10-26-2018 05:20 AM
Hi,
I am trying to terminate on PaloAlto VM-100 (8.0.13) an IPsec tunnel.
It seems that the other side is not able to connect at all. We have checked all IKE settings and they seem OK.
I am using a Loopback interface with an external IP address (exactly as I am using for the GlobalProtect VPN which is working fine).
Do I have to create any NAT rules for the IPsec tunnel to work? I do not have any NAT rules for Global Protect.
Thank you for any suggestions.
10-26-2018 06:25 AM
Do you see allowed IKE packets coming to this IP? What do the logs of the other device say? Do you have any VPN related logs on your device for this connection?
10-26-2018 07:17 AM - edited 10-26-2018 07:18 AM
The connection has been created from scratch on the partner (initiator) side and it started to work.
Seems that everything was OK on our side.
Thank you 🙂
10-27-2018 04:56 PM - edited 10-28-2018 07:30 AM
Well... tonight I had to restart the PA and afterwards I saw that the IPsec is all red.
I went to CLI and:
> show vpn ike-sa gateway xxx_IKE_GW
IKE SA for gateway ID 1 not found.
> test vpn ike-sa gateway xxx_IKE_GW
Start time: Oct.28 01:47:20
Initiate 1 IKE SA.
> show vpn ike-sa gateway xxx_IKE_GW
IKEv1 phase-1 SAs
GwID/client IP Peer-Address Gateway Name Role Mode Algorithm Established Expiration V ST Xt Phase2
-------------- ------------ ------------ ---- ---- --------- ----------- ---------- - -- -- ------
1 nn.nn.254.2 xxx_IKE_GW Init Main PSK/ DH2/3DES/SHA1 Oct.28 01:47:20 Oct.28 08:47:20 v1 13 1 1
Show IKEv1 IKE SA: Total 1 gateways found. 1 ike sa found.
IKEv1 phase-2 SAs
Gateway Name TnID Tunnel GwID/IP Role Algorithm SPI(in) SPI(out) MsgID ST Xt
------------ ---- ------ ------- ---- --------- ------- -------- ----- -- --
xxx_IKE_GW 3 xxx:xxx 1 Resp ESP/ DH2/tunl/SHA1 F4010E4C 60330C71 1C5EA19E 9 1
Show IKEv1 phase2 SA: Total 1 gateways found. 1 ike sa found.
There is no IKEv2 SA found.
It seems that invoking the test vpn ike-sa gateway xxx_IKE_GW command initiated the IKE SA.
Why didn't it work automatically? Do I always have to do this after reboot? I guess it should work by itself, shouldn't it?
See my other thread about the GlobalProtect GW:
10-27-2018 05:37 PM
Unless you have vpn monitoring configured vpn tunnel is initiated only if devices try to send traffic to other side (if there is interesting traffic).
10-27-2018 09:06 PM
So when there is no interesting traffic, in the GUI of the IPsec tunnel we will see both reds?
I mean both IKE and IPsec will be down without interesting traffic?
10-28-2018 07:32 AM
Yes
If you want it to be green then configure tunnel monitoring.
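The two replies above make the point that a red IKE/IPsec status right after a reboot is not by itself a failure: without tunnel monitoring the SA is only negotiated once interesting traffic arrives. The script below is an added example, not something posted in this thread or shipped by Palo Alto Networks; it parses the two states of `show vpn ike-sa gateway` output seen earlier in the thread (the "not found" line and the phase-1/phase-2 tables, both embedded here as constructed sample text copied from the thread) and turns them into an operator message that distinguishes "no SA because nothing triggered it yet" from "no SA although tunnel monitoring should have brought it up". The `LEGACY` set and the wording of the messages are my assumptions, and the regexes were written against the exact column layout shown in the thread, so adjust them if your PAN-OS version prints the tables differently.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample outputs, modelled on the "show vpn ike-sa gateway" output in the thread.
# Before anything has triggered the negotiation:
IKE_SA_NOT_FOUND = "IKE SA for gateway ID 1 not found.\n"

# After the SA is up (same layout and values as the thread's output):
IKE_SA_UP = """\
IKEv1 phase-1 SAs
GwID/client IP Peer-Address Gateway Name Role Mode Algorithm Established Expiration V ST Xt Phase2
-------------- ------------ ------------ ---- ---- --------- ----------- ---------- - -- -- ------
1 nn.nn.254.2 xxx_IKE_GW Init Main PSK/ DH2/3DES/SHA1 Oct.28 01:47:20 Oct.28 08:47:20 v1 13 1 1
Show IKEv1 IKE SA: Total 1 gateways found. 1 ike sa found.
IKEv1 phase-2 SAs
Gateway Name TnID Tunnel GwID/IP Role Algorithm SPI(in) SPI(out) MsgID ST Xt
------------ ---- ------ ------- ---- --------- ------- -------- ----- -- --
xxx_IKE_GW 3 xxx:xxx 1 Resp ESP/ DH2/tunl/SHA1 F4010E4C 60330C71 1C5EA19E 9 1
Show IKEv1 phase2 SA: Total 1 gateways found. 1 ike sa found.
There is no IKEv2 SA found.
"""

# Summary line printed after each SA table; "IKE" is phase 1, "phase2" is phase 2.
SUMMARY_RE = re.compile(
    r"Show IKEv1 (?P<phase>IKE|phase2) SA: Total (?P<gws>\d+) gateways found\. "
    r"(?P<sas>\d+) ike sa found\."
)
# Phase-1 row: GwID, peer address, gateway name, role, mode, then "auth/ group/cipher/hash".
P1_ROW_RE = re.compile(
    r"^(?P<gwid>\d+)\s+(?P<peer>\S+)\s+(?P<gateway>\S+)\s+(?P<role>Init|Resp)\s+"
    r"(?P<mode>Main|Aggr)\s+(?P<auth>\S+)/\s*(?P<alg>\S+)"
)
# Groups and ciphers generally treated as legacy today (assumption: tune to your own policy).
LEGACY = {"DH1", "DH2", "DES", "3DES", "MD5"}


@dataclass
class IkeStatus:
    phase1_count: int = 0
    phase2_count: int = 0
    peer: Optional[str] = None
    gateway: Optional[str] = None
    algorithm: Optional[str] = None
    legacy_algorithms: List[str] = field(default_factory=list)

    @property
    def state(self) -> str:
        # "no-sa": nothing negotiated; "phase1-only": IKE up but no IPsec SA; "up": both present.
        if self.phase1_count == 0:
            return "no-sa"
        if self.phase2_count == 0:
            return "phase1-only"
        return "up"


def parse_ike_sa(output: str) -> IkeStatus:
    """Parse 'show vpn ike-sa gateway <name>' output into an IkeStatus."""
    status = IkeStatus()
    for raw in output.splitlines():
        line = raw.strip()
        m = SUMMARY_RE.match(line)
        if m:
            count = int(m.group("sas"))
            if m.group("phase") == "IKE":
                status.phase1_count = count
            else:
                status.phase2_count = count
            continue
        m = P1_ROW_RE.match(line)
        if m and status.peer is None:  # first phase-1 row only
            status.peer = m.group("peer")
            status.gateway = m.group("gateway")
            status.algorithm = m.group("alg")
            status.legacy_algorithms = [a for a in m.group("alg").split("/") if a in LEGACY]
    return status


def explain(status: IkeStatus, tunnel_monitoring: bool) -> str:
    """Operator-facing reading of the state, following the logic given in the replies."""
    if status.state == "up":
        msg = f"IKE and IPsec SAs up with {status.peer} ({status.algorithm})"
        if status.legacy_algorithms:
            msg += "; legacy algorithms in use: " + ", ".join(status.legacy_algorithms)
        return msg
    if status.state == "no-sa" and not tunnel_monitoring:
        return "no IKE SA; without tunnel monitoring this just means no interesting traffic yet"
    if status.state == "no-sa":
        return "no IKE SA although tunnel monitoring is enabled: check IKE settings and the system log"
    return "phase 1 up but no phase-2 SA: check the IPsec proposal and the tunnel's traffic selectors"


if __name__ == "__main__":
    print(explain(parse_ike_sa(IKE_SA_NOT_FOUND), tunnel_monitoring=False))
    print(explain(parse_ike_sa(IKE_SA_UP), tunnel_monitoring=True))
```

The parser keys on the "Show IKEv1 ... SA: ... ike sa found." summary lines rather than counting table rows, so it gives the same answer whether or not the gateway has several SAs during rekey. The legacy-algorithm flag is there because the thread's own output shows DH2/3DES: a tunnel that comes up is not necessarily a tunnel you want to keep as configured.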
10-28-2018 07:47 AM
Thanks for reply back.
Will enable tunnel Monitor and give it a test.