topic Re: S2S VPN between PA-3020 and Cisco ASA 5525 in General Topics

S2S VPN between PA-3020 and Cisco ASA 5525

Hemal_Vaghela — Thu, 16 Sep 2021 09:31:03 GMT

Hi All,

1st Post so hopefully i'm doing this correctly.

I am trying to setup a VPN tunnel to a 3rd Party. We have a PA-3020 and they have a Cisco ASA. They do have another Cisco in-between both our devices which is performing NAT. Hence we have enabled NAT-T.

The main issue I am having is that the tunnel is not coming up. The error message I get in the logs and debugs is:

Expecting IP address type in main mode, but KEY_ID.

###.###.###.###[4500] - ###.##.###.###[4500]:(nil) invalid ID payload.

We have the tunnel setup as follows:

main mode and using ip addresses.

ikev1

(lifetime = 28800:28800)
(lifebyte = 0:0)
enctype = AES:AES
(encklen = 256:256)
hashtype = SHA1:SHA1
authmethod = PSK:PSK
dh_group = DH5:DH5

NAT-T enabled

I am also performing source and destination nats as the ip ranges conflicts on both sides. We have set the Proxy IDs on both ends as the nat ranges.

On the PA-3020 the local and peer ID have been set as the public ips of the peers. I have also tried their private ip (as they are natting) just as a test, and I am getting the same error. Also tried removing the IDs and same thing.

I have read an article about How to determine the correct value to put in the PAN IKE peer KEYID field? But cannot seem to find the KEYID field (in hex or ascii) in the packet capture.

Link: How to determine the correct value to put in the PAN IKE peer K... - Knowledge Base - Palo Alto Networks

Any help on why I am getting the error would help as I am not sure what else to try.

Thanks in advance

Re: S2S VPN between PA-3020 and Cisco ASA 5525

TomYoung — Thu, 16 Sep 2021 16:50:57 GMT

Hi @Hemal_Vaghela ,

Could you have them run this command on their ASA, "show run all | i crypto isakmp identity"? You want to make sure you match that configuration on your firewall. Sometimes I have found that "auto" doesn't work so well, but they probably can't change it since the config is global and applies to all their VPNs.

Thanks,

Tom

Re: S2S VPN between PA-3020 and Cisco ASA 5525

Hemal_Vaghela — Fri, 17 Sep 2021 07:26:13 GMT

Hi Tom,

I have got the 3rd party to run the command and they confirmed it is set as an ip address.

output was:

crypto isakmp identity key-id 213.61.xxx.xxx.

I also managed to confirmed that that ip was was HEX format in the packet capture. I tried setting the peer id as KEYID and setting the value of the peer ip in HEX format. The PA did not like this in IKEv1 mode. I have asked to change this to IKEv2 with the below P1/P2 settings.

lifetime = 28800
lifebyte = 0
enctype = AES
encklen = 256
hashtype = SHA512
authmethod = PSK
dh_group = DH20

NAT-T enabled

Just waiting to confirm if this is working.

Thanks,

Hemal.

Re: S2S VPN between PA-3020 and Cisco ASA 5525

Hemal_Vaghela — Fri, 17 Sep 2021 09:13:35 GMT

Hi,

Setting the KEYID in HEX for the peer id seems to bring the tunnel up.

Testing traffic as I am doing both source and destination nat, and I am hitting the nat and security policy but need 3rd Party to confirm if they see any traffic. On the PA side I am seeing timeouts at the moment.

I did have to set my nat policy as from zone trust to destination zone trust for the nat work work.

I did have the destination nat set to the 3rd party zone but this did not nat correctly.