AWS: changing AES for IKE and IPsec doesn't allow traffic to pass

L7 Applicator

AWS: changing AES for IKE and IPsec doesn't allow traffic to pass

Hello,

We have successful tunnels to our VPC and traffic is passing. We used the AWS-downloaded config to guide us on the PAN side. Now when I change the IKE and IPsec settings to different ciphers, say from AES-128 to AES-256, the tunnel stays up and is established, but we cannot pass traffic.


Anyone else run into this?


Thanks in advance!

L5 Sessionator

Re: AWS: changing AES for IKE and IPsec doesn't allow traffic to pass

What version of PAN-OS software are you running on the firewall? Is it a VM-Series firewall or a physical firewall?

L7 Applicator

Re: AWS: changing AES for IKE and IPsec doesn't allow traffic to pass

On our side we are running a physical PAN with 8.0.14 code. On the AWS side it's the built-in AWS connectors.

L5 Sessionator

Re: AWS: changing AES for IKE and IPsec doesn't allow traffic to pass

I've never seen any issue like that with our VM-Series firewalls. I don't deal with the physical firewalls, but the IPsec/IKE engine should be the same.

Have you tried clearing the tunnel and re-establishing the IPsec tunnel? If so, and that didn't resolve the issue, I would suggest opening a case with support.

L7 Applicator

Re: AWS: changing AES for IKE and IPsec doesn't allow traffic to pass

Thanks for the suggestion. It didn't work, so I opened a support case. I'll post the solution when we find one.

L1 Bithead

Re: AWS: changing AES for IKE and IPsec doesn't allow traffic to pass

Did you set the proper MTU on the tunnel? 1427

L7 Applicator

Re: AWS: changing AES for IKE and IPsec doesn't allow traffic to pass

Yep, as well as leaving it default. No joy.

L7 Applicator

Re: AWS: changing AES for IKE and IPsec doesn't allow traffic to pass

OK, so weird settings; who knows where the real issue is, since AWS is a black box.


IKE settings:

These are OK as aes-256-cbc, sha256, DH group 14.


IPsec settings:

aes-256-cbc, sha1, DH group 14.


So it was the SHA version on the IPsec config that was causing the issues. Won't do sha256, but still establishes the tunnel.


Gotta love interoperability...
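As an added example, not from the original thread and not Palo Alto Networks' or AWS's own documentation: the two crypto profiles described in the post above, written out as PAN-OS CLI `set` commands, with the sha256 phase-2 variant that did not pass traffic kept beside the sha1 variant that did, followed by the CLI checks that tell "IKE SA up but no IPsec SA" apart from "IPsec SA up but traffic dropped". The profile names (AWS-IKE, AWS-IPSEC), gateway and tunnel names (AWS-GW, AWS-TUN1) and lifetimes are assumptions, not values from the thread; the command syntax is PAN-OS 8.0 as I know it and should be confirmed against that release's CLI reference.

```text
# Added example; profile, gateway, tunnel names and lifetimes are assumptions.

# Phase 1 (IKE) profile: the combination the poster reported as working.
set network ike crypto-profiles ike-crypto-profiles AWS-IKE encryption aes-256-cbc
set network ike crypto-profiles ike-crypto-profiles AWS-IKE hash sha256
set network ike crypto-profiles ike-crypto-profiles AWS-IKE dh-group group14
set network ike crypto-profiles ike-crypto-profiles AWS-IKE lifetime hours 8

# Phase 2 (IPsec) profile as first tried: sha256 for ESP authentication.
# In the thread this left the IKE SA established but passed no traffic,
# so it is shown here commented out rather than applied.
# set network ike crypto-profiles ipsec-crypto-profiles AWS-IPSEC esp authentication sha256

# Phase 2 profile that worked for the poster: sha1 for ESP authentication,
# AES-256-CBC for ESP encryption, PFS with DH group 14.
set network ike crypto-profiles ipsec-crypto-profiles AWS-IPSEC esp encryption aes-256-cbc
set network ike crypto-profiles ipsec-crypto-profiles AWS-IPSEC esp authentication sha1
set network ike crypto-profiles ipsec-crypto-profiles AWS-IPSEC dh-group group14
set network ike crypto-profiles ipsec-crypto-profiles AWS-IPSEC lifetime hours 1
commit

# Checks. A phase-1 match alone makes the IKE SA look healthy; a phase-2
# proposal the peer will not accept shows up as a missing or stale IPsec SA.
show vpn ike-sa gateway AWS-GW
show vpn ipsec-sa tunnel AWS-TUN1
test vpn ipsec-sa tunnel AWS-TUN1     # force a fresh phase-2 negotiation
show vpn flow name AWS-TUN1           # encap/decap counters; decap staying at 0 means nothing arrives from the peer
less mp-log ikemgr.log                # look for the child-SA rejection, e.g. a NO_PROPOSAL_CHOSEN notify
```

The point of the two `show` commands is that "tunnel up" on a status page usually reports the IKE SA; when only phase 2 is mismatched, `show vpn ike-sa` is green while `show vpn ipsec-sa` has no active SA for the tunnel, which is the symptom the thread describes. If both SAs are present and `show vpn flow` shows encap counters rising but decap stuck at zero, the proposal is fine and the problem is on the far side (routing, security group, or, as suggested earlier in the thread, MTU), not the crypto settings.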
