02-06-2019 09:43 AM
Hello,
We have successful tunnels to our VPC and traffic is passing. We used the AWS downloaded config to guide us on the PAN side. Now when I change the IKE and IPsec settings to different ciphers, say from aes128 to aes256, the tunnel stays up and is established but we cannot pass traffic.
Anyone else run into this?
Thanks in advance!
02-06-2019 02:02 PM
On our side we are running a physical PAN with 8.0.14 code. On the AWS side it's the built-in AWS connectors.
02-06-2019 02:08 PM
I've never seen any issue like that with our VM-Series firewalls. I don't deal with the physical firewalls but the IPsec/IKE engine should be the same.
Have you tried clearing the tunnel and reestablishing the IPsec tunnel? If so, and that didn't resolve the issue, I would suggest opening up a case with support.
02-07-2019 08:38 AM
Thanks for the suggestion. It didn't work so I opened a support case. I'll post the solution when we find one.
02-07-2019 08:42 AM
Did you set the proper MTU on the tunnel? 1427
02-07-2019 08:46 AM
Yep, as well as leaving it default. No joy.
02-07-2019 10:47 AM
OK, so weird settings; who knows where the real issue is since AWS is a black box.
IKE settings:
These are OK as aes-256-cbc, sha256, DH group14
IPsec settings:
aes-256-cbc, sha1, DH group 14.
So it was the SHA version on the IPsec config that was causing the issues. Won't do sha256 but still establishes the tunnel.
Gotta love interoperability....