https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-issue-between-palo-and-ms-azure/m-p/98312#M44127 <P>So, we know the IPSEC tunnell is using IKEv2, as is stated here.</P> <P>We also know that the error states "lacks KE Payload", So I looked for that.. and found this from:</P> <P><A href="https://tools.ietf.org/html/rfc4306" target="_blank">https://tools.ietf.org/html/rfc4306</A></P> <P>&nbsp;</P> <PRE class="newpage"><SPAN class="grey"><A href="https://tools.ietf.org/html/rfc4306" target="_blank">RFC 4306</A> IKEv2 December 2005</SPAN> A CHILD_SA is created by sending a CREATE_CHILD_SA request. The CREATE_CHILD_SA request MAY optionally contain a KE payload for an additional Diffie-Hellman exchange to enable stronger guarantees of forward secrecy for the CHILD_SA. The keying material for the CHILD_SA is a function of SK_d established during the establishment of the IKE_SA, the nonces exchanged during the CREATE_CHILD_SA exchange, and the Diffie-Hellman value (if KE payloads are included in the CREATE_CHILD_SA exchange). In the CHILD_SA created as part of the initial exchange, a second KE payload and nonce MUST NOT be sent. The nonces from the initial exchange are used in computing the keys for the CHILD_SA.</PRE> <P>&nbsp;</P> <P>It talks about there being an Optional KE Payload. &nbsp;.. but the KE is the Key Exchange info..</P> <P>And because the PAN is a "responder" in this IPSEC setup, it sounds like the&nbsp;PAN side is looking for the KE packet, but is not seeing it, thus not bringing the tunnel up.</P> <P>&nbsp;</P> <P>I would recommend talking with the Azure end, and seeing if they have this configured or not.</P> <P>At the same time, I would recommend you checking the Crypto settings and ensure that all values match for Phase 1 - IKE and Phse 2 - IPSEC.</P> <P>&nbsp;</P> <P>It sounds like after you confirm this info, that giving support here a call and they can continue working with you if you cannot get the tunnel working.</P> <P>&nbsp;</P> Mon, 18 Jul 2016 18:19:21 GMT jdelio 2016-07-18T18:19:21Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-issue-between-palo-and-ms-azure/m-p/98286#M44121 <P>Hi Guys,</P><P>&nbsp;</P><P>Having problems with a site2site VPN connection on a palo alto firewall. It seems to randomly drop and stop working. Sometimes it will stay up for days then drop and other times it stays up for about an hour and then drop. I have followed various guides from palo and Microsoft (this is a VPN to MS Azure) on how to configure it and as I say it works but seemingly decides to drop for reasons unknown.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="VPN logs.png" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/4863iCFFC9D82295FCE00/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="VPN logs.png" alt="VPN logs.png" /></span></P><P>Any ideas?</P><P>&nbsp;</P><P>Thank you,</P> Mon, 18 Jul 2016 11:07:18 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-issue-between-palo-and-ms-azure/m-p/98286#M44121 TranceforLife 2016-07-18T11:07:18Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-issue-between-palo-and-ms-azure/m-p/98312#M44127 <P>So, we know the IPSEC tunnell is using IKEv2, as is stated here.</P> <P>We also know that the error states "lacks KE Payload", So I looked for that.. and found this from:</P> <P><A href="https://tools.ietf.org/html/rfc4306" target="_blank">https://tools.ietf.org/html/rfc4306</A></P> <P>&nbsp;</P> <PRE class="newpage"><SPAN class="grey"><A href="https://tools.ietf.org/html/rfc4306" target="_blank">RFC 4306</A> IKEv2 December 2005</SPAN> A CHILD_SA is created by sending a CREATE_CHILD_SA request. The CREATE_CHILD_SA request MAY optionally contain a KE payload for an additional Diffie-Hellman exchange to enable stronger guarantees of forward secrecy for the CHILD_SA. The keying material for the CHILD_SA is a function of SK_d established during the establishment of the IKE_SA, the nonces exchanged during the CREATE_CHILD_SA exchange, and the Diffie-Hellman value (if KE payloads are included in the CREATE_CHILD_SA exchange). In the CHILD_SA created as part of the initial exchange, a second KE payload and nonce MUST NOT be sent. The nonces from the initial exchange are used in computing the keys for the CHILD_SA.</PRE> <P>&nbsp;</P> <P>It talks about there being an Optional KE Payload. &nbsp;.. but the KE is the Key Exchange info..</P> <P>And because the PAN is a "responder" in this IPSEC setup, it sounds like the&nbsp;PAN side is looking for the KE packet, but is not seeing it, thus not bringing the tunnel up.</P> <P>&nbsp;</P> <P>I would recommend talking with the Azure end, and seeing if they have this configured or not.</P> <P>At the same time, I would recommend you checking the Crypto settings and ensure that all values match for Phase 1 - IKE and Phse 2 - IPSEC.</P> <P>&nbsp;</P> <P>It sounds like after you confirm this info, that giving support here a call and they can continue working with you if you cannot get the tunnel working.</P> <P>&nbsp;</P> Mon, 18 Jul 2016 18:19:21 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-issue-between-palo-and-ms-azure/m-p/98312#M44127 jdelio 2016-07-18T18:19:21Z