L1 Bithead

How to handle invalid ipsec tunnels?

Trying to migrate from Cisco ASA to Palo Alto using Expedition.

These two are being flagged as Invalid IPSec Tunnels. (Some IP addresses have been renamed.)


object network obj-X1.X1.X1.X1
host X1.X1.X1.X1
object network NETWORK_OBJ_192.168.169.0_24_02
subnet 192.168.169.0 255.255.255.0
object network obj-10.0.0.141
host 10.0.0.141
object network obj-X1.X1.X1.X1
host X1.X1.X1.X1

nat (inside,outside) source static obj-10.0.0.141 obj-10.0.0.141 destination static obj-X1.X1.X1.X1 obj-X1.X1.X1.X1
nat (inside,outside) source static NETWORK_OBJ_10.0.0.10 10.6.0.10 destination static NETWORK_OBJ_192.168.169.0_24 NETWORK_OBJ_192.168.169.0_24
nat (inside,outside) source static 10.6.0.10 10.6.0.10 destination static NETWORK_OBJ_192.168.169.0_24 NETWORK_OBJ_192.168.169.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static obj-10.0.0.237 obj-10.6.0.15 destination static NETWORK_OBJ_192.168.169.0_24_01 NETWORK_OBJ_192.168.169.0_24_01
nat (inside,outside) source static obj-10.6.0.15 obj-10.6.0.15 destination static NETWORK_OBJ_192.168.169.0_24_01 NETWORK_OBJ_192.168.169.0_24_01 no-proxy-arp route-lookup
nat (inside,outside) source static obj-10.0.0.238 obj-10.6.0.25 destination static NETWORK_OBJ_192.168.169.0_24_02 NETWORK_OBJ_192.168.169.0_24_02
nat (inside,outside) source static obj-10.6.0.25 obj-10.6.0.25 destination static NETWORK_OBJ_192.168.169.0_24_02 NETWORK_OBJ_192.168.169.0_24_02 no-proxy-arp route-lookup

access-list outside_cryptoABC extended permit ip object obj-10.0.0.141 object obj-X1.X1.X1.X1 log
access-list outside_cryptoABC extended permit icmp object obj-10.0.0.141 object obj-X1.X1.X1.X1 log
access-list outside_cryptomap_4 extended permit ip object NETWORK_OBJ_10.6.0.0 object NETWORK_OBJ_192.168.169.0_2


crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap_4
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer X2.X2.X2.X2
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES
crypto map outside_map 5 match address outside_cryptoABC
crypto map outside_map 5 set peer X3.X3.X3.X3
crypto map outside_map 5 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto ca trustpool policy


Any ideas why, and how to fix?

L4 Transporter

Re: How to handle invalid ipsec tunnels?

Some causes of the VPN tunnels being flagged as invalid are below:

- No pre-shared key. To remediate, open the IKE gateway config and enter the pre-shared key.

- No crypto assigned to the IKE or IPSec. To remediate, check and add the crypto for the IKE and IPSec if none is entered.
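The two causes above (missing pre-shared key, missing crypto) can be checked on the ASA side before the import, so that the Expedition flags are no surprise. The script below is an added example, not part of this thread and not an Expedition or Palo Alto tool: it parses the `crypto map` entries, the crypto ACLs and the `tunnel-group ... ipsec-attributes` pre-shared keys from an ASA running-config and reports, per crypto map entry, what Expedition would have nothing to build the tunnel from. The sample config is constructed from the snippet in the question; the `tunnel-group` lines, the `outside_map 9` entry and the key values are assumptions added to exercise the checks. A key that appears as `*****` is a masked export (the usual `show running-config` hides keys; on the ASA, `more system:running-config` shows them), so the script flags that case separately. It also lists DES/3DES/MD5 transforms, which the migrated tunnel should not carry over.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the ASA snippet in the question.
# The tunnel-group lines, the "outside_map 9" entry and the key values are assumptions.
SAMPLE_ASA_CONFIG = """\
crypto map outside_map 1 match address outside_cryptomap_4
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer X2.X2.X2.X2
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-3DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES
crypto map outside_map 5 match address outside_cryptoABC
crypto map outside_map 5 set peer X3.X3.X3.X3
crypto map outside_map 5 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 9 set peer X4.X4.X4.X4
crypto map outside_map interface outside
access-list outside_cryptoABC extended permit ip object obj-10.0.0.141 object obj-X1.X1.X1.X1 log
access-list outside_cryptomap_4 extended permit ip object NETWORK_OBJ_10.6.0.0 object NETWORK_OBJ_192.168.169.0_2
tunnel-group X2.X2.X2.X2 type ipsec-l2l
tunnel-group X2.X2.X2.X2 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group X3.X3.X3.X3 type ipsec-l2l
tunnel-group X3.X3.X3.X3 ipsec-attributes
 ikev1 pre-shared-key ExampleKeyNotReal
"""

CRYPTO_MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
ACL_RE = re.compile(r"^access-list (\S+) ")
TG_RE = re.compile(r"^tunnel-group (\S+) ipsec-attributes$")
# IKEv1 key, or IKEv2 local/remote key, indented under the tunnel-group block.
PSK_RE = re.compile(
    r"^\s+(?:ikev1 )?pre-shared-key (\S+)$"
    r"|^\s+ikev2 (?:local|remote)-authentication pre-shared-key (\S+)$"
)


def parse_asa_config(text):
    """Collect crypto map entries, crypto ACL names and per-peer pre-shared keys."""
    entries = defaultdict(lambda: {"acl": None, "peer": None, "ikev1": [], "ikev2": []})
    acls = set()
    psks = {}          # peer address -> key as it appears in the export
    current_tg = None  # tunnel-group whose ipsec-attributes block we are inside
    for line in text.splitlines():
        if not line.strip():
            continue
        m = CRYPTO_MAP_RE.match(line)
        if m:
            name, seq, rest = m.group(1), int(m.group(2)), m.group(3).split()
            e = entries[(name, seq)]
            if rest[:2] == ["match", "address"]:
                e["acl"] = rest[2]
            elif rest[:2] == ["set", "peer"]:
                e["peer"] = rest[2]
            elif rest[:3] == ["set", "ikev1", "transform-set"]:
                e["ikev1"] = rest[3:]
            elif rest[:3] == ["set", "ikev2", "ipsec-proposal"]:
                e["ikev2"] = rest[3:]
            current_tg = None
            continue
        m = ACL_RE.match(line)
        if m:
            acls.add(m.group(1))
            current_tg = None
            continue
        m = TG_RE.match(line)
        if m:
            current_tg = m.group(1)
            continue
        if current_tg and line.startswith(" "):
            m = PSK_RE.match(line)
            if m:
                psks[current_tg] = m.group(1) or m.group(2)
            continue
        current_tg = None  # any other top-level line ends the tunnel-group block
    return entries, acls, psks


def check_tunnels(text):
    """Return {"<map> <seq>": [problems]} for every crypto map entry in the export."""
    entries, acls, psks = parse_asa_config(text)
    findings = {}
    for (name, seq), e in sorted(entries.items()):
        problems = []
        if e["acl"] is None:
            problems.append("no match address ACL")
        elif e["acl"] not in acls:
            problems.append(f"ACL {e['acl']} not defined")
        if e["peer"] is None:
            problems.append("no peer")
        if not e["ikev1"] and not e["ikev2"]:
            problems.append("no IKEv1 transform-set or IKEv2 proposal")
        if e["peer"] is not None:
            key = psks.get(e["peer"])
            if key is None:
                problems.append("no pre-shared key in tunnel-group")
            elif set(key) == {"*"}:
                problems.append("pre-shared key is masked in this export")
        weak = [t for t in e["ikev1"] + e["ikev2"] if "DES" in t or "MD5" in t]
        if weak:
            problems.append("weak algorithms: " + " ".join(weak))
        findings[f"{name} {seq}"] = problems
    return findings


if __name__ == "__main__":
    for entry, problems in check_tunnels(SAMPLE_ASA_CONFIG).items():
        print(entry, "OK" if not problems else "; ".join(problems))
```

Run it against a full `more system:running-config` export rather than the masked one; the entries that come back clean are the ones Expedition should import without the Invalid IPSec Tunnel flag, and the masked-key finding tells you the export itself is the problem rather than the tunnel.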

L1 Bithead

Re: How to handle invalid ipsec tunnels?

Thank you for the quick response!


How do you undo an existing import if you want to reimport the same configuration that has the pre-shared keys? The previous one I imported has ***** as the pre-shared key. Or do I just need to recreate the project?

L4 Transporter

Re: How to handle invalid ipsec tunnels?

You can import multiple configs into the same project.

Expedition controls which config is being displayed by using the file selector drop-down in the lower right-hand corner. This is useful if you are merging or collapsing configs, for example.

In your case, if you have already made changes to the original ASA file imported, you can then merge your changes (minus the IPSec VPN configs) into your base config (attached is a default PanOS 8.1 base config you can use), then make changes to the newly imported config (with the pre-shared keys) and only merge the VPN configs from the new file into your base config.

Expedition is a config editor that allows you to move config snippets by using the Export --> Merge option.
