topic Re: Trouble with IPSec Site2Site VPN in General Topics

Trouble with IPSec Site2Site VPN

c.keller — Wed, 07 Oct 2020 17:32:42 GMT

I am a beginner in the Palo Alto World.

I want to setup a Site2Site VPN to a customer.
The customer has a Palo Alto System running.

I cannot get the tunnel up.

The admin of the customer and me are troubleshooting the problems, but so far nothing is working.

The customer site seems to be ok, because he has some other site2site VPNs running.

My firewall is connected via Ethernet 1/1 to Fritzbox Router. I have Global Protect running, so the connection to internet is setup correctly so far. My Router has a port forwarding for (TCP442, UDP4500,4501,500 and ESP Protocol to the Firewall.

IPSec Crypto and IKE Crypto is correctly set up and checked multiple times.

Parameter of IKE Gateway is

Address Type IP4
Interface ethernet1/1 (connected to Fritzbox)
Local IP: -> Here is my 1. question : IP Adress of Firewall (Router), or public IP?
Peer IP Address Type IP
Peer Address: x.x.x.x IP Address of customer
Authentication: Pre-Shared Key
Pre-shared key: xxxxxxxxxx
Local identification: None -> Should here be my public ip? If yes, what has the customer to set up.
Peer Identifikation: None -> Should here be the Address of the customer?

Advanced Option:

Enable passive mode: off
Enable NAT Traversal: Should it be on or off.

IPSec Tunnels
3 ProxyIDs

If it do test vpn through cli i get following messages:

In case public ip address as local address
2020-10-07 07:50:30.965 +0200 [INFO]: { 1: }: Gateway-GW: IKEv2 SA test initiate start. 2020-10-07 07:50:30.965 +0200 [PNTF]: { 1: }:
====> IKEv2 IKE SA NEGOTIATION STARTED AS INITIATOR, non-rekey; gateway Prominent-GW <==== ====> Initiated SA: PublicIP[500]-CustomerIP[500] SPI:f3fd987d11f3e10f:0000000000000000 SN:43 <====
logfiles end here

In case of IP Address of router as local ip address
2020-10-07 07:57:51.550 +0200 [INFO]: { 1: }: Gateway-GW: IKEv2 SA test initiate start.
2020-10-07 07:57:51.550 +0200 [PNTF]: { 1: }: ====> IKEv2 IKE SA NEGOTIATION STARTED AS INITIATOR, non-rekey; gateway Gateway-GW <==== ====> Initiated SA: 192.168.178.7[500]-CustomerIP[500] SPI:b66c331180c0f75f:0000000000000000 SN:44 <====
2020-10-07 07:57:51.601 +0200 [PWRN]: { 1: }: 192.168.178.7[500] - CustomerIP[500]:0x10344480 [Prominent-GW:44] unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings.
2020-10-07 07:57:57.051 +0200 [PWRN]: { 1: }: 192.168.178.7[500] - CustomerIP[500]:0x10344640 [Prominent-GW:44] unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings.
2020-10-07 07:58:07.062 +0200 [PWRN]: { 1: }: 192.168.178.7[500] - CustomerIP[500]:0x10344480 [Prominent-GW:44] unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings.

For testing i allowed everything in security policy.

So how can i find the issue. Any suggestion to troubleshoot this problem.

Thank you for your help.

Re: Trouble with IPSec Site2Site VPN

Abdul-Fattah — Wed, 07 Oct 2020 19:31:01 GMT

Hi,

sincei port forwarding enabled, local IP would be the firewall ip local id is same as what you set on the other side as peer id. Your Peer-id set it to customer public ip, NAT traversal is also not needed,
Try to turn off the firewall on your Fritzbox.
If that didn’t help, turn on ike passive mode on your firewall and make the other side initiate the connection.

Re: Trouble with IPSec Site2Site VPN

BPry — Wed, 07 Oct 2020 21:32:30 GMT

@c.keller

Local identification: None -> Should here be my public ip? If yes, what has the customer to set up.

Your local identification can be literally anything you want it to be, as long as the other side has it setup as their peer identification. This can be done by any option as long as you have it configured correctly on the other end. IP Address is the most common followed by FQDN, but as long as what you are sending is what the other end is expecting it'll work.
Peer Identifikation: None -> Should here be the Address of the customer?

The Peer Identification needs to be whatever the other end has set as their local identification, so you need to get this information from the customer. Usually, it's the IP Address or the FQDN, but it can be any option supported.

Again, the IP Address is the most common ID to use but it isn't the only one. There's a couple caveats with the other methods, but as long as both peers are sending/expecting the same information it should work fine (baring running into these caveats like FQDN use when set to aggressive mode, ect).You can leave these options set to none and you want them to match on each node.

Re: Trouble with IPSec Site2Site VPN

c.keller — Thu, 08 Oct 2020 04:39:41 GMT

@BPry Thanks for the quick answer.

The customer is a big company and they can not change things on PA as quickly i can.

At the moment they have Peer IP set to my public ip. The local and peer identification is set to none.

The NAT-T option is set to false.

I tried a lot of different things in the past week, without success.

If i use public ip in the as Ethernet1/1 (I have to add a subinterface to Ethernet1/1 and use public IP Address). Global Protect breaks and i think no communication works. But if i use firewall IP address with interface, i think customers firewall does not allow it.

I think the IP will not be translated to my public ip and the tunnel does not get up.

Is there a chance to do something, without changing the customer part?

I wondering, is this not common to have the PA to a router? Because i saw in the other rules to different companies, that they use alway public ip as peer (customer PA) with local and peer identifier set to none.

Re: Trouble with IPSec Site2Site VPN

c.keller — Thu, 08 Oct 2020 04:40:22 GMT

Thanks to your answer. Will try the firewall switch off.

Re: Trouble with IPSec Site2Site VPN

c.keller — Thu, 08 Oct 2020 05:07:42 GMT

Another quick question: Do Global Protect interfere with site2site vpn? This is a suggestion by the customer?

Re: Trouble with IPSec Site2Site VPN

c.keller — Thu, 08 Oct 2020 05:44:36 GMT

@Abdul-Fattah : Firewall off had no effect.

Re: Trouble with IPSec Site2Site VPN

Abdul-Fattah — Thu, 08 Oct 2020 07:43:40 GMT

@c.keller

if you set the ID to none by default the firewall will use the IP, so make sure that the customer side Peer-ID and your Local-ID match.

if the problem with the Identification you will recieve a notification in the logs.

what system logs is your firewall reporting regarding the IPsec?

is the firewall receiving or trying to make a connection to the other end?, check sessions and traffic logs.

Re: Trouble with IPSec Site2Site VPN

c.keller — Sat, 10 Oct 2020 10:39:12 GMT

Finally it was a mismatch in the Ike Crypt setting. And also a communication timeout issue with PA-220. Seemed like the PA was to slow to response. After Dead peer detection was deactivated, it worked.