IPsec Site-to-Site VPN trouble (decap bytes 0)

AMS-IX · ‎08-07-2015

Hi all.

I am trying to set up an IPsec s2s tunnel with non-Palo Alto peers. So far I have tried 3 different peers (Strongswan 5.3.2, Cisco router, Cisco SOHO router) and every time I have problems seeing incoming decrypted traffic to the PA.

"Local site" being the PA one, here's the info I have so far:

- IPsec tunnel is up

- "show session all filter protocol 50" shows one active tunnel session (for the ipsec tunnel)

- "show vpn flow tunnel-id name <tunnel name>" shows encap packets, but no decap packets

- Proxy-ID is set to the local NAT address range after translation has been done, and to the native address range for the remote site (no NAT is being done there)

- Remote site end hosts receive packets from the local site, via the tunnel (e.g. echo requests from the post-NAT IPs. NAT range is specific to the PA tunnel interface)

- Local site end hosts never receive replies (e.g. echo replies)

- I have tried putting the (internal) tunnel interface in both the "internal" zone, as well as the "vpn" zone, no luck

- I am using a loopback as the external interface, set in the vpn zone

- Policies from vpn to internal zone and vice versa allow all traffic

UPDATE (some additional notes):

- IPsec tunnel is terminated in a logical loopback interface on the PA, which is configured in the VPN zone.

- Although all policies have logging enabled at session end, I never see logs of tunneled packets incoming from the other peer

- I have thought of configuring the IPsec tunnel to terminate on a logical interface in case it's the loopback interface causing the problem, but all external physical interfaces are set on the untrust zone and I would like to keep

VPN and untrust zones/policies separate.

- The PA is directly connected via a VLAN to our two edge routers. The edge routers have an ingress L3 ACL permitting esp/ahp packets towards the PA loopback address. Removing the L3 ACL entirely also did not help.

Any advice/insight would be greatly appreciated!

Message was edited by: Aris Lamprianidis

ArnljotSeem · ‎10-09-2017

Did you ever find a solution to this problem? I have the same issue with a StrongSwan, although a simpler setup without NAT. I'm using an external IP as my peer IP, so no loopback.

Ping works both ways, although not for every packet size. E.g. From the firewall (inside interface) size=1080 works but not 1085, size=282 works but not 283 !?

Traffic is flowing from local site, but no reply is ever received. I did a packet capture on the tunnel interface, and see the three-way handshake, but when our host does a http GET, I see no reply.

Very odd. We're running PANOS 7.0.14 and we have numerous other VPN's up and running, but only this one with Strongswan.

AMS-IX · ‎11-13-2017

Hello @ArnljotSeem,

Unfortunately this thread is now 2 years old, so I cannot recall what the root cause was. Based on your problem description so far though, I'm inclined to say that the issue behind it is not the same one.

You're saying that other VPN s2s solutions work, and this is specific to the PA and StrongSwan. I'd check release notes for any later StrongSwan versions, and/or try a different FOSS IPSec solutions, if at all possible. This message sounds hopelessly generic, but I'd at least wanted to let you know I didn't have the answer you were seeking for anyway 😕

punit.jethva · ‎11-01-2021

Check this out - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsiCAC

IPsec Site-to-Site VPN trouble (decap bytes 0)

IPsec Site-to-Site VPN trouble (decap bytes 0)

Show your appreciation!