IPSec P2P VPN Tunnel not working

L2 Linker

Hi,

I am trying to terminate on PaloAlto VM-100 (8.0.13) an IPsec tunnel.

It seems that the other side is not able to connect at all. We have checked all IKE settings and they seem OK.
I am using a Loopback interface with an external IP address (exactly as I am using for the GlobalProtect VPN which is working fine).
Do I have to create any NAT rules for the IPsec tunnel to work? I do not have any NAT rules for Global Protect.

Thank you for any suggestions.




All Replies
L5 Sessionator

Do you see allowed IKE packets coming to this IP? What do the logs of the other device say? Do you have any VPN related logs on your device for this connection?

L2 Linker

The connection has been created from scratch on the partner (initiator) side and it started to work.

Seems that everything was OK on our side.

Thank you :-)

L2 Linker

Well... tonight I had to restart the PA and afterwards I saw that the IPsec is all red.

I went to CLI and:

 

> show vpn ike-sa gateway xxx_IKE_GW

IKE SA for gateway ID 1 not found.

> test vpn ike-sa gateway xxx_IKE_GW

Start time: Oct.28 01:47:20
Initiate 1 IKE SA.

> show vpn ike-sa gateway xxx_IKE_GW

IKEv1 phase-1 SAs
GwID/client IP Peer-Address Gateway Name Role Mode Algorithm Established Expiration V ST Xt Phase2
-------------- ------------ ------------ ---- ---- --------- ----------- ---------- - -- -- ------
1 nn.nn.254.2 xxx_IKE_GW Init Main PSK/ DH2/3DES/SHA1 Oct.28 01:47:20 Oct.28 08:47:20 v1 13 1 1

Show IKEv1 IKE SA: Total 1 gateways found. 1 ike sa found.


IKEv1 phase-2 SAs
Gateway Name TnID Tunnel GwID/IP Role Algorithm SPI(in) SPI(out) MsgID ST Xt
------------ ---- ------ ------- ---- --------- ------- -------- ----- -- --
xxx_IKE_GW 3 xxx:xxx 1 Resp ESP/ DH2/tunl/SHA1 F4010E4C 60330C71 1C5EA19E 9 1

Show IKEv1 phase2 SA: Total 1 gateways found. 1 ike sa found.


There is no IKEv2 SA found.

 

It seems that invoking the test vpn ike-sa gateway xxx_IKE_GW command initiated the IKE SA.

Why didn't it work automatically? Do I always have to do this after reboot? I guess it should work by itself, shouldn't it?

 

 

See my other thread about the GlobalProtect GW:

https://live.paloaltonetworks.com/t5/General-Topics/GlobalProtect-stopped-to-work-after-appliance-re...

 

 

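As an added example (not from the thread or from Palo Alto Networks), a small Python parser for the `show vpn ike-sa gateway` output quoted above: it distinguishes the post-reboot "not found" state from an established tunnel and flags the legacy DH2/3DES/SHA1 phase-1 proposal the output shows, which is what a post-reboot check or a monitoring probe would want. The sample input is constructed from the thread's own placeholder names and addresses; the weak-algorithm list is an assumed local policy, not anything PAN-OS defines.

```python
import re
from dataclasses import dataclass

# Constructed sample input, modelled on the `show vpn ike-sa gateway` output quoted in
# the thread (before and after `test vpn ike-sa`); names and addresses are the thread's placeholders.
OUTPUT_DOWN = "IKE SA for gateway ID 1 not found.\n"
OUTPUT_UP = """IKEv1 phase-1 SAs
GwID/client IP Peer-Address Gateway Name Role Mode Algorithm Established Expiration V ST Xt Phase2
1 nn.nn.254.2 xxx_IKE_GW Init Main PSK/ DH2/3DES/SHA1 Oct.28 01:47:20 Oct.28 08:47:20 v1 13 1 1
Show IKEv1 IKE SA: Total 1 gateways found. 1 ike sa found.
IKEv1 phase-2 SAs
Gateway Name TnID Tunnel GwID/IP Role Algorithm SPI(in) SPI(out) MsgID ST Xt
xxx_IKE_GW 3 xxx:xxx 1 Resp ESP/ DH2/tunl/SHA1 F4010E4C 60330C71 1C5EA19E 9 1
Show IKEv1 phase2 SA: Total 1 gateways found. 1 ike sa found.
There is no IKEv2 SA found.
"""

SUMMARY_RE = re.compile(r"Show IKEv1 (IKE|phase2) SA: Total \d+ gateways found\. (\d+) ike sa found\.")
# Phase-1 algorithm column as printed ("PSK/ DH2/3DES/SHA1"), anchored on the Established timestamp.
P1_ALGO_RE = re.compile(r"\b(\S+)/\s*(DH\d+)/([^/\s]+)/(\S+)\s+\w+\.\d+ \d\d:\d\d:\d\d")
# Legacy primitives to flag when the peer negotiates them (an assumed local policy, not PAN-OS's).
WEAK = {"DES", "3DES", "MD5", "SHA1", "DH1", "DH2", "DH5"}

@dataclass
class IkeStatus:
    phase1_sas: int = 0
    phase2_sas: int = 0
    phase1_algo: str = ""
    weak: tuple = ()

    @property
    def up(self) -> bool:
        # Both phases must exist; after a reboot with no interesting traffic neither does.
        return self.phase1_sas > 0 and self.phase2_sas > 0

def parse_ike_sa(text: str) -> IkeStatus:
    """Turn `show vpn ike-sa gateway <gw>` output into a status record."""
    st = IkeStatus()
    for m in SUMMARY_RE.finditer(text):  # "... not found." has no summary line -> counts stay 0
        if m.group(1) == "IKE":
            st.phase1_sas = int(m.group(2))
        else:
            st.phase2_sas = int(m.group(2))
    m = P1_ALGO_RE.search(text)
    if m:
        auth, dh, enc, hsh = m.groups()
        st.phase1_algo = f"{auth}/{dh}/{enc}/{hsh}"
        st.weak = tuple(a for a in (dh, enc, hsh) if a.upper() in WEAK)
    return st
```

Run against the live CLI output (or a scheduled `show` via the management API), `up` going False after a reboot is exactly the symptom in the thread, and a non-empty `weak` is the prompt to tighten the IKE crypto profile on both peers.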

L7 Applicator

Unless you have VPN monitoring configured, the VPN tunnel is initiated only if devices try to send traffic to the other side (if there is interesting traffic).

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE, PCNSE, PCNSI
Cyber Elite

So when there is no interesting traffic, on the GUI of the IPsec tunnel we will see both reds?

Meaning both IKE and IPsec will be down without interesting traffic?

MP
L7 Applicator

Yes

If you want it to be green then configure tunnel monitoring.

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE, PCNSE, PCNSI
Cyber Elite

Thanks for replying back.

Will enable tunnel monitor and give it a test.

MP