Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
05-30-2018 02:10 AM
Hello,
I configure a VPN tunnel between two firewalls Palo alto Networks . The tunnel status is up but the other network is unreacheable.
I configure the tunnel on the trust zone . I restart the firewalls without result . The first PA-500 with PANOS 7.1.0 and the second with PANOS 8.0.3
Should I do an upgrade to the OS? Or there is any suggestion to do ?
I will appreciate your helps.
Thank you
05-30-2018 02:49 AM
Hi @ra7oub4,
Did you configure routes to the tunnel interface ? Any information in the logs ?
Eitherway, both PAN-OS versions are rather old and I would recommend upgrading.
7.1.0 was released in March 2016.
8.0.3 was released in June 2017.
A good resource with a lot of info :
Cheers !
-Kiwi.
05-30-2018 03:07 AM
Hello @kiwi
Thank you for your reply . Yes I configure the necessary route . I follow all the steps listed in this article
https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-IPSec-VPN/ta-p/56535
In the logs, I found this information :
IKEv2 child SA negotiation is started as initiator, rekey. Initiated SA: x.x.x.x[500]-y.y.y.y[500] message id:0x00000000.
IKEv2 child SA negotiation is started as initiator, rekey. Initiated SA
IKEv2 IPSec SA delete message sent to peer. Protocol:ESP, SPI:0x982EEEEA
Have you any suggestion to do . Thanks
05-30-2018 06:04 AM
Hi @ra7oub4,
I'm leaning towards some negotiation issues... doublecheck if settings are the same on both ends.
Also try increasing the debug level for more information :
Cheers,
-Kiwi.
06-01-2018 08:59 AM
HI,
You mentioned you applied your tunnel interface to the "Trust" zone. Is there a possibility that your VPN traffic is being NATted?
What happens if you make a new zone for the tunnel interface?
Thanks,
Luke.
06-06-2018 04:24 AM
Hello @kiwi @LukeBullimore
Thank you for your response . I try to configure the VPN in another Zone called VPNZone without result.
I found this logs in the monitor tab:
IKE protocol IPSec SA delete message sent to peer.
IKE daemon configuration load phase-2 succeeded
IKE daemon configuration load phase-1 succeeded
IKE daemon configuration load phase-1 aborted
IKE daemon configuration load phase-2 aborted
Installed SA: 1.1.1.1[500]-2.2.2.2[500] SPI:0xBC2E363C/0xCAE56096 lifetime 3600 Sec lifesize unlimited
I will appreciate all your help
Thank you!
06-06-2018 06:20 AM
After configuring the new zone, did you create a security policy rule to allow traffic? e,g,
from: VPNZone
source: any
to: any
destination: any
application:any
service: any
action: allow
06-06-2018 09:39 AM
Hello ,
Yes, I configured this security rule without result .
I allow trafic:
From :
VPNZone
InternalZone
source: any
TO:
InternalZone
VPNZone
destination: any
application:any
service: any
action: allow
Should I modify the destination to any?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
