Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
11292
Views
50
Helpful
22
Replies

IPsec Site-to-Site VPN Palo Alto and Cisco Router

MrBeginner
Spotlight
Spotlight

‎11-20-2018 02:38 AM - edited ‎02-21-2020 09:30 PM

Hi ,

I would like to know how to integrate PaloAlto and cisco router for point to point IPsec.

I followed below link for paloalto and for cisco router is followed below attachment.But it is not working yet.

i am not using gre tunnel and i use IPsec only and apply ipsec to physical interface.

I want to how to put ipsec configuration in cisco router if PaloAlto is using ikev2.

Please share me ike with CA authentication.

https://blog.webernetz.net/ipsec-site-to-site-vpn-palo-alto-cisco-router/

I also confuse in Ike v2 Profile command.

crypto ikev2 profile RTR1-RTR2-PROFILE

match identity remote fqdn RTR2.TEST <== can i put ip address ?

identity local fqdn RTR1.TEST         <=== can i put ip address ,is it WAN address or local address ?

authentication remote rsa-sig         

authentication local rsa-sig         <=== why we should put this command ?

pki trustpoint CA-SVR

!

1 person had this problem
Labels:
Preview file
71 KB
22 Replies 22

Rob Ingram
VIP
VIP

‎11-20-2018 02:46 AM

Yes, you can use address instead of fqdn of the local and remote identities. E.g:-

crypto ikev2 profile RTR1-RTR2-PROFILE
match identity remote address 5.5.5.5
identity local address 1.1.1.1

IKEv2 uses asymetrical authentication methods, so you could use different methods. If you are using certificates on both devices, then you would specify local and remote method to be RSA-SIG.

HTH

MrBeginner
Spotlight
Spotlight
In response to Rob Ingram

‎11-20-2018 04:48 AM - edited ‎11-20-2018 05:15 AM

Hi,

I can use ike v1 how should i dow?

my router doen't support ikev2 and if i want to use CA what should i do ? let me know cisco C890 can support ike v 2 ? i got authenicatio fail error when connection establish.how to troubleshoot.

0 Helpful

Rob Ingram
VIP
VIP
In response to MrBeginner

‎11-20-2018 05:07 AM

The 890 series datasheet confirms it supports FlexVPN (which only supports IKEv2), so yes it should work. What firmware version are you running? If it's an old version upgrade it.

MrBeginner
Spotlight
Spotlight
In response to Rob Ingram

‎11-20-2018 05:51 AM - edited ‎11-20-2018 06:23 AM

Hi RJI,
now i can type. and configured.But cannot establish with Paloalto FW.
But now i got the below error.Please see my config.

ISAKMP: (0):peer matches *none* of the profiles

Preview file
2 KB
0 Helpful

Rob Ingram
VIP
VIP
In response to MrBeginner

‎11-20-2018 06:35 AM

My guess would be it's not matching the attributes used in the IKEv2 profile
Can you provide the full output of the IKEv2 debugs?

I assume the router and the PA firewall trust each other's certificates you are using for authentication?

0 Helpful

MrBeginner
Spotlight
Spotlight
In response to Rob Ingram

‎11-20-2018 03:08 PM

Hi,
I think certificate attributed error.but I don't know how to debug.
When create certificate Paloalto put local indentity cn is their ip and
cisco used cn=*.my.local. It is different ?
0 Helpful

Rob Ingram
VIP
VIP
In response to MrBeginner

‎11-20-2018 03:39 PM

Your router needs to trust the certificate issued by the PA firewall and vice versa. If you haven't exchanged certificates and imported it won't work.

Have you tried setting up the VPN initially using Pre-Shared Key to confirm the other settings are working as expected? Once that works you can attempt to get certificates to work.

Use the following commands to debug:-
debug crypto ikev2 packet
debug crypto ikev2 internal

HTH

MrBeginner
Spotlight
Spotlight
In response to Rob Ingram

‎11-20-2018 03:54 PM

Hi,
I already confirm with preshare key.it is working fine.I think certificate
error.let me know which part of certificate should same? Can you tell me
some guide for certificate authenicate process I mean subject name ?
May I know my ipsec profile configuration is correct? Because error message
show no match profile.

0 Helpful

MrBeginner
Spotlight
Spotlight
In response to MrBeginner

‎11-20-2018 06:48 PM

Hi,
Please see the debug error.
*Nov 21 02:40:30.696: IKEv2-PAK:Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: INITIATOR Message id: 0, length: 376
Payload contents:
SA Next payload: KE, reserved: 0x0, length: 48
last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4 last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
KE Next payload: N, reserved: 0x0, length: 264
DH group: 14, Reserved: 0x0
N Next payload: NONE, reserved: 0x0, length: 36

*Nov 21 02:40:30.708: IKEv2-PAK:(SESSION ID = 30,SA ID = 1):Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE Message id: 0, length: 453
Payload contents:
SA Next payload: KE, reserved: 0x0, length: 48
last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4 last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
KE Next payload: N, reserved: 0x0, length: 264
DH group: 14, Reserved: 0x0
N Next payload: VID, reserved: 0x0, length: 36
VID Next payload: VID, reserved: 0x0, length: 23
VID Next payload: CERTREQ, reserved: 0x0, length: 21
CERTREQ Next payload: NOTIFY, reserved: 0x0, length: 25
Cert encoding Hash and URL of PKIX
NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED) Next payload: NONE, reserved: 0x0, length: 8
Security protocol id: Unknown - 0, spi size: 0, type: HTTP_CERT_LOOKUP_SUPPORTED

*Nov 21 02:40:30.720: IKEv2-PAK:(SESSION ID = 30,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: INITIATOR Message id: 1, length: 1856
Payload contents:
CERT Next payload: CERTREQ, reserved: 0x0, length: 1356
Cert encoding X.509 Certificate - signature
CERTREQ Next payload: NOTIFY, reserved: 0x0, length: 25
Cert encoding X.509 Certificate - signature
NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED) Next payload: IDi, reserved: 0x0, length: 8
Security protocol id: Unknown - 0, spi size: 0, type: HTTP_CERT_LOOKUP_SUPPORTED
IDi Next payload: AUTH, reserved: 0x0, length: 34
Id type: DER ASN1 DN, Reserved: 0x0 0x0
AUTH Next payload: SA, reserved: 0x0, length: 264
Auth method RSA, reserved: 0x0, reserved 0x0
SA Next payload: TSi, reserved: 0x0, length: 44
last proposal: 0x0, reserved: 0x0, length: 40
Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3 last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
last transform: 0x0, reserved: 0x0: length: 8
type: 5, reserved: 0x0, id: Don't use ESN
TSi Next payload: TSr, reserved: 0x0, length: 24
Num of TSs: 1, reserved 0x0, reserved 0x0
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 10.100.100.0, end addr: 10.100.100.255
TSr Next payload: NONE, reserved: 0x0, length: 24
Num of TSs: 1, reserved 0x0, reserved 0x0
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 10.100.201.0, end addr: 10.100.201.255

*Nov 21 02:40:30.724: IKEv2-ERROR:% IKEv2 profile not found
*Nov 21 02:40:30.724: ISAKMP: (0):peer matches *none* of the profiles
*Nov 21 02:40:30.724: IKEv2-ERROR:(SESSION ID = 30,SA ID = 1):: Failed to locate an item in the database
Payload contents:
NOTIFY(AUTHENTICATION_FAILED) Next payload: NONE, reserved: 0x0, length: 8
Security protocol id: Unknown - 0, spi size: 0, type: AUTHENTICATION_FAILED

*Nov 21 02:40:30.724: IKEv2-PAK:(SESSION ID = 30,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE Message id: 1, length: 80
Payload contents:
ENCR Next payload: NOTIFY, reserved: 0x0, length: 52

*Nov 21 02:40:30.724: IKEv2-ERROR:(SESSION ID = 30,SA ID = 1):: Auth exchange failed
0 Helpful

MrBeginner
Spotlight
Spotlight
In response to MrBeginner

‎11-20-2018 07:35 PM - edited ‎11-21-2018 09:28 PM

Hi,
Please see the other debug.
*Nov 21 03:34:16.740: IKEv2-INTERNAL:Got a packet from dispatcher

*Nov 21 03:34:16.740: IKEv2-INTERNAL:Processing an item off the pak queue

*Nov 21 03:34:16.740: IKEv2-INTERNAL:New ikev2 sa request admitted
*Nov 21 03:34:16.740: IKEv2-INTERNAL:Incrementing incoming negotiating sa count by one

0 Helpful

Rob Ingram
VIP
VIP
In response to MrBeginner

‎11-21-2018 12:54 AM

Did you use the CA Trustpoint to sign the certificate for the Router and the PA Firewall?
If not did you export the certificate and import to the PA firewall and vice versa?

The certificates must be trusted on both devices in order to work correctly.

Can you provide the output of "show crypto pki certificates" from the router
0 Helpful

MrBeginner
Spotlight
Spotlight
In response to Rob Ingram

‎11-21-2018 04:22 AM - edited ‎11-21-2018 04:30 AM

Hi ,
let me know how to work below command.if i put remote is fqdn or ipaddress tunnel is doesn't work.
if i put local identity is change to fqdn or ip address is doesn't work. when ip put below remote is any and local identity is dn ,my tunnel is up why ?
crypto ikev2 profile profile1
description IKEv2 profile
match identity remote any
identity local dn
authentication local rsa-sig

authentication remote rsa-sig
pki trustpoint my-ca

 

Please see  the output of "show crypto pki certificates"

nete2-r1#sh crypto pki certificates
Certificate
Status: Available
Certificate Serial Number (hex): 470000002019711F7CF8413BEB000000000020
Certificate Usage: General Purpose
Issuer:
cn=subca01
dc=my
dc=local
Subject:
Name: r1
cn=r1
hostname=r1
CRL Distribution Points:
ldap:///CN=subca01,CN=test02,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=my,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
Validity Date:
start date: 16:27:48 SGD Nov 21 2018
end date: 14:11:53 SGD Nov 20 2020
Associated Trustpoints: my-ca

CA Certificate
Status: Available
Certificate Serial Number (hex): 1800000002300AC8D5F1E463CD000000000002
Certificate Usage: Signature
Issuer:
cn=test
dc=my
dc=local
Subject:
cn=subca01
dc=my
dc=local
CRL Distribution Points:

Validity Date:
start date: 14:01:53 SGD Nov 20 2018
end date: 14:11:53 SGD Nov 20 2020
Associated Trustpoints: my-ca

0 Helpful

Rob Ingram
VIP
VIP
In response to MrBeginner

‎11-21-2018 04:42 AM

Well I imagine with "remote any" you are validating any device that attempts to authenticate. You could define a certificate map and match on a value found in the certificate which the PA Firewall is using. This would then only authenticate certificiates issued by that CA.

E.g.

crypto pki certificate map CERT_MAP 5
issuer-name co lab-ca
0 Helpful

MrBeginner
Spotlight
Spotlight
In response to Rob Ingram

‎11-21-2018 07:34 AM

Hi,
My understanding is remote any mean any host can communicate but they need
certificate, right? any host can communicate without certificate ?
Because PA can identify fqdn,DNS and ip address in ike profil.
co=issuer-name mean subect name that we put when we created trust point
my-ca?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents