This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Who Me Too'd this solution

TranceforLife
L6 Presenter
In response to informatiq

‎03-27-2017 03:01 PM - edited ‎03-27-2017 03:05 PM

Heys,

 

Would be nice to see a full log output:

 

> tail lines 200 mp-log ikemgr.log

 

It is been some time since my last set-up but just a quick update/tips on this:

 

- make sure Palo in the "passive" mode. So it will not be able to initiate a VPN but we could not make it working when its disabled.

- IKEv2 initiate 2 tunnels: IKE tunnel ( old name of IKEv1 Phase 1) and CHILD_SA (old name of IKEv1 Phase 2). Default lifetime for  IKE Tunnel is 86400 or 28800 seconds (depends of the vendor) for CHILD_SA is 3600 seconds hence your tunnel will be always re-established every hour. But it takes couple seconds not minutes. 

- disable no-pfs on IPSec Crypto

- disable "Liveness Check" on the IKE Gateway configuration.

 

Make sure that all other setting are compatible with Azure. Please see below:

 

IPsec Parameters

Note:

Although the values listed below are supported by the Azure VPN Gateway, currently there is no way for you to specify or select a specific combination from the Azure VPN Gateway. You must specify any constraints from the on-premises VPN device. In addition, you must clamp MSS at 1350.

 

IKE Phase 1 setup

 

PropertyPolicy-basedRoute-based and Standard or High Performance VPN gateway
IKE VersionIKEv1IKEv2
Diffie-Hellman GroupGroup 2 (1024 bit)Group 2 (1024 bit)
Authentication MethodPre-Shared KeyPre-Shared Key
Encryption AlgorithmsAES256 AES128 3DESAES256 3DES
Hashing AlgorithmSHA1(SHA128)SHA1(SHA128), SHA2(SHA256)
Phase 1 Security Association (SA) Lifetime (Time)28,800 seconds10,800 seconds

IKE Phase 2 setup

PropertyPolicy-basedRoute-based and Standard or High Performance VPN gateway
IKE VersionIKEv1IKEv2
Hashing AlgorithmSHA1(SHA128)SHA1(SHA128)
Phase 2 Security Association (SA) Lifetime (Time)3,600 seconds3,600 seconds
Phase 2 Security Association (SA) Lifetime (Throughput)102,400,000 KB-
IPsec SA Encryption & Authentication Offers (in the order of preference)1. ESP-AES256 2. ESP-AES128 3. ESP-3DES 4. N/ASee Route-based Gateway IPsec Security Association (SA) Offers(below)
Perfect Forward Secrecy (PFS)NoYes (DH Group1, 2, 5, 14, 24)
Dead Peer DetectionNot supportedSupported

 

After doing all this tunnel still stable for the past 3 days.

 

You can clear the tunnel couple times to see if everything is working correctly:

 

> clear vpn ike-sa gateway (for IKE Tunnel)

> clear vpn ipsec-sa tunnel (for CHILD_SA)

 

Hope it helps!

 

more info here:

 

https://live.paloaltonetworks.com/t5/General-Topics/VPN-to-Azure-dropouts/m-p/98936#M44162

View solution in original post

1 person found this solution to be helpful.
0 Likes Likes
Who Me Too'd this solution
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks