IPsec Site-to-Site VPN trouble (decap bytes 0)

AMS-IX · ‎08-07-2015

Hi all.

I am trying to set up an IPsec s2s tunnel with non-Palo Alto peers. So far I have tried 3 different peers (Strongswan 5.3.2, Cisco router, Cisco SOHO router) and every time I have problems seeing incoming decrypted traffic to the PA.

"Local site" being the PA one, here's the info I have so far:

- IPsec tunnel is up

- "show session all filter protocol 50" shows one active tunnel session (for the ipsec tunnel)

- "show vpn flow tunnel-id name <tunnel name>" shows encap packets, but no decap packets

- Proxy-ID is set to the local NAT address range after translation has been done, and to the native address range for the remote site (no NAT is being done there)

- Remote site end hosts receive packets from the local site, via the tunnel (e.g. echo requests from the post-NAT IPs. NAT range is specific to the PA tunnel interface)

- Local site end hosts never receive replies (e.g. echo replies)

- I have tried putting the (internal) tunnel interface in both the "internal" zone, as well as the "vpn" zone, no luck

- I am using a loopback as the external interface, set in the vpn zone

- Policies from vpn to internal zone and vice versa allow all traffic

UPDATE (some additional notes):

- IPsec tunnel is terminated in a logical loopback interface on the PA, which is configured in the VPN zone.

- Although all policies have logging enabled at session end, I never see logs of tunneled packets incoming from the other peer

- I have thought of configuring the IPsec tunnel to terminate on a logical interface in case it's the loopback interface causing the problem, but all external physical interfaces are set on the untrust zone and I would like to keep

VPN and untrust zones/policies separate.

- The PA is directly connected via a VLAN to our two edge routers. The edge routers have an ingress L3 ACL permitting esp/ahp packets towards the PA loopback address. Removing the L3 ACL entirely also did not help.

Any advice/insight would be greatly appreciated!

Message was edited by: Aris Lamprianidis

pulukas · ‎08-08-2015

Based on this information I believe the issue is on the other device. Since you vpn shows decap of zero, this means no packets are coming out of the tunnel from the remote side.

If the PA were dropping or blocking by policy or inspection, you would see decap increment but nothing on the local host packet capture.

What do the IPSEC stats for the tunnel show on the remote node?

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

pankaku · ‎08-08-2015

Could you paste the output of show session id <id number> for the traffic going from PA to Remote site.

AMS-IX · ‎08-08-2015

Hi Steven. That was my assumption on the first take. Then however I configured the two other peers (Cisco SOHO and Strongswan) and I see the same behavior..

Adding to my reply, the packet counter for the SA from the Strongswan side *is* increasing (see line before last). This part of the output of "ipsec statusall":

Security Associations (1 up, 0 connecting):
      PA[1]: ESTABLISHED 20 minutes ago, 200.200.159.51[200.200.159.51]...100.100.139.9[100.100.139.9]
      PA[1]: IKEv1 SPIs: 46112c603ecc9b01_i 5c5827074640bb75_r*, pre-shared key reauthentication in 7 hours
      PA[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536
      PA{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c9cb52d8_i d369e77c_o
      PA{2}:  AES_CBC_256/HMAC_SHA2_512_256, 68712 bytes_i (818 pkts, 220s ago), 70644 bytes_o (841 pkts, 1s ago), rekeying in 20 minutes
      PA{2}:    172.26.16.0/22 === 10.20.30.0/25

AMS-IX · ‎08-08-2015

Hi Pankaj, here you go (output redacted/sanitized):

"100.100.139.9" is the PA

"200.200.159.51" is the StrongSwan peer

10.20.30.0/25 is the post-NAT PA network

172.26.16.0/22 is the StrongSwan network

aris@PA(active)> show session all filter protocol 50


--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
183171       ipsec-esp      ACTIVE  TUNN       100.100.139.9[51659]/vpn/50  (100.100.139.9[59260])
vsys1                                          200.200.159.51[21208]/vpn  (200.200.159.51[54121])

And this is the output of "ip xfrm policy" on the StrongSwan side:

# ip xfrm policy

src 10.20.30.0/25 dst 172.26.16.0/22

dir fwd priority 2887

tmpl src 100.100.139.9 dst 200.200.159.51

proto esp reqid 1 mode tunnel

src 10.20.30.0/25 dst 172.26.16.0/22

dir in priority 2887

tmpl src 100.100.139.9 dst 200.200.159.51

proto esp reqid 1 mode tunnel

src 172.26.16.0/22 dst 10.20.30.0/25

dir out priority 2887

tmpl src 200.200.159.51 dst 100.100.139.9

proto esp reqid 1 mode tunnel

src 0.0.0.0/0 dst 0.0.0.0/0

socket in priority 0

src 0.0.0.0/0 dst 0.0.0.0/0

socket out priority 0

src 0.0.0.0/0 dst 0.0.0.0/0

socket in priority 0

src 0.0.0.0/0 dst 0.0.0.0/0

socket out priority 0

src ::/0 dst ::/0

socket in priority 0

src ::/0 dst ::/0

socket out priority 0

src ::/0 dst ::/0

socket in priority 0

src ::/0 dst ::/0

socket out priority 0

IPsec Site-to-Site VPN trouble (decap bytes 0)

IPsec Site-to-Site VPN trouble (decap bytes 0)

Show your appreciation!