09-24-2018 07:19 AM
Hi
Been trying to get a VPN tunnel working between a Linksys Rv082 and Palo Alto. (don't ask...)
But no luck in the testing. I based my PA config on the Linksys Rv082 settings, which I got from the person on the other end, but so far no success. Anybody tried this before? I would appreciate any experience or pointers.
I provided a link to the Linksys emulated routers (http://ui.linksys.com/LRT214/v1.0.2.06/gateway_to_gateway.htm )
This link is not the same router, but still the settings are the same.
Thank you
Regards Johnny_5
09-24-2018 08:50 AM
As Palo Alto also supports these weak algorithms, I don't think this is the problem. But as @VinceM already wrote: Do NOT use these algorithms! They are weak and have been easy to crack for many years.
Anyway, for more helpful troubleshooting results you should ask the other person to do a connection test, because in this case you will have more information in the system logs on your PA about the actual reason that prevents a successful connection.
09-24-2018 09:32 AM - edited 09-25-2018 11:38 AM
I will post the complete config for both tomorrow; that way it will be easier to see, I think.
The IPs have been changed to protect the innocent.
LinksysR1
<---------->
LAN 10.3.2.1/24 (device-router)
WAN Static 199.167.52.137 /255.255.255.248
Default GW 199.167.52.136
dns1 199.167.52.10
dns2 199.167.52.11
ipsec
Local group:
local security GW type: ip only
ip address:199.167.52.137
local security group type:subnet
ip address: 10.3.2.0/24
remote group:
remote security Gw type: ip only
ip address:194.167.54.8
remote security group type:subnet
ip address: 10.4.8.0/24
name: tunnel fun
Phase2:AES/SHA1
local group:10.3.2.0/24
remote group:10.4.8.0/24
remote GW: 194.167.54.8
Keying mode: ike w/preshared key
Phase1 DH Group: Group1
Phase1 encryption: AES-256
phase1 authentication: SHA1
phase1 SA life time: 28800
perfect forward secrecy
Phase2 DH Group: Group1
Phase2 encryption: AES-256
phase2 authentication: SHA1
phase2 SA life time: 28800
pre-shared key: barreloffun
advanced:
keep-alive
Netbios broadcast
dead peer detection (DPD) interval 10 sec
09-25-2018 11:41 AM
I think there are 2 possible errors:
1. tunnel ciphers are mismatched
2. static routing could be wrong.
Palo Alto config:
<ethernet>
<entry name="ethernet1/1">
<layer3>
<ipv6>
<neighbor-discovery>
<router-advertisement>
<enable>no</enable>
</router-advertisement>
</neighbor-discovery>
</ipv6>
<ndp-proxy>
<enabled>no</enabled>
</ndp-proxy>
<lldp>
<enable>no</enable>
</lldp>
<ip>
<entry name="194.167.54.8"/>
</ip>
<interface-management-profile>Allow Ping</interface-management-profile>
</layer3>
<comment>ISPånd</comment>
</entry>
<entry name="ethernet1/2">
<layer3>
<ipv6>
<neighbor-discovery>
<router-advertisement>
<enable>no</enable>
</router-advertisement>
</neighbor-discovery>
</ipv6>
<ndp-proxy>
<enabled>no</enabled>
</ndp-proxy>
<lldp>
<enable>no</enable>
</lldp>
<ip>
<entry name="10.4.8.1/24"/>
</ip>
</layer3>
<comment>test_client</comment>
</entry>
</ethernet>
<loopback>
<units/>
</loopback>
<vlan>
<units/>
</vlan>
<tunnel>
<units>
<entry name="tunnel.1"/>
</units>
</tunnel>
</interface>
<vlan/>
<virtual-wire/>
<profiles>
<monitor-profile>
<entry name="default">
<interval>3</interval>
<threshold>5</threshold>
<action>wait-recover</action>
</entry>
</monitor-profile>
<interface-management-profile>
<entry name="Allow Ping">
<ping>yes</ping>
</entry>
</interface-management-profile>
</profiles>
<ike>
<crypto-profiles>
<ike-crypto-profiles>
<entry name="default">
<encryption>
<member>aes-128-cbc</member>
<member>3des</member>
</encryption>
<hash>
<member>sha1</member>
</hash>
<dh-group>
<member>group2</member>
</dh-group>
<lifetime>
<hours>8</hours>
</lifetime>
</entry>
<entry name="Suite-B-GCM-128">
<encryption>
<member>aes-128-cbc</member>
</encryption>
<hash>
<member>sha256</member>
</hash>
<dh-group>
<member>group19</member>
</dh-group>
<lifetime>
<hours>8</hours>
</lifetime>
</entry>
<entry name="Suite-B-GCM-256">
<encryption>
<member>aes-256-cbc</member>
</encryption>
<hash>
<member>sha384</member>
</hash>
<dh-group>
<member>group20</member>
</dh-group>
<lifetime>
<hours>8</hours>
</lifetime>
</entry>
</ike-crypto-profiles>
<ipsec-crypto-profiles>
<entry name="default">
<esp>
<encryption>
<member>aes-128-cbc</member>
<member>3des</member>
</encryption>
<authentication>
<member>sha1</member>
</authentication>
</esp>
<dh-group>group2</dh-group>
<lifetime>
<hours>1</hours>
</lifetime>
</entry>
<entry name="Suite-B-GCM-128">
<esp>
<encryption>
<member>aes-128-gcm</member>
</encryption>
<authentication>
<member>none</member>
</authentication>
</esp>
<dh-group>group19</dh-group>
<lifetime>
<hours>1</hours>
</lifetime>
</entry>
<entry name="Suite-B-GCM-256">
<esp>
<encryption>
<member>aes-256-gcm</member>
</encryption>
<authentication>
<member>none</member>
</authentication>
</esp>
<dh-group>group20</dh-group>
<lifetime>
<hours>1</hours>
</lifetime>
</entry>
<entry name="Crypto2">
<esp>
<authentication>
<member>sha1</member>
</authentication>
<encryption>
<member>aes-256-cbc</member>
<member>aes-256-gcm</member>
</encryption>
</esp>
<lifetime>
<hours>28800</hours>
</lifetime>
<dh-group>group2</dh-group>
</entry>
<entry name="Crypto1">
<esp>
<authentication>
<member>sha1</member>
</authentication>
<encryption>
<member>aes-256-cbc</member>
<member>aes-256-gcm</member>
</encryption>
</esp>
<lifetime>
<hours>28800</hours>
</lifetime>
<dh-group>group1</dh-group>
</entry>
</ipsec-crypto-profiles>
<global-protect-app-crypto-profiles>
<entry name="default">
<encryption>
<member>aes-128-cbc</member>
</encryption>
<authentication>
<member>sha1</member>
</authentication>
</entry>
</global-protect-app-crypto-profiles>
</crypto-profiles>
<gateway>
<entry name="I_Like_IKE">
<authentication>
<pre-shared-key>
<key>-AQ==Tunneoffun=</key>
</pre-shared-key>
</authentication>
<protocol>
<ikev1>
<dpd>
<enable>yes</enable>
</dpd>
</ikev1>
<ikev2>
<dpd>
<enable>yes</enable>
</dpd>
</ikev2>
<version>ikev1</version>
</protocol>
<local-address>
<ip>194.167.54.8/29</ip>
<interface>ethernet1/1</interface>
</local-address>
<protocol-common>
<nat-traversal>
<enable>no</enable>
</nat-traversal>
<fragmentation>
<enable>no</enable>
</fragmentation>
</protocol-common>
<peer-address>
<ip>199.167.52.137</ip>
</peer-address>
</entry>
</gateway>
</ike>
<qos>
<profile>
<entry name="default">
<class>
<entry name="class1">
<priority>real-time</priority>
</entry>
<entry name="class2">
<priority>high</priority>
</entry>
<entry name="class3">
<priority>high</priority>
</entry>
<entry name="class4">
<priority>medium</priority>
</entry>
<entry name="class5">
<priority>medium</priority>
</entry>
<entry name="class6">
<priority>low</priority>
</entry>
<entry name="class7">
<priority>low</priority>
</entry>
<entry name="class8">
<priority>low</priority>
</entry>
</class>
</entry>
</profile>
</qos>
<virtual-router>
<entry name="ISP Static">
<protocol>
<bgp>
<enable>no</enable>
<dampening-profile>
<entry name="default">
<cutoff>1.25</cutoff>
<reuse>0.5</reuse>
<max-hold-time>900</max-hold-time>
<decay-half-life-reachable>300</decay-half-life-reachable>
<decay-half-life-unreachable>900</decay-half-life-unreachable>
<enable>yes</enable>
</entry>
</dampening-profile>
<routing-options>
<graceful-restart>
<enable>yes</enable>
</graceful-restart>
</routing-options>
</bgp>
</protocol>
<interface>
<member>ethernet1/1</member>
<member>ethernet1/2</member>
<member>tunnel.1</member>
</interface>
<ecmp>
<algorithm>
<ip-modulo/>
</algorithm>
</ecmp>
<routing-table>
<ip>
<static-route>
<entry name="ISP Static">
<path-monitor>
<enable>no</enable>
<failure-condition>any</failure-condition>
<hold-time>2</hold-time>
</path-monitor>
<nexthop>
<ip-address>199.167.52.136</ip-address>
</nexthop>
<interface>ethernet1/1</interface>
<metric>10</metric>
<destination>0.0.0.0/0</destination>
<route-table>
<unicast/>
</route-table>
</entry>
</static-route>
</ip>
</routing-table>
</entry>
</virtual-router>
<tunnel>
<ipsec>
<entry name="ipsec1">
<auto-key>
<ike-gateway>
<entry name="I_Like_IKE"/>
</ike-gateway>
<ipsec-crypto-profile>Crypto1</ipsec-crypto-profile>
</auto-key>
<tunnel-monitor>
<enable>no</enable>
</tunnel-monitor>
<tunnel-interface>tunnel.1</tunnel-interface>
<anti-replay>yes</anti-replay>
</entry>
</ipsec>
</tunnel>
</network>
<deviceconfig>
<system>
<ip-address>192.168.2.1</ip-address>
<netmask>255.255.255.0</netmask>
<update-server>updates.paloaltonetworks.com</update-server>
<update-schedule>
<threats>
<recurring>
<weekly>
<day-of-week>weday</day-of-week>
<at>01:00</at>
<action>download-only</action>
</weekly>
</recurring>
</threats>
</update-schedule>
<timezone>mars</timezone>
<service>
<disable-telnet>yes</disable-telnet>
<disable-http>yes</disable-http>
</service>
<hostname>PA</hostname>
<default-gateway>192.168.1.1</default-gateway>
<dns-setting>
<servers>
<primary>8.8.8.8</primary>
<secondary>8.8.4.4</secondary>
</servers>
</dns-setting>
<route>
<service>
<entry name="dns">
<source>
<address>194.167.54.8/29</address>
<interface>ethernet1/1</interface>
</source>
</entry>
<entry name="ntp">
<source>
<address>194.167.54.8/29</address>
<interface>ethernet1/1</interface>
</source>
</entry>
<entry name="paloalto-networks-services">
<source>
<address>194.167.54.8/29</address>
<interface>ethernet1/1</interface>
</source>
</entry>
<entry name="url-updates">
<source>
<address>194.167.54.8/29</address>
<interface>ethernet1/1</interface>
</source>
</entry>
</service>
</route>
<ntp-servers>
<primary-ntp-server>
<ntp-server-address>timeaftertime.timeaftertime</ntp-server-address>
<authentication-type>
<none/>
</authentication-type>
</primary-ntp-server>
</ntp-servers>
</system>
<setting>
<config>
<rematch>yes</rematch>
</config>
<management>
<hostname-type-in-syslog>FQDN</hostname-type-in-syslog>
</management>
</setting>
</deviceconfig>
<vsys>
<entry name="vsys1">
<application/>
<application-group/>
<zone>
<entry name="THe_!Internet">
<network>
<layer3>
<member>ethernet1/1</member>
</layer3>
</network>
</entry>
<entry name="Test Client">
<network>
<layer3>
<member>ethernet1/2</member>
</layer3>
</network>
</entry>
<entry name="TUN1">
<network>
<layer3>
<member>tunnel.1</member>
</layer3>
</network>
</entry>
</zone>
<service/>
<service-group/>
<schedule/>
<rulebase>
<security>
<rules>
<entry name="Allow-Any">
<to>
<member>Test Client</member>
<member>THe_!Internet</member>
<member>TUN1</member>
</to>
<from>
<member>any</member>
</from>
<source>
<member>any</member>
</source>
<destination>
<member>any</member>
</destination>
<source-user>
<member>any</member>
</source-user>
<category>
<member>any</member>
</category>
<application>
<member>any</member>
</application>
<service>
<member>application-default</member>
</service>
<hip-profiles>
<member>any</member>
</hip-profiles>
<action>allow</action>
</entry>
</rules>
</security>
</rulebase>
<import>
<network>
<interface>
<member>ethernet1/1</member>
<member>ethernet1/2</member>
<member>tunnel.1</member>
</interface>
</network>
</import>
</entry>
</vsys>
</entry>
</devices>
</config>
09-30-2018 03:23 AM
Maybe I overlooked something in this config but right now it seems to me that the config on PA side is incomplete: Phase 2 networks and phase 1 crypto settings.
09-30-2018 11:17 AM - edited 09-30-2018 11:18 AM
I hate to quote myself, but I was on to something when I posted this (except the static thing):
"I think 2 possible errors, 1. tunnel ciphers are mismatched, 2. static routing could be wrong."
Well, the solution was in fact a mismatch of DH group 1 and DH group 2. Also went from MD5 to SHA1.
After fixing this the tunnel was successful, but only one side could ping, the other could not.
So found out that the policy was also missing a zone for the VPN tunnel traffic.
So adding ----> Source: zLAN+zVPN & Destination: zLAN+zVPN.
Solved the issue, now both sides can ping and traffic flows.
Thank you for your feedback and sorry I did not post the solution earlier, but I was pressed for time and there was a delivery deadline....Johnny_Five is alive!
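The two faults the thread ends on (a DH group mismatch between the IKE proposals, then a security policy that did not cover the tunnel zone) are both visible in a PAN-OS config export before you ever bring the tunnel up. The script below is an added example, not code from the thread or from Palo Alto Networks: it parses a constructed excerpt modelled on the posted XML, resolves which IKE and IPsec crypto profiles the tunnel actually uses, compares them field by field against the Linksys proposal transcribed from the earlier post, and then checks that an allow rule exists in both directions between the LAN zone and the tunnel zone. Assumptions: that a gateway with no `<ike-crypto-profile>` falls back to the profile named `default` (as the posted gateway does), that Linksys "Phase1 authentication" corresponds to the PAN-OS IKE `hash` and Linksys lifetimes are in seconds, and the set of algorithms treated as weak (DH groups 1 and 2, DES, 3DES, MD5) is the editor's choice. It also converts the PAN-OS `<lifetime>` unit tag to seconds, which is how the `28800` hours in `Crypto1` (the Linksys value is 28800 seconds) shows up as a finding.

```python
"""Check a PAN-OS IKE/IPsec config export against a peer's proposal and the zone policy.
Added example; the XML is a constructed excerpt modelled on the config posted in the thread."""
import xml.etree.ElementTree as ET

PANOS_XML = """<config><devices><entry name="localhost.localdomain"><network>
<ike><crypto-profiles>
 <ike-crypto-profiles><entry name="default">
  <encryption><member>aes-128-cbc</member><member>3des</member></encryption>
  <hash><member>sha1</member></hash><dh-group><member>group2</member></dh-group>
  <lifetime><hours>8</hours></lifetime></entry></ike-crypto-profiles>
 <ipsec-crypto-profiles><entry name="Crypto1"><esp>
  <authentication><member>sha1</member></authentication>
  <encryption><member>aes-256-cbc</member><member>aes-256-gcm</member></encryption>
  </esp><lifetime><hours>28800</hours></lifetime><dh-group>group1</dh-group>
  </entry></ipsec-crypto-profiles></crypto-profiles>
 <gateway><entry name="I_Like_IKE"><protocol><version>ikev1</version></protocol>
 </entry></gateway></ike>
<tunnel><ipsec><entry name="ipsec1"><auto-key>
 <ike-gateway><entry name="I_Like_IKE"/></ike-gateway>
 <ipsec-crypto-profile>Crypto1</ipsec-crypto-profile></auto-key>
 <tunnel-interface>tunnel.1</tunnel-interface></entry></ipsec></tunnel>
</network><vsys><entry name="vsys1"><rulebase><security><rules>
 <entry name="Allow-Any"><from><member>any</member></from>
  <to><member>Test Client</member><member>THe_!Internet</member><member>TUN1</member></to>
  <action>allow</action></entry></rules></security></rulebase></entry></vsys>
</entry></devices></config>"""

# Transcribed from the Linksys post; lifetimes there are in seconds, one value per field.
LINKSYS = {
    "phase1": {"encryption": "AES-256", "hash": "SHA1", "dh-group": "Group1", "lifetime": 28800},
    "phase2": {"encryption": "AES-256", "authentication": "SHA1", "dh-group": "Group1", "lifetime": 28800},
}
# Editor's assumption about what counts as weak: 1024-bit-or-smaller MODP groups, DES/3DES, MD5.
WEAK = {"group1", "group2", "des", "3des", "md5"}
SECONDS = {"seconds": 1, "minutes": 60, "hours": 3600, "days": 86400}


def norm(name):
    """Canonical algorithm name: 'AES-256' and 'aes-256-cbc' both become 'aes-256'."""
    n = name.strip().lower()
    return n[:-4] if n.endswith("-cbc") else n


def lifetime_seconds(node):
    """PAN-OS stores <lifetime><hours>8</hours></lifetime>; return the value in seconds."""
    unit = node[0]
    return int(unit.text) * SECONDS[unit.tag]


def members(node):
    return [norm(m.text) for m in node.findall("member")]


def panos_proposals(xml_text):
    """Follow tunnel -> gateway -> crypto profiles and return normalised phase 1/2 proposals."""
    net = ET.fromstring(xml_text).find("devices/entry/network")
    tun = net.find("tunnel/ipsec/entry")
    gw_name = tun.find("auto-key/ike-gateway/entry").get("name")
    gw = net.find(f"ike/gateway/entry[@name='{gw_name}']")
    # Assumption: a gateway without <ike-crypto-profile> uses the profile named 'default'.
    ike_name = gw.findtext("ike-crypto-profile") or "default"
    ike = net.find(f"ike/crypto-profiles/ike-crypto-profiles/entry[@name='{ike_name}']")
    ipsec_name = tun.findtext("auto-key/ipsec-crypto-profile")
    ipsec = net.find(f"ike/crypto-profiles/ipsec-crypto-profiles/entry[@name='{ipsec_name}']")
    return {
        "phase1": {"encryption": members(ike.find("encryption")),
                   "hash": members(ike.find("hash")),
                   "dh-group": members(ike.find("dh-group")),
                   "lifetime": lifetime_seconds(ike.find("lifetime"))},
        "phase2": {"encryption": members(ipsec.find("esp/encryption")),
                   "authentication": members(ipsec.find("esp/authentication")),
                   "dh-group": [norm(ipsec.findtext("dh-group"))],
                   "lifetime": lifetime_seconds(ipsec.find("lifetime"))},
    }


def compare(local, remote):
    """Return findings: the peer's single value must appear in the local list; weak algorithms
    on either side are reported separately. Lifetimes are compared in seconds."""
    findings = []
    for phase in ("phase1", "phase2"):
        for field, want in remote[phase].items():
            have = local[phase][field]
            if field == "lifetime":
                if have != want:
                    findings.append(f"{phase} lifetime differs: local {have}s, peer {want}s")
                continue
            if norm(want) not in have:
                findings.append(f"{phase} {field} mismatch: local {have}, peer {norm(want)}")
            for alg in sorted((set(have) | {norm(want)}) & WEAK):
                findings.append(f"{phase} {field}: {alg} is weak; remove it from both ends")
    return findings


def zone_allowed(xml_text, src, dst):
    """True if some allow rule covers src -> dst ('any' matches on either side)."""
    root = ET.fromstring(xml_text)
    for rule in root.iterfind("devices/entry/vsys/entry/rulebase/security/rules/entry"):
        if rule.findtext("action") != "allow":
            continue
        frm = [m.text for m in rule.find("from")]
        to = [m.text for m in rule.find("to")]
        if (src in frm or "any" in frm) and (dst in to or "any" in to):
            return True
    return False


if __name__ == "__main__":
    for line in compare(panos_proposals(PANOS_XML), LINKSYS):
        print(line)
    for a, b in (("Test Client", "TUN1"), ("TUN1", "Test Client")):
        print(f"{a} -> {b}: {'allowed' if zone_allowed(PANOS_XML, a, b) else 'BLOCKED'}")
```

Run against the excerpt, the phase 1 report shows exactly the two things the thread had to fix by hand: `default` offers AES-128/3DES where the peer wants AES-256, and group2 where the peer wants group1. Phase 2 matches on every algorithm but the lifetime is off by a factor of 3600 because the profile was written in hours. The zone check passes for the posted `Allow-Any` rule in both directions; dropping `TUN1` from its `to` list is enough to make the LAN-to-tunnel direction fail, which is the one-way-ping symptom described above.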