<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Client-to-Site IKEv2 IPSec without GlobalProtect in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/client-to-site-ikev2-ipsec-without-globalprotect/m-p/1228510#M124233</link>
    <description>&lt;P&gt;Looks like my reply with Palo Alto debug logs has been removed by staff.&amp;nbsp;Thank you #Kiwi for your help!&lt;/P&gt;</description>
    <pubDate>Thu, 08 May 2025 15:24:41 GMT</pubDate>
    <dc:creator>kemeris</dc:creator>
    <dc:date>2025-05-08T15:24:41Z</dc:date>
    <item>
      <title>Client-to-Site IKEv2 IPSec without GlobalProtect</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/client-to-site-ikev2-ipsec-without-globalprotect/m-p/1228461#M124221</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I am totally new to Palo Alto and am trying to set up a VPN connection from the Android Strongswan VPN Client app to Palo Alto without GlobalProtect.&lt;/P&gt;
&lt;P&gt;I have a requirement that the client's IP is unknown and can be any public IP. At the moment the IPSec tunnel is UP, but I always get an error on the client side: "setting up TUN device failed, no virtual IP found". Is it possible at all to set up such a VPN on Palo Alto?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thank you in advance.&lt;/P&gt;</description>
      <pubDate>Thu, 08 May 2025 06:38:11 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/client-to-site-ikev2-ipsec-without-globalprotect/m-p/1228461#M124221</guid>
      <dc:creator>kemeris</dc:creator>
      <dc:date>2025-05-08T06:38:11Z</dc:date>
    </item>
    <item>
      <title>Re: Client-to-Site IKEv2 IPSec without GlobalProtect</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/client-to-site-ikev2-ipsec-without-globalprotect/m-p/1228487#M124225</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1469103411"&gt;@kemeris&lt;/a&gt;&amp;nbsp;,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;It should be possible to set up the VPN.&lt;/P&gt;
&lt;P&gt;I've seen this error when the client requested&lt;SPAN&gt;&amp;nbsp;a virtual IPv6 address (as opposed to an IPv4 one) but the server wasn't configured to provide such.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;Can you check the client/server logs to get more information?&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Kind regards,&lt;/P&gt;
&lt;P&gt;-Kim.&lt;/P&gt;</description>
      <pubDate>Thu, 08 May 2025 12:50:01 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/client-to-site-ikev2-ipsec-without-globalprotect/m-p/1228487#M124225</guid>
      <dc:creator>kiwi</dc:creator>
      <dc:date>2025-05-08T12:50:01Z</dc:date>
    </item>
    <item>
      <title>Re: Client-to-Site IKEv2 IPSec without GlobalProtect</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/client-to-site-ikev2-ipsec-without-globalprotect/m-p/1228500#M124227</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1469103411"&gt;@kemeris&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;
&lt;P&gt;Hello,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I am totally new to Palo Alto and am trying to set up a VPN connection from the Android Strongswan VPN Client app to Palo Alto without GlobalProtect.&lt;/P&gt;
&lt;P&gt;I have a requirement that the client's IP is unknown and can be any public IP. At the moment the IPSec tunnel is UP, but I always get an error on the client side: "setting up TUN device failed, no virtual IP found". Is it possible at all to set up such a VPN on Palo Alto?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thank you in advance.&lt;/P&gt;
&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1469103411"&gt;@kemeris&lt;/a&gt;&amp;nbsp;-- It's been my understanding that the Global Protect client VPN functionality doesn't work or isn't stable if not using the GP client software.&amp;nbsp; You mentioned an Android OS; the GP client would be a license purchase requirement, but I don't think there's a way around it.&amp;nbsp; Even if it does work, I don't think it would be a supported option, so any issue you might run into in the future would be at your own risk.&lt;/P&gt;</description>
      <pubDate>Thu, 08 May 2025 14:30:41 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/client-to-site-ikev2-ipsec-without-globalprotect/m-p/1228500#M124227</guid>
      <dc:creator>Brandon_Wertz</dc:creator>
      <dc:date>2025-05-08T14:30:41Z</dc:date>
    </item>
    <item>
      <title>Re: Client-to-Site IKEv2 IPSec without GlobalProtect</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/client-to-site-ikev2-ipsec-without-globalprotect/m-p/1228503#M124229</link>
      <description>&lt;P&gt;My Android device with the Strongswan client does have a public IPv4 and IPv6 address. The client (88.118.127.99) connects to Palo Alto (5.133.66.229) by hostname &lt;EM&gt;vpn.zeusit.lt&lt;/EM&gt;, which does not have an AAAA DNS record. Maybe I misunderstood IPSec tunnel Proxy IDs?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Here is Palo Alto debug log:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;LI-CODE lang="markup"&gt;2025-05-08 17:06:18.066 +0300 [INFO]: { 1: }: received IKE request 88.118.127.99[55025] to 5.133.66.229[500], found IKE gateway IKEv2-gateway
2025-05-08 17:06:18.069 +0300 [PNTF]: { 1: }: ====&amp;gt; IKEv2 IKE SA NEGOTIATION STARTED AS RESPONDER, non-rekey; gateway IKEv2-gateway &amp;lt;====
====&amp;gt; Initiated SA: 5.133.66.229[500]-88.118.127.99[55025] SPI:733e18ff8deacefd:0ca46fccf4375c3d SN:1 &amp;lt;====
2025-05-08 17:06:18.069 +0300 [INFO]: { 1: }: NAT detected: peer behind NAT
2025-05-08 17:06:18.069 +0300 [PWRN]: { 1: }: 5.133.66.229[500] - 88.118.127.99[55025]:0x55eb4b9e4210 ignoring unauthenticated notify payload (16430)
2025-05-08 17:06:18.069 +0300 [PWRN]: { 1: }: 5.133.66.229[500] - 88.118.127.99[55025]:0x55eb4b9e4210 ignoring unauthenticated notify payload (16431)
2025-05-08 17:06:18.069 +0300 [PWRN]: { 1: }: 5.133.66.229[500] - 88.118.127.99[55025]:0x55eb4b9e4210 ignoring unauthenticated notify payload (16406)
2025-05-08 17:06:18.070 +0300 [PERR]: { 1: }: DH group id 19 != 14, responding with INVALID_KE_PAYLOAD
2025-05-08 17:06:18.103 +0300 [INFO]: { 1: }: received IKE request 88.118.127.99[55025] to 5.133.66.229[500], found IKE gateway IKEv2-gateway
2025-05-08 17:06:18.103 +0300 [PNTF]: { 1: }: ====&amp;gt; IKEv2 IKE SA NEGOTIATION STARTED AS RESPONDER, non-rekey; gateway IKEv2-gateway &amp;lt;====
====&amp;gt; Initiated SA: 5.133.66.229[500]-88.118.127.99[55025] SPI:733e18ff8deacefd:f072cd9877704c4b SN:2 &amp;lt;====
2025-05-08 17:06:18.104 +0300 [INFO]: { 1: }: NAT detected: peer behind NAT
2025-05-08 17:06:18.104 +0300 [PWRN]: { 1: }: 5.133.66.229[500] - 88.118.127.99[55025]:0x55eb4ba1e000 ignoring unauthenticated notify payload (16430)
2025-05-08 17:06:18.104 +0300 [PWRN]: { 1: }: 5.133.66.229[500] - 88.118.127.99[55025]:0x55eb4ba1e000 ignoring unauthenticated notify payload (16431)
2025-05-08 17:06:18.104 +0300 [PWRN]: { 1: }: 5.133.66.229[500] - 88.118.127.99[55025]:0x55eb4ba1e000 ignoring unauthenticated notify payload (16406)
2025-05-08 17:06:18.108 +0300 [INFO]: { 1: }: build IKEv2 CR payload[0]: 'CN=zeusit.lt'
2025-05-08 17:06:18.167 +0300 [INFO]: { 1: }: cert received: subject=emailAddress=c100001@vpn.zeusit.lt,CN=c100001-vpn_zeusit_it
2025-05-08 17:06:18.167 +0300 [INFO]: { 1: }: cert received: issuer=CN=zeusit.lt[ee?]
2025-05-08 17:06:18.172 +0300 [PERR]: RSA_verify failed: 0:error:04091068:rsa routines:int_rsa_verify:bad signature:crypto/rsa/rsa_sign.c:228:
2025-05-08 17:06:18.172 +0300 [WARN]: { 1: }: 5.133.66.229[500] - 88.118.127.99[55025]:(nil) RSA_verify switch hash_alg SHA256 to SHA1
2025-05-08 17:06:18.172 +0300 [INFO]: { 1: }: 5.133.66.229[4500] - 88.118.127.99[55012]:0x7f660008a320 authentication result: success
2025-05-08 17:06:18.172 +0300 [PWRN]: { 1: }: 16384 is not a child notify type
2025-05-08 17:06:18.172 +0300 [INFO]: { 1: }: received Notify payload protocol 0 type INITIAL_CONTACT
2025-05-08 17:06:18.172 +0300 [PWRN]: { 1: }: 16396 is not a child notify type
2025-05-08 17:06:18.172 +0300 [INFO]: { 1: }: received Notify payload protocol 0 type MOBIKE_SUPPORTED
2025-05-08 17:06:18.172 +0300 [PWRN]: { 1: }: 16399 is not a child notify type
2025-05-08 17:06:18.172 +0300 [INFO]: { 1: }: received Notify payload protocol 0 type NO_ADDITIONAL_ADDRESSES
2025-05-08 17:06:18.172 +0300 [PWRN]: { 1: }: 16417 is not a child notify type
2025-05-08 17:06:18.172 +0300 [INFO]: { 1: }: received Notify payload protocol 0 type EAP_ONLY_AUTHENTICATION
2025-05-08 17:06:18.172 +0300 [PWRN]: { 1: }: 16420 is not a child notify type
2025-05-08 17:06:18.172 +0300 [INFO]: { 1: }: received Notify payload protocol 0 type 16420
2025-05-08 17:06:18.172 +0300 [PNTF]: { 1: }: ====&amp;gt; IKEv2 CHILD SA NEGOTIATION STARTED AS RESPONDER, non-rekey; gateway IKEv2-gateway &amp;lt;====
====&amp;gt; Initiated SA: 5.133.66.229[4500]-88.118.127.99[55012] message id:0x00000001 parent SN:2 &amp;lt;====
2025-05-08 17:06:18.172 +0300 [ERR ]: { 1: 2}: Proposal Unmatched.!
2025-05-08 17:06:18.173 +0300 [ERR ]: { 1: 2}: Proposal Unmatched.!
2025-05-08 17:06:18.173 +0300 [INFO]: { 1: 2}: SADB_UPDATE proto=255 0.0.0.0[55012]=&amp;gt;5.133.66.229[4500] ESP tunl spi 0xECF0D729 auth=SHA384 enc=AES256/32 lifetime soft 3108/0 hard 3600/0
2025-05-08 17:06:18.173 +0300 [INFO]: { 1: 2}: SADB_ADD proto=255 5.133.66.229[4500]=&amp;gt;88.118.127.99[55012] ESP tunl spi 0xCF038831 auth=SHA384 enc=AES256/32 lifetime soft 2898/0 hard 3600/0
2025-05-08 17:06:18.173 +0300 [PNTF]: { 1: 2}: ====&amp;gt; IPSEC KEY INSTALLATION SUCCEEDED; tunnel c100001-1:c100001 &amp;lt;====
====&amp;gt; Installed SA: 5.133.66.229[4500]-88.118.127.99[55012] SPI:0xECF0D729/0xCF038831 lifetime 3600 Sec lifesize unlimited &amp;lt;====
2025-05-08 17:06:18.173 +0300 [PNTF]: { 1: 2}: ====&amp;gt; IKEv2 CHILD SA NEGOTIATION SUCCEEDED AS RESPONDER, non-rekey; tunnel c100001-1:c100001 &amp;lt;====
====&amp;gt; Established SA: 5.133.66.229[4500]-88.118.127.99[55012] message id:0x00000001, SPI:0xECF0D729/0xCF038831 parent SN:2 &amp;lt;====
2025-05-08 17:06:18.173 +0300 [PNTF]: { 1: }: ====&amp;gt; IKEv2 IKE SA NEGOTIATION SUCCEEDED AS RESPONDER, non-rekey; gateway IKEv2-gateway &amp;lt;====
====&amp;gt; Established SA: 5.133.66.229[4500]-88.118.127.99[55012] SPI:733e18ff8deacefd:f072cd9877704c4b SN:2 lifetime
28800 Sec &amp;lt;====
2025-05-08 17:06:18.180 +0300 [INFO]: { 1: 2}: SPI ECF0D729 inserted by IKE responder, return 0 0.
2025-05-08 17:06:18.186 +0300 [INFO]: { 1: }: KA list add: 5.133.66.229[4500]-&amp;gt;88.118.127.99[55012], (in_use=1),total=1
2025-05-08 17:06:19.708 +0300 [INFO]: { 1: }: received DELETE payload, gateway IKEv2-gateway SA state ESTABLISHED, SPI 733e18ff8deacefd:f072cd9877704c4b
2025-05-08 17:06:19.708 +0300 [INFO]: { 1: }: 5.133.66.229[4500] - 88.118.127.99[55012]:(nil) closing IKEv2 SA IKEv2-gateway:2, code 7
2025-05-08 17:06:19.708 +0300 [PNTF]: { 1: 2}: ====&amp;gt; IPSEC KEY DELETED; tunnel c100001-1:c100001 &amp;lt;====
====&amp;gt; Deleted SA: 5.133.66.229[4500]-88.118.127.99[55012] SPI:0xECF0D729/0xCF038831 &amp;lt;====
2025-05-08 17:06:19.708 +0300 [INFO]: { 1: 2}: SADB_DELETE proto=255 src=0.0.0.0[0] dst=5.133.66.229[0] ESP spi=0xECF0D729
2025-05-08 17:06:19.710 +0300 [INFO]: { 1: 2}: SPI ECF0D729 removed by IKE SA delete, return 0 0.&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Here is client log:&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kemeris_0-1746714978115.png" style="width: 400px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/67470iF81FB9D12B01169B/image-size/medium?v=v2&amp;amp;px=400" role="button" title="kemeris_0-1746714978115.png" alt="kemeris_0-1746714978115.png" /&gt;&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I can also post my Palo Alto configuration if necessary.&lt;/P&gt;</description>
      <pubDate>Thu, 08 May 2025 14:40:41 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/client-to-site-ikev2-ipsec-without-globalprotect/m-p/1228503#M124229</guid>
      <dc:creator>kemeris</dc:creator>
      <dc:date>2025-05-08T14:40:41Z</dc:date>
    </item>
    <item>
      <title>Re: Client-to-Site IKEv2 IPSec without GlobalProtect</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/client-to-site-ikev2-ipsec-without-globalprotect/m-p/1228506#M124231</link>
      <description>&lt;P&gt;I use Android StrongSwan only for testing purposes, as it allows me to easily inspect logs. My main goal is to set up a Palo Alto IPSec tunnel that works with native Windows and macOS clients, so no third-party client is needed. We already have a VPN solution that requires a separate VPN client.&lt;/P&gt;</description>
      <pubDate>Thu, 08 May 2025 14:51:14 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/client-to-site-ikev2-ipsec-without-globalprotect/m-p/1228506#M124231</guid>
      <dc:creator>kemeris</dc:creator>
      <dc:date>2025-05-08T14:51:14Z</dc:date>
    </item>
    <item>
      <title>Re: Client-to-Site IKEv2 IPSec without GlobalProtect</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/client-to-site-ikev2-ipsec-without-globalprotect/m-p/1228509#M124232</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1469103411"&gt;@kemeris&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;
&lt;P&gt;I use Android StrongSwan only for testing purposes, as it allows me to easily inspect logs. My main goal is to set up a Palo Alto IPSec tunnel that works with native Windows and macOS clients, so no third-party client is needed. We already have a VPN solution that requires a separate VPN client.&lt;/P&gt;
&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;Oh ok, Windows/MacOS is a free/included license.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;If you already have a separate VPN solution with a separate VPN client, what purpose will Global Protect serve?&amp;nbsp; I understand the desire to not deploy a second VPN client onto an endpoint, but if you're wanting to use Global Protect I'm not sure there's a supported way forward without using the Global Protect endpoint software.&lt;/P&gt;</description>
      <pubDate>Thu, 08 May 2025 15:21:53 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/client-to-site-ikev2-ipsec-without-globalprotect/m-p/1228509#M124232</guid>
      <dc:creator>Brandon_Wertz</dc:creator>
      <dc:date>2025-05-08T15:21:53Z</dc:date>
    </item>
    <item>
      <title>Re: Client-to-Site IKEv2 IPSec without GlobalProtect</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/client-to-site-ikev2-ipsec-without-globalprotect/m-p/1228510#M124233</link>
      <description>&lt;P&gt;Looks like my reply with Palo Alto debug logs has been removed by staff.&amp;nbsp;Thank you #Kiwi for your help!&lt;/P&gt;</description>
      <pubDate>Thu, 08 May 2025 15:24:41 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/client-to-site-ikev2-ipsec-without-globalprotect/m-p/1228510#M124233</guid>
      <dc:creator>kemeris</dc:creator>
      <dc:date>2025-05-08T15:24:41Z</dc:date>
    </item>
  </channel>
</rss>

