topic Re: IPSec P2P VPN Tunnel not working in General Topics

IPSec P2P VPN Tunnel not working

Filip_Fronczak — Fri, 26 Oct 2018 12:20:17 GMT

Hi,

I am trying to terminate on PaloAlto VM-100 (8.0.13) an IPsec tunnel.

It seems that the other side is not able to connect at all. We have checke all IKE settings and they seem OK.
I am using a Loopback interface with an external IP address (exactly as I am using for the GlobalProtect VPN which is working fine).
Do I have to create any NAT rules for the IPsec tunnel to work? I do not have any NAT rules for Global Protect.

Thank you for any suggestions.

Re: IPSec P2P VPN Tunnel not working

santonic — Fri, 26 Oct 2018 13:25:17 GMT

Do you see allowed IKE packets comming to this IP? What do the logs of the other device say? Do you have any VPN related logs on your device for this connection?

Re: IPSec P2P VPN Tunnel not working

Filip_Fronczak — Fri, 26 Oct 2018 14:18:10 GMT

The connectio has been created from the scratch on the partner (initiator) side and it started to work.

Seems that everything was OK on our side.

Thank you 🙂

Re: IPSec P2P VPN Tunnel not working

Filip_Fronczak — Sun, 28 Oct 2018 14:30:36 GMT

Well... tonight I had to restart the PA and after I saw that the IPsec is all red.

I went to CLI and:

> show vpn ike-sa gateway xxx_IKE_GW

IKE SA for gateway ID 1 not found.

> test vpn ike-sa gateway xxx_IKE_GW

Start time: Oct.28 01:47:20
Initiate 1 IKE SA.

> show vpn ike-sa gateway xxx_IKE_GW

IKEv1 phase-1 SAs
GwID/client IP Peer-Address Gateway Name Role Mode Algorithm Established Expiration V ST Xt Phase2
-------------- ------------ ------------ ---- ---- --------- ----------- ---------- - -- -- ------
1 nn.nn.254.2 xxx_IKE_GW Init Main PSK/ DH2/3DES/SHA1 Oct.28 01:47:20 Oct.28 08:47:20 v1 13 1 1

Show IKEv1 IKE SA: Total 1 gateways found. 1 ike sa found.

IKEv1 phase-2 SAs
Gateway Name TnID Tunnel GwID/IP Role Algorithm SPI(in) SPI(out) MsgID ST Xt
------------ ---- ------ ------- ---- --------- ------- -------- ----- -- --
xxx_IKE_GW 3 xxx:xxx 1 Resp ESP/ DH2/tunl/SHA1 F4010E4C 60330C71 1C5EA19E 9 1

Show IKEv1 phase2 SA: Total 1 gateways found. 1 ike sa found.

There is no IKEv2 SA found.

It seems that invoking the test vpn ike-sa gateway xxx_IKE_GW command initiated the IKE SA.

Why didn't it work automatically? Do I always have to do this after reboot? I guess it should wor by itself, shouldn't it?

See my other thread about the GlobalProtect GW:

https://live.paloaltonetworks.com/t5/General-Topics/GlobalProtect-stopped-to-work-after-appliance-reboot/m-p/237468/thread-id/68035/highlight/false#M68039

Re: IPSec P2P VPN Tunnel not working

Raido_Rattameister — Sun, 28 Oct 2018 00:37:51 GMT

Unless you have vpn monitoring configured vpn tunnel is initiated only if devices try to send traffic to other side (if there is interesting traffic).

Re: IPSec P2P VPN Tunnel not working

MP18 — Sun, 28 Oct 2018 04:06:58 GMT

So when there is no interesting traffic on GUI of IPsec tunnel we will see both reds?

mean both ike and ipsec will be down with out interesting traffic?

Re: IPSec P2P VPN Tunnel not working

Raido_Rattameister — Sun, 28 Oct 2018 14:32:31 GMT

Yes

If you want it to be green then configure tunnel monitoring.

Re: IPSec P2P VPN Tunnel not working

MP18 — Sun, 28 Oct 2018 14:47:22 GMT

Thanks for reply back.

Will enable tunnel Monitor and give it a test.