This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Site-to-Site VPN - Palo alto to Cisco Router issue

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Site-to-Site VPN - Palo alto to Cisco Router issue

Go to solution
netsupport1
L2 Linker

‎12-16-2014 09:19 PM

Hi guys,

I'm doing a POC for S2S VPN but i cannot get it to work, I'm sure this is a simple thing i have overlooked, a ping from PC2 to PC1, the ping is encapsulated and encrypted ESP on the way over to PC1, but the return traffic is not..... i have the following topology;

11.png

Now i have set up a site to site VPN from the PA to R2 with the following attributes;

1.png

2.png

3.png

4.png

5.png

6.png

And with a ping from PC2 to PC1, IKE phase 1 and 2 come up.....but the ping fails

7.png

8.png

10.png

9.png

12.png

13.png

And the capture of the ping....outbound ESP, return traffic ICMP...

14.png

Confi on the Cisco router;

!

crypto isakmp policy 1

encr aes

authentication pre-share

group 2

lifetime 3600

crypto isakmp key cisco address 192.168.3.2

!

!

crypto ipsec transform-set Myset esp-aes esp-sha-hmac

!

crypto map Mymap 1 ipsec-isakmp

set peer 192.168.3.2

set transform-set Myset

match address 100

!

!

!

interface FastEthernet0/0

ip address 192.168.3.100 255.255.255.0

duplex auto

speed auto

crypto map Mymap

!

!

access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255

access-list 100 permit ip 172.16.1.0 0.0.0.255 172.16.1.0 0.0.0.255

!

Any ideas guys?

0 Likes Likes
10 REPLIES 10

Go to solution
sbabu
L0 Member

‎12-17-2014 08:07 AM

Hi,

This looks like configuration issue. You created static route for "172.16.2.0/24" pointing towards tunnel.1. However, you created tunnel between PA and R2 router. So you need to create static route for 172.16.1.0/24 and next hop as tunnel interface and redistribute this static route into OSPF. Also you need to remove the static route which configured for "172.16.2.0/24".

Regards,

P.Sarath

Go to solution
Dz3015
L4 Transporter
In response to sbabu

‎12-17-2014 08:57 AM

Agreed, according to the drawing the wrong subnet is pointed at the tunnel.

Go to solution
sbabu
L0 Member

‎12-17-2014 08:59 AM

Also I believe ACL configuration on the Cisco device is not correct. You mentioned same subnet in ACL source and destination.

"access-list 100 permit ip 172.16.1.0 0.0.0.255 172.16.1.0 0.0.0.255"

Regards,

P.Sarath

0 Likes Likes

Go to solution
netsupport1
L2 Linker

‎12-17-2014 02:28 PM

So sorry guys, i documented the topo wrong, the two LAN subnets are swapped;

15.png

So the static is correct i believe, 172.16.1.0/24 to tunnel .1

Thank you all so so much for your help thus far, sorry about the bum steer!

regards

0 Likes Likes

Go to solution
parmas
L2 Linker
In response to netsupport1

‎12-17-2014 02:47 PM

So I think your problem is a typo in the ACL configured on the router. Make sure you have it like this:

access-list 100 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255

access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255


Thanks,

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks