02-20-2021 05:44 PM - edited 02-20-2021 05:53 PM
I was configuring a site-to-site IPsec VPN and I was having a hard time matching my encryption and authentication parameters. The remote end device is a Huawei Eudemon 1000E and my local device is a PA-800. I have finished the configuration on both sides by picking the closest parameters (I suppose), which I presume would work to get the tunnel up and running. Unfortunately, it's not up and running yet, and my prime suspicion would be the IPsec parameters not matching on each of the peers.
I have details here below:
Supported parameters on my local PA800 are:
And on the remote Huawei Firewall Device, the supported parameters are:
02-22-2021 02:15 PM
Huawei doesn't really appear to have clear information on which algorithms they support.
1. and 2. should work if Huawei implemented CBC as the default. 3. You'll need to pick something other than XCBC, as that's not supported on the Palo.
To troubleshoot this, try initiating the connection from the Huawei while running these commands on the Palo:
reaper@PA-VM2> debug ike gateway GW1 on debug
Debugging for IKE gateway GW1 is enabled (debug).
IKE gateway debug level:
GW1 2 debug
reaper@PA-VM2> debug ike tunnel Tunnel1 on debug
Debugging for IPSec tunnel Tunnel1 is enabled (debug).
IKE gateway debug level:
GW1 2 debug
IPSec tunnel debug level:
Tunnel1 2 debug
reaper@PA-VM2> tail follow yes mp-log ikemgr.log
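The mismatch the reply describes (the two vendors spell the same algorithm differently, Huawei's bare "aes-128" meaning AES-CBC, and XCBC existing on only one side) can be worked out on paper before touching either box. The script below is an added example and is not code from the thread or from either vendor: it normalises each side's algorithm names to one spelling, intersects the two sets, flags anything the local peer cannot negotiate, and ranks the survivors so the strongest common proposal is configured on both ends. The parameter lists, alias table and rank tables are constructed for illustration and are assumptions, not copied from PAN-OS or Huawei documentation.

```python
"""Find IKE/IPsec proposal combinations two peers can agree on.

Added example for the thread above, not vendor code. All algorithm
lists below are constructed for illustration (assumptions), not taken
from Palo Alto Networks or Huawei documentation.
"""
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Vendor spellings mapped to one common name (assumed aliases).
# A bare "aes-NNN" with no mode suffix is treated as AES-CBC, which is
# what the thread reports the Huawei side means when no mode is stated.
ALIASES: Dict[str, str] = {
    "aes-128": "aes-128-cbc",
    "aes-192": "aes-192-cbc",
    "aes-256": "aes-256-cbc",
    "aes128": "aes-128-cbc",
    "aes256": "aes-256-cbc",
    "sha2-256": "sha256",
    "sha2-384": "sha384",
    "sha2-512": "sha512",
    "sha-1": "sha1",
    "3des-cbc": "3des",
    "aes-xcbc-96": "aes-xcbc",
}

# Higher rank = preferred when several combinations match. Anything not
# listed gets rank 0. These preferences are the example's own choice.
ENC_RANK: Dict[str, int] = {
    "aes-256-gcm": 6, "aes-128-gcm": 5, "aes-256-cbc": 4,
    "aes-192-cbc": 3, "aes-128-cbc": 2, "3des": 1,
}
AUTH_RANK: Dict[str, int] = {"sha512": 4, "sha384": 3, "sha256": 2, "sha1": 1}
# Algorithms a practitioner should not pick for a new tunnel even if common.
LEGACY: Set[str] = {"des", "3des", "md5", "sha1"}

Proposal = Tuple[str, str]


def normalise(names: Iterable[str]) -> Set[str]:
    """Lower-case each name and rewrite vendor spellings via ALIASES."""
    return {ALIASES.get(n.strip().lower(), n.strip().lower()) for n in names}


def match_proposals(local_enc: Iterable[str], local_auth: Iterable[str],
                    remote_enc: Iterable[str], remote_auth: Iterable[str]
                    ) -> Tuple[List[Proposal], List[str]]:
    """Return (common proposals ranked strongest first,
    remote algorithms the local peer cannot negotiate at all)."""
    lenc, lauth = normalise(local_enc), normalise(local_auth)
    renc, rauth = normalise(remote_enc), normalise(remote_auth)
    common = [(e, a) for e in lenc & renc for a in lauth & rauth]
    common.sort(key=lambda p: (ENC_RANK.get(p[0], 0), AUTH_RANK.get(p[1], 0)),
                reverse=True)
    unmatched = sorted((renc - lenc) | (rauth - lauth))
    return common, unmatched


def recommend(common: List[Proposal]) -> Optional[Proposal]:
    """Strongest common pair that uses no legacy algorithm, or None."""
    for enc, auth in common:
        if enc not in LEGACY and auth not in LEGACY:
            return enc, auth
    return None


# Constructed sample lists (assumptions for the demo, not real device output).
PALO_ENC = ["aes-128-cbc", "aes-192-cbc", "aes-256-cbc",
            "aes-128-gcm", "aes-256-gcm", "3des"]
PALO_AUTH = ["sha1", "sha256", "sha384", "sha512", "md5"]
HUAWEI_ENC = ["aes-128", "aes-256", "3des", "des"]
HUAWEI_AUTH = ["sha1", "sha2-256", "md5", "aes-xcbc-96"]


if __name__ == "__main__":
    common, unmatched = match_proposals(PALO_ENC, PALO_AUTH, HUAWEI_ENC, HUAWEI_AUTH)
    print("Common proposals, strongest first:")
    for enc, auth in common:
        print(f"  {enc:12s} / {auth}")
    print("Remote-only algorithms (configure these and the tunnel never matches):",
          ", ".join(unmatched))
    print("Recommended:", recommend(common))
```

Run it as a script to see the ranked list; the remote-only line is where "aes-xcbc" lands, which is the reply's point 3. In practice, a proposal that appears common here but still fails on the box means the names matched and something else did not (DH group, lifetime, IKE version or the proxy IDs), which is what the ikemgr.log debug above is for.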
02-28-2021 01:49 AM
@reaper You have accurately put it there, and I just got it working successfully yesterday; with no specific type stated, it automatically means CBC. Thank you for sharing your knowledge and wishing you all the best!
The next challenge will be DHCP from the remote site via the tunnel to the AD and DHCP server that is situated in the HQ. Drop me a link to any related topic if you have one. Thank you again!