Configuring tunnel ike-gateway with API


L1 Bithead

I am at my wits end with this. Can anybody tell me what I am doing wrong here? I'm trying to make a script that will use the API to stand up L2L VPN tunnels, and there is something in this request that is making the firewall puke (error 18 "Malformed Request"). 

 

The API calls:

making the gateway, this works just fine:

curl --globoff -X GET "https://palo.mydomain.com/api?key=<censored>&type=config&action=set&xpath=/config/devices/entry[@name='localhost.localdomain']/network/ike/gateway/entry[@name='test']&element=<authentication><pre-shared-key><key>PASSWORD</key></pre-shared-key></authentication><protocol><ikev1><dpd><enable>yes</enable></dpd><ike-crypto-profile>API-Test</ike-crypto-profile></ikev1><ikev2><dpd><enable>yes</enable></dpd></ikev2></protocol><local-address><ip>1.1.1.1</ip><interface>ethernet1/4</interface></local-address><protocol-common><nat-traversal><enable>no</enable></nat-traversal><fragmentation><enable>no</enable></fragmentation></protocol-common><peer-address><ip>IP-1.1.1.1</ip></peer-address><local-id><id>1.1.1.1</id><type>ipaddr</type></local-id><peer-id><id>2.2.2.2</id><type>ipaddr</type></peer-id>"

 

Making the ipsec tunnel, this one pukes only for the ike-gateway parameter:

curl --globoff -X GET "https://palo.mydomain.com/api?key=<censored>&type=config&action=set&xpath=/config/devices/entry[@name='localhost.localdomain']/network/tunnel/ipsec/entry[@name='tunnel_name']/auto-key/ike-gateway&element=<entry name='Test'/>"

<response status="error" code="18"><msg><line>Malformed Request</line></msg></response>

 

I have also tried and get the same error:

curl --globoff -X GET "https://palo.mydomain.com/api?key=<censored>&type=config&action=set&xpath=/config/devices/entry[@name='localhost.localdomain']/network/tunnel/ipsec/entry[@name='tunnel_name']&element=<auto-key><ike-gateway><entry name="test"/></ike-gateway></auto-key>"

 

 

The Error:

<response status="error" code="18"><msg><line>Malformed Request</line></msg></response>

 

The CLI Debug:

user@PA# set network tunnel ipsec tunnel_name auto-key ike-gateway Test
(container-tag: network container-tag: tunnel container-tag: ipsec container-tag: entry key-tag: name value: tunnel_name container-tag: auto-key container-tag: ike-gateway container-tag: entry key-tag: name value: Test)
((eol-matched: . #t) (xpath-prefix: . /config/devices/entry[@name='localhost.localdomain']) (context-inserted-at-end-p: . #f))
(network (tunnel (ipsec (entry (@ (name tunnel_name)) (auto-key (ike-gateway (entry (@ (name Test)))))))))
(entry (@ (name Test)))


<request cmd="set" obj="/config/devices/entry[@name='localhost.localdomain']/network/tunnel/ipsec/entry[@name='tunnel_name']/auto-key/ike-gateway" cookie=""><entry name='Test'/></request>


2021-10-09 09:21:23
<response status="success" code="20"><msg>command succeeded</msg></response>

 

This is a lab device running 10.0.

 

I can't figure out what I'm doing wrong here. Am I nuts?

1 accepted solution

Accepted Solutions

L1 Bithead

I think this is boiling down to the quotes I was using in windows command prompt. I was using double-quotes on the outside, and all single quotes on the parameters, but it did not like that in CMD. 

 

Upon further inspection, the browser changed all the single quotes but for the ike-gateway name to %27, and had no double-quotes for the request in the browser. I changed my quotes in the cmd request to %27 as well and it worked like a charm. 

 

I wasn't opening and closing my quotes in a way command prompt could understand.

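The accepted answer comes down to URL encoding: the Windows command prompt passed the single quotes and angle brackets through literally, the browser percent-encoded them (' became %27), and only the encoded form reached the firewall intact. The script below is an added example, not code from this thread or from Palo Alto Networks; it builds the same config/set call the CLI debug shows, encodes every reserved character itself, and parses the `<response>` document so a script can stop on code 18 instead of someone reading the output. The hostname, tunnel and gateway names are the placeholders from the posts; sending the API key in the X-PAN-KEY header rather than the query string is assumed to be supported by the target PAN-OS release.

```python
"""Build, send and check PAN-OS XML API config 'set' calls with proper URL
encoding. Added example, not code from the thread. Hostname, tunnel and
gateway names are placeholders taken from the posts; the X-PAN-KEY header
is assumed to be supported by the target PAN-OS release.
"""
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Characters left unencoded so the xpath stays readable. Everything else
# (quotes, angle brackets, spaces, '=') becomes %XX, which is what the
# browser did for the poster and what the Windows command prompt did not.
_SAFE = "/[]@"


def build_set_url(host: str, xpath: str, element: str) -> str:
    """Return the full config/set URL. The API key is deliberately NOT put
    in the query string; send_set() carries it in the X-PAN-KEY header so
    it does not land in shell history, proxy logs or the firewall's logs."""
    query = urllib.parse.urlencode(
        {"type": "config", "action": "set", "xpath": xpath, "element": element},
        quote_via=urllib.parse.quote,
        safe=_SAFE,
    )
    return f"https://{host}/api/?{query}"


def ike_gateway_request(tunnel: str, gateway: str) -> tuple[str, str]:
    """xpath/element pair mirroring what 'debug cli on' printed for
    'set network tunnel ipsec <tunnel> auto-key ike-gateway <gateway>'."""
    base = "/config/devices/entry[@name='localhost.localdomain']"
    xpath = f"{base}/network/tunnel/ipsec/entry[@name='{tunnel}']/auto-key/ike-gateway"
    element = f"<entry name='{gateway}'/>"
    return xpath, element


def parse_response(body: bytes) -> tuple[str, str, str]:
    """Return (status, code, message) from a PAN-OS API <response> document."""
    root = ET.fromstring(body)
    message = " ".join(t.strip() for t in root.itertext() if t.strip())
    return root.get("status", ""), root.get("code", ""), message


def send_set(host: str, api_key: str, xpath: str, element: str,
             timeout: float = 30.0) -> tuple[str, str, str]:
    """Send the call and return the parsed response. urlopen verifies the
    TLS certificate by default; for a lab box with a self-signed cert,
    trust that CA explicitly rather than disabling verification."""
    req = urllib.request.Request(build_set_url(host, xpath, element),
                                 headers={"X-PAN-KEY": api_key})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_response(resp.read())


if __name__ == "__main__":
    xpath, element = ike_gateway_request("tunnel_name", "Test")
    print(build_set_url("palo.mydomain.com", xpath, element))
    # Constructed responses copied from the thread, parsed offline.
    for body in (
        b'<response status="error" code="18"><msg><line>Malformed Request</line></msg></response>',
        b'<response status="success" code="20"><msg>command succeeded</msg></response>',
    ):
        print(parse_response(body))
```

If you would rather stay with curl, `curl --get --data-urlencode "element=<entry name='Test'/>" ...` performs the same percent-encoding before appending the parameter to the URL, and `-H "X-PAN-KEY: ..."` keeps the key out of the query string; `--globoff` is still needed because of the `[ ]` in the xpath.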

4 REPLIES

L1 Bithead

Looking through the API browser it gave me an xpath for /api/?type=config&action=get&xpath=/config/devices/entry[@name='localhost.localdomain']/network/tunn...

(forgive me for changing the tunnel and ike-gateway names, I'm trying to see if there is some character or term it doesn't like)

If I try to run this it tells me there is an error for the configuration target. That makes sense to me, because up to this point the [@name="thing"] syntax has only been used for the target of a change, and I am not trying to change "thing" in this case but rather trying to apply it as a setting, as is, to the tunnel. 

L1 Bithead

This is absolutely BIZARRE. I ran the command "set network tunnel ipsec asdf auto-key ike-gateway test1" from the CLI with "debug cli on" and found there was an error "Server error : asdf -> auto-key constraints failed : default crypto profile doesn't exist
asdf -> auto-key is invalid"

 

I have no 'default' crypto policies. 

 

I had seen this before and assumed it was an order of operation issue, and so I set the crypto profile before I set the ike-gateway by doing <auto-key><ipsec-crypto-profile>asdf</ipsec-crypto-profile><ike-gateway><entry name="test1"/></ike-gateway></auto-key> (the ipsec policy is set before the gateway, so it doesn't need to worry about the default crypto policy) but that did not help. 

So of all the stupid things I have ever had to do, it added an ipsec policy called 'default'. Bam, it works just fine now. It's so stupid I can't even be happy I've solved it. 

 

SUMMARY: If you want to use the API, don't go deleting your 'defaults'...

(┛◉Д◉)┛彡┻━┻

L1 Bithead

Well, never mind. I accidentally ran the command with action=get instead of action=set, and that always works. Back to the drawing board.

