Client-to-Site IKEv2 IPSec without GlobalProtect


L1 Bithead

Hello,

I am totally new to Palo Alto and trying to set up a VPN connection from the Android strongSwan VPN client app to Palo Alto without GlobalProtect.

I have a requirement that the client's IP is unknown and can be any public IP. At the moment the IPSec tunnel is UP, but I always get an error on the client side: "setting up TUN device failed, no virtual IP found". Is it possible at all to set up such a VPN on Palo Alto?

Thank you in advance.

6 REPLIES

Community Team Member (accepted solution)

Hi @kemeris,

It should be possible to set up the VPN.

I've seen this error when the client requested a virtual IPv6 address (as opposed to an IPv4 one) but the server wasn't configured to provide such.

Can you check the client/server logs to get more information?

Kind regards,

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
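Kim's IPv4-versus-IPv6 hint, worked through at the protocol level as an added example (this is not code from the thread, from strongSwan or from PAN-OS). In IKEv2 a road-warrior client asks for its inner address with a Configuration payload of type CFG_REQUEST that carries zero-length INTERNAL_IP4_ADDRESS and/or INTERNAL_IP6_ADDRESS attributes in IKE_AUTH, and the gateway answers with a CFG_REPLY carrying the addresses it is willing to hand out (RFC 7296 section 3.15). The strongSwan Android client builds its TUN device from whatever addresses come back in that reply, and the message quoted in the first post is what it logs when the reply contains none it can use. The gateway below is a hypothetical toy allocator, not PAN-OS: it answers only the address families it has a pool for, so a client that asks for IPv6 only against an IPv4-only pool gets an empty reply, while a client that asks for both gets its IPv4 address.

```python
import ipaddress
import struct

# IKEv2 Configuration payload (RFC 7296 section 3.15): CFG type values and the
# attribute types this example uses. The wire format below is the payload body
# that follows the 4-byte generic payload header.
CFG_REQUEST, CFG_REPLY = 1, 2
INTERNAL_IP4_ADDRESS = 1
INTERNAL_IP6_ADDRESS = 8


def build_cp(cfg_type, attrs):
    """Encode a CP body: 1 byte CFG type, 3 reserved, then TLV attributes (15-bit type, 16-bit length)."""
    body = struct.pack("!B3x", cfg_type)
    for attr_type, value in attrs:
        body += struct.pack("!HH", attr_type & 0x7FFF, len(value)) + value
    return body


def parse_cp(data):
    """Decode a CP body into (cfg_type, [(attr_type, value_bytes), ...])."""
    cfg_type = data[0]
    offset, attrs = 4, []
    while offset + 4 <= len(data):
        attr_type, length = struct.unpack_from("!HH", data, offset)
        offset += 4
        attrs.append((attr_type & 0x7FFF, bytes(data[offset:offset + length])))
        offset += length
    return cfg_type, attrs


def gateway_cfg_reply(request, ip4_pool=(), ip6_pool=()):
    """Hypothetical gateway (not PAN-OS): answer only the address families it has a pool for.

    A requested attribute has zero length; a reply carries 4 bytes for INTERNAL_IP4_ADDRESS and
    16 address bytes plus a 1-byte prefix length for INTERNAL_IP6_ADDRESS. The toy allocator
    always hands out the first pool address.
    """
    cfg_type, attrs = parse_cp(request)
    if cfg_type != CFG_REQUEST:
        raise ValueError("expected CFG_REQUEST")
    reply = []
    for attr_type, _ in attrs:
        if attr_type == INTERNAL_IP4_ADDRESS and ip4_pool:
            reply.append((attr_type, ipaddress.IPv4Address(ip4_pool[0]).packed))
        elif attr_type == INTERNAL_IP6_ADDRESS and ip6_pool:
            reply.append((attr_type, ipaddress.IPv6Address(ip6_pool[0]).packed + bytes([128])))
    return build_cp(CFG_REPLY, reply)


def client_virtual_ips(reply):
    """What a road-warrior client can configure on its TUN device from the CFG_REPLY."""
    cfg_type, attrs = parse_cp(reply)
    if cfg_type != CFG_REPLY:
        raise ValueError("expected CFG_REPLY")
    ips = []
    for attr_type, value in attrs:
        if attr_type == INTERNAL_IP4_ADDRESS and len(value) == 4:
            ips.append(str(ipaddress.IPv4Address(value)))
        elif attr_type == INTERNAL_IP6_ADDRESS and len(value) == 17:
            ips.append(f"{ipaddress.IPv6Address(value[:16])}/{value[16]}")
    return ips


if __name__ == "__main__":
    v4_only_gateway = {"ip4_pool": ["10.20.0.5"]}  # constructed pool for the toy gateway
    # Client asks only for IPv6, gateway has only an IPv4 pool: the reply carries no address,
    # which is the situation in which strongSwan fails TUN setup with "no virtual IP found".
    req6 = build_cp(CFG_REQUEST, [(INTERNAL_IP6_ADDRESS, b"")])
    print("v6-only request:", client_virtual_ips(gateway_cfg_reply(req6, **v4_only_gateway)))
    # Client asks for both families: it gets the IPv4 address and can bring the tunnel up.
    req46 = build_cp(CFG_REQUEST, [(INTERNAL_IP4_ADDRESS, b""), (INTERNAL_IP6_ADDRESS, b"")])
    print("v4+v6 request:", client_virtual_ips(gateway_cfg_reply(req46, **v4_only_gateway)))
```

Whether a PAN-OS IKE gateway used as a plain IPSec tunnel endpoint answers a CFG_REQUEST at all is the real question in this thread, and the thread does not settle it. The example only shows why an empty reply ends in that particular client error, and why comparing the attribute families the client requested with those in the reply is the first thing to check in the strongSwan log.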

L6 Presenter

@kemeris wrote:

Hello,

I am totally new to Palo Alto and trying to set up a VPN connection from the Android strongSwan VPN client app to Palo Alto without GlobalProtect.

I have a requirement that the client's IP is unknown and can be any public IP. At the moment the IPSec tunnel is UP, but I always get an error on the client side: "setting up TUN device failed, no virtual IP found". Is it possible at all to set up such a VPN on Palo Alto?

Thank you in advance.

@kemeris -- It's been my understanding that the GlobalProtect client VPN functionality doesn't work or isn't stable if not using the GP client software. You mentioned Android OS; there the GP client would be a license purchase requirement, but I don't think there's a way around it. Even if it does work, I don't think it would be a supported option, so any issue you might run into in the future would be at your own risk.

L1 Bithead

My Android device with the strongSwan client does have both a public IPv4 and a public IPv6 address. The client (88.118.127.99) connects to Palo Alto (5.133.66.229) by the hostname vpn.zeusit.lt, which does not have an AAAA DNS record. Maybe I misunderstood IPSec tunnel Proxy IDs?

 

Here is Palo Alto debug log:

 

2025-05-08 17:06:18.066 +0300 [INFO]: { 1: }: received IKE request 88.118.127.99[55025] to 5.133.66.229[500], found IKE gateway IKEv2-gateway
2025-05-08 17:06:18.069 +0300 [PNTF]: { 1: }: ====> IKEv2 IKE SA NEGOTIATION STARTED AS RESPONDER, non-rekey; gateway IKEv2-gateway <====
====> Initiated SA: 5.133.66.229[500]-88.118.127.99[55025] SPI:733e18ff8deacefd:0ca46fccf4375c3d SN:1 <====
2025-05-08 17:06:18.069 +0300 [INFO]: { 1: }: NAT detected: peer behind NAT
2025-05-08 17:06:18.069 +0300 [PWRN]: { 1: }: 5.133.66.229[500] - 88.118.127.99[55025]:0x55eb4b9e4210 ignoring unauthenticated notify payload (16430)
2025-05-08 17:06:18.069 +0300 [PWRN]: { 1: }: 5.133.66.229[500] - 88.118.127.99[55025]:0x55eb4b9e4210 ignoring unauthenticated notify payload (16431)
2025-05-08 17:06:18.069 +0300 [PWRN]: { 1: }: 5.133.66.229[500] - 88.118.127.99[55025]:0x55eb4b9e4210 ignoring unauthenticated notify payload (16406)
2025-05-08 17:06:18.070 +0300 [PERR]: { 1: }: DH group id 19 != 14, responding with INVALID_KE_PAYLOAD
2025-05-08 17:06:18.103 +0300 [INFO]: { 1: }: received IKE request 88.118.127.99[55025] to 5.133.66.229[500], found IKE gateway IKEv2-gateway
2025-05-08 17:06:18.103 +0300 [PNTF]: { 1: }: ====> IKEv2 IKE SA NEGOTIATION STARTED AS RESPONDER, non-rekey; gateway IKEv2-gateway <====
====> Initiated SA: 5.133.66.229[500]-88.118.127.99[55025] SPI:733e18ff8deacefd:f072cd9877704c4b SN:2 <====
2025-05-08 17:06:18.104 +0300 [INFO]: { 1: }: NAT detected: peer behind NAT
2025-05-08 17:06:18.104 +0300 [PWRN]: { 1: }: 5.133.66.229[500] - 88.118.127.99[55025]:0x55eb4ba1e000 ignoring unauthenticated notify payload (16430)
2025-05-08 17:06:18.104 +0300 [PWRN]: { 1: }: 5.133.66.229[500] - 88.118.127.99[55025]:0x55eb4ba1e000 ignoring unauthenticated notify payload (16431)
2025-05-08 17:06:18.104 +0300 [PWRN]: { 1: }: 5.133.66.229[500] - 88.118.127.99[55025]:0x55eb4ba1e000 ignoring unauthenticated notify payload (16406)
2025-05-08 17:06:18.108 +0300 [INFO]: { 1: }: build IKEv2 CR payload[0]: 'CN=zeusit.lt'
2025-05-08 17:06:18.167 +0300 [INFO]: { 1: }: cert received: subject=emailAddress=c100001@vpn.zeusit.lt,CN=c100001-vpn_zeusit_it
2025-05-08 17:06:18.167 +0300 [INFO]: { 1: }: cert received: issuer=CN=zeusit.lt[ee?]
2025-05-08 17:06:18.172 +0300 [PERR]: RSA_verify failed: 0:error:04091068:rsa routines:int_rsa_verify:bad signature:crypto/rsa/rsa_sign.c:228:
2025-05-08 17:06:18.172 +0300 [WARN]: { 1: }: 5.133.66.229[500] - 88.118.127.99[55025]:(nil) RSA_verify switch hash_alg SHA256 to SHA1
2025-05-08 17:06:18.172 +0300 [INFO]: { 1: }: 5.133.66.229[4500] - 88.118.127.99[55012]:0x7f660008a320 authentication result: success
2025-05-08 17:06:18.172 +0300 [PWRN]: { 1: }: 16384 is not a child notify type
2025-05-08 17:06:18.172 +0300 [INFO]: { 1: }: received Notify payload protocol 0 type INITIAL_CONTACT
2025-05-08 17:06:18.172 +0300 [PWRN]: { 1: }: 16396 is not a child notify type
2025-05-08 17:06:18.172 +0300 [INFO]: { 1: }: received Notify payload protocol 0 type MOBIKE_SUPPORTED
2025-05-08 17:06:18.172 +0300 [PWRN]: { 1: }: 16399 is not a child notify type
2025-05-08 17:06:18.172 +0300 [INFO]: { 1: }: received Notify payload protocol 0 type NO_ADDITIONAL_ADDRESSES
2025-05-08 17:06:18.172 +0300 [PWRN]: { 1: }: 16417 is not a child notify type
2025-05-08 17:06:18.172 +0300 [INFO]: { 1: }: received Notify payload protocol 0 type EAP_ONLY_AUTHENTICATION
2025-05-08 17:06:18.172 +0300 [PWRN]: { 1: }: 16420 is not a child notify type
2025-05-08 17:06:18.172 +0300 [INFO]: { 1: }: received Notify payload protocol 0 type 16420
2025-05-08 17:06:18.172 +0300 [PNTF]: { 1: }: ====> IKEv2 CHILD SA NEGOTIATION STARTED AS RESPONDER, non-rekey; gateway IKEv2-gateway <====
====> Initiated SA: 5.133.66.229[4500]-88.118.127.99[55012] message id:0x00000001 parent SN:2 <====
2025-05-08 17:06:18.172 +0300 [ERR ]: { 1: 2}: Proposal Unmatched.!
2025-05-08 17:06:18.173 +0300 [ERR ]: { 1: 2}: Proposal Unmatched.!
2025-05-08 17:06:18.173 +0300 [INFO]: { 1: 2}: SADB_UPDATE proto=255 0.0.0.0[55012]=>5.133.66.229[4500] ESP tunl spi 0xECF0D729 auth=SHA384 enc=AES256/32 lifetime soft 3108/0 hard 3600/0
2025-05-08 17:06:18.173 +0300 [INFO]: { 1: 2}: SADB_ADD proto=255 5.133.66.229[4500]=>88.118.127.99[55012] ESP tunl spi 0xCF038831 auth=SHA384 enc=AES256/32 lifetime soft 2898/0 hard 3600/0
2025-05-08 17:06:18.173 +0300 [PNTF]: { 1: 2}: ====> IPSEC KEY INSTALLATION SUCCEEDED; tunnel c100001-1:c100001 <====
====> Installed SA: 5.133.66.229[4500]-88.118.127.99[55012] SPI:0xECF0D729/0xCF038831 lifetime 3600 Sec lifesize unlimited <====
2025-05-08 17:06:18.173 +0300 [PNTF]: { 1: 2}: ====> IKEv2 CHILD SA NEGOTIATION SUCCEEDED AS RESPONDER, non-rekey; tunnel c100001-1:c100001 <====
====> Established SA: 5.133.66.229[4500]-88.118.127.99[55012] message id:0x00000001, SPI:0xECF0D729/0xCF038831 parent SN:2 <====
2025-05-08 17:06:18.173 +0300 [PNTF]: { 1: }: ====> IKEv2 IKE SA NEGOTIATION SUCCEEDED AS RESPONDER, non-rekey; gateway IKEv2-gateway <====
====> Established SA: 5.133.66.229[4500]-88.118.127.99[55012] SPI:733e18ff8deacefd:f072cd9877704c4b SN:2 lifetime 28800 Sec <====
2025-05-08 17:06:18.180 +0300 [INFO]: { 1: 2}: SPI ECF0D729 inserted by IKE responder, return 0 0.
2025-05-08 17:06:18.186 +0300 [INFO]: { 1: }: KA list add: 5.133.66.229[4500]->88.118.127.99[55012], (in_use=1),total=1
2025-05-08 17:06:19.708 +0300 [INFO]: { 1: }: received DELETE payload, gateway IKEv2-gateway SA state ESTABLISHED, SPI 733e18ff8deacefd:f072cd9877704c4b
2025-05-08 17:06:19.708 +0300 [INFO]: { 1: }: 5.133.66.229[4500] - 88.118.127.99[55012]:(nil) closing IKEv2 SA IKEv2-gateway:2, code 7
2025-05-08 17:06:19.708 +0300 [PNTF]: { 1: 2}: ====> IPSEC KEY DELETED; tunnel c100001-1:c100001 <====
====> Deleted SA: 5.133.66.229[4500]-88.118.127.99[55012] SPI:0xECF0D729/0xCF038831 <====
2025-05-08 17:06:19.708 +0300 [INFO]: { 1: 2}: SADB_DELETE proto=255 src=0.0.0.0[0] dst=5.133.66.229[0] ESP spi=0xECF0D729
2025-05-08 17:06:19.710 +0300 [INFO]: { 1: 2}: SPI ECF0D729 removed by IKE SA delete, return 0 0.

 

Here is the client log:

[screenshot: kemeris_0-1746714978115.png]

I can also post my Palo Alto configuration if necessary.
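A reviewer's pass over the ikemgr log above, as an added example (not from the thread and not a Palo Alto tool). The script carries a constructed subset of the posted lines, unchanged except for being selected, and flags the four things worth chasing in it: the DH group 19 versus 14 INVALID_KE_PAYLOAD retry, the two "Proposal Unmatched" rejections before a proposal matched, the SHA-256 to SHA-1 fallback on signature verification after the gateway ignored the peer's SIGNATURE_HASH_ALGORITHMS notify (type 16431, RFC 7427), and the SA being deleted by the peer 1.535 s after key installation. The 10-second threshold for "short-lived" is an arbitrary choice, and the detail text for that finding restates Kim's hypothesis from the accepted answer; it is not something the gateway log proves on its own.

```python
import re
from datetime import datetime

# Constructed subset of the PAN-OS ikemgr debug log posted in this thread
# (addresses, SPIs and timestamps are the ones in the post; lines were selected, not altered).
SAMPLE_LOG = """\
2025-05-08 17:06:18.069 +0300 [PWRN]: { 1: }: 5.133.66.229[500] - 88.118.127.99[55025]:0x55eb4b9e4210 ignoring unauthenticated notify payload (16431)
2025-05-08 17:06:18.070 +0300 [PERR]: { 1: }: DH group id 19 != 14, responding with INVALID_KE_PAYLOAD
2025-05-08 17:06:18.172 +0300 [PERR]: RSA_verify failed: 0:error:04091068:rsa routines:int_rsa_verify:bad signature:crypto/rsa/rsa_sign.c:228:
2025-05-08 17:06:18.172 +0300 [WARN]: { 1: }: 5.133.66.229[500] - 88.118.127.99[55025]:(nil) RSA_verify switch hash_alg SHA256 to SHA1
2025-05-08 17:06:18.172 +0300 [INFO]: { 1: }: 5.133.66.229[4500] - 88.118.127.99[55012]:0x7f660008a320 authentication result: success
2025-05-08 17:06:18.172 +0300 [ERR ]: { 1: 2}: Proposal Unmatched.!
2025-05-08 17:06:18.173 +0300 [ERR ]: { 1: 2}: Proposal Unmatched.!
2025-05-08 17:06:18.173 +0300 [PNTF]: { 1: 2}: ====> IKEv2 CHILD SA NEGOTIATION SUCCEEDED AS RESPONDER, non-rekey; tunnel c100001-1:c100001 <====
2025-05-08 17:06:19.708 +0300 [INFO]: { 1: }: received DELETE payload, gateway IKEv2-gateway SA state ESTABLISHED, SPI 733e18ff8deacefd:f072cd9877704c4b
"""

TS_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) ([+-]\d{4})")
DH_RE = re.compile(r"DH group id (\d+) != (\d+), responding with INVALID_KE_PAYLOAD")
NOTIFY_RE = re.compile(r"ignoring unauthenticated notify payload \((\d+)\)")
SIGNATURE_HASH_ALGORITHMS = 16431  # IKEv2 notify type defined by RFC 7427


def parse_ts(line):
    """Return an aware datetime for a PAN-OS ikemgr line, or None if the line has no timestamp."""
    m = TS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1) + m.group(2), "%Y-%m-%d %H:%M:%S.%f%z")


def sa_lifetime_seconds(log_text):
    """Seconds between CHILD SA establishment and the peer's DELETE, or None if either is missing."""
    established = deleted = None
    for line in log_text.splitlines():
        if "CHILD SA NEGOTIATION SUCCEEDED" in line:
            established = parse_ts(line)
        elif "received DELETE payload" in line and established is not None:
            deleted = parse_ts(line)
            break
    if established is None or deleted is None:
        return None
    return (deleted - established).total_seconds()


def triage(log_text, short_lived_seconds=10.0):
    """Return (finding, detail) tuples for what a responder-side reviewer should look at."""
    findings = []
    saw_sha1_fallback = False
    for line in log_text.splitlines():
        m = NOTIFY_RE.search(line)
        if m and int(m.group(1)) == SIGNATURE_HASH_ALGORITHMS:
            findings.append(("rfc7427_not_negotiated",
                             "gateway ignored the peer's SIGNATURE_HASH_ALGORITHMS notify, so SHA-2 "
                             "digital-signature authentication (RFC 7427) was not negotiated"))
        m = DH_RE.search(line)
        if m:
            findings.append(("dh_group_mismatch",
                             f"peer proposed DH group {m.group(1)}, gateway wants {m.group(2)}; "
                             "the peer retried, but that costs an extra round trip on every connect"))
        if "Proposal Unmatched" in line:
            findings.append(("proposal_unmatched",
                             "an IPSec proposal was rejected before one matched; tighten the peer's list"))
        if "RSA_verify switch hash_alg SHA256 to SHA1" in line:
            saw_sha1_fallback = True
        if saw_sha1_fallback and "authentication result: success" in line:
            findings.append(("sha1_signature_auth",
                             "peer signature verified with SHA-1 (RFC 7296 classic RSA auth) after SHA-256 failed"))
            saw_sha1_fallback = False
    age = sa_lifetime_seconds(log_text)
    if age is not None and age < short_lived_seconds:
        findings.append(("short_lived_tunnel",
                         f"peer deleted the SA {age:.3f}s after key installation: the client gave up right "
                         "after IKE_AUTH, consistent with it not getting the configuration it asked for "
                         "(e.g. a virtual IP of the requested address family) rather than a crypto failure"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:24s} {detail}")
```

Run it against a full `less mp-log ikemgr.log` capture rather than the excerpt: the gateway-side view only tells you the SA came up and was torn down by the peer, so the deciding evidence is still the client log, which is why the accepted answer asks for both.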
L1 Bithead

I use Android strongSwan only for testing purposes, as it allows me to easily inspect logs. My main goal is to set up a Palo Alto IPSec tunnel that works with native Windows and macOS clients, so no third-party client is needed. We already have a VPN solution that requires a separate VPN client.

L6 Presenter

@kemeris wrote:

I use Android strongSwan only for testing purposes, as it allows me to easily inspect logs. My main goal is to set up a Palo Alto IPSec tunnel that works with native Windows and macOS clients, so no third-party client is needed. We already have a VPN solution that requires a separate VPN client.

Oh ok, Windows/macOS is a free/included license.

If you already have a separate VPN solution with a separate VPN client, what purpose will GlobalProtect serve? I understand the desire to not deploy a second VPN client onto an endpoint, but if you're wanting to use GlobalProtect I'm not sure there's a supported way forward without using the GlobalProtect endpoint software.

L1 Bithead

Looks like my reply with the Palo Alto debug logs has been removed by staff. Thank you #Kiwi for your help!

  • 1 accepted solution
  • 836 Views
  • 6 replies
  • 0 Likes