topic Re: VPN SITE TO SITE PALO ALTO NETWORKS in General Topics

VPN SITE TO SITE PALO ALTO NETWORKS

ra7oub4 — Wed, 30 May 2018 09:10:24 GMT

Hello,

I configure a VPN tunnel between two firewalls Palo alto Networks . The tunnel status is up but the other network is unreacheable.

I configure the tunnel on the trust zone . I restart the firewalls without result . The first PA-500 with PANOS 7.1.0 and the second with PANOS 8.0.3

Should I do an upgrade to the OS? Or there is any suggestion to do ?

I will appreciate your helps.

Thank you

Re: VPN SITE TO SITE PALO ALTO NETWORKS

kiwi — Wed, 30 May 2018 09:49:35 GMT

Hi @ra7oub4,

Did you configure routes to the tunnel interface ? Any information in the logs ?

Eitherway, both PAN-OS versions are rather old and I would recommend upgrading.

7.1.0 was released in March 2016.

8.0.3 was released in June 2017.

A good resource with a lot of info :

https://live.paloaltonetworks.com/t5/Management-Articles/IPSec-and-tunneling-resource-list/ta-p/67721

Cheers !

-Kiwi.

Re: VPN SITE TO SITE PALO ALTO NETWORKS

ra7oub4 — Wed, 30 May 2018 10:07:50 GMT

Hello @kiwi

Thank you for your reply . Yes I configure the necessary route . I follow all the steps listed in this article

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-IPSec-VPN/ta-p/56535

In the logs, I found this information :

IKEv2 child SA negotiation is started as initiator, rekey. Initiated SA: x.x.x.x[500]-y.y.y.y[500] message id:0x00000000.
IKEv2 child SA negotiation is started as initiator, rekey. Initiated SA
IKEv2 IPSec SA delete message sent to peer. Protocol:ESP, SPI:0x982EEEEA

Have you any suggestion to do . Thanks

Re: VPN SITE TO SITE PALO ALTO NETWORKS

kiwi — Wed, 30 May 2018 13:04:31 GMT

Hi @ra7oub4,

I'm leaning towards some negotiation issues... doublecheck if settings are the same on both ends.

Also try increasing the debug level for more information :

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Troubleshoot-IPSec-VPN-connectivity-issues/ta-p/59187

https://live.paloaltonetworks.com/t5/Management-Articles/Advanced-VPN-IPSec-troubleshooting-8-0-enable-debugging-per-VPN/ta-p/169303

Cheers,

-Kiwi.

Re: VPN SITE TO SITE PALO ALTO NETWORKS

LukeBullimore — Fri, 01 Jun 2018 15:59:26 GMT

HI,

You mentioned you applied your tunnel interface to the "Trust" zone. Is there a possibility that your VPN traffic is being NATted?

What happens if you make a new zone for the tunnel interface?

Thanks,

Luke.

Re: VPN SITE TO SITE PALO ALTO NETWORKS

ra7oub4 — Wed, 06 Jun 2018 11:24:54 GMT

Hello @kiwi @LukeBullimore

Thank you for your response . I try to configure the VPN in another Zone called VPNZone without result.

I found this logs in the monitor tab:

IKE protocol IPSec SA delete message sent to peer.
IKE daemon configuration load phase-2 succeeded
IKE daemon configuration load phase-1 succeeded
IKE daemon configuration load phase-1 aborted
IKE daemon configuration load phase-2 aborted
Installed SA: 1.1.1.1[500]-2.2.2.2[500] SPI:0xBC2E363C/0xCAE56096 lifetime 3600 Sec lifesize unlimited

I will appreciate all your help

Thank you!

Re: VPN SITE TO SITE PALO ALTO NETWORKS

LukeBullimore — Wed, 06 Jun 2018 13:20:40 GMT

After configuring the new zone, did you create a security policy rule to allow traffic? e,g,

from: VPNZone

source: any

to: any

destination: any

application:any

service: any

action: allow

Re: VPN SITE TO SITE PALO ALTO NETWORKS

ra7oub4 — Wed, 06 Jun 2018 16:39:13 GMT

Hello ,

Yes, I configured this security rule without result .

I allow trafic:

From :

VPNZone

InternalZone

source: any

TO:

InternalZone

VPNZone

destination: any

application:any

service: any

action: allow

Should I modify the destination to any?