This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Site to Site VPN IPSec issue between PA and Azure

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Site to Site VPN IPSec issue between PA and Azure

Go to solution
informatiq
L1 Bithead

‎03-24-2017 07:20 AM

Hello,

 

I have some problem to configure a VPN between my Palo Alto and Azure.

I follow this tutorial : https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-VPN-Tunnel-Between-a-Pa...

 

So I have this configuration:

Tunnel Interface: It’s an IP in /32 include in the subnet of the Azure gateway (in /29)

 

Interface Tunnel.PNG

 

 

IKE Gateway: My firewall is behind NAT

 IKE Gateway General.PNG

IKE Gateway Advanced Options.PNG

 

 IKE Crypto Profile:

 

IKE Crypto Profile.PNG

 

 

IPsec Crypto Profile:

 

IPSec crypto profile.PNG

 

 

IPsec Tunnel:

 

IPSec Tunnel General.PNG

 

 

IPSec Tunnel Proxy ID.PNG

 

 

Static Route: Destination address is my server subnet

 

Route Static Srv.PNG

 

 

Status of the IPsec tunnels are red (so Phase 1 and Phase 2 of the negotiation don’t succeed):IPSec Tunnel Status.PNG

 

 To test and send data through the VPN, I try to connect in RDP to a VM in Azure. But my PC can’t access to the server.

 

The firewall can’t ping the public IP of Azure. With a traceroute, I can see that packets go on Internet.

 

This is system logs from the firewall with “vpn” as a filter:Log system VPN.PNG

 

 In traffic log, the application is “incomplete” with end session reason “aged-out”:

 

Log Traffic vers SRv.PNG

 

 Results with some commands in the CLI:

show vpn ike-sa gateway GW-IKE-Azure = “IKE gateway GW-IKE-Azure not found”

test vpn ike-sa gateway GW-IKE-Azure = “Initiate IKE SA: Total 1 gateways found. 1 ike sa found”

show session all filter application ike = “No Active Sessions”

debug ike pcap on

view-pcap no-dns-lookup yes no-port-lookup yes debug-pcap ikemgr.pcap =

 

debug ike pcap on.PNG

 

 

 The Azure configuration is:

The connection is configured as Site-to-Site connection

The address range is in /23 with 2 subnet: one in /24 (for VMs) and the second in /29 (for the subnet gateway).

I have a VM subnet with one server install.

 

Have you got any idea to solve the problem?

Thank you in advance for your help.

 

 

 

 

 

1 person had this problem.
0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
TranceforLife
L6 Presenter
In response to informatiq

‎03-27-2017 03:01 PM - edited ‎03-27-2017 03:05 PM

Heys,

 

Would be nice to see a full log output:

 

> tail lines 200 mp-log ikemgr.log

 

It is been some time since my last set-up but just a quick update/tips on this:

 

- make sure Palo in the "passive" mode. So it will not be able to initiate a VPN but we could not make it working when its disabled.

- IKEv2 initiate 2 tunnels: IKE tunnel ( old name of IKEv1 Phase 1) and CHILD_SA (old name of IKEv1 Phase 2). Default lifetime for  IKE Tunnel is 86400 or 28800 seconds (depends of the vendor) for CHILD_SA is 3600 seconds hence your tunnel will be always re-established every hour. But it takes couple seconds not minutes. 

- disable no-pfs on IPSec Crypto

- disable "Liveness Check" on the IKE Gateway configuration.

 

Make sure that all other setting are compatible with Azure. Please see below:

 

IPsec Parameters

Note:

Although the values listed below are supported by the Azure VPN Gateway, currently there is no way for you to specify or select a specific combination from the Azure VPN Gateway. You must specify any constraints from the on-premises VPN device. In addition, you must clamp MSS at 1350.

 

IKE Phase 1 setup

 

PropertyPolicy-basedRoute-based and Standard or High Performance VPN gateway
IKE VersionIKEv1IKEv2
Diffie-Hellman GroupGroup 2 (1024 bit)Group 2 (1024 bit)
Authentication MethodPre-Shared KeyPre-Shared Key
Encryption AlgorithmsAES256 AES128 3DESAES256 3DES
Hashing AlgorithmSHA1(SHA128)SHA1(SHA128), SHA2(SHA256)
Phase 1 Security Association (SA) Lifetime (Time)28,800 seconds10,800 seconds

IKE Phase 2 setup

PropertyPolicy-basedRoute-based and Standard or High Performance VPN gateway
IKE VersionIKEv1IKEv2
Hashing AlgorithmSHA1(SHA128)SHA1(SHA128)
Phase 2 Security Association (SA) Lifetime (Time)3,600 seconds3,600 seconds
Phase 2 Security Association (SA) Lifetime (Throughput)102,400,000 KB-
IPsec SA Encryption & Authentication Offers (in the order of preference)1. ESP-AES256 2. ESP-AES128 3. ESP-3DES 4. N/ASee Route-based Gateway IPsec Security Association (SA) Offers(below)
Perfect Forward Secrecy (PFS)NoYes (DH Group1, 2, 5, 14, 24)
Dead Peer DetectionNot supportedSupported

 

After doing all this tunnel still stable for the past 3 days.

 

You can clear the tunnel couple times to see if everything is working correctly:

 

> clear vpn ike-sa gateway (for IKE Tunnel)

> clear vpn ipsec-sa tunnel (for CHILD_SA)

 

Hope it helps!

 

more info here:

 

https://live.paloaltonetworks.com/t5/General-Topics/VPN-to-Azure-dropouts/m-p/98936#M44162

View solution in original post

1 person found this solution to be helpful.
0 Likes Likes
8 REPLIES 8

Go to solution
narayan
L0 Member

‎03-24-2017 01:55 PM - edited ‎03-24-2017 01:58 PM

Can you follow this for IKEv2 and let me know if it works:

 

https://live.paloaltonetworks.com/t5/Integration-Articles/Configuring-IKEv2-IPsec-VPN-for-Microsoft-...

 

 There doesn't seem to be much difference between the two...you may need to uncheck the liveliness check and the DH group to no-pfs.

 

 

0 Likes Likes

Go to solution
informatiq
L1 Bithead
In response to narayan

‎03-27-2017 12:30 AM

Hello,

 

Thank you for your answer.

 

I make modifications, but it doesn't work. I have the same error message in systems logs :

erreur.PNG

 

 

 

 

0 Likes Likes

Go to solution
informatiq
L1 Bithead
In response to informatiq

‎03-27-2017 07:50 AM

I have just had a new error message:error2.PNG

 

 

0 Likes Likes

Go to solution
TranceforLife
L6 Presenter
In response to informatiq

‎03-27-2017 03:01 PM - edited ‎03-27-2017 03:05 PM

Heys,

 

Would be nice to see a full log output:

 

> tail lines 200 mp-log ikemgr.log

 

It is been some time since my last set-up but just a quick update/tips on this:

 

- make sure Palo in the "passive" mode. So it will not be able to initiate a VPN but we could not make it working when its disabled.

- IKEv2 initiate 2 tunnels: IKE tunnel ( old name of IKEv1 Phase 1) and CHILD_SA (old name of IKEv1 Phase 2). Default lifetime for  IKE Tunnel is 86400 or 28800 seconds (depends of the vendor) for CHILD_SA is 3600 seconds hence your tunnel will be always re-established every hour. But it takes couple seconds not minutes. 

- disable no-pfs on IPSec Crypto

- disable "Liveness Check" on the IKE Gateway configuration.

 

Make sure that all other setting are compatible with Azure. Please see below:

 

IPsec Parameters

Note:

Although the values listed below are supported by the Azure VPN Gateway, currently there is no way for you to specify or select a specific combination from the Azure VPN Gateway. You must specify any constraints from the on-premises VPN device. In addition, you must clamp MSS at 1350.

 

IKE Phase 1 setup

 

PropertyPolicy-basedRoute-based and Standard or High Performance VPN gateway
IKE VersionIKEv1IKEv2
Diffie-Hellman GroupGroup 2 (1024 bit)Group 2 (1024 bit)
Authentication MethodPre-Shared KeyPre-Shared Key
Encryption AlgorithmsAES256 AES128 3DESAES256 3DES
Hashing AlgorithmSHA1(SHA128)SHA1(SHA128), SHA2(SHA256)
Phase 1 Security Association (SA) Lifetime (Time)28,800 seconds10,800 seconds

IKE Phase 2 setup

PropertyPolicy-basedRoute-based and Standard or High Performance VPN gateway
IKE VersionIKEv1IKEv2
Hashing AlgorithmSHA1(SHA128)SHA1(SHA128)
Phase 2 Security Association (SA) Lifetime (Time)3,600 seconds3,600 seconds
Phase 2 Security Association (SA) Lifetime (Throughput)102,400,000 KB-
IPsec SA Encryption & Authentication Offers (in the order of preference)1. ESP-AES256 2. ESP-AES128 3. ESP-3DES 4. N/ASee Route-based Gateway IPsec Security Association (SA) Offers(below)
Perfect Forward Secrecy (PFS)NoYes (DH Group1, 2, 5, 14, 24)
Dead Peer DetectionNot supportedSupported

 

After doing all this tunnel still stable for the past 3 days.

 

You can clear the tunnel couple times to see if everything is working correctly:

 

> clear vpn ike-sa gateway (for IKE Tunnel)

> clear vpn ipsec-sa tunnel (for CHILD_SA)

 

Hope it helps!

 

more info here:

 

https://live.paloaltonetworks.com/t5/General-Topics/VPN-to-Azure-dropouts/m-p/98936#M44162

1 person found this solution to be helpful.
0 Likes Likes

Go to solution
itounsi
L0 Member
In response to TranceforLife

‎05-02-2017 07:35 AM

Hi all,

 

I need your help to configure a vpn between PA3020 and Azure with dynamic gateway.

 

I have a problem "ike-nego-p1-fail "  --> ( description contains 'IKE phase-1 negotiation is failed as initiator, main mode. Failed SA: X.X.X.X[500]-X.X.X.X[500] cookie:6a4facbf0c032fc8:0000000000000000. Due to timeout.' )

 

 and ( eventid eq ike-nego-p1-delete ) -->  and  and ( description contains 'IKE phase-1 SA is deleted SA: SA: X.X.X.X[500]-X.X.X.X[500] cookie:6a4facbf0c032fc8:0000000000000000.' )

 

 

 

0 Likes Likes

Go to solution
niyengar
L2 Linker
In response to itounsi

‎05-02-2017 02:57 PM

Hi,

   My guess is that you need an alternative authentication method in the IKE gateway setup: Local Identification portion.

 

You can use email or fqdn and as long as they match on both sides it doesn't matter what it is...

The guess is here that NAT is breaking IKE

0 Likes Likes

Go to solution
TranceforLife
L6 Presenter
In response to itounsi

‎05-11-2017 06:14 AM

Make sure you have Layer 3 communication between the peer. Before setting up the tunnel, please ping the remote peer ip. If Layer 3 is good, make sure your policy is allowing ike, IPSec etc application on the untrust interface (zone). 

0 Likes Likes

Go to solution
JennyHuang36
L1 Bithead

‎06-07-2017 04:40 PM

Hi, I got question regarding 96415 fixed in 7.1.6. However, I am still seeing the issue in 7.1.6.

What should I do, should I upgrade to 8.0.0+Please assist. Thank you.

 

96415
Fixed an issue where the firewall failed to pass traffic in strongSwan and Azure IPSec tunnels while using IKEv2 because it did not send a Delete payload during a Phase 2 Child SA re-keying. With this fix, the firewall correctly sends a Delete payload during re-keying if it is the node that initiated the re-keying.

0 Likes Likes
  • 1 accepted solution
  • 30735 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks