topic Re: Site to Site VPN IPSec issue between PA and Azure in VM-Series in the Public Cloud

Site to Site VPN IPSec issue between PA and Azure

informatiq — Fri, 24 Mar 2017 14:20:58 GMT

Hello,

I have some problem to configure a VPN between my Palo Alto and Azure.

I follow this tutorial : https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-VPN-Tunnel-Between-a-Palo-Alto-Networks/ta-p/59065

So I have this configuration:

Tunnel Interface: It’s an IP in /32 include in the subnet of the Azure gateway (in /29)

IKE Gateway: My firewall is behind NAT

IKE Crypto Profile:

IPsec Crypto Profile:

IPsec Tunnel:

Static Route: Destination address is my server subnet

Status of the IPsec tunnels are red (so Phase 1 and Phase 2 of the negotiation don’t succeed):

To test and send data through the VPN, I try to connect in RDP to a VM in Azure. But my PC can’t access to the server.

The firewall can’t ping the public IP of Azure. With a traceroute, I can see that packets go on Internet.

This is system logs from the firewall with “vpn” as a filter:

In traffic log, the application is “incomplete” with end session reason “aged-out”:

Results with some commands in the CLI:

show vpn ike-sa gateway GW-IKE-Azure = “IKE gateway GW-IKE-Azure not found”

test vpn ike-sa gateway GW-IKE-Azure = “Initiate IKE SA: Total 1 gateways found. 1 ike sa found”

show session all filter application ike = “No Active Sessions”

debug ike pcap on

view-pcap no-dns-lookup yes no-port-lookup yes debug-pcap ikemgr.pcap =

The Azure configuration is:

The connection is configured as Site-to-Site connection

The address range is in /23 with 2 subnet: one in /24 (for VMs) and the second in /29 (for the subnet gateway).

I have a VM subnet with one server install.

Have you got any idea to solve the problem?

Thank you in advance for your help.

Re: Site to Site VPN IPSec issue between PA and Azure

narayan — Fri, 24 Mar 2017 20:58:11 GMT

Can you follow this for IKEv2 and let me know if it works:

https://live.paloaltonetworks.com/t5/Integration-Articles/Configuring-IKEv2-IPsec-VPN-for-Microsoft-Azure-Environment/ta-p/60340

There doesn't seem to be much difference between the two...you may need to uncheck the liveliness check and the DH group to no-pfs.

Re: Site to Site VPN IPSec issue between PA and Azure

informatiq — Mon, 27 Mar 2017 07:30:14 GMT

Hello,

Thank you for your answer.

I make modifications, but it doesn't work. I have the same error message in systems logs :

Re: Site to Site VPN IPSec issue between PA and Azure

informatiq — Mon, 27 Mar 2017 14:50:24 GMT

I have just had a new error message:

Re: Site to Site VPN IPSec issue between PA and Azure

TranceforLife — Mon, 27 Mar 2017 22:05:12 GMT

Heys,

Would be nice to see a full log output:

> tail lines 200 mp-log ikemgr.log

It is been some time since my last set-up but just a quick update/tips on this:

- make sure Palo in the "passive" mode. So it will not be able to initiate a VPN but we could not make it working when its disabled.

- IKEv2 initiate 2 tunnels: IKE tunnel ( old name of IKEv1 Phase 1) and CHILD_SA (old name of IKEv1 Phase 2). Default lifetime for IKE Tunnel is 86400 or 28800 seconds (depends of the vendor) for CHILD_SA is 3600 seconds hence your tunnel will be always re-established every hour. But it takes couple seconds not minutes.

- disable no-pfs on IPSec Crypto

- disable "Liveness Check" on the IKE Gateway configuration.

Make sure that all other setting are compatible with Azure. Please see below:

IPsec Parameters

Note:

Although the values listed below are supported by the Azure VPN Gateway, currently there is no way for you to specify or select a specific combination from the Azure VPN Gateway. You must specify any constraints from the on-premises VPN device. In addition, you must clamp MSS at 1350.

IKE Phase 1 setup

Property	Policy-based	Route-based and Standard or High Performance VPN gateway
IKE Version	IKEv1	IKEv2
Diffie-Hellman Group	Group 2 (1024 bit)	Group 2 (1024 bit)
Authentication Method	Pre-Shared Key	Pre-Shared Key
Encryption Algorithms	AES256 AES128 3DES	AES256 3DES
Hashing Algorithm	SHA1(SHA128)	SHA1(SHA128), SHA2(SHA256)
Phase 1 Security Association (SA) Lifetime (Time)	28,800 seconds	10,800 seconds

IKE Phase 2 setup

Property	Policy-based	Route-based and Standard or High Performance VPN gateway
IKE Version	IKEv1	IKEv2
Hashing Algorithm	SHA1(SHA128)	SHA1(SHA128)
Phase 2 Security Association (SA) Lifetime (Time)	3,600 seconds	3,600 seconds
Phase 2 Security Association (SA) Lifetime (Throughput)	102,400,000 KB	-
IPsec SA Encryption & Authentication Offers (in the order of preference)	1. ESP-AES256 2. ESP-AES128 3. ESP-3DES 4. N/A	See Route-based Gateway IPsec Security Association (SA) Offers(below)
Perfect Forward Secrecy (PFS)	No	Yes (DH Group1, 2, 5, 14, 24)
Dead Peer Detection	Not supported	Supported

After doing all this tunnel still stable for the past 3 days.

You can clear the tunnel couple times to see if everything is working correctly:

> clear vpn ike-sa gateway (for IKE Tunnel)

> clear vpn ipsec-sa tunnel (for CHILD_SA)

Hope it helps!

more info here:

https://live.paloaltonetworks.com/t5/General-Topics/VPN-to-Azure-dropouts/m-p/98936#M44162

Re: Site to Site VPN IPSec issue between PA and Azure

itounsi — Tue, 02 May 2017 14:35:07 GMT

Hi all,

I need your help to configure a vpn between PA3020 and Azure with dynamic gateway.

I have a problem "ike-nego-p1-fail " --> ( description contains 'IKE phase-1 negotiation is failed as initiator, main mode. Failed SA: X.X.X.X[500]-X.X.X.X[500] cookie:6a4facbf0c032fc8:0000000000000000. Due to timeout.' )

and ( eventid eq ike-nego-p1-delete ) --> and and ( description contains 'IKE phase-1 SA is deleted SA: SA: X.X.X.X[500]-X.X.X.X[500] cookie:6a4facbf0c032fc8:0000000000000000.' )

Re: Site to Site VPN IPSec issue between PA and Azure

niyengar — Tue, 02 May 2017 21:57:50 GMT

Hi,

My guess is that you need an alternative authentication method in the IKE gateway setup: Local Identification portion.

You can use email or fqdn and as long as they match on both sides it doesn't matter what it is...

The guess is here that NAT is breaking IKE

Re: Site to Site VPN IPSec issue between PA and Azure

TranceforLife — Thu, 11 May 2017 13:14:40 GMT

Make sure you have Layer 3 communication between the peer. Before setting up the tunnel, please ping the remote peer ip. If Layer 3 is good, make sure your policy is allowing ike, IPSec etc application on the untrust interface (zone).

Re: Site to Site VPN IPSec issue between PA and Azure

JennyHuang36 — Wed, 07 Jun 2017 23:40:56 GMT

Hi, I got question regarding 96415 fixed in 7.1.6. However, I am still seeing the issue in 7.1.6.

What should I do, should I upgrade to 8.0.0+Please assist. Thank you.

96415
Fixed an issue where the firewall failed to pass traffic in strongSwan and Azure IPSec tunnels while using IKEv2 because it did not send a Delete payload during a Phase 2 Child SA re-keying. With this fix, the firewall correctly sends a Delete payload during re-keying if it is the node that initiated the re-keying.