PANOS-8.0 broke IPSec XAuth VPN?

Hi,

After I upgraded our PA-3050 to PANOS-8.0, iOS and Android native clients (using IPSec XAuth) don't work anymore. These clients can authenticate successfully and get a valid IP from the gateway IP pool, but after this they can't access anything. There are no traffic logs shown for the VPN IP either.

Can anybody using 8.0 test whether IPSec XAuth is functional, so I can see if it's the 8.0 upgrade or something else that is wrong with my setup?

Thanks,

Rahman

Hi,

I have found the problem with PAN-TAC. It happens in all PANOS 8.0 versions: the GlobalProtect IPSec Crypto profile now doesn't support sha256, and all new Android phones from version 6 only use sha256. If you test with an Android version 5 it will work fine. I don't know why Palo Alto erased this option.

PAN-TAC told me that they are working on a new feature to introduce sha256 in new versions, maybe in PANOS 8.0.8, but it is not sure.

When you connect an Android on version 6 or later, if you use the show vpn ipsec-sa command, you can see that the negotiation is sha256.

Best Regards

Sergio
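The symptom in this thread (XAuth succeeds, an address is handed out, but no traffic flows) is what an IKEv1 Phase 2 proposal mismatch looks like from the client side: Phase 1 plus XAuth and mode-config complete, but the IPSec SA that would actually carry ESP traffic is never agreed. The following is an added toy simulation written for this page, not PAN-OS, GlobalProtect or Android code, and the algorithm sets it uses (a gateway profile with SHA-1 only, a client that proposes only SHA-256) are constructed assumptions that mirror the description above rather than a statement of what any specific firmware offers.

```python
"""Toy model of IKEv1 XAuth client stages and Phase 2 (IPSec SA) proposal
selection. Illustrative only: it is not PAN-OS or Android code, and the
algorithm sets below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Phase2Proposal:
    encryption: str  # ESP cipher, e.g. "aes-256-cbc"
    auth: str        # ESP integrity algorithm, e.g. "sha1" or "sha256"


@dataclass(frozen=True)
class CryptoProfile:
    """Responder-side IPSec crypto profile (the role a GlobalProtect IPSec
    Crypto profile plays on the gateway)."""
    encryption: frozenset
    authentication: frozenset


def select_phase2(client: Iterable[Phase2Proposal],
                  profile: CryptoProfile) -> Optional[Phase2Proposal]:
    """Responder accepts the first initiator proposal, in the initiator's
    preference order, whose cipher and integrity algorithm are both in the
    responder's profile. None means no IPSec SA can be built."""
    for prop in client:
        if prop.encryption in profile.encryption and prop.auth in profile.authentication:
            return prop
    return None


def explain_rejections(client: Iterable[Phase2Proposal],
                       profile: CryptoProfile) -> List[str]:
    """One reason string per proposal, so a failed negotiation can be read."""
    reasons = []
    for prop in client:
        missing = []
        if prop.encryption not in profile.encryption:
            missing.append(f"encryption {prop.encryption}")
        if prop.auth not in profile.authentication:
            missing.append(f"auth {prop.auth}")
        reasons.append(f"{prop.encryption}/{prop.auth}: " + (", ".join(missing) or "accepted"))
    return reasons


def simulate(client_proposals, profile: CryptoProfile, credentials_ok: bool = True) -> dict:
    """Walk the stages a native IPSec/XAuth client goes through and return the
    outcome of each, so the point of failure is visible."""
    state = {"phase1": True, "xauth": credentials_ok,
             "ip_assigned": False, "ipsec_sa": None, "traffic": False}
    if not state["xauth"]:
        return state                       # bad credentials: stops here
    state["ip_assigned"] = True            # mode-config hands out a pool address
    sa = select_phase2(client_proposals, profile)
    state["ipsec_sa"] = sa
    state["traffic"] = sa is not None      # without an ESP SA nothing is encapsulated
    return state


# Constructed profiles (assumptions for the example, not a firmware listing).
GATEWAY_SHA1_ONLY = CryptoProfile(frozenset({"aes-128-cbc", "aes-256-cbc"}),
                                  frozenset({"sha1"}))
GATEWAY_WITH_SHA256 = CryptoProfile(frozenset({"aes-128-cbc", "aes-256-cbc"}),
                                    frozenset({"sha1", "sha256"}))

# Constructed client proposal lists, most preferred first.
CLIENT_SHA256_ONLY = (Phase2Proposal("aes-256-cbc", "sha256"),
                      Phase2Proposal("aes-128-cbc", "sha256"))
CLIENT_SHA1_CAPABLE = (Phase2Proposal("aes-256-cbc", "sha256"),
                       Phase2Proposal("aes-128-cbc", "sha1"))

if __name__ == "__main__":
    for name, client, gw in [("sha256-only client vs sha1-only gateway", CLIENT_SHA256_ONLY, GATEWAY_SHA1_ONLY),
                             ("sha1-capable client vs sha1-only gateway", CLIENT_SHA1_CAPABLE, GATEWAY_SHA1_ONLY),
                             ("sha256-only client vs gateway with sha256", CLIENT_SHA256_ONLY, GATEWAY_WITH_SHA256)]:
        print(name, simulate(client, gw))
        for line in explain_rejections(client, gw):
            print("   ", line)
```

The first scenario reproduces the thread's symptom: `xauth` and `ip_assigned` are true while `ipsec_sa` is None and `traffic` is false, which is why nothing for the pool address shows up in the traffic log. The practical check on the gateway is the one Sergio names, show vpn ipsec-sa, to confirm which integrity algorithm the client is actually proposing.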

@SergioAfonso

So this is only an issue with phones, not laptops or PCs?

Hi,
I have some similar issues with some versions of Linux, but I have to confirm that yet. Do you have problems with PCs?

Best Regards
Sergio

@SergioAfonso

I haven't upgraded to 8 yet; I am just gathering information at this time, but if it breaks the VPN in any way I want to know about it and how to fix it.

Hi Guys,

Interesting one. Tested again on 8.0.7, no joy for Android 6. iOS devices connect fine with XAuth. The client always works best anyway, if you have the licence.

Have ye tried cert authentication for the Androids on 6.0? Will check tomorrow, but with cert-based auth/client certs you can have SHA-256 if the Androids need that.

Might be a workaround to get ye out of the woods.

The GP client connects fine anyway; no licence is needed for the GP client on version 8 on Windows or MacBooks, and iOS devices connect fine using XAuth from a quick check.

[Screenshot: Screen Shot 2018-01-29 at 21.48.39.png]

best regards,

Rob

Hi,
There is no solution yet. PAN-TAC told me that maybe version 8.0.8 will introduce this new feature, or version 9. So my recommendation is: if you don't need any new feature introduced in version 8, don't upgrade.

Regards

  • 8342 Views
  • 20 replies
  • 0 Likes