<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: IKE and IPsec Encryption and Authentication Parameters for Site-to-site IPsec VPN in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/ike-and-ipsec-encryption-and-authentication-parameters-for-site/m-p/388292#M90472</link>
    <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608"&gt;@reaper&lt;/a&gt;&amp;nbsp;You have put it accurately there, and I just got it working successfully yesterday: with no specific type stated, it automatically means CBC. Thank you for sharing your knowledge, and wishing you all the best!&lt;/P&gt;&lt;P&gt;The next challenge will be DHCP from the remote site via the tunnel to the AD and DHCP server that is situated in the HQ. Drop me a link to a related topic if you have one. Thank you again!&lt;/P&gt;</description>
    <pubDate>Sun, 28 Feb 2021 09:49:58 GMT</pubDate>
    <dc:creator>sisayfe</dc:creator>
    <dc:date>2021-02-28T09:49:58Z</dc:date>
    <item>
      <title>IKE and IPsec Encryption and Authentication Parameters for Site-to-site IPsec VPN</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ike-and-ipsec-encryption-and-authentication-parameters-for-site/m-p/387005#M90330</link>
      <description>&lt;P&gt;I was configuring a site-to-site IPsec VPN and I was having a hard time matching my encryption and authentication parameters. The remote end device is a Huawei Eudemon 1000E and my local device is a PA-800. I have finished the configuration on both sides by picking the closest parameters (I suppose), which I presume would work to get the tunnel up and running. Unfortunately, it's not up and running yet, and my prime suspicion would be the IPsec parameters not matching on each of the peers.&lt;/P&gt;&lt;P&gt;I have the details here below:&lt;/P&gt;&lt;P&gt;Supported parameters on my local PA-800 are:&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PMO-Side.JPG" style="width: 999px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/30020i79BE31F78B209D7D/image-size/large/is-moderation-mode/true?v=v2&amp;amp;px=999" role="button" title="PMO-Side.JPG" alt="PMO-Side.JPG" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;And on the remote Huawei firewall device, the supported parameters are:&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MOFA-Side.JPG" style="width: 999px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/30021iE77ADE90F50023AC/image-size/large/is-moderation-mode/true?v=v2&amp;amp;px=999" role="button" title="MOFA-Side.JPG" alt="MOFA-Side.JPG" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;OL&gt;&lt;LI&gt;For Phase 1, the closest and strongest possible IKE encryption algorithm that is present on both sides would be AES-256, which is AES-256-CBC on my side and a mere AES-256 on the remote side. 
Will these two work fine together, with each configured on its respective end, or will I have a problem here?&lt;/LI&gt;&lt;LI&gt;In a similar case for Phase 2 encryption, the closest and strongest possible encryption algorithms that are present on both sides would be AES-256, which is AES-256-CBC/AES-256-GCM on my side and again a bloody plain AES-256 on the remote side. So will these two work fine together, with each configured on its respective end, or will I have another problem here too?&lt;/LI&gt;&lt;LI&gt;Based on your view on #1 and #2, what option is the best and most viable way to proceed?&lt;/LI&gt;&lt;LI&gt;On the remote end of the Huawei Eudemon, there is a Choice Integrity algorithm option which I am not clear about how to proceed with. What recommendation do you have for me here?&lt;/LI&gt;&lt;/OL&gt;</description>
      <pubDate>Sun, 21 Feb 2021 01:53:15 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ike-and-ipsec-encryption-and-authentication-parameters-for-site/m-p/387005#M90330</guid>
      <dc:creator>sisayfe</dc:creator>
      <dc:date>2021-02-21T01:53:15Z</dc:date>
    </item>
    <item>
      <title>Re: IKE and IPsec Encryption and Authentication Parameters for Site-to-site IPsec VPN</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ike-and-ipsec-encryption-and-authentication-parameters-for-site/m-p/387255#M90351</link>
      <description>&lt;P&gt;Huawei doesn't really appear to have clear information about which algorithms they support.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;1. and 2. should work if Huawei implemented CBC as the default. 3. You'll need to pick something other than XCBC, as that's not supported on the Palo.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;To troubleshoot this, try initiating the connection from the Huawei while running these commands on the Palo:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;reaper@PA-VM2&amp;gt; debug ike gateway GW1 on debug

Debugging for IKE gateway GW1 is enabled (debug).

IKE gateway debug level:
   GW1                        2               debug

reaper@PA-VM2&amp;gt; debug ike tunnel Tunnel1 on debug

Debugging for IPSec tunnel Tunnel1 is enabled (debug).

IKE gateway debug level:
   GW1                        2               debug
IPSec tunnel debug level:
   Tunnel1                    2               debug

reaper@PA-VM2&amp;gt; tail follow yes mp-log ikemgr.log&lt;/LI-CODE&gt;</description>
      <pubDate>Mon, 22 Feb 2021 22:15:26 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ike-and-ipsec-encryption-and-authentication-parameters-for-site/m-p/387255#M90351</guid>
      <dc:creator>reaper</dc:creator>
      <dc:date>2021-02-22T22:15:26Z</dc:date>
    </item>
    <item>
      <title>Re: IKE and IPsec Encryption and Authentication Parameters for Site-to-site IPsec VPN</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ike-and-ipsec-encryption-and-authentication-parameters-for-site/m-p/388292#M90472</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608"&gt;@reaper&lt;/a&gt;&amp;nbsp;You have put it accurately there, and I just got it working successfully yesterday: with no specific type stated, it automatically means CBC. Thank you for sharing your knowledge, and wishing you all the best!&lt;/P&gt;&lt;P&gt;The next challenge will be DHCP from the remote site via the tunnel to the AD and DHCP server that is situated in the HQ. Drop me a link to a related topic if you have one. Thank you again!&lt;/P&gt;</description>
      <pubDate>Sun, 28 Feb 2021 09:49:58 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ike-and-ipsec-encryption-and-authentication-parameters-for-site/m-p/388292#M90472</guid>
      <dc:creator>sisayfe</dc:creator>
      <dc:date>2021-02-28T09:49:58Z</dc:date>
    </item>
  </channel>
</rss>