I built a site-to-site VPN between GCP and a PA3250, which is not working. Surely, I'm missing something.
The GCP VPN points to the same interface and IP that other VPNs successfully use on the Palo.
I added a Sec policy to allow the GCP IP and the Palo IP to set up Phase 1. However, the Palo drops the inbound IKE-SA-INIT packets. They are getting caught by the INTRAZONE Default rule.
I've verified the IP addresses, the IKE parameters, the PSK, and the Sec policy. In fact, I've rebuilt this a few times by completely deleting everything on the GCP side and the related configs in the Palo.
To test I set up a VPN from the same GCP project to a different PA3250 with a different IP address and that tunnel works flawlessly.
Every time I've rebuilt the VPNs I get a different public IP from GCP. So, it's not an issue with their IP addresses.
What appears to be happening, but I can't verify, is that the PA3250 with the issue policy-denies the packets and just drops all subsequent packets from that address. Like it's cached somewhere. As a test I deleted the VPN config from both sides before leaving yesterday. I created them from scratch this morning, about 14 hours later, with the same results. The first packet gets denied and nothing else.
When I run test vpn ike-sa gateway ******** from the cli, a packet capture shows that the outbound packet from the Palo gets dropped.
I've scoured both PA3250s for the difference, but only come up with the Palo IP address.