11-09-2024 09:50 PM
Can anyone provide a ikev2 vpn configuration guide between cisco router and paloalto , the main part is that Palo is using NAT'd ip address as peer in front of the real peer ip
Solved! Go to Solution.
11-11-2024 07:14 PM - edited 11-11-2024 10:56 PM
Hi Thanks for the info , Actually I applied the config with the real ip itself but it did not work until i added both the peer ips (NAT'd and Real )at tje same time under the profile , Both the phases are up now .
crypto ikev2 profile IKEV2-PROFILE2-1
match identity remote address 104.153.x.x 255.255.255.255
match identity remote address 10.201.x.x 255.255.255.255
11-10-2024 12:01 AM
- FYI : https://www.mbtechtalker.com/palo-alto/
M.
11-10-2024 05:07 AM
what is your issue ?
MHM
11-10-2024 08:33 PM - edited 11-10-2024 09:54 PM
Hi , In my case the other side ( PA-5220 ) used NAT'd public peer ip address , and the real peer ip is behind the NAT ip address and i am using NAT ip as remote peer , Here are some debug output , I also try to enable NAT keepalive 20 under the profile , but still no luck
ify SA init message
059497: Nov 10 00:20:24.283 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):Processing IKE_SA_INIT message
059498: Nov 10 00:20:24.283 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):Checking NAT discovery
059499: Nov 10 00:20:24.283 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):NAT OUTSIDE found
059500: Nov 10 00:20:24.283 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):NAT detected float to init port 4500, resp port 4500
059501: Nov 10 00:20:24.283 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 20
059502: Nov 10 00:20:24.288 EST: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
059503: Nov 10 00:20:24.288 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):Request queued for computation of DH secret
059504: Nov 10 00:20:24.288 EST: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
059505: Nov 10 00:20:24.289 EST: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
059506: Nov 10 00:20:24.289 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):Completed SA init exchange
059507: Nov 10 00:20:24.289 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):Check for EAP exchange
059508: Nov 10 00:20:24.289 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):Generate my authentication data
059509: Nov 10 00:20:24.289 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):Use preshared key for id 159.166.44.46, key len 16
059510: Nov 10 00:20:24.289 EST: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
059511: Nov 10 00:20:24.289 EST: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
059512: Nov 10 00:20:24.289 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):Get my authentication method
059513: Nov 10 00:20:24.289 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):My authentication method is 'PSK'
059514: Nov 10 00:20:24.289 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):Check for EAP exchange
059515: Nov 10 00:20:24.289 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):Generating IKE_AUTH message
059516: Nov 10 00:20:24.289 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):Constructing IDi payload: '159.166.44.X' of type 'IPv4 address'
059517: Nov 10 00:20:24.289 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
AES-CBC SHA256 Don't use ESN
059518: Nov 10 00:20:24.290 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):Building packet for encryption.
Payload contents:
VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
059519: Nov 10 00:20:24.290 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):Sending Packet [To 104.153.10.X:4500/From 159.166.44.X:4500/VRF i0:f0]
Initiator SPI : 718A40B7C742D288 - Responder SPI : 6DE3AB02354CBA78 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
ENCR
059520: Nov 10 00:20:24.307 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):Received Packet [From 104.153.10.X:4500/To 159.166.44.X:4500/VRF i0:f0]
Initiator SPI : 718A40B7C742D288 - Responder SPI : 6DE3AB02354CBA78 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
IDr AUTH NOTIFY(ESP_TFC_NO_SUPPORT) SA TSi TSr
059521: Nov 10 00:20:24.307 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):Process auth response notify
059522: Nov 10 00:20:24.307 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):Searching policy based on peer's identity '10.201.1.X' of type 'IPv4 address'
059523: Nov 10 00:20:24.308 EST: IKEv2-ERROR:(SESSION ID = 207034,SA ID = 1):: Failed to locate an item in the database
059524: Nov 10 00:20:24.308 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):Verification of peer's authentication data FAILED
059525: Nov 10 00:20:24.308 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):Auth exchange failed
059526: Nov 10 00:20:24.308 EST: IKEv2-ERROR:(SESSION ID = 207034,SA ID = 1):: Auth exchange failed
059527: Nov 10 00:20:24.309 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):Abort exchange
059528: Nov 10 00:20:24.309 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):Deleting SA
==========================
Thats the latest debug , Now having different output IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
059760: Nov 11 00:47:41.180 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):Insert SA
059761: Nov 11 00:47:43.003 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):Retransmitting packet
059762: Nov 11 00:47:43.003 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):Sending Packet [To 104.153.14.x:500/From 159.166.44.x:500/VRF i0:f0]
Initiator SPI : 213F0CFF793E55F6 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
059763: Nov 11 00:47:46.706 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):Retransmitting packet
# Show crypto ikev2 sa
Tunnel-id Local Remote fvrf/ivrf Status
1 159.166.44.x/500 104.153.14.x/500 none/none IN-NEG
Encr: Unknown - 0, PRF: Unknown - 0, Hash: None, DH Grp:0, Auth sign: Unknown - 0, Auth verify: Unknown - 0
Life/Active Time: 28800/0 sec
11-10-2024 11:32 PM
Ok' share config in asr of
Ikev2 policy' key' and profile
And what is palo public IP abd private IP.
Note:- for security not need all IP only last number.
From debug there is issue in profile match remote addresses and ikev2 key.
MHM
11-11-2024 11:44 AM
Thanks for quick response , here is the configs on my side , and the Palo peer NAT ip is 104.153.X.X and the real Peer ip is 10.1.X.X
crypto ikev2 keyring KR-X
peer site 1
address 104.153.X.X
pre-shared-key ************
crypto ikev2 profile IKEV2-PROFILE1
match identity remote address 104.153.X.X 255.255.255.255
authentication local pre-share
authentication remote pre-share
keyring local KR-X
lifetime 28800
Under Policy i have following proposal
crypto ikev2 proposal IKEV2-PROPOSAL
encryption aes-cbc-256
integrity sha256
group 20
11-11-2024 11:52 AM
@Haider-ATX from your logs - "Searching policy based on peer's identity '10.201.1.X' of type 'IPv4 address'" - the router is receiving the real IP address (10.201.x.x) of the peer gateway, so change your match statement on the IKEV2 profile to match the private/real IP address of the remote peer.
Example:-
crypto ikev2 profile IKEV2-PROFILE1
match identity remote address 10.201.X.X 255.255.255.255
11-11-2024 07:14 PM - edited 11-11-2024 10:56 PM
Hi Thanks for the info , Actually I applied the config with the real ip itself but it did not work until i added both the peer ips (NAT'd and Real )at tje same time under the profile , Both the phases are up now .
crypto ikev2 profile IKEV2-PROFILE2-1
match identity remote address 104.153.x.x 255.255.255.255
match identity remote address 10.201.x.x 255.255.255.255
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide