IKEV2 IPsec VPN issue Between Cisco ASR and PaloAlto-5220

Haider-ATX
Level 1

Can anyone provide an IKEv2 VPN configuration guide between a Cisco router and a Palo Alto? The main part is that the Palo is using a NAT'd IP address as the peer in front of the real peer IP.

7 Replies

marce1000
VIP

- FYI: https://www.mbtechtalker.com/palo-alto/

M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

What is your issue?

MHM

Hi, in my case the other side (PA-5220) uses a NAT'd public peer IP address, and the real peer IP is behind the NAT IP address, and I am using the NAT IP as the remote peer. Here is some debug output. I also tried enabling NAT keepalive 20 under the profile, but still no luck.

ify SA init message
059497: Nov 10 00:20:24.283 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):Processing IKE_SA_INIT message
059498: Nov 10 00:20:24.283 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):Checking NAT discovery
059499: Nov 10 00:20:24.283 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):NAT OUTSIDE found
059500: Nov 10 00:20:24.283 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):NAT detected float to init port 4500, resp port 4500
059501: Nov 10 00:20:24.283 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 20
059502: Nov 10 00:20:24.288 EST: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
059503: Nov 10 00:20:24.288 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):Request queued for computation of DH secret
059504: Nov 10 00:20:24.288 EST: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
059505: Nov 10 00:20:24.289 EST: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
059506: Nov 10 00:20:24.289 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):Completed SA init exchange
059507: Nov 10 00:20:24.289 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):Check for EAP exchange
059508: Nov 10 00:20:24.289 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):Generate my authentication data
059509: Nov 10 00:20:24.289 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):Use preshared key for id 159.166.44.46, key len 16
059510: Nov 10 00:20:24.289 EST: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
059511: Nov 10 00:20:24.289 EST: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
059512: Nov 10 00:20:24.289 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):Get my authentication method
059513: Nov 10 00:20:24.289 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):My authentication method is 'PSK'
059514: Nov 10 00:20:24.289 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):Check for EAP exchange
059515: Nov 10 00:20:24.289 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):Generating IKE_AUTH message
059516: Nov 10 00:20:24.289 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):Constructing IDi payload: '159.166.44.X' of type 'IPv4 address'
059517: Nov 10 00:20:24.289 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
AES-CBC SHA256 Don't use ESN
059518: Nov 10 00:20:24.290 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):Building packet for encryption.
Payload contents:
VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

059519: Nov 10 00:20:24.290 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):Sending Packet [To 104.153.10.X:4500/From 159.166.44.X:4500/VRF i0:f0]
Initiator SPI : 718A40B7C742D288 - Responder SPI : 6DE3AB02354CBA78 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
ENCR

059520: Nov 10 00:20:24.307 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):Received Packet [From 104.153.10.X:4500/To 159.166.44.X:4500/VRF i0:f0]
Initiator SPI : 718A40B7C742D288 - Responder SPI : 6DE3AB02354CBA78 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
IDr AUTH NOTIFY(ESP_TFC_NO_SUPPORT) SA TSi TSr

059521: Nov 10 00:20:24.307 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):Process auth response notify
059522: Nov 10 00:20:24.307 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):Searching policy based on peer's identity '10.201.1.X' of type 'IPv4 address'
059523: Nov 10 00:20:24.308 EST: IKEv2-ERROR:(SESSION ID = 207034,SA ID = 1):: Failed to locate an item in the database
059524: Nov 10 00:20:24.308 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):Verification of peer's authentication data FAILED
059525: Nov 10 00:20:24.308 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):Auth exchange failed
059526: Nov 10 00:20:24.308 EST: IKEv2-ERROR:(SESSION ID = 207034,SA ID = 1):: Auth exchange failed
059527: Nov 10 00:20:24.309 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):Abort exchange
059528: Nov 10 00:20:24.309 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):Deleting SA

==========================
That's the latest debug; now having different output:

IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

059760: Nov 11 00:47:41.180 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):Insert SA
059761: Nov 11 00:47:43.003 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):Retransmitting packet

059762: Nov 11 00:47:43.003 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):Sending Packet [To 104.153.14.x:500/From 159.166.44.x:500/VRF i0:f0]
Initiator SPI : 213F0CFF793E55F6 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

059763: Nov 11 00:47:46.706 EST: IKEv2:(SESSION ID = 207034,SA ID = 1):Retransmitting packet

# Show crypto ikev2 sa 
Tunnel-id Local Remote fvrf/ivrf Status
1 159.166.44.x/500 104.153.14.x/500 none/none IN-NEG
Encr: Unknown - 0, PRF: Unknown - 0, Hash: None, DH Grp:0, Auth sign: Unknown - 0, Auth verify: Unknown - 0
Life/Active Time: 28800/0 sec
 

OK, share the config in the ASR of the

IKEv2 policy, key and profile.

And what is the Palo public IP and private IP?

Note:- for security, no need for the whole IP, only the last number.

From the debug there is an issue in the profile match remote addresses and the IKEv2 key.

MHM

 

Thanks for the quick response. Here are the configs on my side; the Palo peer NAT IP is 104.153.X.X and the real peer IP is 10.1.X.X.

crypto ikev2 keyring KR-X
 peer site 1
  address 104.153.X.X
  pre-shared-key ************

crypto ikev2 profile IKEV2-PROFILE1
 match identity remote address 104.153.X.X 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local KR-X
 lifetime 28800

Under the policy I have the following proposal:
crypto ikev2 proposal IKEV2-PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 20

@Haider-ATX from your logs - "Searching policy based on peer's identity '10.201.1.X' of type 'IPv4 address'" - the router is receiving the real IP address (10.201.x.x) of the peer gateway, so change your match statement on the IKEV2 profile to match the private/real IP address of the remote peer.

Example:-

crypto ikev2 profile IKEV2-PROFILE1
 match identity remote address 10.201.X.X 255.255.255.255

 

Hi, thanks for the info. Actually I applied the config with the real IP itself, but it did not work until I added both the peer IPs (NAT'd and real) at the same time under the profile. Both phases are up now.
crypto ikev2 profile IKEV2-PROFILE2-1
 match identity remote address 104.153.x.x 255.255.255.255
 match identity remote address 10.201.x.x 255.255.255.255
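As an added illustration (not from this thread, Cisco or Palo Alto), a small Python check that reads debug lines like those posted above and reports whether a profile's `match identity remote address` entries cover both the NAT'd address the router sends to and the real address the peer asserts as its identity in IKE_AUTH, which is why the working profile needs both entries. The debug and profile text below are constructed, with the masked octets replaced by placeholder digits.

```python
import ipaddress
import re

# Constructed sample modelled on the debug quoted in this thread (masked octets
# replaced with placeholder digits for illustration only).
SAMPLE_DEBUG = """\
IKEv2:(SESSION ID = 207034,SA ID = 1):NAT detected float to init port 4500, resp port 4500
IKEv2:(SESSION ID = 207034,SA ID = 1):Sending Packet [To 104.153.10.1:4500/From 159.166.44.1:4500/VRF i0:f0]
IKEv2:(SESSION ID = 207034,SA ID = 1):Searching policy based on peer's identity '10.201.1.1' of type 'IPv4 address'
IKEv2-ERROR:(SESSION ID = 207034,SA ID = 1):: Failed to locate an item in the database
IKEv2:(SESSION ID = 207034,SA ID = 1):Verification of peer's authentication data FAILED
"""
# Profile as first posted (NAT'd address only) and the one that worked (both).
PROFILE_BEFORE = """crypto ikev2 profile IKEV2-PROFILE1
 match identity remote address 104.153.10.1 255.255.255.255
"""
PROFILE_AFTER = PROFILE_BEFORE + " match identity remote address 10.201.1.1 255.255.255.255\n"

ID_RE = re.compile(r"peer's identity '([\d.]+)' of type 'IPv4 address'")
PEER_RE = re.compile(r"Sending Packet \[To ([\d.]+):\d+/")
MATCH_RE = re.compile(r"^\s*match identity remote address (\S+) (\S+)", re.M)

def parse_debug(text):
    """Facts that matter for a peer behind NAT: the address the router sends to,
    the identity asserted in IKE_AUTH, NAT detection, and a failed policy lookup."""
    info = {"nat_detected": False, "peer_addr": None, "peer_id": None, "lookup_failed": False}
    for line in text.splitlines():
        if "NAT detected" in line:
            info["nat_detected"] = True
        if m := PEER_RE.search(line):
            info["peer_addr"] = m.group(1)  # NAT'd address the keyring must match
        if m := ID_RE.search(line):
            info["peer_id"] = m.group(1)    # real address carried in the IDr payload
        if "Failed to locate an item in the database" in line:
            info["lookup_failed"] = True
    return info

def profile_covers(profile_text, identity):
    """True if some 'match identity remote address ADDR MASK' line covers identity."""
    ip = ipaddress.ip_address(identity)
    return any(ip in ipaddress.ip_network(f"{a}/{m}", strict=False)
               for a, m in MATCH_RE.findall(profile_text))

def diagnose(debug_text, profile_text):
    """Return the parsed facts plus every address/identity seen in the debug that
    the profile fails to match; an empty list means both lookups will succeed."""
    info = parse_debug(debug_text)
    missing = [v for v in (info["peer_addr"], info["peer_id"])
               if v and not profile_covers(profile_text, v)]
    return info, missing
```

Run `diagnose(SAMPLE_DEBUG, PROFILE_BEFORE)` to see the unmatched real identity that produced "Failed to locate an item in the database"; with `PROFILE_AFTER` the list is empty.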