S2S VPN Between PA and Cisco ASA

Sadik_Khirbash · ‎07-10-2017

Hello!

I've spent the last 2 days trying to get an IPSec tunnel working between a PAN 200 and Cisco ASA5505 but all my attempts have failed. I am not sure what the issue is and would reall appreciate any assistance to point me in the right direction.

This is a very simply setup. I've configured both sides properly but for some reason the tunnel won't come up. Here are the config of both the PA and ASA:

PA 200:

IKE Crypto: IKEPhase1_To_ASA

DH Group: group 2

Authentication: sha1

Encryption: 3des

Key lifetime: 1 day

IPsec Crypto: IKEPhase2_To_ASA

DH Group: group 2

Authentication: sha1

Encryption: 3des

Key lifetime: 1 day

Lifesize: 4608MB

IKE Gateway: STS_VPN_To_ASA

Version: IKEv1 only mode

Interface: e1/1

Peer IP Address: 172.16.200.1

PSK: cisco

Local Id: 172.16.200.2

Peer Id: 172.16.200.1

IKEv1 Exchange Mode: main

IKE Crypto Profile: IKEPhase1_To_ASA

IPSec Tunnel

Tunnel Interface: tunnel.2

Type: Auto Key

IKE Gateway: STS_VPN_To_ASA

IPSec Crypto Profile: IKEPhase2_To_ASA

Proxy IDs: ASA_LAN_TO_LAN

Local: 10.48.11.150/24

Remote: 192.168.1.200/24

VR1:

Static Route

Destination 192.168.1.0/24

Interface: tunnel.2

System Monitor Logs:

IKE phase-1 SA is expired SA: 172.16.200.2[500]-172.16.200.1[5] cookieL 19e72...

=============================================================================

ASA 5505:

asa-01# sh run

: Saved

:

ASA Version 8.0(4)

!

hostname asa-01

!

interface Vlan1

no nameif

no security-level

no ip address

!

interface Vlan100

nameif outside

security-level 0

ip address 172.16.200.1 255.255.255.0

!

interface Vlan200

nameif inside

security-level 100

ip address 192.168.1.200 255.255.255.0

!

interface Ethernet0/0

!

interface Ethernet0/1

switchport access vlan 100

!

interface Ethernet

!

ftp mode passive

access-list ALLOWED_TRFC_TO_PAN extended permit ip 192.168.1.0 255.255.255.0 10.48.11.0 255.255.255.0

access-list ALLOWED_TRFC_TO_PAN extended permit icmp 192.168.1.0 255.255.255.0 10.48.11.0 255.255.255.0

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.48.11.0 255.255.255.0

pager lines 24

mtu outside 1500

mtu inside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 172.16.200.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set MYSET esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 86400

crypto ipsec security-association lifetime kilobytes 4608000

crypto map ASA_TO_PAN_MAP 10 match address ALLOWED_TRFC_TO_PAN

crypto map ASA_TO_PAN_MAP 10 set peer 172.16.200.2

crypto map ASA_TO_PAN_MAP 10 set transform-set MYSET

crypto map ASA_TO_PAN_MAP 10 set security-association lifetime seconds 86400

crypto map ASA_TO_PAN_MAP 10 set security-association lifetime kilobytes 4608000

crypto map ASA_TO_PAN_MAP interface outside

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

tunnel-group 172.16.200.2 type ipsec-l2l

tunnel-group 172.16.200.2 ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

: end

asa-01#

-----

Best, ~sK

TranceforLife · ‎07-10-2017

Hi,

l am not sure if your Proxy IDs look right (host with /24 subnet mask and the whole subnet from ASA side).

@BPry will be able to help, l am sure 🙂

BPry · ‎07-10-2017

@Sadik_Khirbash,

Honestly there is a bit here that I wouldn't say is 'right' in the way that I setup site-to-site tunnels, that being said I'm not going to say that the way I configure them is the 'correct' way either. @TranceforLife is correct though your proxy IDs I would say are wrong, I generally would use the actual network ranges, so for example 10.191.0.0/16 or 192.168.100.0/24 and so on.

Without knowing what your configuration actually states the following bugs me a bit on the IKE Gateway configuration; but that's probably just because I can't see the entire device config and it's likely fine.

Local Id: 172.16.200.2

Peer Id: 172.16.200.1

What does your ike logs say on both devices, that should give you a fair insight into what is actually going on? The easiest way to really troubleshoot any of this is the logs on both devices as it will generally get you pointed in the proper direction.

acc6d0b3610eec313831f7900fdbd235 · ‎07-10-2017

Hi @Sadik_Khirbash

A few things I noticed on my end here when looking at your configuration. Although you are not showing the Phase 2 configuration on the PAN side, it is easy to spot how it should look like by looking at your ASA config.

As @BPry mentioned,

Unless there is a specific reason you should not have to specify the Local and Peer ID if the VPN is between gateways with static IP addresses. In other words, unless your two firewalls are using dynamic IP address for the public IP, you should not define a Local and Peer IP whatosever, otherwise, it will mess up the phase 1 negotiation. If that's the case for you, and you really need to use this configuration, make sure that it is also properly defined on the remote side of the connection, in this case the ASA.

Local Id: 172.16.200.2

Peer Id: 172.16.200.1

https://live.paloaltonetworks.com/t5/Configuration-Articles/IPSec-VPN-Tunnel-with-Peer-Having-Dynami...

Second, confirm your phase 2 ProxyID configuration on the PAN side. It should be mirrored exactly the way your ASA is showing, but in opposite directions.

PAN200 - IPSEC Phase 2:

ProxyID1
Local: 10.48.11.0/24
Remote: 192.168.1.0

https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-VPN/ta-p/68931

Also, run the following commands to troubleshoot and if you can post the output that would help us to assist you:

Step 1: Open two Putty sessions to your PA-200. On Screen One, run the follwoing command:

tail follow yes ike tail follow yes mp-log ikemgr.log

Step 2: On Screen two run the following command:

Test Phase 1

test vpn ike-sa

Step 3: Go back to Screen One and read the outputs. if you can copy and post in this thread that would be help us to analyze the messages.

Let us know how it goes.

Sadik_Khirbash · ‎07-11-2017

Thanks all for the input.

@acc6d0b3610eec313831f7900fdbd235, I tried to use this command but it was inavliad.

tail follow yes ike tail follow yes mp-log ikemgr.log

The PAN's side Phase 2 config is as follows:

IPsec Crypto: IKEPhase2_To_ASA

DH Group: group 2

Authentication: sha1

Encryption: 3des

Key lifetime: 1 day

Lifesize: 4608MB

======================================================================================

I have tried to config the Proxy IDs as listed above and also tried/played with using differnt prefixs but that didn't make any effect.

The phase 1 and phase 2 parameters of the ASA and PA are identical as I listed above.

Let me know what other info you'd like me to post that will be helpful.

Best,, ~sK

acc6d0b3610eec313831f7900fdbd235 · ‎07-11-2017

Hi @Sadik_Khirbash

My apologies for my fat finger. The command is:

tail follow yes mp-log ikemgr.log

The phase 2 ProxyID is a crucial piece of this configuration, and it would be important for us that you ensure it configured properly. The concern is not the Phase 2 paramenters, but the Proxy ID configuration at this point.

That's how your Proxy ID should be configured on the PA-200 side.

Run the above command and post the output for us, then maybe we can shine some light on it for you 🙂

Sadik_Khirbash · ‎07-11-2017

@acc6d0b3610eec313831f7900fdbd235.. Thanks for the prompt response. I did change the Proxy IDs to what you specified. Here's the output after executing the command:

rbash@PA-200> tail follow yes mp-log ikemgr.log
2017-07-11 16:13:36 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:13:46 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:13:56 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:14:06 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:14:16 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:14:26 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:14:36 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:14:46 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:14:56 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:15:06 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:15:16 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:15:26 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).

2017-07-11 16:15:36 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:15:46 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:15:56 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:16:06 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).

2017-07-11 16:16:16 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:16:26 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:16:36 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:16:46 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:16:56 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:17:06 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:17:16 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:17:26 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:17:36 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:17:46 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:17:56 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:18:06 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:18:16 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:18:26 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:18:36 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:18:46 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:18:56 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:19:04.175 -0700 ikemgr: panike_daemon phase 1 started, config size 17633
2017-07-11 16:19:04.178 -0700 ikemgr: panike_daemon phase 1 step 2 finished
2017-07-11 16:19:04.329 -0700 ikemgr: panike_daemon phase 1 step 4 finished
2017-07-11 16:19:04.329 -0700 pan IKE cfg phase-1 triggered.
2017-07-11 16:19:04 [INFO]: loading new config from /tmp/.rtoFSH
2017-07-11 16:19:05.130 -0700 ikemgr: panike_daemon phase 1 step 5 finished
2017-07-11 16:19:05.130 -0700 ikemgr: panike_daemon phase 1 config change detected
2017-07-11 16:19:05.130 -0700 ikemgr: panike_daemon phase 1 finished with status 1
2017-07-11 16:19:06 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:19:16 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:19:25.090 -0700 ikemgr: panike_daemon phase 2 started
2017-07-11 16:19:25.090 -0700 pan IKE cfg phase-2 triggered.
2017-07-11 16:19:25 [INFO]: VPN tunnel IPSec_Tunnel:ASA_LAN_TO_LAN(S2S_VPN_To_ASA) changed, deleting SA
2017-07-11 16:19:25 [INFO]: VPN tunnel IPSec_Tunnel:ASA_LAN_TO_LAN(S2S_VPN_To_ASA) changed, deleting SA
2017-07-11 16:19:25.091 -0700 ikemgr: panike_daemon phase 2 finished
2017-07-11 16:19:26 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:19:36 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:19:46 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:19:56 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:20:06 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:20:16 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:20:26 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:20:36 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:20:46 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:20:56 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:21:06 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:21:16 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:21:26 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:21:36 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:21:46 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:21:56 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:22:06 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:22:16 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:22:26 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:22:36 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:22:46 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:22:56 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:23:06 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:23:16 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:23:26 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:23:36 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:23:46 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:23:56 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:24:06 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).

TranceforLife · ‎07-11-2017

Hi,

Disable DPD for now. Enable debug mode so we can get more info:

> debug ike global on debug

xxxxxxxxxx> debug ike global show

sw.ikedaemon.debug.global: debug

then

> test vpn ike-sa gateway (your gateway)

then

> tail follow yes mp-log ikemgr.log

Configure debug back to "normal" mode:

> debug ike global on normal

PAN-Expert · ‎07-12-2017

What version is PA-200 running?

Unlock your full community experience!

S2S VPN Between PA and Cisco ASA

S2S VPN Between PA and Cisco ASA

Show your appreciation!