For details on cookie usage on our site, read our Privacy Policy
Site-to-Site VPN from a Palo Alto Firewall in the AWS.
- LIVEcommunity
- Discussions
- Network Security
- VM-Series in the Public Cloud
- Site-to-Site VPN from a Palo Alto Firewall in the AWS.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
Site-to-Site VPN from a Palo Alto Firewall in the AWS.
- Mark as New
- Subscribe to RSS Feed
- Permalink
01-22-2018 11:55 PM
Folks,
We have provisioned a Palo Alto Firewall in one of the AWS VPC. This is essentially a single legged deployment and the function of this firewall will only be to act as a transit firewall.
This firewall will have VPN connectivity to the corporate firewall and to some other remote VPC's. Traffic filtering will be done on this Palo Alto Firewall.
The issue we are facing is that we do not see any VPN getting negotiated from this Palo Alto Firewall to either the remote VPC or to the corporate firewall. The Palo Alto firewall has a RFC1918 IP address on it's Eth1/1 interface and then this IP address has been allocated a Elastic IP on the AWS console. At present we are going step-by-step and looking at the errors on the Phase-1 IKE connections.
Our corporate firewall which is a Juniper does get the Phase-1 messages from this Palo Alto firewall but throws out an error saying "Rejected an IKE packet on ethernetx/y from a.b.c.d:500 to e.f.g.h:500 with cookies ********* and 00000000 because an initial Phase 1 packet arrived from an unrecognized peer gateway.
a.b.c.d is the Elastic IP provided in AWS
e.f.g.h is the Public interface IP of the Juniper firewall.
Could someone throw some light on what could be the issue? Is there some way to work on this?
Thanks!!!
- Mark as New
- Subscribe to RSS Feed
- Permalink
01-24-2018 12:14 AM
yes, all these options have been tried out with no success so far. We are still hunting the options here if there is something very basic that we missed.
- Mark as New
- Subscribe to RSS Feed
- Permalink
01-24-2018 04:01 AM
BTW....I did not mention this. The VPC(which hosts the firewall) has 2 VPN's one to route the management subnet directly to the corporate and the second to route the Untrust interface to the corporate for actual data flow...
would that cause any harm?
Should I try to delete the management VPN and then give this a try?
- Mark as New
- Subscribe to RSS Feed
- Permalink
01-24-2018 05:59 AM
one more point, we tried a debug on the Juniper end and it shows a message as below:
"Not found: 1st peer_ent that is used, with no peer IP, and right local IP."
by any chance could it be that some tweak needed on the PAN end to ensure that it sends the peer IP?
- Mark as New
- Subscribe to RSS Feed
- Permalink
01-24-2018 01:00 PM
If you see the routable Public IP addresses on both devices that are terminating the Phase 1 IKE tunnel that is expected.
Your logs that show the private IP is expected as well because prior to egress the IP address isn't transalated.
If you are sure that both the Juniper and PAN have a publically routable IP address and it's not working then the next step would be to open a support ticket and probably with both vendors. I've seen nothing in this thread that tells me either the PAN or the Juniper is the culprit so a support ticket with both vendors would be the way to go depending on the software you are running.
If you are running a GA release of PAN-OS then you can definitely open a support ticket with PAN support as well.
- Mark as New
- Subscribe to RSS Feed
- Permalink
01-28-2018 01:49 AM
Please check below points you had configured in paloalto properly,
1)NAT-travesal should enable.
2)In security policy ,you need to create policy from untrust to untrust, in case you have any-any deny rule.
3)Try to create a identification, local IP identification and you have to put the outside interface private ip(not the public ip)
Regards
Rashid
- IPSec tunnel not working in Next-Generation Firewall Discussions
- Palo Alto Networks next-generation firewalls Threat prevention signatures in Next-Generation Firewall Discussions
- Unable to create a support account in Next-Generation Firewall Discussions
- LDAP Integration with Redhat IPA in Palo Alto Firewall in Next-Generation Firewall Discussions
- Integrating 3rd Party feeds in Palo Alto firewall for blocking IOC's in Next-Generation Firewall Discussions
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
