VPN SITE TO SITE PALO ALTO NETWORKS

L2 Linker
Hello,

 

I configured a VPN tunnel between two Palo Alto Networks firewalls. The tunnel status is up, but the other network is unreachable.

I configured the tunnel in the trust zone. I restarted the firewalls without result. The first PA-500 has PAN-OS 7.1.0 and the second PAN-OS 8.0.3.

Should I upgrade the OS? Or is there any other suggestion?

I would appreciate your help.

 

Thank you

Community Team Member

Hi @ra7oub4,

 

Did you configure routes to the tunnel interface? Any information in the logs?

Either way, both PAN-OS versions are rather old and I would recommend upgrading.

 

7.1.0 was released in March 2016.

8.0.3 was released in June 2017.

 

A good resource with a lot of info:

https://live.paloaltonetworks.com/t5/Management-Articles/IPSec-and-tunneling-resource-list/ta-p/6772...

 

Cheers !

-Kiwi.

L2 Linker

Hello @kiwi

 

Thank you for your reply. Yes, I configured the necessary route. I followed all the steps listed in this article:

 

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-IPSec-VPN/ta-p/56535 

 

In the logs, I found this information:

IKEv2 child SA negotiation is started as initiator, rekey. Initiated SA: x.x.x.x[500]-y.y.y.y[500] message id:0x00000000.
IKEv2 child SA negotiation is started as initiator, rekey. Initiated SA
IKEv2 IPSec SA delete message sent to peer. Protocol:ESP, SPI:0x982EEEEA

 

Do you have any suggestions? Thanks.

Community Team Member

Hi @ra7oub4,

 

I'm leaning towards some negotiation issues... double-check that the settings are the same on both ends.

Also try increasing the debug level for more information:

 

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Troubleshoot-IPSec-VPN-connectivity-...

https://live.paloaltonetworks.com/t5/Management-Articles/Advanced-VPN-IPSec-troubleshooting-8-0-enab...

 

Cheers,

-Kiwi.

L5 Sessionator

Hi,

 

You mentioned you applied your tunnel interface to the "Trust" zone. Is there a possibility that your VPN traffic is being NATted?

 

What happens if you make a new zone for the tunnel interface?

 

Thanks,

Luke.

 

L2 Linker

Hello @kiwi @LukeBullimore

 

Thank you for your response. I tried configuring the VPN in another zone called VPNZone, without result.

I found these logs in the Monitor tab:

 

IKE protocol IPSec SA delete message sent to peer.
IKE daemon configuration load phase-2 succeeded
IKE daemon configuration load phase-1 succeeded
IKE daemon configuration load phase-1 aborted
IKE daemon configuration load phase-2 aborted
Installed SA: 1.1.1.1[500]-2.2.2.2[500] SPI:0xBC2E363C/0xCAE56096 lifetime 3600 Sec lifesize unlimited

 

I would appreciate all your help.

 

Thank you!
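Added example, not from this thread or from Palo Alto Networks: a small Python parser for the IKE/IPsec system-log messages quoted in the posts above, producing an at-a-glance summary (installed SAs with their SPIs and lifetime, SPIs torn down, rekey attempts, aborted config loads) and findings that map to the checks raised in this thread (matching phase settings, routes, zone policy, NAT). The regex group names, the findings text and the sample lines are my assumptions, constructed from the messages quoted here.

```python
import re
# Constructed sample from the PAN-OS system-log lines quoted in this thread (placeholder addresses/SPIs, not real peers).
SAMPLE_LOG = """\
IKEv2 child SA negotiation is started as initiator, rekey. Initiated SA: 1.1.1.1[500]-2.2.2.2[500] message id:0x00000000.
IKEv2 IPSec SA delete message sent to peer. Protocol:ESP, SPI:0x982EEEEA
IKE daemon configuration load phase-2 succeeded
IKE daemon configuration load phase-1 succeeded
IKE daemon configuration load phase-1 aborted
IKE daemon configuration load phase-2 aborted
Installed SA: 1.1.1.1[500]-2.2.2.2[500] SPI:0xBC2E363C/0xCAE56096 lifetime 3600 Sec lifesize unlimited
"""
# One regex per message type seen in the thread; the group names are my own.
PATTERNS = {
    "install": re.compile(r"Installed SA: (?P<local>[\d.]+)\[\d+\]-(?P<peer>[\d.]+)\[\d+\] SPI:(?P<spi_in>0x[0-9A-Fa-f]+)/(?P<spi_out>0x[0-9A-Fa-f]+) lifetime (?P<life>\d+) Sec"),
    "delete": re.compile(r"IPSec SA delete message sent to peer\. Protocol:(?P<proto>\w+), SPI:(?P<spi>0x[0-9A-Fa-f]+)"),
    "cfgload": re.compile(r"IKE daemon configuration load (?P<phase>phase-[12]) (?P<result>succeeded|aborted)"),
    "rekey": re.compile(r"child SA negotiation is started as (?P<role>initiator|responder), rekey"),
}
def parse_ike_log(text):
    """Return a list of (event_type, fields) for every recognised message line."""
    events = []
    for line in text.splitlines():
        for name, rx in PATTERNS.items():
            if m := rx.search(line):
                events.append((name, m.groupdict()))
                break
    return events

def summarize(events):
    """At-a-glance view: SAs installed, SPIs torn down, rekey attempts, aborted config loads."""
    s = {"installed": [], "deleted_spis": [], "rekeys": 0, "config_aborts": []}
    for name, f in events:
        if name == "install":
            s["installed"].append((f["local"], f["peer"], f["spi_in"], f["spi_out"], int(f["life"])))
        elif name == "delete":
            s["deleted_spis"].append(f["spi"])
        elif name == "rekey":
            s["rekeys"] += 1
        elif name == "cfgload" and f["result"] == "aborted":
            s["config_aborts"].append(f["phase"])
    return s

def findings(s):
    """Map the summary to the checks raised in the thread (matching settings, routes, zone policy, NAT)."""
    out = []
    if s["config_aborts"]:
        out.append("config load aborted for " + ", ".join(s["config_aborts"]) + ": confirm the phase-1/phase-2 settings match on both ends")
    if s["installed"]:
        out.append("IPSec SA installed, so negotiation completes: check the route to the tunnel interface, the security policy for the tunnel zone, and any NAT on the tunnel traffic")
    return out
```

Feed it the raw message text copied from the Monitor tab or from ikemgr.log; with the sample above it reports both an aborted config load and an installed SA, which is why the thread moves from negotiation settings to routes, zone policy and NAT.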

L5 Sessionator

After configuring the new zone, did you create a security policy rule to allow traffic? e.g.

 

from: VPNZone

source: any

to: any

destination: any

application:any

service: any

action: allow

L2 Linker

Hello,

 

Yes, I configured this security rule, without result.

I allow traffic:

From:

VPNZone

InternalZone

source: any

To:

InternalZone

VPNZone

destination: any

application:any

service: any

action: allow

 

Should I modify the destination to any?

 
