Trouble with IPSec Site2Site VPN

L1 Bithead

I am a beginner in the Palo Alto World.

I want to setup a Site2Site VPN to a customer.
The customer has a Palo Alto System running.

I cannot get the tunnel up.

The customer's admin and I are troubleshooting the problem, but so far nothing is working.

The customer site seems to be OK, because he has some other site2site VPNs running.

My firewall is connected via Ethernet 1/1 to a Fritzbox router. I have GlobalProtect running, so the connection to the internet is set up correctly so far. My router has port forwarding for TCP 442, UDP 4500, 4501, 500 and the ESP protocol to the firewall.

IPSec Crypto and IKE Crypto are correctly set up and have been checked multiple times.

The parameters of the IKE Gateway are:

Address Type: IPv4
Interface: ethernet1/1 (connected to Fritzbox)
Local IP: -> Here is my first question: IP address of the firewall (router side), or the public IP?
Peer IP Address Type: IP
Peer Address: x.x.x.x (IP address of the customer)
Authentication: Pre-Shared Key
Pre-shared key: xxxxxxxxxx
Local identification: None -> Should this be my public IP? If yes, what does the customer have to set up?
Peer identification: None -> Should this be the address of the customer?

Advanced Options:

Enable passive mode: off
Enable NAT Traversal: Should it be on or off?

IPSec Tunnels
3 ProxyIDs


If I run test vpn through the CLI I get the following messages:

In case of the public IP address as local address:

2020-10-07 07:50:30.965 +0200 [INFO]: { 1: }: Gateway-GW: IKEv2 SA test initiate start.
2020-10-07 07:50:30.965 +0200 [PNTF]: { 1: }: ====> IKEv2 IKE SA NEGOTIATION STARTED AS INITIATOR, non-rekey; gateway Prominent-GW <==== ====> Initiated SA: PublicIP[500]-CustomerIP[500] SPI:f3fd987d11f3e10f:0000000000000000 SN:43 <====

The log files end here.

In case of the router-side IP address of the firewall as local IP address:
2020-10-07 07:57:51.550 +0200 [INFO]: { 1: }: Gateway-GW: IKEv2 SA test initiate start.
2020-10-07 07:57:51.550 +0200 [PNTF]: { 1: }: ====> IKEv2 IKE SA NEGOTIATION STARTED AS INITIATOR, non-rekey; gateway Gateway-GW <==== ====> Initiated SA: 192.168.178.7[500]-CustomerIP[500] SPI:b66c331180c0f75f:0000000000000000 SN:44 <====
2020-10-07 07:57:51.601 +0200 [PWRN]: { 1: }: 192.168.178.7[500] - CustomerIP[500]:0x10344480 [Prominent-GW:44] unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings.
2020-10-07 07:57:57.051 +0200 [PWRN]: { 1: }: 192.168.178.7[500] - CustomerIP[500]:0x10344640 [Prominent-GW:44] unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings.
2020-10-07 07:58:07.062 +0200 [PWRN]: { 1: }: 192.168.178.7[500] - CustomerIP[500]:0x10344480 [Prominent-GW:44] unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings.

For testing I allowed everything in the security policy.

So how can I find the issue? Any suggestions to troubleshoot this problem?

Thank you for your help.


Accepted Solutions
L1 Bithead

Finally it was a mismatch in the IKE Crypto setting. And also a communication timeout issue with the PA-220. It seemed like the PA was too slow to respond. After Dead Peer Detection was deactivated, it worked.



All Replies
L3 Networker

Hi,


Since port forwarding is enabled, the local IP would be the firewall IP. The local ID is the same as what you set on the other side as peer ID. Set your peer ID to the customer's public IP. NAT traversal is also not needed.
Try to turn off the firewall on your Fritzbox.
If that doesn't help, turn on IKE passive mode on your firewall and make the other side initiate the connection.

Cyber Elite

@c.keller 

Local identification: None -> Should here be my public ip? If yes, what has the customer to set up.

Your local identification can be literally anything you want it to be, as long as the other side has it set up as their peer identification. This can be done with any option as long as you have it configured correctly on the other end. IP Address is the most common, followed by FQDN, but as long as what you are sending is what the other end is expecting it'll work.
Peer Identifikation: None -> Should here be the Address of the customer?

The Peer Identification needs to be whatever the other end has set as their local identification, so you need to get this information from the customer. Usually it's the IP Address or the FQDN, but it can be any supported option.

Again, the IP Address is the most common ID to use, but it isn't the only one. There are a couple of caveats with the other methods, but as long as both peers are sending/expecting the same information it should work fine (barring running into these caveats, like FQDN use when set to aggressive mode, etc.). You can leave these options set to none, and you want them to match on each node.

L1 Bithead

@BPry Thanks for the quick answer.


The customer is a big company and they cannot change things on the PA as quickly as I can.

At the moment they have Peer IP set to my public ip. The local and peer identification is set to none.

The NAT-T option is set to false.


I tried a lot of different things in the past week, without success.


If I use the public IP on Ethernet1/1 (I have to add a subinterface to Ethernet1/1 and use the public IP address), GlobalProtect breaks and I think no communication works. But if I use the firewall IP address on the interface, I think the customer's firewall does not allow it.

I think the IP will not be translated to my public IP and the tunnel does not come up.


Is there a chance to do something, without changing the customer part?


I'm wondering, is it not common to have the PA behind a router? Because I saw in the other rules to different companies that they always use the public IP as peer (customer PA) with local and peer identifier set to none.

L1 Bithead

Thanks for your answer. Will try switching the firewall off.

L1 Bithead

Another quick question: Does GlobalProtect interfere with site2site VPN? This is a suggestion by the customer.

L1 Bithead

@Abdul-Fattah: Turning the firewall off had no effect.

L3 Networker

@c.keller 

If you set the ID to none, by default the firewall will use the IP, so make sure that the customer-side Peer-ID and your Local-ID match.

If the problem is with the identification, you will receive a notification in the logs.

What system logs is your firewall reporting regarding the IPsec?

Is the firewall receiving or trying to make a connection to the other end? Check the sessions and traffic logs.

