topic Site to site VPN help :( in General Topics

Site to site VPN help :(

jeremylo — Thu, 30 Aug 2018 06:21:46 GMT

Unable to make VPN work. Both "IKE Info" and "Tunnel Info" are red light in IPSec Tunnel.

The peer is a Juniper vSRX.

Normal configuration with trust, untrust and VPN zone in both firewall. Each zone has its own subnet.

Both firewall can ping each other untrust interface.

Workstations behind the firewalls can ping firewall's untrust interface too (default route + source NAT)

Security policy for VPN zone to VPN zone set to allow any.

debug ike gateway and tunnel were on

ikemgr.log show "SA dying from state INI_IKE_SA_INIT_SENT, caller ikev2_abort" after 10 times retry.

test and show vpn ike-sa gateway show

State: "INIT send <= Idle <== Idle <== Idle"

reason: ikev2_initiator_start

I think this is what SA keep trying.

I have no idea how to solve this.

Re: Site to site VPN help :(

reaper — Thu, 30 Aug 2018 11:56:11 GMT

looks like they're not playing ball

verify all ike settings from a fresh perspective to make sure all parameters are correct (peer ip is accurtate, negotiation settings are good etc )

From the PA you can manually initiate by using > test vpn ike-sa gateway <gateway> (and > test vpn ipsec-sa gateway <gw> for phase2 )

if there's a similar command on the juniper you should try that too, being able to compare 'inbound' system logs may grant more visibility in your issue than staring at debug logs (inbound system logs wil tell you what the remote end is doing wrong, if no system logs show up, the remote end is not talking or is being blocked)

Re: Site to site VPN help :(

OtakarKlier — Thu, 30 Aug 2018 13:49:14 GMT

Hello,

I found a few articles that talk about VPN's between Juniper and PAN. They might be worth checking out?

https://live.paloaltonetworks.com/t5/Learning-Articles/Tips-for-Configuring-a-Juniper-SRX-IPSEC-VPN-Tunnel-to-a-Palo/ta-p/61287

https://live.paloaltonetworks.com/t5/Configuration-Articles/PanOS-to-Juniper-SRX-Route-Based-VPN-with-OSPF/ta-p/53112

Hope that helps.

Re: Site to site VPN help :(

jeremylo — Fri, 31 Aug 2018 01:32:08 GMT

Hello. I think I overlook the type of VPN - "Route-based" and "Policy-based".

I don't even know I'm using which type. Policy-based require setup "Proxy ID" and I don't have any of it.

Found some info in https://blog.webernetz.net/route-vs-policy-based-vpn-tunnels/

Mention that PaloAlto don't support Policy-based VPN. Is that true?

Re: Site to site VPN help :(

reaper — Fri, 31 Aug 2018 06:24:44 GMT

hi @jeremylo

We are route based, which means that how the tunnel is set up and how traffic is put into it are 2 separate processes

a policy based system combines those 2 functions

This in itself is not a big issue, as ProxyIDs fix that 'incompatibility'

A route based VPN solution simply requires you to set up a VPN profile (peer, crypto, ..) and then add routes on the VirtualRouter that point to the tunnel interface for all the subnets at the other end of the tunnel

A policy-based system combines the subnets that need to speak to each other in the VPN decision process, which can be simulated by creating matching subnet pairs in ProxyID which would tell the remote (policy-based) system the routing pairs

So the statement that we don't support policy based VPN is false (at the bottom of the article you can see they included a chart where we are marked as supporting policy based 😉 ). We aren't policy based but we do provide the proxyID functionality to make us compatible

for the Juniper SRX use the 'bind-interface' option when configuring the ipsec vpn to make it route based

Re: Site to site VPN help :(

jeremylo — Thu, 06 Sep 2018 07:53:02 GMT

Reason found. The vSRX was faulty. Setup and use the new version vSRX has no problem