Probably a strange question...but Linksys RV082 and PA VPN tunnel anyone?

L1 Bithead

Hi,

 

Been trying to get a VPN tunnel working between a Linksys RV082 and a Palo Alto. (don't ask...)

 

 

But no luck in the testing. I based my PA config on the Linksys RV082 settings, which I got from the person on the other end, but so far no success. Has anybody tried this before? I would appreciate any experience or pointers.

 

I provided a link to the Linksys emulated routers (http://ui.linksys.com/LRT214/v1.0.2.06/gateway_to_gateway.htm).

This link is not the same router, but still the settings are the same.

 

Thank you

 

Regards, Johnny_5

6 REPLIES

L5 Sessionator

Hi,

 

If the config shown in the link is the same as in your prod, make these changes:

no DES or 3DES, no SHA1.

 

What have you got in your Palo Monitor / System tab?

 

V.

As Palo Alto also supports these weak algorithms, I don't think this is the problem. But as @VinceM already wrote: do NOT use these algorithms! They have been weak and easy to crack for many years.

 

Anyway, for more helpful troubleshooting results you should ask the other person to do a connection test, because in that case you will have more information in the system logs on your PA about the actual reason that prevents a successful connection.

L1 Bithead

I will post the complete config for both tomorrow; that way it will be easier to see, I think.

 

 

The IPs have been changed to protect the innocent.

 

LinksysR1
<---------->
LAN 10.3.2.1/24 (device-router)
WAN Static 199.167.52.137 /255.255.255.248
Default GW 199.167.52.136
dns1 199.167.52.10
dns2 199.167.52.11

ipsec
Local group:
local security GW type: ip only
ip address:199.167.52.137
local security group type:subnet
ip address: 10.3.2.0/24

remote group:
remote security Gw type: ip only
ip address:194.167.54.8
remote security group type:subnet
ip address: 10.4.8.0/24


name: tunnel fun
Phase2:AES/SHA1
local group:10.3.2.0/24
remote group:10.4.8.0/24
remote GW: 194.167.54.8

Keying mode: ike w/preshared key
Phase1 DH Group: Group1
Phase1 encryption: AES-256
phase1 authentication: SHA1
phase1 SA life time: 28800
perfect forward secrecy
Phase2 DH Group: Group1
Phase2 encryption: AES-256
phase2 authentication: SHA1
phase2 SA life time: 28800
pre-shared key: barreloffun

advanced:
keep-alive
Netbios broadcast
dead peer detection (DPD) interval 10 sec

I think there are 2 possible errors:

1. tunnel ciphers are mismatched

2. static routing could be wrong.

 

Palo Alto config:

 


<ethernet>
<entry name="ethernet1/1">
<layer3>
<ipv6>
<neighbor-discovery>
<router-advertisement>
<enable>no</enable>
</router-advertisement>
</neighbor-discovery>
</ipv6>
<ndp-proxy>
<enabled>no</enabled>
</ndp-proxy>
<lldp>
<enable>no</enable>
</lldp>
<ip>
<entry name="194.167.54.8"/>
</ip>
<interface-management-profile>Allow Ping</interface-management-profile>
</layer3>
<comment>ISP&#xE5;nd</comment>
</entry>
<entry name="ethernet1/2">
<layer3>
<ipv6>
<neighbor-discovery>
<router-advertisement>
<enable>no</enable>
</router-advertisement>
</neighbor-discovery>
</ipv6>
<ndp-proxy>
<enabled>no</enabled>
</ndp-proxy>
<lldp>
<enable>no</enable>
</lldp>
<ip>
<entry name="10.4.8.1/24"/>
</ip>
</layer3>
<comment>test_client</comment>
</entry>
</ethernet>
<loopback>
<units/>
</loopback>
<vlan>
<units/>
</vlan>
<tunnel>
<units>
<entry name="tunnel.1"/>
</units>
</tunnel>
</interface>
<vlan/>
<virtual-wire/>
<profiles>
<monitor-profile>
<entry name="default">
<interval>3</interval>
<threshold>5</threshold>
<action>wait-recover</action>
</entry>
</monitor-profile>
<interface-management-profile>
<entry name="Allow Ping">
<ping>yes</ping>
</entry>
</interface-management-profile>
</profiles>
<ike>
<crypto-profiles>
<ike-crypto-profiles>
<entry name="default">
<encryption>
<member>aes-128-cbc</member>
<member>3des</member>
</encryption>
<hash>
<member>sha1</member>
</hash>
<dh-group>
<member>group2</member>
</dh-group>
<lifetime>
<hours>8</hours>
</lifetime>
</entry>
<entry name="Suite-B-GCM-128">
<encryption>
<member>aes-128-cbc</member>
</encryption>
<hash>
<member>sha256</member>
</hash>
<dh-group>
<member>group19</member>
</dh-group>
<lifetime>
<hours>8</hours>
</lifetime>
</entry>
<entry name="Suite-B-GCM-256">
<encryption>
<member>aes-256-cbc</member>
</encryption>
<hash>
<member>sha384</member>
</hash>
<dh-group>
<member>group20</member>
</dh-group>
<lifetime>
<hours>8</hours>
</lifetime>
</entry>
</ike-crypto-profiles>
<ipsec-crypto-profiles>
<entry name="default">
<esp>
<encryption>
<member>aes-128-cbc</member>
<member>3des</member>
</encryption>
<authentication>
<member>sha1</member>
</authentication>
</esp>
<dh-group>group2</dh-group>
<lifetime>
<hours>1</hours>
</lifetime>
</entry>
<entry name="Suite-B-GCM-128">
<esp>
<encryption>
<member>aes-128-gcm</member>
</encryption>
<authentication>
<member>none</member>
</authentication>
</esp>
<dh-group>group19</dh-group>
<lifetime>
<hours>1</hours>
</lifetime>
</entry>
<entry name="Suite-B-GCM-256">
<esp>
<encryption>
<member>aes-256-gcm</member>
</encryption>
<authentication>
<member>none</member>
</authentication>
</esp>
<dh-group>group20</dh-group>
<lifetime>
<hours>1</hours>
</lifetime>
</entry>
<entry name="Crypto2">
<esp>
<authentication>
<member>sha1</member>
</authentication>
<encryption>
<member>aes-256-cbc</member>
<member>aes-256-gcm</member>
</encryption>
</esp>
<lifetime>
<hours>28800</hours>
</lifetime>
<dh-group>group2</dh-group>
</entry>
<entry name="Crypto1">
<esp>
<authentication>
<member>sha1</member>
</authentication>
<encryption>
<member>aes-256-cbc</member>
<member>aes-256-gcm</member>
</encryption>
</esp>
<lifetime>
<hours>28800</hours>
</lifetime>
<dh-group>group1</dh-group>
</entry>
</ipsec-crypto-profiles>
<global-protect-app-crypto-profiles>
<entry name="default">
<encryption>
<member>aes-128-cbc</member>
</encryption>
<authentication>
<member>sha1</member>
</authentication>
</entry>
</global-protect-app-crypto-profiles>
</crypto-profiles>
<gateway>
<entry name="I_Like_IKE">
<authentication>
<pre-shared-key>
<key>-AQ==Tunneoffun=</key>
</pre-shared-key>
</authentication>
<protocol>
<ikev1>
<dpd>
<enable>yes</enable>
</dpd>
</ikev1>
<ikev2>
<dpd>
<enable>yes</enable>
</dpd>
</ikev2>
<version>ikev1</version>
</protocol>
<local-address>
<ip>194.167.54.8/29</ip>
<interface>ethernet1/1</interface>
</local-address>
<protocol-common>
<nat-traversal>
<enable>no</enable>
</nat-traversal>
<fragmentation>
<enable>no</enable>
</fragmentation>
</protocol-common>
<peer-address>
<ip>199.167.52.137</ip>
</peer-address>
</entry>
</gateway>
</ike>
<qos>
<profile>
<entry name="default">
<class>
<entry name="class1">
<priority>real-time</priority>
</entry>
<entry name="class2">
<priority>high</priority>
</entry>
<entry name="class3">
<priority>high</priority>
</entry>
<entry name="class4">
<priority>medium</priority>
</entry>
<entry name="class5">
<priority>medium</priority>
</entry>
<entry name="class6">
<priority>low</priority>
</entry>
<entry name="class7">
<priority>low</priority>
</entry>
<entry name="class8">
<priority>low</priority>
</entry>
</class>
</entry>
</profile>
</qos>
<virtual-router>
<entry name="ISP Static">
<protocol>
<bgp>
<enable>no</enable>
<dampening-profile>
<entry name="default">
<cutoff>1.25</cutoff>
<reuse>0.5</reuse>
<max-hold-time>900</max-hold-time>
<decay-half-life-reachable>300</decay-half-life-reachable>
<decay-half-life-unreachable>900</decay-half-life-unreachable>
<enable>yes</enable>
</entry>
</dampening-profile>
<routing-options>
<graceful-restart>
<enable>yes</enable>
</graceful-restart>
</routing-options>
</bgp>
</protocol>
<interface>
<member>ethernet1/1</member>
<member>ethernet1/2</member>
<member>tunnel.1</member>
</interface>
<ecmp>
<algorithm>
<ip-modulo/>
</algorithm>
</ecmp>
<routing-table>
<ip>
<static-route>
<entry name="ISP Static">
<path-monitor>
<enable>no</enable>
<failure-condition>any</failure-condition>
<hold-time>2</hold-time>
</path-monitor>
<nexthop>
<ip-address>199.167.52.136</ip-address>
</nexthop>
<interface>ethernet1/1</interface>
<metric>10</metric>
<destination>0.0.0.0/0</destination>
<route-table>
<unicast/>
</route-table>
</entry>
</static-route>
</ip>
</routing-table>
</entry>
</virtual-router>
<tunnel>
<ipsec>
<entry name="ipsec1">
<auto-key>
<ike-gateway>
<entry name="I_Like_IKE"/>
</ike-gateway>
<ipsec-crypto-profile>Crypto1</ipsec-crypto-profile>
</auto-key>
<tunnel-monitor>
<enable>no</enable>
</tunnel-monitor>
<tunnel-interface>tunnel.1</tunnel-interface>
<anti-replay>yes</anti-replay>
</entry>
</ipsec>
</tunnel>
</network>
<deviceconfig>
<system>
<ip-address>192.168.2.1</ip-address>
<netmask>255.255.255.0</netmask>
<update-server>updates.paloaltonetworks.com</update-server>
<update-schedule>
<threats>
<recurring>
<weekly>
<day-of-week>weday</day-of-week>
<at>01:00</at>
<action>download-only</action>
</weekly>
</recurring>
</threats>
</update-schedule>
<timezone>mars</timezone>
<service>
<disable-telnet>yes</disable-telnet>
<disable-http>yes</disable-http>
</service>
<hostname>PA</hostname>
<default-gateway>192.168.1.1</default-gateway>
<dns-setting>
<servers>
<primary>8.8.8.8</primary>
<secondary>8.8.4.4</secondary>
</servers>
</dns-setting>
<route>
<service>
<entry name="dns">
<source>
<address>194.167.54.8/29</address>
<interface>ethernet1/1</interface>
</source>
</entry>
<entry name="ntp">
<source>
<address>194.167.54.8/29</address>
<interface>ethernet1/1</interface>
</source>
</entry>
<entry name="paloalto-networks-services">
<source>
<address>194.167.54.8/29</address>
<interface>ethernet1/1</interface>
</source>
</entry>
<entry name="url-updates">
<source>
<address>194.167.54.8/29</address>
<interface>ethernet1/1</interface>
</source>
</entry>
</service>
</route>
<ntp-servers>
<primary-ntp-server>
<ntp-server-address>timeaftertime.timeaftertime</ntp-server-address>
<authentication-type>
<none/>
</authentication-type>
</primary-ntp-server>
</ntp-servers>
</system>
<setting>
<config>
<rematch>yes</rematch>
</config>
<management>
<hostname-type-in-syslog>FQDN</hostname-type-in-syslog>
</management>
</setting>
</deviceconfig>
<vsys>
<entry name="vsys1">
<application/>
<application-group/>
<zone>
<entry name="THe_!Internet">
<network>
<layer3>
<member>ethernet1/1</member>
</layer3>
</network>
</entry>
<entry name="Test Client">
<network>
<layer3>
<member>ethernet1/2</member>
</layer3>
</network>
</entry>
<entry name="TUN1">
<network>
<layer3>
<member>tunnel.1</member>
</layer3>
</network>
</entry>
</zone>
<service/>
<service-group/>
<schedule/>
<rulebase>
<security>
<rules>
<entry name="Allow-Any">
<to>
<member>Test Client</member>
<member>THe_!Internet</member>
<member>TUN1</member>
</to>
<from>
<member>any</member>
</from>
<source>
<member>any</member>
</source>
<destination>
<member>any</member>
</destination>
<source-user>
<member>any</member>
</source-user>
<category>
<member>any</member>
</category>
<application>
<member>any</member>
</application>
<service>
<member>application-default</member>
</service>
<hip-profiles>
<member>any</member>
</hip-profiles>
<action>allow</action>
</entry>
</rules>
</security>
</rulebase>
<import>
<network>
<interface>
<member>ethernet1/1</member>
<member>ethernet1/2</member>
<member>tunnel.1</member>
</interface>
</network>
</import>
</entry>
</vsys>
</entry>
</devices>
</config>

@johnny_five

Maybe I overlooked something in this config, but right now it seems to me that the config on the PA side is incomplete: phase 2 networks and phase 1 crypto settings.

I hate to quote myself, but I was on to something when I posted this (except the static thing):

"I think there are 2 possible errors: 1. tunnel ciphers are mismatched, 2. static routing could be wrong."

 

Well, the solution was in fact a mismatch of DH group 1 and DH group 2. Also went from MD5 to SHA1.

After fixing this the tunnel was successful, but only one side could ping, the other could not.

 

So I found out that the policy was also missing a zone for the VPN tunnel traffic.

So adding ----> Source: zLAN+zVPN & Destination: zLAN+zVPN.

 

Solved the issue; now both sides can ping and traffic flows.

 

Thank you for your feedback, and sorry I did not post the solution earlier, but I was pressed for time and there was a delivery deadline... Johnny_Five is alive!
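
The "ciphers are mismatched" hypothesis above and the DH group fix that resolved it can be checked mechanically. As an added example (not from the thread or from either vendor), the script below flattens the PA crypto profiles from a constructed excerpt of the posted config and reports every phase 1 / phase 2 parameter that differs from the Linksys RV082 proposal; it assumes the gateway falls back to the `default` IKE crypto profile because the posted `I_Like_IKE` gateway names none.

```python
# Added example (not from the thread): compare the Linksys RV082 proposal with the
# PA crypto profiles from the posted config.  PA_XML is a constructed excerpt of it.
import xml.etree.ElementTree as ET
PA_XML = """<crypto-profiles>
 <ike-crypto-profiles><entry name="default">
  <encryption><member>aes-128-cbc</member><member>3des</member></encryption>
  <hash><member>sha1</member></hash><dh-group><member>group2</member></dh-group>
  <lifetime><hours>8</hours></lifetime>
 </entry></ike-crypto-profiles>
 <ipsec-crypto-profiles><entry name="Crypto1">
  <esp><authentication><member>sha1</member></authentication>
   <encryption><member>aes-256-cbc</member><member>aes-256-gcm</member></encryption></esp>
  <lifetime><hours>28800</hours></lifetime><dh-group>group1</dh-group>
 </entry></ipsec-crypto-profiles>
</crypto-profiles>"""

# Linksys side as posted (Group1, AES-256, SHA1, 28800 s), in PAN-OS naming.
LINKSYS = {"phase1": {"dh": "group1", "enc": "aes-256-cbc", "hash": "sha1", "life_s": 28800},
           "phase2": {"dh": "group1", "enc": "aes-256-cbc", "auth": "sha1", "life_s": 28800}}
UNIT = {"seconds": 1, "minutes": 60, "hours": 3600, "days": 86400}

def pa_profile(root, kind, name):
    """Flatten one PAN-OS crypto profile into sets keyed like LINKSYS[...]."""
    e = root.find(f"{kind}/entry[@name='{name}']")
    ike = kind == "ike-crypto-profiles"
    base = e if ike else e.find("esp")           # ESP params live under <esp>
    life = e.find("lifetime")[0]                 # one child: <seconds>|<minutes>|<hours>|<days>
    prof = {"enc": {m.text for m in base.findall("encryption/member")},
            "life_s": int(life.text) * UNIT[life.tag]}
    if ike:
        prof["hash"] = {m.text for m in e.findall("hash/member")}
        prof["dh"] = {m.text for m in e.findall("dh-group/member")}
    else:
        prof["auth"] = {m.text for m in base.findall("authentication/member")}
        prof["dh"] = {e.findtext("dh-group")}    # IPsec profile has a single dh-group
    return prof

def mismatches(pa_xml, linksys, ike_profile="default", ipsec_profile="Crypto1"):
    """Return 'phase.field: linksys -> pa' for each parameter that differs.
    Assumption: the posted gateway names no IKE profile, so PAN-OS uses 'default'."""
    root = ET.fromstring(pa_xml)
    pa = {"phase1": pa_profile(root, "ike-crypto-profiles", ike_profile),
          "phase2": pa_profile(root, "ipsec-crypto-profiles", ipsec_profile)}
    out = []
    for phase, want in linksys.items():
        for field, val in want.items():
            have = pa[phase][field]
            if not (val == have if field == "life_s" else val in have):
                out.append(f"{phase}.{field}: {val} -> {have if field == 'life_s' else sorted(have)}")
    return out
```

Besides the phase 1 DH group mismatch (group1 vs group2) it flags that the `default` IKE profile offers no AES-256, and that `Crypto1` stores its lifetime in hours, so the 28800 there is 28800 hours rather than the 28800 seconds the Linksys GUI shows.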
