topic Re: Configuring tunnel ike-gateway with API in General Topics

Configuring tunnel ike-gateway with API

Joshua_Peterson — Sat, 09 Oct 2021 13:55:32 GMT

I am at my wits end with this. Can anybody tell me what I am doing wrong here? I'm trying to make a script that will use the API to stand up L2L VPN tunnels, and there is something in this request that is making the firewall puke (error 18 "Malformed Request").

The API calls:

making the gateway, this works just fine:

curl --globoff -X GET "https://palo.mydomain.com/api?key=<censored>&type=config&action=set&xpath=/config/devices/entry[@name='localhost.localdomain']/network/ike/gateway/entry[@name='test']&element=<authentication><pre-shared-key><key>PASSWORD</key></pre-shared-key></authentication><protocol><ikev1><dpd><enable>yes</enable></dpd><ike-crypto-profile>API-Test</ike-crypto-profile></ikev1><ikev2><dpd><enable>yes</enable></dpd></ikev2></protocol><local-address><ip>1.1.1.1</ip><interface>ethernet1/4</interface></local-address><protocol-common><nat-traversal><enable>no</enable></nat-traversal><fragmentation><enable>no</enable></fragmentation></protocol-common><peer-address><ip>IP-1.1.1.1</ip></peer-address><local-id><id>1.1.1.1</id><type>ipaddr</type></local-id><peer-id><id>2.2.2.2</id><type>ipaddr</type></peer-id>"

Making the ipsec tunnel, this one pukes only for the ike-gateway parameter:

<response status="error" code="18"><msg><line>Malformed Request</line></msg></response>

I have also tried and get the same error:

curl --globoff -X GET "https://palo.mydomain.com/api?key=<censored>&type=config&action=set&xpath=/config/devices/entry[@name='localhost.localdomain']/network/tunnel/ipsec/entry[@name='tunnel_name']&element=<auto-key><ike-gateway><entry name="test"/></ike-gateway></auto-key>"

The Error:

<response status="error" code="18"><msg><line>Malformed Request</line></msg></response>

The CLI Debug:

user@PA# set network tunnel ipsec tunnel_name auto-key ike-gateway Test
(container-tag: network container-tag: tunnel container-tag: ipsec container-tag: entry key-tag: name value: tunnel_name container-tag: auto-key container-tag: ike-gateway container-tag: entry key-tag: name value: Test)
((eol-matched: . #t) (xpath-prefix: . /config/devices/entry[@name='localhost.localdomain']) (context-inserted-at-end-p: . #f))
(network (tunnel (ipsec (entry (@ (name tunnel_name)) (auto-key (ike-gateway (entry (@ (name Test)))))))))
(entry (@ (name Test)))

<request cmd="set" obj="/config/devices/entry[@name='localhost.localdomain']/network/tunnel/ipsec/entry[@name='tunnel_name']/auto-key/ike-gateway" cookie=""><entry name='Test'/></request>

2021-10-09 09:21:23
<response status="success" code="20"><msg>command succeeded</msg></response>

This is a lab device running 10.0.

I can't figure out what I'm doing wrong here. Am I nuts?

Re: Configuring tunnel ike-gateway with API

Joshua_Peterson — Sat, 09 Oct 2021 19:27:19 GMT

Looking through the API browser it gave me a xpath for /api/?type=config&action=get&xpath=/config/devices/entry[@name='localhost.localdomain']/network/tunnel/ipsec/entry[@name='api-test']/auto-key/ike-gateway/entry[@name='test1']

(forgive me for changing the tunnel and ike-gateway names, I'm trying to see if there is some character or term it doesn't like)

If I try to run this it tells me there is a error for the configuration target. That makes send to me, because up to this point the [@name="thing"] syntax has only been used for the target of a change, and I am not trying to change "thing" in this case but rather trying to apply it as a setting, as is, to the tunnel.

Re: Configuring tunnel ike-gateway with API

Joshua_Peterson — Sat, 09 Oct 2021 20:07:39 GMT

This is absolutely BIZZAR. I ran the command "set network tunnel ipsec asdf auto-key ike-gateway test1" from the CLI with "debug cli on" and found there was an error "Server error : asdf -> auto-key constraints failed : default crypto profile doesn't exist
asdf -> auto-key is invalid"

I have no 'default' crypto policies.

I had seen this before and assumed it was an order of operation issue, and so I set the crypto profile before I set the ike-gateway by doing <auto-key><ipsec-crypto-profile>asdf</ipsec-crypto-profile><ike-gateway><entry name="test1"/></ike-gateway></auto-key> (the ipsec policy is set before the gateway, so it doesn't need to worry about the default crypto policy) but that did not help.

So of all the stupid things I have ever had to do, it added a ipsec policy called 'default'. Bam, it works just fine now. It's so stupid I can't even be happy I've solved it.

SUMMARY: If you want to use the API, don't go deleting your 'defaults'...

(┛◉Д◉)┛彡┻━┻

Re: Configuring tunnel ike-gateway with API

Joshua_Peterson — Sat, 09 Oct 2021 21:27:22 GMT

Well, never mind. I accidentally ran the command with action=get instead of action=set, and that always works. Back to the drawing board.

Re: Configuring tunnel ike-gateway with API

Joshua_Peterson — Sun, 10 Oct 2021 09:25:47 GMT

I think this is boiling down to the quotes I was using in windows command prompt. I was using double-quotes on the outside, and all single quotes on the parameters, but it did not like that in CMD.

Upon further inspection, the browser changed all the single quotes but for the ike-gateway name to %27, and had no double-quotes for the request in the browser. I changed my quotes in the cmd request to %27 as well and it worked like a charm.

I wasn't opening and closing my quotes in a way command prompt could understand.