payload ignored</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.236 -0700 [PWRN]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>10.10.50.20[500] - 21.50.80.20[500]:0x555555a4c640 vendor id payload ignored</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.236 -0700 [PWRN]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>10.10.50.20[500] - 21.50.80.20[500]:0x555555a4c640 vendor id payload ignored</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.236 -0700 [DEBG]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>see whether there's matching transform</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.236 -0700 [DEBG]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>found same ID. compare attributes</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.236 -0700 [DEBG]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>OK; advance to next of my transform type</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.236 -0700 [DEBG]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>see whether there's matching transform</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.236 -0700 [DEBG]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>found same ID. compare attributes</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.236 -0700 [DEBG]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>OK; advance to next of my transform type</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.236 -0700 [DEBG]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>see whether there's matching transform</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.236 -0700 [DEBG]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>found same ID. compare attributes</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.236 -0700 [DEBG]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>OK; advance to next of my transform type</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.236 -0700 [DEBG]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>see whether there's matching transform</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.236 -0700 [DEBG]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>found same ID. compare attributes</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.236 -0700 [DEBG]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>OK; advance to next of my transform type</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.236 -0700 [DEBG]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>success</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.236 -0700 [DEBG]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>update request message_id 0x0</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.240 -0700 [INFO]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>10.10.50.20[4500] - 21.50.80.20[4500]:0x7fffd4109fc0 authentication result</SPAN><SPAN>: </SPAN><SPAN>success</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.240 -0700 [PNTF]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>====> IKEv2 CHILD SA NEGOTIATION STARTED AS RESPONDER, non-rekey; gateway TEST_VPN <====</SPAN></DIV><DIV><SPAN>====> Initiated SA</SPAN><SPAN>: </SPAN><SPAN>10.10.50.20[4500]-21.50.80.20[4500] message id:0x00000001 parent SN:654 <====</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.240 -0700 [DEBG]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>update request message_id 0x1</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.240 -0700 [INFO]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>10.10.50.20[4500] - 21.50.80.20[4500]:(nil) closing IKEv2 SA TEST_VPN:954, code 15</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.240 -0700 [PNTF]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>====> IKEv2 IKE SA NEGOTIATION FAILED AS RESPONDER, non-rekey; gateway TEST_VPN <====</SPAN></DIV><DIV><SPAN>====> Failed SA</SPAN><SPAN>: </SPAN><SPAN>10.10.50.20[4500]-21.50.80.20[4500] SPI:e6a2d4b06fcdec78:a017e7a7durt67ug SN 954 <====</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.240 -0700 [DEBG]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>SA dying from state RES_IKE_AUTH_RCVD, caller ikev2_abort</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.240 -0700 [DEBG]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>SA deleted</SPAN><SPAN>: </SPAN><SPAN>state DYING, caller ikev2_abort</SPAN></DIV><DIV><SPAN>2022-05-06 15:09:24.240 -0700 [DEBG]</SPAN><SPAN>: { </SPAN><SPAN>3</SPAN><SPAN>: }: </SPAN><SPAN>stop retransmit for sa 0x7fffd406bb70 (DEAD), CID 0, child 0x7fffd406bb70</SPAN></DIV><DIV> </DIV><DIV><SPAN>Any help would be appreciated...</SPAN></DIV></DIV> Fri, 06 May 2022 22:26:03 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/palo-in-aws-to-azure-vpn-gateway/m-p/485525#M1555 PaulZharyuk 2022-05-06T22:26:03Z Re: Palo in AWS to Azure VPN Gateway https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/palo-in-aws-to-azure-vpn-gateway/m-p/504129#M1586 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/201927">@PaulZharyuk</a> ,</P> <P>You need to put the private IP addresses as IKE peer ID when defining the IKE Gateway.</P> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Astardzhiev_0-1655369419774.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/41835iE5671120678B9BE4/image-size/medium?v=v2&px=400" role="button" title="Astardzhiev_0-1655369419774.png" alt="Astardzhiev_0-1655369419774.png" /></span></P> <P> </P> <P>If you don't define anything (leave the default of none), firewalls will use IP addresses as peer identifiers. But when behind NAT device will send the private address as local peer (because that is assigned on its interface), while the remote peer will expect to see the public IP (because you have defind the public IP as remote peer).</P> <P> </P> <P>For that reason when behind NAT, in addition to NAT-T you need to change IKE peer identification to use the private addresses.</P> <P> </P> <P>P.S. I hope you have upgraded your firewall as 9.0 is out of support since March.</P> Thu, 16 Jun 2022 08:53:40 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/palo-in-aws-to-azure-vpn-gateway/m-p/504129#M1586 aleksandar.astardzhiev 2022-06-16T08:53:40Z