IPSec P2P VPN Tunnel not working

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

IPSec P2P VPN Tunnel not working

L2 Linker

Hi,

I am trying to terminate on PaloAlto VM-100 (8.0.13) an IPsec tunnel.

It seems that the other side is not able to connect at all. We have checke all IKE settings and they seem OK.
I am using a Loopback interface with an external IP address (exactly as I am using for the GlobalProtect VPN which is working fine).
Do I have to create any NAT rules for the IPsec tunnel to work? I do not have any NAT rules for Global Protect.

Thank you for any suggestions.

1 accepted solution

Accepted Solutions

Well... tonight I had to restart the PA and after I saw that the IPsec is all red.

I went to CLI and:

 

> show vpn ike-sa gateway xxx_IKE_GW

IKE SA for gateway ID 1 not found.

> test vpn ike-sa gateway xxx_IKE_GW

Start time: Oct.28 01:47:20
Initiate 1 IKE SA.

> show vpn ike-sa gateway xxx_IKE_GW

IKEv1 phase-1 SAs
GwID/client IP Peer-Address Gateway Name Role Mode Algorithm Established Expiration V ST Xt Phase2
-------------- ------------ ------------ ---- ---- --------- ----------- ---------- - -- -- ------
1 nn.nn.254.2 xxx_IKE_GW Init Main PSK/ DH2/3DES/SHA1 Oct.28 01:47:20 Oct.28 08:47:20 v1 13 1 1

Show IKEv1 IKE SA: Total 1 gateways found. 1 ike sa found.


IKEv1 phase-2 SAs
Gateway Name TnID Tunnel GwID/IP Role Algorithm SPI(in) SPI(out) MsgID ST Xt
------------ ---- ------ ------- ---- --------- ------- -------- ----- -- --
xxx_IKE_GW 3 xxx:xxx 1 Resp ESP/ DH2/tunl/SHA1 F4010E4C 60330C71 1C5EA19E 9 1

Show IKEv1 phase2 SA: Total 1 gateways found. 1 ike sa found.


There is no IKEv2 SA found.

 

It seems that invoking the test vpn ike-sa gateway xxx_IKE_GW command initiated the IKE SA.

Why didn't it work automatically? Do I always have to do this after reboot? I guess it should wor by itself, shouldn't it?

 

 

See my other thread about the GlobalProtect GW:

https://live.paloaltonetworks.com/t5/General-Topics/GlobalProtect-stopped-to-work-after-appliance-re...

 

 

View solution in original post

7 REPLIES 7

L6 Presenter

Do you see allowed IKE packets comming to this IP? What do the logs of the other device say? Do you have any VPN related logs on your device for this connection?

The connectio has been created from the scratch on the partner (initiator) side and it started to work.

Seems that everything was OK on our side.

Thank you 🙂

Well... tonight I had to restart the PA and after I saw that the IPsec is all red.

I went to CLI and:

 

> show vpn ike-sa gateway xxx_IKE_GW

IKE SA for gateway ID 1 not found.

> test vpn ike-sa gateway xxx_IKE_GW

Start time: Oct.28 01:47:20
Initiate 1 IKE SA.

> show vpn ike-sa gateway xxx_IKE_GW

IKEv1 phase-1 SAs
GwID/client IP Peer-Address Gateway Name Role Mode Algorithm Established Expiration V ST Xt Phase2
-------------- ------------ ------------ ---- ---- --------- ----------- ---------- - -- -- ------
1 nn.nn.254.2 xxx_IKE_GW Init Main PSK/ DH2/3DES/SHA1 Oct.28 01:47:20 Oct.28 08:47:20 v1 13 1 1

Show IKEv1 IKE SA: Total 1 gateways found. 1 ike sa found.


IKEv1 phase-2 SAs
Gateway Name TnID Tunnel GwID/IP Role Algorithm SPI(in) SPI(out) MsgID ST Xt
------------ ---- ------ ------- ---- --------- ------- -------- ----- -- --
xxx_IKE_GW 3 xxx:xxx 1 Resp ESP/ DH2/tunl/SHA1 F4010E4C 60330C71 1C5EA19E 9 1

Show IKEv1 phase2 SA: Total 1 gateways found. 1 ike sa found.


There is no IKEv2 SA found.

 

It seems that invoking the test vpn ike-sa gateway xxx_IKE_GW command initiated the IKE SA.

Why didn't it work automatically? Do I always have to do this after reboot? I guess it should wor by itself, shouldn't it?

 

 

See my other thread about the GlobalProtect GW:

https://live.paloaltonetworks.com/t5/General-Topics/GlobalProtect-stopped-to-work-after-appliance-re...

 

 

Unless you have vpn monitoring configured vpn tunnel is initiated only if devices try to send traffic to other side (if there is interesting traffic).

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

So when there is no interesting traffic on GUI of IPsec tunnel we will see both reds?

mean both ike and ipsec will be down with out interesting traffic?

MP

Help the community: Like helpful comments and mark solutions.

Yes

If you want it to be green then configure tunnel monitoring.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Thanks for reply back.

Will enable tunnel Monitor and give it a test.

MP

Help the community: Like helpful comments and mark solutions.
  • 1 accepted solution
  • 26707 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!