Hi, Setting the KEYID in HEX for the peer id seems to bring the tunnel up. Testing traffic as I am doing both source and destination nat, and I am hitting the nat and security policy but need 3rd Party to confirm if they see any traffic. On the PA side I am seeing timeouts at the moment. I did have to set my nat policy as from zone trust to destination zone trust for the nat work work. I did have the destination nat set to the 3rd party zone but this did not nat correctly.
... View more
Hi Tom, I have got the 3rd party to run the command and they confirmed it is set as an ip address. output was: crypto isakmp identity key-id 213.61.xxx.xxx. I also managed to confirmed that that ip was was HEX format in the packet capture. I tried setting the peer id as KEYID and setting the value of the peer ip in HEX format. The PA did not like this in IKEv1 mode. I have asked to change this to IKEv2 with the below P1/P2 settings. lifetime = 28800 lifebyte = 0 enctype = AES encklen = 256 hashtype = SHA512 authmethod = PSK dh_group = DH20 NAT-T enabled Just waiting to confirm if this is working. Thanks, Hemal.
... View more
Hi All, 1st Post so hopefully i'm doing this correctly. I am trying to setup a VPN tunnel to a 3rd Party. We have a PA-3020 and they have a Cisco ASA. They do have another Cisco in-between both our devices which is performing NAT. Hence we have enabled NAT-T. The main issue I am having is that the tunnel is not coming up. The error message I get in the logs and debugs is: Expecting IP address type in main mode, but KEY_ID. ###.###.###.### - ###.##.###.###:(nil) invalid ID payload. We have the tunnel setup as follows: main mode and using ip addresses. ikev1 (lifetime = 28800:28800) (lifebyte = 0:0) enctype = AES:AES (encklen = 256:256) hashtype = SHA1:SHA1 authmethod = PSK:PSK dh_group = DH5:DH5 NAT-T enabled I am also performing source and destination nats as the ip ranges conflicts on both sides. We have set the Proxy IDs on both ends as the nat ranges. On the PA-3020 the local and peer ID have been set as the public ips of the peers. I have also tried their private ip (as they are natting) just as a test, and I am getting the same error. Also tried removing the IDs and same thing. I have read an article about How to determine the correct value to put in the PAN IKE peer KEYID field? But cannot seem to find the KEYID field (in hex or ascii) in the packet capture. Link: How to determine the correct value to put in the PAN IKE peer K... - Knowledge Base - Palo Alto Networks Any help on why I am getting the error would help as I am not sure what else to try. Thanks in advance
... View more