Site to Site VPN IPSec issue between PA and Azure

L1 Bithead

Hello,

I have a problem configuring a VPN between my Palo Alto and Azure.

I followed this tutorial: https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-VPN-Tunnel-Between-a-Pa...

So I have this configuration:

Tunnel Interface: it's a /32 IP included in the subnet of the Azure gateway (a /29)

Interface Tunnel.PNG

IKE Gateway: my firewall is behind NAT

IKE Gateway General.PNG

IKE Gateway Advanced Options.PNG

IKE Crypto Profile:

IKE Crypto Profile.PNG

IPsec Crypto Profile:

IPSec crypto profile.PNG

IPsec Tunnel:

IPSec Tunnel General.PNG

IPSec Tunnel Proxy ID.PNG

Static Route: the destination address is my server subnet

Route Static Srv.PNG

The status of the IPsec tunnels is red (so Phase 1 and Phase 2 of the negotiation don't succeed):

IPSec Tunnel Status.PNG

To test and send data through the VPN, I try to connect over RDP to a VM in Azure. But my PC can't access the server.

The firewall can't ping the public IP of Azure. With a traceroute, I can see that the packets go out to the Internet.

These are the system logs from the firewall with "vpn" as a filter:

Log system VPN.PNG

In the traffic log, the application is "incomplete" with end session reason "aged-out":

Log Traffic vers SRv.PNG

Results of some commands in the CLI:

show vpn ike-sa gateway GW-IKE-Azure = "IKE gateway GW-IKE-Azure not found"

test vpn ike-sa gateway GW-IKE-Azure = "Initiate IKE SA: Total 1 gateways found. 1 ike sa found"

show session all filter application ike = "No Active Sessions"

debug ike pcap on

view-pcap no-dns-lookup yes no-port-lookup yes debug-pcap ikemgr.pcap =

debug ike pcap on.PNG

The Azure configuration is:

The connection is configured as a Site-to-Site connection.

The address range is a /23 with 2 subnets: one /24 (for VMs) and a second /29 (for the gateway subnet).

I have a VM subnet with one server installed.

Do you have any idea how to solve the problem?

Thank you in advance for your help.

Accepted Solution

Hey,

It would be nice to see a full log output:

> tail lines 200 mp-log ikemgr.log

It has been some time since my last set-up, but just a quick update/tips on this:

- make sure the Palo is in "passive" mode. It will not be able to initiate a VPN, but we could not make it work when this was disabled.

- IKEv2 initiates 2 tunnels: the IKE tunnel (old name: IKEv1 Phase 1) and the CHILD_SA (old name: IKEv1 Phase 2). The default lifetime for the IKE tunnel is 86400 or 28800 seconds (depending on the vendor); for the CHILD_SA it is 3600 seconds, hence your tunnel will always be re-established every hour. But it takes a couple of seconds, not minutes.

- disable no-pfs on IPSec Crypto

- disable "Liveness Check" in the IKE Gateway configuration.

Make sure that all other settings are compatible with Azure. Please see below:

IPsec Parameters

Note: Although the values listed below are supported by the Azure VPN Gateway, currently there is no way for you to specify or select a specific combination from the Azure VPN Gateway. You must specify any constraints from the on-premises VPN device. In addition, you must clamp MSS at 1350.

IKE Phase 1 setup

| Property | Policy-based | Route-based and Standard or High Performance VPN gateway |
|---|---|---|
| IKE Version | IKEv1 | IKEv2 |
| Diffie-Hellman Group | Group 2 (1024 bit) | Group 2 (1024 bit) |
| Authentication Method | Pre-Shared Key | Pre-Shared Key |
| Encryption Algorithms | AES256, AES128, 3DES | AES256, 3DES |
| Hashing Algorithm | SHA1 (SHA128) | SHA1 (SHA128), SHA2 (SHA256) |
| Phase 1 Security Association (SA) Lifetime (Time) | 28,800 seconds | 10,800 seconds |

IKE Phase 2 setup

| Property | Policy-based | Route-based and Standard or High Performance VPN gateway |
|---|---|---|
| IKE Version | IKEv1 | IKEv2 |
| Hashing Algorithm | SHA1 (SHA128) | SHA1 (SHA128) |
| Phase 2 Security Association (SA) Lifetime (Time) | 3,600 seconds | 3,600 seconds |
| Phase 2 Security Association (SA) Lifetime (Throughput) | 102,400,000 KB | - |
| IPsec SA Encryption & Authentication Offers (in order of preference) | 1. ESP-AES256 2. ESP-AES128 3. ESP-3DES 4. N/A | See Route-based Gateway IPsec Security Association (SA) Offers (below) |
| Perfect Forward Secrecy (PFS) | No | Yes (DH Group 1, 2, 5, 14, 24) |
| Dead Peer Detection | Not supported | Supported |

After doing all this, the tunnel has been stable for the past 3 days.

You can clear the tunnel a couple of times to see if everything is working correctly:

> clear vpn ike-sa gateway (for IKE Tunnel)

> clear vpn ipsec-sa tunnel (for CHILD_SA)

Hope it helps!

More info here:

https://live.paloaltonetworks.com/t5/General-Topics/VPN-to-Azure-dropouts/m-p/98936#M44162
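As an added illustration (not code from the thread or from Palo Alto Networks), the following script compares a candidate IKE/IPsec proposal with the Azure route-based IKEv2 parameters in the table above and reports what would block the tunnel; the dictionary field names are this example's own convention and the algorithm spellings are PAN-OS style.

```python
AZURE_ROUTE_BASED = {
    "ike_version": "ikev2",
    "dh_group": "group2",                      # Phase 1 Diffie-Hellman group
    "ike_encryption": {"aes-256-cbc", "3des"}, # AES256, 3DES
    "ike_hash": {"sha1", "sha256"},            # SHA1, SHA2 (SHA256)
    "ike_lifetime_s": 10800,                   # Phase 1 SA lifetime (time)
    "esp_auth": {"sha1"},                      # Phase 2 hashing algorithm
    "ipsec_lifetime_s": 3600,                  # Phase 2 SA lifetime (time)
    "pfs_groups": {"no-pfs", "group1", "group2", "group5", "group14", "group24"},
    "mss": 1350,                               # MSS clamp Azure requires
}

def check_proposal(p, azure=AZURE_ROUTE_BASED):
    """Return (errors, notes): errors would block the tunnel, notes only affect re-keying."""
    errors, notes = [], []
    if p["ike_version"] != azure["ike_version"]:
        errors.append(f"IKE version {p['ike_version']}: route-based gateway needs {azure['ike_version']}")
    if p["dh_group"] != azure["dh_group"]:
        errors.append(f"Phase 1 DH {p['dh_group']}: Azure lists only {azure['dh_group']}")
    if not set(p["ike_encryption"]) & azure["ike_encryption"]:
        errors.append("no Phase 1 encryption algorithm in common with Azure")
    if not set(p["ike_hash"]) & azure["ike_hash"]:
        errors.append("no Phase 1 hash algorithm in common with Azure")
    if not set(p["esp_auth"]) & azure["esp_auth"]:
        errors.append("no Phase 2 ESP authentication algorithm in common with Azure")
    if p["pfs_group"] not in azure["pfs_groups"]:
        errors.append(f"PFS group {p['pfs_group']} is not one Azure supports")
    if p.get("mss_clamp") != azure["mss"]:
        errors.append(f"MSS must be clamped to {azure['mss']} (got {p.get('mss_clamp')})")
    # IKEv2 does not negotiate lifetimes: a mismatch only means the side with the
    # shorter timer re-keys first (the hourly CHILD_SA re-key the reply describes).
    if p["ike_lifetime_s"] != azure["ike_lifetime_s"]:
        notes.append(f"Phase 1 lifetime {p['ike_lifetime_s']}s vs Azure {azure['ike_lifetime_s']}s")
    if p["ipsec_lifetime_s"] != azure["ipsec_lifetime_s"]:
        notes.append(f"Phase 2 lifetime {p['ipsec_lifetime_s']}s vs Azure {azure['ipsec_lifetime_s']}s")
    return errors, notes

# Constructed sample: IKEv1 with DH group 14, SHA256 ESP auth and no MSS clamp.
SAMPLE_BAD = {"ike_version": "ikev1", "dh_group": "group14", "ike_encryption": ["aes-256-cbc"],
              "ike_hash": ["sha256"], "ike_lifetime_s": 28800, "esp_auth": ["sha256"],
              "ipsec_lifetime_s": 3600, "pfs_group": "group14"}
# Constructed sample: the same proposal after following the accepted solution.
SAMPLE_OK = {"ike_version": "ikev2", "dh_group": "group2", "ike_encryption": ["aes-256-cbc", "3des"],
             "ike_hash": ["sha256"], "ike_lifetime_s": 28800, "esp_auth": ["sha1"],
             "ipsec_lifetime_s": 3600, "pfs_group": "no-pfs", "mss_clamp": 1350}

if __name__ == "__main__":
    for name, prop in (("bad", SAMPLE_BAD), ("ok", SAMPLE_OK)):
        errs, nts = check_proposal(prop)
        print(name, "errors:", errs, "notes:", nts)
```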

8 Replies

L0 Member

Can you follow this for IKEv2 and let me know if it works:

https://live.paloaltonetworks.com/t5/Integration-Articles/Configuring-IKEv2-IPsec-VPN-for-Microsoft-...

There doesn't seem to be much difference between the two... you may need to uncheck the Liveness Check and set the DH group to no-pfs.

 

 

Hello,

Thank you for your answer.

I made the modifications, but it doesn't work. I have the same error message in the system logs:

erreur.PNG

I have just had a new error message:

error2.PNG

Hi all,

I need your help to configure a VPN between a PA3020 and Azure with a dynamic gateway.

I have a problem "ike-nego-p1-fail" --> ( description contains 'IKE phase-1 negotiation is failed as initiator, main mode. Failed SA: X.X.X.X[500]-X.X.X.X[500] cookie:6a4facbf0c032fc8:0000000000000000. Due to timeout.' )

and ( eventid eq ike-nego-p1-delete ) --> ( description contains 'IKE phase-1 SA is deleted SA: SA: X.X.X.X[500]-X.X.X.X[500] cookie:6a4facbf0c032fc8:0000000000000000.' )

Hi,

My guess is that you need an alternative authentication method in the IKE gateway setup: the Local Identification portion.

You can use email or FQDN, and as long as they match on both sides it doesn't matter what it is...

The guess here is that NAT is breaking IKE.

Make sure you have Layer 3 communication between the peers. Before setting up the tunnel, please ping the remote peer IP. If Layer 3 is good, make sure your policy is allowing the ike, IPSec etc. applications on the untrust interface (zone).
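The checks in the two replies above can be driven from the system-log text the poster quoted. This added example (not code from the thread or from Palo Alto Networks) parses ike-nego-p1-fail / ike-nego-p1-delete descriptions of that shape and maps them to those checks; the sample lines are constructed from the quoted format with documentation-range IP addresses, and reading an all-zero responder cookie as "the peer never answered" is this example's own inference.

```python
import re

# Description text of the phase-1 events quoted in the thread. In IKEv1 the cookie
# pair is initiator:responder; the responder half stays all zeros until a reply arrives.
SA_RE = re.compile(
    r"SA:\s*(?:SA:\s*)?(?P<local>[\d.]+)\[(?P<lport>\d+)\]-(?P<peer>[\d.]+)\[(?P<pport>\d+)\]"
    r"\s+cookie:(?P<icookie>[0-9a-f]{16}):(?P<rcookie>[0-9a-f]{16})"
)
ROLE_RE = re.compile(r"negotiation is failed as (?P<role>initiator|responder), (?P<mode>\w+) mode")
REASON_RE = re.compile(r"Due to (?P<reason>[^.]+)\.")

def parse_p1_event(description):
    """Parse one description string into a dict, or None if it is not a phase-1 SA event."""
    m = SA_RE.search(description)
    if not m:
        return None
    ev = m.groupdict()
    ev["lport"], ev["pport"] = int(ev["lport"]), int(ev["pport"])
    r = ROLE_RE.search(description)
    ev["role"], ev["mode"] = (r["role"], r["mode"]) if r else (None, None)
    rs = REASON_RE.search(description)
    ev["reason"] = rs["reason"] if rs else None
    ev["peer_replied"] = ev["rcookie"] != "0" * 16
    return ev

def triage(ev):
    """Map a parsed event to the checks the replies in the thread suggest."""
    checks = []
    if not ev["peer_replied"]:
        checks.append("responder cookie is all zeros: the peer never answered the first message")
        checks.append("ping the remote peer IP to confirm Layer 3 reachability before touching crypto")
        checks.append("confirm policy on the untrust zone allows ike and ipsec (UDP 500, UDP 4500 for NAT-T)")
    if ev["mode"] == "main" and ev["role"] == "initiator":
        checks.append("if the firewall is behind NAT, set a matching FQDN/email Local Identification on both sides")
    return checks

# Constructed sample lines in the format quoted above (cookie value taken from the thread).
SAMPLE_LOGS = [
    "IKE phase-1 negotiation is failed as initiator, main mode. Failed SA: 203.0.113.10[500]-198.51.100.20[500] cookie:6a4facbf0c032fc8:0000000000000000. Due to timeout.",
    "IKE phase-1 SA is deleted SA: SA: 203.0.113.10[500]-198.51.100.20[500] cookie:6a4facbf0c032fc8:0000000000000000.",
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        ev = parse_p1_event(line)
        print(ev["peer"], ev["role"], ev["reason"], triage(ev))
```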

L1 Bithead

Hi, I have a question regarding 96415, fixed in 7.1.6. However, I am still seeing the issue in 7.1.6.

What should I do, should I upgrade to 8.0.0+? Please assist. Thank you.

 

96415
Fixed an issue where the firewall failed to pass traffic in strongSwan and Azure IPSec tunnels while using IKEv2 because it did not send a Delete payload during a Phase 2 Child SA re-keying. With this fix, the firewall correctly sends a Delete payload during re-keying if it is the node that initiated the re-keying.
