09-14-2020 03:13 PM
I'm having issues with an IPsec tunnel which was configured by another engineer. I'm currently facing issues with tunnel connectivity and I need to cross-verify the parameters. So can someone guide me on how to check the pre-shared key in plain text format?
09-14-2020 08:34 PM
This isn't possible. You can't go back and get the clear text value for anything in the configuration when it comes to passwords, pre-shared keys or anything of the sort. The firewall simply stores a hash or encrypted form of the value.
09-14-2020 11:28 PM
As @BPry said, but to verify if there is a mismatch you can use this command in the CLI:
less mp-log ikemgr.log
09-15-2020 06:37 AM
@Abdul-Fattah, you will see "pre-share mismatch" only if the remote site is the initiator of the tunnel negotiation and you are the receiver. If you are the initiator you will only see the "IKE phase1 timeout" message in the logs. This is caused by the nature of the IPsec
09-15-2020 07:22 AM - edited 09-15-2020 07:24 AM
If you see it in the logs as @aleksandar.astardzhiev mentioned, then the best thing is to have a new key on both ends.
Unless you can get the pre-shared key from the other side of the connection.
Regards
09-15-2020 08:32 AM
Thanks guys for your responses... What I understand is that we have very limited options in Palo Alto in terms of troubleshooting tunnel down issues. So I can go ahead and reconfigure the pre-shared key and test again.
I appreciate everyone's responses!! @BPry @Abdul-Fattah @MP18
09-15-2020 11:22 AM
Hey @iamvivekms ,
I cannot agree with your statement - "we have very limited options in Paloalto in terms of troubleshooting Tunnel down issues"
It is quite the opposite:
A wrong PSK is the most common mistake when configuring a new tunnel, so my suggestion in this case is:
1. Re-enter the psk again at your end of the tunnel.
2. Re-enter the psk at the remote end of the tunnel
3. Agree on new psk
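
The role-dependent log behaviour described in the replies above, as an added example that is not part of the original thread: it scans ikemgr.log text for the two messages quoted above and reports, per peer, whether a PSK mismatch is confirmed (seen as receiver) or only a phase 1 timeout was seen (as initiator, which does not by itself prove a mismatch). The log line layout, the loose regex wording and the sample addresses are constructed assumptions; real ikemgr.log output may differ.

```python
import re
from collections import defaultdict

# Loose patterns for the two messages quoted in the thread. The exact wording
# in a real ikemgr.log is an assumption and may differ between PAN-OS versions.
MISMATCH = re.compile(r"pre-?shared?(\s+key)?\s+mismatch", re.I)
TIMEOUT = re.compile(r"phase-?\s?1\b.*timeout", re.I)
PEER = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample lines (documentation addresses), not real firewall output.
SAMPLE_LOG = """\
2020-09-15 06:01:12 peer 203.0.113.10 pre-share mismatch
2020-09-15 06:01:42 peer 203.0.113.10 pre-share mismatch
2020-09-15 06:03:05 peer 198.51.100.7 IKE phase1 timeout
2020-09-15 06:04:30 peer 192.0.2.44 IKE phase1 negotiation succeeded
"""

def diagnose(log_text):
    """Return {peer_ip: verdict} for peers with a phase 1 failure message."""
    counts = defaultdict(lambda: {"mismatch": 0, "timeout": 0})
    for line in log_text.splitlines():
        peer = PEER.search(line)
        if not peer:
            continue  # no peer address on this line, nothing to attribute
        if MISMATCH.search(line):
            counts[peer.group(1)]["mismatch"] += 1
        elif TIMEOUT.search(line):
            counts[peer.group(1)]["timeout"] += 1

    verdicts = {}
    for ip, seen in counts.items():
        if seen["mismatch"]:
            # Logged when the remote side initiated and we were the receiver.
            verdicts[ip] = "psk-mismatch"
        else:
            # As initiator only a timeout is logged; a wrong PSK is one
            # possible cause, so this alone is not a confirmation.
            verdicts[ip] = "inconclusive"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in diagnose(SAMPLE_LOG).items():
        print(f"{ip}: {verdict}")
```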