topic Re: Probably a strange question...but Linksys RV082 and PA VPN tunnel anyone? in General Topics

Probably a strange question...but Linksys RV082 and PA VPN tunnel anyone?

johnny_five — Mon, 24 Sep 2018 14:19:24 GMT

Been trying to get a VPN tunnel working between a Linksys Rv082 and Palo Alto. (dont ask...)

But no luck in the testing, i based my PA config on the Linksys Rv082 settings, wich i got from the person that is on the other end, but so far - no success. Anybody tried this before ?I would appreciate any experiance or pointers.

i provided a link to Linksys emulated routers (http://ui.linksys.com/LRT214/v1.0.2.06/gateway_to_gateway.htm )

This link is not the same router, but still the settings are the same.

Thank you

Regards Johnny_5

Re: Probably a strange question...but Linksys RV082 and PA VPN tunnel anyone?

VinceM — Mon, 24 Sep 2018 14:30:48 GMT

Hi,

If config shown on the link is the same as in your prod make theses change

no DES or 3DES, no SHA1.

Which have have you got in your palo monitor / System tab ??

Re: Probably a strange question...but Linksys RV082 and PA VPN tunnel anyone?

Remo — Mon, 24 Sep 2018 15:50:22 GMT

As paloalto also supports these weak algorithms, I don't think this is the problem. But as @VinceM already wrote: Do NOT use these algorithms! They are weak and easy to crack since many years.

Anyway, for more helpful troubleshooting results you should ask the other person to do a connection test because in this case you will have more information in the systemlogs on your PA about the actual reason that prevents a successfull connection.

Re: Probably a strange question...but Linksys RV082 and PA VPN tunnel anyone?

johnny_five — Tue, 25 Sep 2018 18:38:51 GMT

i will post complete konfig for both tomorrow, that way it will be easier to see i think.

the ips have been changed to protect the innocent.

LinksysR1
<---------->
LAN 10.3.2.1/24 (device-router)
WAN Static 199.167.52.137 /255.255.255.248
Default GW 199.167.52.136
dns1 199.167.52.10
dns2 199.167.52.11

ipsec
Local group:
local security GW type: ip only
ip address:199.167.52.137
local security group type:subnet
ip address: 10.3.2.0/24

remote group:
remote security Gw type: ip only
ip address:194.167.54.8
remote security group type:subnet
ip address: 10.4.8.0/24

name: tunnel fun
Phase2:AES/SHA1
local group:10.3.2.0/24
remote group:10.4.8.0/24
remote GW: 194.167.54.8

Keying mode: ike w/preshared key
Phase1 DH Group: Group1
Phase1 encryption: AES-256
phase1 authentication: SHA1
phase1 SA life time: 28800
perfect forward secrecy
Phase2 DH Group: Group1
Phase2 encryption: AES-256
phase2 authentication: SHA1
phase2 SA life time: 28800
pre-shared key: barreloffun

advanced:
keep-alive
Netbios broadcast
dead peer detection (DPD) interval 10 sec

Re: Probably a strange question...but Linksys RV082 and PA VPN tunnel anyone?

johnny_five — Tue, 25 Sep 2018 18:41:22 GMT

I think 2 possible errors

1. tunnel cihpers are mismatch

2. static routing could be wrong.

Palo Alto konfig:

<ethernet>
<entry name="ethernet1/1">
<layer3>
<ipv6>
<neighbor-discovery>
<router-advertisement>
<enable>no</enable>
</router-advertisement>
</neighbor-discovery>
</ipv6>
<ndp-proxy>
<enabled>no</enabled>
</ndp-proxy>
<lldp>
<enable>no</enable>
</lldp>
<ip>
<entry name="194.167.54.8"/>
</ip>
<interface-management-profile>Allow Ping</interface-management-profile>
</layer3>
<comment>ISPånd</comment>
</entry>
<entry name="ethernet1/2">
<layer3>
<ipv6>
<neighbor-discovery>
<router-advertisement>
<enable>no</enable>
</router-advertisement>
</neighbor-discovery>
</ipv6>
<ndp-proxy>
<enabled>no</enabled>
</ndp-proxy>
<lldp>
<enable>no</enable>
</lldp>
<ip>
<entry name="10.4.8.1/24"/>
</ip>
</layer3>
<comment>test_client</comment>
</entry>
</ethernet>
<loopback>
<units/>
</loopback>
<vlan>
<units/>
</vlan>
<tunnel>
<units>
<entry name="tunnel.1"/>
</units>
</tunnel>
</interface>
<vlan/>
<virtual-wire/>
<profiles>
<monitor-profile>
<entry name="default">
<interval>3</interval>
<threshold>5</threshold>
<action>wait-recover</action>
</entry>
</monitor-profile>
<interface-management-profile>
<entry name="Allow Ping">
<ping>yes</ping>
</entry>
</interface-management-profile>
</profiles>
<ike>
<crypto-profiles>
<ike-crypto-profiles>
<entry name="default">
<encryption>
<member>aes-128-cbc</member>
<member>3des</member>
</encryption>
<hash>
<member>sha1</member>
</hash>
<dh-group>
<member>group2</member>
</dh-group>
<lifetime>
<hours>8</hours>
</lifetime>
</entry>
<entry name="Suite-B-GCM-128">
<encryption>
<member>aes-128-cbc</member>
</encryption>
<hash>
<member>sha256</member>
</hash>
<dh-group>
<member>group19</member>
</dh-group>
<lifetime>
<hours>8</hours>
</lifetime>
</entry>
<entry name="Suite-B-GCM-256">
<encryption>
<member>aes-256-cbc</member>
</encryption>
<hash>
<member>sha384</member>
</hash>
<dh-group>
<member>group20</member>
</dh-group>
<lifetime>
<hours>8</hours>
</lifetime>
</entry>
</ike-crypto-profiles>
<ipsec-crypto-profiles>
<entry name="default">
<esp>
<encryption>
<member>aes-128-cbc</member>
<member>3des</member>
</encryption>
<authentication>
<member>sha1</member>
</authentication>
</esp>
<dh-group>group2</dh-group>
<lifetime>
<hours>1</hours>
</lifetime>
</entry>
<entry name="Suite-B-GCM-128">
<esp>
<encryption>
<member>aes-128-gcm</member>
</encryption>
<authentication>
<member>none</member>
</authentication>
</esp>
<dh-group>group19</dh-group>
<lifetime>
<hours>1</hours>
</lifetime>
</entry>
<entry name="Suite-B-GCM-256">
<esp>
<encryption>
<member>aes-256-gcm</member>
</encryption>
<authentication>
<member>none</member>
</authentication>
</esp>
<dh-group>group20</dh-group>
<lifetime>
<hours>1</hours>
</lifetime>
</entry>
<entry name="Crypto2">
<esp>
<authentication>
<member>sha1</member>
</authentication>
<encryption>
<member>aes-256-cbc</member>
<member>aes-256-gcm</member>
</encryption>
</esp>
<lifetime>
<hours>28800</hours>
</lifetime>
<dh-group>group2</dh-group>
</entry>
<entry name="Crypto1">
<esp>
<authentication>
<member>sha1</member>
</authentication>
<encryption>
<member>aes-256-cbc</member>
<member>aes-256-gcm</member>
</encryption>
</esp>
<lifetime>
<hours>28800</hours>
</lifetime>
<dh-group>group1</dh-group>
</entry>
</ipsec-crypto-profiles>
<global-protect-app-crypto-profiles>
<entry name="default">
<encryption>
<member>aes-128-cbc</member>
</encryption>
<authentication>
<member>sha1</member>
</authentication>
</entry>
</global-protect-app-crypto-profiles>
</crypto-profiles>
<gateway>
<entry name="I_Like_IKE">
<authentication>
<pre-shared-key>
<key>-AQ==Tunneoffun=</key>
</pre-shared-key>
</authentication>
<protocol>
<ikev1>
<dpd>
<enable>yes</enable>
</dpd>
</ikev1>
<ikev2>
<dpd>
<enable>yes</enable>
</dpd>
</ikev2>
<version>ikev1</version>
</protocol>
<local-address>
<ip>194.167.54.8/29</ip>
<interface>ethernet1/1</interface>
</local-address>
<protocol-common>
<nat-traversal>
<enable>no</enable>
</nat-traversal>
<fragmentation>
<enable>no</enable>
</fragmentation>
</protocol-common>
<peer-address>
<ip>199.167.52.137</ip>
</peer-address>
</entry>
</gateway>
</ike>
<qos>
<profile>
<entry name="default">
<class>
<entry name="class1">
<priority>real-time</priority>
</entry>
<entry name="class2">
<priority>high</priority>
</entry>
<entry name="class3">
<priority>high</priority>
</entry>
<entry name="class4">
<priority>medium</priority>
</entry>
<entry name="class5">
<priority>medium</priority>
</entry>
<entry name="class6">
<priority>low</priority>
</entry>
<entry name="class7">
<priority>low</priority>
</entry>
<entry name="class8">
<priority>low</priority>
</entry>
</class>
</entry>
</profile>
</qos>
<virtual-router>
<entry name="ISP Static">
<protocol>
<bgp>
<enable>no</enable>
<dampening-profile>
<entry name="default">
<cutoff>1.25</cutoff>
<reuse>0.5</reuse>
<max-hold-time>900</max-hold-time>
<decay-half-life-reachable>300</decay-half-life-reachable>
<decay-half-life-unreachable>900</decay-half-life-unreachable>
<enable>yes</enable>
</entry>
</dampening-profile>
<routing-options>
<graceful-restart>
<enable>yes</enable>
</graceful-restart>
</routing-options>
</bgp>
</protocol>
<interface>
<member>ethernet1/1</member>
<member>ethernet1/2</member>
<member>tunnel.1</member>
</interface>
<ecmp>
<algorithm>
<ip-modulo/>
</algorithm>
</ecmp>
<routing-table>
<ip>
<static-route>
<entry name="ISP Static">
<path-monitor>
<enable>no</enable>
<failure-condition>any</failure-condition>
<hold-time>2</hold-time>
</path-monitor>
<nexthop>
<ip-address>199.167.52.136</ip-address>
</nexthop>
<interface>ethernet1/1</interface>
<metric>10</metric>
<destination>0.0.0.0/0</destination>
<route-table>
<unicast/>
</route-table>
</entry>
</static-route>
</ip>
</routing-table>
</entry>
</virtual-router>
<tunnel>
<ipsec>
<entry name="ipsec1">
<auto-key>
<ike-gateway>
<entry name="I_Like_IKE"/>
</ike-gateway>
<ipsec-crypto-profile>Crypto1</ipsec-crypto-profile>
</auto-key>
<tunnel-monitor>
<enable>no</enable>
</tunnel-monitor>
<tunnel-interface>tunnel.1</tunnel-interface>
<anti-replay>yes</anti-replay>
</entry>
</ipsec>
</tunnel>
</network>
<deviceconfig>
<system>
<ip-address>192.168.2.1</ip-address>
<netmask>255.255.255.0</netmask>
<update-server>updates.paloaltonetworks.com</update-server>
<update-schedule>
<threats>
<recurring>
<weekly>
<day-of-week>weday</day-of-week>
<at>01:00</at>
<action>download-only</action>
</weekly>
</recurring>
</threats>
</update-schedule>
<timezone>mars</timezone>
<service>
<disable-telnet>yes</disable-telnet>
<disable-http>yes</disable-http>
</service>
<hostname>PA</hostname>
<default-gateway>192.168.1.1</default-gateway>
<dns-setting>
<servers>
<primary>8.8.8.8</primary>
<secondary>8.8.4.4</secondary>
</servers>
</dns-setting>
<route>
<service>
<entry name="dns">
<source>
<address>194.167.54.8/29</address>
<interface>ethernet1/1</interface>
</source>
</entry>
<entry name="ntp">
<source>
<address>194.167.54.8/29</address>
<interface>ethernet1/1</interface>
</source>
</entry>
<entry name="paloalto-networks-services">
<source>
<address>194.167.54.8/29</address>
<interface>ethernet1/1</interface>
</source>
</entry>
<entry name="url-updates">
<source>
<address>194.167.54.8/29</address>
<interface>ethernet1/1</interface>
</source>
</entry>
</service>
</route>
<ntp-servers>
<primary-ntp-server>
<ntp-server-address>timeaftertime.timeaftertime</ntp-server-address>
<authentication-type>
<none/>
</authentication-type>
</primary-ntp-server>
</ntp-servers>
</system>
<setting>
<config>
<rematch>yes</rematch>
</config>
<management>
<hostname-type-in-syslog>FQDN</hostname-type-in-syslog>
</management>
</setting>
</deviceconfig>
<vsys>
<entry name="vsys1">
<application/>
<application-group/>
<zone>
<entry name="THe_!Internet">
<network>
<layer3>
<member>ethernet1/1</member>
</layer3>
</network>
</entry>
<entry name="Test Client">
<network>
<layer3>
<member>ethernet1/2</member>
</layer3>
</network>
</entry>
<entry name="TUN1">
<network>
<layer3>
<member>tunnel.1</member>
</layer3>
</network>
</entry>
</zone>
<service/>
<service-group/>
<schedule/>
<rulebase>
<security>
<rules>
<entry name="Allow-Any">
<to>
<member>Test Client</member>
<member>THe_!Internet</member>
<member>TUN1</member>
</to>
<from>
<member>any</member>
</from>
<source>
<member>any</member>
</source>
<destination>
<member>any</member>
</destination>
<source-user>
<member>any</member>
</source-user>
<category>
<member>any</member>
</category>
<application>
<member>any</member>
</application>
<service>
<member>application-default</member>
</service>
<hip-profiles>
<member>any</member>
</hip-profiles>
<action>allow</action>
</entry>
</rules>
</security>
</rulebase>
<import>
<network>
<interface>
<member>ethernet1/1</member>
<member>ethernet1/2</member>
<member>tunnel.1</member>
</interface>
</network>
</import>
</entry>
</vsys>
</entry>
</devices>
</config>

Re: Probably a strange question...but Linksys RV082 and PA VPN tunnel anyone?

Remo — Sun, 30 Sep 2018 10:23:44 GMT

@johnny_five

Maybe I overlooked something in this config but right now it seems to me that the config on PA side is incomplete: Phase 2 networks and phase 1 crypto settings.

Re: Probably a strange question...but Linksys RV082 and PA VPN tunnel anyone?

johnny_five — Sun, 30 Sep 2018 18:18:38 GMT

i hate to quote myself, but i was on to something when i posted this(execpt the static thing);

"I think 2 possible errors,1. tunnel cihpers are mismatch,2. static routing could be wrong."

Well the solution was i fact a mismatch of DH group 1 and DH group 2. Also went from MD5 to SHA1.

After fixing this the tunnel was successful, but only one side could ping, the other could not.

So found out that the policy was also missing a zone for the vpn tunnel traffic.

So adding ----> Source: zLAN+zVPN & Destination: zLAN+zVPN.

Solved the issue, now both sides can ping and traffic flows.

Thank you for your feedback and sorry i did not post the solution earlier, but i was pressed for time and there was a delivery dead line....Johnny_Five is alive!