topic Re: Site to Site VPN failing when IKEv2 and different PANOS in General Topics

Site to Site VPN failing when IKEv2 and different PANOS

COlson — Thu, 14 Apr 2022 00:58:21 GMT

Hello,

I’ve recently ran into an issue where I’m using IKEv2 preferred and the two firewalls are using different versions of PAN-OS. It will fail with “invalid sig.”. If both firewalls are the same PAN-OS version (this has been happening on 9.1.11-9.1-13h3… I don’t have any other versions to test), it works fine. But since I can’t update all firewalls at the same time, there are periods of time where they are different versions and that results in the tunnel dropping.

Additionally, as I’m using IKEv2 preferred, I assumed that when IKEv2 failed, it would use IKEv1 but that doesn’t seem to be the case.

Are both of these expected behaviors? There must be something I am missing.

Thanks.

Re: Site to Site VPN failing when IKEv2 and different PANOS

Remo — Wed, 20 Apr 2022 05:49:27 GMT

Hi @COlson

I don't know the exact detail of the implementstion of "IKEv2 preferred" but I only had issues with this in the past. I recommend you to use IKEv2 only. Once the tunnel is successfully connected it will not suddenly fail to establish and then do a fallback to IKEv1. If it really fails in such a situation, then it probably is because of an (unlikely) MITM attack.

Re: Site to Site VPN failing when IKEv2 and different PANOS

COlson — Sun, 24 Apr 2022 00:40:03 GMT

Hi,

I could set it to IKEv2 only but the same problem arises; as soon as the the two firewalls are on different versions of PAN-OS, IKEv2 fails. I would have thought that would be the use case for IKEv2 preferred but it doesn’t seem it.