S2S VPN between PA-3020 and Cisco ASA 5525

cancel
Showing results for 
Search instead for 
Did you mean: 

S2S VPN between PA-3020 and Cisco ASA 5525

L1 Bithead

Hi All,

 

1st Post so hopefully i'm doing this correctly.

 

I am trying to setup a VPN tunnel to a 3rd Party. We have a PA-3020 and they have a Cisco ASA. They do have another Cisco in-between both our devices which is performing NAT. Hence we have enabled NAT-T.

 

The main issue I am having is that the tunnel is not coming up. The error message I get in the logs and debugs is:

 

Expecting IP address type in main mode, but KEY_ID.

###.###.###.###[4500] - ###.##.###.###[4500]:(nil) invalid ID payload.

 

We have the tunnel setup as follows:

main mode and using ip addresses.

ikev1

(lifetime = 28800:28800)
(lifebyte = 0:0)
 enctype = AES:AES
(encklen = 256:256)
hashtype = SHA1:SHA1
authmethod = PSK:PSK
dh_group = DH5:DH5

NAT-T enabled

 

I am also performing source and destination nats as the ip ranges conflicts on both sides. We have set the Proxy IDs on both ends as the nat ranges.

 

On the PA-3020 the local and peer ID have been set as the public ips of the peers. I have also tried their private ip (as they are natting) just as a test, and I am getting the same error. Also tried removing the IDs and same thing.

 

I have read an article about How to determine the correct value to put in the PAN IKE peer KEYID field? But cannot seem to find the KEYID field (in hex or ascii) in the packet capture.

Link: How to determine the correct value to put in the PAN IKE peer K... - Knowledge Base - Palo Alto Netw...

 

Any help on why I am getting the error would help as I am not sure what else to try.

 

Thanks in advance

1 ACCEPTED SOLUTION

Accepted Solutions

Hi,

 

Setting the KEYID in HEX  for the peer id seems to bring the tunnel up. 

Testing traffic as I am doing both source and destination nat, and I am hitting the nat and security policy but need 3rd Party to confirm if they see any traffic. On the PA side I am seeing timeouts at the moment.

 

I did have to set my nat policy as from zone trust to destination zone trust for the nat work work.

I did have the destination nat set to the 3rd party zone but this did not nat correctly.

View solution in original post

3 REPLIES 3

L4 Transporter

Hi @Hemal_Vaghela ,

 

Could you have them run this command on their ASA, "show run all | i crypto isakmp identity"?  You want to make sure you match that configuration on your firewall.  Sometimes I have found that "auto" doesn't work so well, but they probably can't change it since the config is global and applies to all their VPNs.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Hi Tom,

 

I have got the 3rd party to run the command and they confirmed it is set as an ip address.

output was:

crypto isakmp identity key-id 213.61.xxx.xxx.

 

I also managed to confirmed that that ip was was HEX format in the packet capture. I tried setting the peer id as KEYID and setting the value of the peer ip in HEX format. The PA did not like this in IKEv1 mode. I have asked to change this to IKEv2 with the below P1/P2 settings. 

lifetime = 28800
lifebyte = 0
enctype = AES
encklen = 256
hashtype = SHA512
authmethod = PSK
dh_group = DH20

NAT-T enabled

 

Just waiting to confirm if this is working.

 

Thanks,

 

Hemal.

 

 

Hi,

 

Setting the KEYID in HEX  for the peer id seems to bring the tunnel up. 

Testing traffic as I am doing both source and destination nat, and I am hitting the nat and security policy but need 3rd Party to confirm if they see any traffic. On the PA side I am seeing timeouts at the moment.

 

I did have to set my nat policy as from zone trust to destination zone trust for the nat work work.

I did have the destination nat set to the 3rd party zone but this did not nat correctly.

View solution in original post

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!