Palo in AWS to Azure VPN Gateway

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Palo in AWS to Azure VPN Gateway

L0 Member

Hi All, I am trying to setup a site-to-to site VPN between Palo (v9.0.1) and Azure VPN gateway.

 

I have a question and an issue that I am trying to resolve...

 

NAT-T should be enabled in the gateway settings since AWS NATs everything?

 

This is the error I keep getting...

 

2022-05-06 15:09:24.235 -0700 [INFO]: { 3: }: received IKE request 21.50.80.20[500] to 10.10.50.20[500], found IKE gateway TEST_VPN
2022-05-06 15:09:24.235 -0700 [PNTF]: { 3: }: ====> IKEv2 IKE SA NEGOTIATION STARTED AS RESPONDER, non-rekey; gateway TEST_VPN <====
====> Initiated SA: 10.10.50.20[500]-21.50.80.20[500] SPI:e6a2d4b06fcdec78:a017e7a7durt67ug SN:654 <====
2022-05-06 15:09:24.235 -0700 [DEBG]: { 3: }: received Notify type NAT_DETECTION_SOURCE_IP
2022-05-06 15:09:24.236 -0700 [DEBG]: { 3: }: received Notify type NAT_DETECTION_DESTINATION_IP
2022-05-06 15:09:24.236 -0700 [INFO]: { 3: }: NAT detected: behind NAT
2022-05-06 15:09:24.236 -0700 [PWRN]: { 3: }: 10.10.50.20[500] - 21.50.80.20[500]:0x555555a4c640 vendor id payload ignored
2022-05-06 15:09:24.236 -0700 [PWRN]: { 3: }: 10.10.50.20[500] - 21.50.80.20[500]:0x555555a4c640 vendor id payload ignored
2022-05-06 15:09:24.236 -0700 [PWRN]: { 3: }: 10.10.50.20[500] - 21.50.80.20[500]:0x555555a4c640 vendor id payload ignored
2022-05-06 15:09:24.236 -0700 [PWRN]: { 3: }: 10.10.50.20[500] - 21.50.80.20[500]:0x555555a4c640 vendor id payload ignored
2022-05-06 15:09:24.236 -0700 [DEBG]: { 3: }: see whether there's matching transform
2022-05-06 15:09:24.236 -0700 [DEBG]: { 3: }: found same ID. compare attributes
2022-05-06 15:09:24.236 -0700 [DEBG]: { 3: }: OK; advance to next of my transform type
2022-05-06 15:09:24.236 -0700 [DEBG]: { 3: }: see whether there's matching transform
2022-05-06 15:09:24.236 -0700 [DEBG]: { 3: }: found same ID. compare attributes
2022-05-06 15:09:24.236 -0700 [DEBG]: { 3: }: OK; advance to next of my transform type
2022-05-06 15:09:24.236 -0700 [DEBG]: { 3: }: see whether there's matching transform
2022-05-06 15:09:24.236 -0700 [DEBG]: { 3: }: found same ID. compare attributes
2022-05-06 15:09:24.236 -0700 [DEBG]: { 3: }: OK; advance to next of my transform type
2022-05-06 15:09:24.236 -0700 [DEBG]: { 3: }: see whether there's matching transform
2022-05-06 15:09:24.236 -0700 [DEBG]: { 3: }: found same ID. compare attributes
2022-05-06 15:09:24.236 -0700 [DEBG]: { 3: }: OK; advance to next of my transform type
2022-05-06 15:09:24.236 -0700 [DEBG]: { 3: }: success
2022-05-06 15:09:24.236 -0700 [DEBG]: { 3: }: update request message_id 0x0
2022-05-06 15:09:24.240 -0700 [INFO]: { 3: }: 10.10.50.20[4500] - 21.50.80.20[4500]:0x7fffd4109fc0 authentication result: success
2022-05-06 15:09:24.240 -0700 [PNTF]: { 3: }: ====> IKEv2 CHILD SA NEGOTIATION STARTED AS RESPONDER, non-rekey; gateway TEST_VPN <====
====> Initiated SA: 10.10.50.20[4500]-21.50.80.20[4500] message id:0x00000001 parent SN:654 <====
2022-05-06 15:09:24.240 -0700 [DEBG]: { 3: }: update request message_id 0x1
2022-05-06 15:09:24.240 -0700 [INFO]: { 3: }: 10.10.50.20[4500] - 21.50.80.20[4500]:(nil) closing IKEv2 SA TEST_VPN:954, code 15
2022-05-06 15:09:24.240 -0700 [PNTF]: { 3: }: ====> IKEv2 IKE SA NEGOTIATION FAILED AS RESPONDER, non-rekey; gateway TEST_VPN <====
====> Failed SA: 10.10.50.20[4500]-21.50.80.20[4500] SPI:e6a2d4b06fcdec78:a017e7a7durt67ug SN 954 <====
2022-05-06 15:09:24.240 -0700 [DEBG]: { 3: }: SA dying from state RES_IKE_AUTH_RCVD, caller ikev2_abort
2022-05-06 15:09:24.240 -0700 [DEBG]: { 3: }: SA deleted: state DYING, caller ikev2_abort
2022-05-06 15:09:24.240 -0700 [DEBG]: { 3: }: stop retransmit for sa 0x7fffd406bb70 (DEAD), CID 0, child 0x7fffd406bb70
 
Any help would be appreciated...
1 REPLY 1

Hi @PaulZharyuk ,

You need to put the private IP addresses as IKE peer ID when defining the IKE Gateway.

 

Astardzhiev_0-1655369419774.png

 

If you don't define anything (leave the default of none), firewalls will use IP addresses as peer identifiers. But when behind NAT device will send the private address as local peer (because that is assigned on its interface), while the remote peer will expect to see the public IP (because you have defind the public IP as remote peer).

 

For that reason when behind NAT, in addition to NAT-T you need to change IKE peer identification to use the private addresses.

 

P.S. I hope you have upgraded your firewall as 9.0 is out of support since March.

  • 2268 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!