Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
08-29-2018 10:48 PM - edited 08-29-2018 11:21 PM
Unable to make VPN work. Both "IKE Info" and "Tunnel Info" are red light in IPSec Tunnel.
The peer is a Juniper vSRX.
Normal configuration with trust, untrust and VPN zone in both firewall. Each zone has its own subnet.
Both firewall can ping each other untrust interface.
Workstations behind the firewalls can ping firewall's untrust interface too (default route + source NAT)
Security policy for VPN zone to VPN zone set to allow any.
debug ike gateway and tunnel were on
ikemgr.log show "SA dying from state INI_IKE_SA_INIT_SENT, caller ikev2_abort" after 10 times retry.
test and show vpn ike-sa gateway show
State: "INIT send <= Idle <== Idle <== Idle"
reason: ikev2_initiator_start
I think this is what SA keep trying.
I have no idea how to solve this.
08-30-2018 04:56 AM
looks like they're not playing ball
verify all ike settings from a fresh perspective to make sure all parameters are correct (peer ip is accurtate, negotiation settings are good etc )
From the PA you can manually initiate by using > test vpn ike-sa gateway <gateway> (and > test vpn ipsec-sa gateway <gw> for phase2 )
if there's a similar command on the juniper you should try that too, being able to compare 'inbound' system logs may grant more visibility in your issue than staring at debug logs (inbound system logs wil tell you what the remote end is doing wrong, if no system logs show up, the remote end is not talking or is being blocked)
08-30-2018 06:49 AM
Hello,
I found a few articles that talk about VPN's between Juniper and PAN. They might be worth checking out?
Hope that helps.
08-30-2018 06:32 PM
Hello. I think I overlook the type of VPN - "Route-based" and "Policy-based".
I don't even know I'm using which type. Policy-based require setup "Proxy ID" and I don't have any of it.
Found some info in https://blog.webernetz.net/route-vs-policy-based-vpn-tunnels/
Mention that PaloAlto don't support Policy-based VPN. Is that true?
08-30-2018 11:24 PM
hi @jeremylo
We are route based, which means that how the tunnel is set up and how traffic is put into it are 2 separate processes
a policy based system combines those 2 functions
This in itself is not a big issue, as ProxyIDs fix that 'incompatibility'
A route based VPN solution simply requires you to set up a VPN profile (peer, crypto, ..) and then add routes on the VirtualRouter that point to the tunnel interface for all the subnets at the other end of the tunnel
A policy-based system combines the subnets that need to speak to each other in the VPN decision process, which can be simulated by creating matching subnet pairs in ProxyID which would tell the remote (policy-based) system the routing pairs
So the statement that we don't support policy based VPN is false (at the bottom of the article you can see they included a chart where we are marked as supporting policy based 😉 ). We aren't policy based but we do provide the proxyID functionality to make us compatible
for the Juniper SRX use the 'bind-interface' option when configuring the ipsec vpn to make it route based
09-06-2018 12:53 AM
Reason found. The vSRX was faulty. Setup and use the new version vSRX has no problem
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
