Site to site VPN help :(

Reply
L2 Linker

Site to site VPN help :(

Unable to make VPN work. Both "IKE Info" and "Tunnel Info" are red light in IPSec Tunnel.

The peer is a Juniper vSRX.

Normal configuration with trust, untrust and VPN zone in both firewall. Each zone has its own subnet.

Both firewall can ping each other untrust interface.

Workstations behind the firewalls can ping firewall's untrust interface too (default route + source NAT)

Security policy for VPN zone to VPN zone set to allow any.

 

debug ike gateway and tunnel were on

ikemgr.log show "SA dying from state INI_IKE_SA_INIT_SENT, caller ikev2_abort"  after 10 times retry.

 

test and show vpn ike-sa gateway show

State: "INIT send <= Idle <== Idle <== Idle"

reason: ikev2_initiator_start

I think this is what SA keep trying.

 

I have no idea how to solve this. 

 

 

Community Manager

Re: Site to site VPN help :(

looks like they're not playing ball

 

verify all ike settings from a fresh perspective to make sure all parameters are correct (peer ip is accurtate, negotiation settings are good etc )

 

From the PA you can manually initiate by using > test vpn ike-sa gateway <gateway> (and > test vpn ipsec-sa gateway <gw> for phase2 )

 

if there's a similar command on the juniper you should try that too, being able to compare 'inbound' system logs may grant more visibility in your issue than staring at debug logs (inbound system logs wil tell you what the remote end is doing wrong, if no system logs show up, the remote end is not talking or is being blocked)


Help the community: Like helpful comments and mark solutions
Reaper out
L7 Applicator

Re: Site to site VPN help :(

L2 Linker

Re: Site to site VPN help :(

Hello. I think I overlook the type of VPN - "Route-based" and "Policy-based".

I don't even know I'm using which type. Policy-based require setup "Proxy ID" and I don't have any of it.

Found some info in https://blog.webernetz.net/route-vs-policy-based-vpn-tunnels/

Mention that PaloAlto don't support Policy-based VPN. Is that true?

Community Manager

Re: Site to site VPN help :(

hi @jeremylo

We are route based, which means that how the tunnel is set up and how traffic is put into it are 2 separate processes

a policy based system combines those 2 functions 

 

This in itself is not a big issue, as ProxyIDs fix that 'incompatibility'

 

A route based VPN solution simply requires you to set up a VPN profile (peer, crypto, ..) and then add routes on the VirtualRouter that point to the tunnel interface for all the subnets at the other end of the tunnel

 

A policy-based system combines the subnets that need to speak to each other in the VPN decision process, which can be simulated by creating matching subnet pairs in ProxyID which would tell the remote (policy-based) system the routing pairs

 

So the statement that we don't support policy based VPN is false (at the bottom of the article you can see they included a chart where we are marked as supporting policy based ;) ). We aren't policy based but we do provide the proxyID functionality to make us compatible 

 

for the Juniper SRX use the 'bind-interface' option when configuring the ipsec vpn to make it route based


Help the community: Like helpful comments and mark solutions
Reaper out
L2 Linker

Re: Site to site VPN help :(

Reason found. The vSRX was faulty. Setup and use the new version vSRX has no problem

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!