AWS changing aes for ike and ipsec doesnt allow traffic to pass


Hello,

We have successful tunnels to our VPC and traffic is passing. We used the AWS downloaded config to guide us on the PAN side. Now when I change the IKE and IPsec settings to different ciphers, say from aes128 to aes256, the tunnel stays up and is established but we cannot pass traffic.
Anyone else run into this?

Thanks in advance!

7 replies

What version of PAN-OS software are you running on the firewall? Is it a VM-Series firewall or a physical firewall?

On our side we are running a physical PAN with 8.0.14 code. On the AWS side it's the built-in AWS connectors.

I've never seen any issue like that with our VM-Series firewalls. I don't deal with the physical firewalls, but the IPsec/IKE engine should be the same.

Have you tried clearing the tunnel and re-establishing the IPsec tunnel? If so, and that didn't resolve the issue, I would suggest opening up a case with support.

Thanks for the suggestion. It didn't work, so I opened a support case. I'll post the solution when we find one.

Did you set the proper MTU on the tunnel? 1427

Yep, as well as leaving it default. No joy.

Ok, so weird settings; who knows where the real issue is, since AWS is a black box.

IKE settings:

These are OK as aes-256-cbc, sha256, DH group 14.

IPsec settings:

aes-256-cbc, sha1, DH group 14.

So it was the SHA version on the IPsec config that was causing the issues. It won't do sha256 but still establishes the tunnel.

Gotta love interoperability....
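The thread's symptom, a tunnel that shows as established while no traffic passes, is what a phase 1 (IKE SA) success combined with a phase 2 (IPsec SA) proposal rejection looks like from the firewall's side. The following is an added illustration, not code from this thread, from Palo Alto Networks or from AWS: a small model of two-phase negotiation that takes each side's proposal lists and classifies the outcome. The peer proposal lists are constructed to mirror the outcome reported above (sha256 accepted for IKE, only sha1 for IPsec) and are assumptions for the example, not AWS's published capabilities; the function names are hypothetical.

```python
# Added illustration (not code from the thread or from Palo Alto/AWS): a small
# model of two-phase IKE/IPsec negotiation. It shows how a peer can complete
# the IKE SA (phase 1) yet reject every IPsec SA proposal (phase 2), which
# many dashboards display as "tunnel established" while no traffic passes.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Proposal:
    encryption: str   # e.g. "aes-256-cbc"
    integrity: str    # e.g. "sha1", "sha256"
    dh_group: int     # Diffie-Hellman group, e.g. 14


def negotiate(local: List[Proposal], remote: List[Proposal]) -> Optional[Proposal]:
    """Return the first local proposal the remote also accepts (initiator
    preference order), or None when no proposal is common to both sides."""
    accepted = set(remote)
    for proposal in local:
        if proposal in accepted:
            return proposal
    return None


def mismatch_report(local: List[Proposal], remote: List[Proposal]) -> List[Tuple[Proposal, List[str]]]:
    """List, per local proposal, which attributes keep the remote side from
    accepting it, so a phase-2 failure can be read off from the two configs."""
    notes = []
    for p in local:
        reasons = []
        if not any(r.encryption == p.encryption for r in remote):
            reasons.append(f"encryption {p.encryption} not offered by peer")
        if not any(r.integrity == p.integrity for r in remote):
            reasons.append(f"integrity {p.integrity} not offered by peer")
        if not any(r.dh_group == p.dh_group for r in remote):
            reasons.append(f"DH group {p.dh_group} not offered by peer")
        notes.append((p, reasons))
    return notes


def tunnel_state(ike_local, ike_remote, ipsec_local, ipsec_remote) -> dict:
    """Negotiate both phases and classify the result the way an operator
    sees it: 'down', 'ike-up-no-traffic', or 'up'."""
    ike_sa = negotiate(ike_local, ike_remote)
    if ike_sa is None:
        return {"ike_sa": None, "ipsec_sa": None, "status": "down"}
    ipsec_sa = negotiate(ipsec_local, ipsec_remote)
    if ipsec_sa is None:
        return {"ike_sa": ike_sa, "ipsec_sa": None, "status": "ike-up-no-traffic"}
    return {"ike_sa": ike_sa, "ipsec_sa": ipsec_sa, "status": "up"}


def demo_thread_case() -> dict:
    """Constructed peer behaviour modelled on the thread's outcome: the peer
    accepts sha256 for IKE but only sha1 for IPsec. These lists are
    assumptions for the example, not AWS's actual supported algorithms."""
    peer_ike = [Proposal("aes-256-cbc", "sha256", 14),
                Proposal("aes-128-cbc", "sha1", 2)]
    peer_ipsec = [Proposal("aes-256-cbc", "sha1", 14),
                  Proposal("aes-128-cbc", "sha1", 2)]
    firewall_ike = [Proposal("aes-256-cbc", "sha256", 14)]
    results = {}
    # Attempt 1: sha256 on the IPsec crypto profile -> IKE SA up, no IPsec SA.
    ipsec_sha256 = [Proposal("aes-256-cbc", "sha256", 14)]
    results["sha256"] = tunnel_state(firewall_ike, peer_ike, ipsec_sha256, peer_ipsec)
    results["sha256"]["why"] = mismatch_report(ipsec_sha256, peer_ipsec)
    # Attempt 2: sha1 on the IPsec crypto profile -> both SAs, traffic flows.
    ipsec_sha1 = [Proposal("aes-256-cbc", "sha1", 14)]
    results["sha1"] = tunnel_state(firewall_ike, peer_ike, ipsec_sha1, peer_ipsec)
    return results


if __name__ == "__main__":
    for name, r in demo_thread_case().items():
        print(name, r["status"], r.get("why", ""))
```

The model matches whole proposals, which is a simplification: real IKEv1/IKEv2 peers match transform by transform, and the "established" indicator on a firewall dashboard usually reflects only the IKE SA. The practical point is the same as in the thread: when a tunnel reports up but carries nothing, compare the phase 2 (IPsec crypto profile) settings first, one attribute at a time, before suspecting MTU or routing.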
