09-16-2021 02:31 AM
Hi All,
1st Post so hopefully i'm doing this correctly.
I am trying to setup a VPN tunnel to a 3rd Party. We have a PA-3020 and they have a Cisco ASA. They do have another Cisco in-between both our devices which is performing NAT. Hence we have enabled NAT-T.
The main issue I am having is that the tunnel is not coming up. The error message I get in the logs and debugs is:
Expecting IP address type in main mode, but KEY_ID.
###.###.###.###[4500] - ###.##.###.###[4500]:(nil) invalid ID payload.
We have the tunnel setup as follows:
main mode and using ip addresses.
ikev1
(lifetime = 28800:28800)
(lifebyte = 0:0)
enctype = AES:AES
(encklen = 256:256)
hashtype = SHA1:SHA1
authmethod = PSK:PSK
dh_group = DH5:DH5
NAT-T enabled
I am also performing source and destination nats as the ip ranges conflicts on both sides. We have set the Proxy IDs on both ends as the nat ranges.
On the PA-3020 the local and peer ID have been set as the public ips of the peers. I have also tried their private ip (as they are natting) just as a test, and I am getting the same error. Also tried removing the IDs and same thing.
I have read an article about How to determine the correct value to put in the PAN IKE peer KEYID field? But cannot seem to find the KEYID field (in hex or ascii) in the packet capture.
Any help on why I am getting the error would help as I am not sure what else to try.
Thanks in advance
09-17-2021 02:13 AM
Hi,
Setting the KEYID in HEX for the peer id seems to bring the tunnel up.
Testing traffic as I am doing both source and destination nat, and I am hitting the nat and security policy but need 3rd Party to confirm if they see any traffic. On the PA side I am seeing timeouts at the moment.
I did have to set my nat policy as from zone trust to destination zone trust for the nat work work.
I did have the destination nat set to the 3rd party zone but this did not nat correctly.
09-16-2021 07:28 AM - edited 09-16-2021 09:50 AM
Hi @Hemal_Vaghela ,
Could you have them run this command on their ASA, "show run all | i crypto isakmp identity"? You want to make sure you match that configuration on your firewall. Sometimes I have found that "auto" doesn't work so well, but they probably can't change it since the config is global and applies to all their VPNs.
Thanks,
Tom
09-17-2021 12:26 AM
Hi Tom,
I have got the 3rd party to run the command and they confirmed it is set as an ip address.
output was:
crypto isakmp identity key-id 213.61.xxx.xxx.
I also managed to confirmed that that ip was was HEX format in the packet capture. I tried setting the peer id as KEYID and setting the value of the peer ip in HEX format. The PA did not like this in IKEv1 mode. I have asked to change this to IKEv2 with the below P1/P2 settings.
lifetime = 28800
lifebyte = 0
enctype = AES
encklen = 256
hashtype = SHA512
authmethod = PSK
dh_group = DH20
NAT-T enabled
Just waiting to confirm if this is working.
Thanks,
Hemal.
09-17-2021 02:13 AM
Hi,
Setting the KEYID in HEX for the peer id seems to bring the tunnel up.
Testing traffic as I am doing both source and destination nat, and I am hitting the nat and security policy but need 3rd Party to confirm if they see any traffic. On the PA side I am seeing timeouts at the moment.
I did have to set my nat policy as from zone trust to destination zone trust for the nat work work.
I did have the destination nat set to the 3rd party zone but this did not nat correctly.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
