11-20-2018 02:38 AM - edited 02-21-2020 09:30 PM
Hi,
I would like to know how to integrate a Palo Alto and a Cisco router for point-to-point IPsec.
I followed the link below for the Palo Alto, and for the Cisco router I followed the attachment below. But it is not working yet.
I am not using a GRE tunnel; I use IPsec only and apply IPsec to the physical interface.
I want to know how to put the IPsec configuration in the Cisco router if the Palo Alto is using IKEv2.
Please share with me IKE with CA authentication.
https://blog.webernetz.net/ipsec-site-to-site-vpn-palo-alto-cisco-router/
I am also confused by the IKEv2 profile commands.
crypto ikev2 profile RTR1-RTR2-PROFILE
match identity remote fqdn RTR2.TEST <== can I put an IP address?
identity local fqdn RTR1.TEST <=== can I put an IP address? Is it the WAN address or the local address?
authentication remote rsa-sig
authentication local rsa-sig <=== why should we put this command?
pki trustpoint CA-SVR
!
11-20-2018 02:46 AM
11-20-2018 04:48 AM - edited 11-20-2018 05:15 AM
Hi,
I can use IKEv1; how should I do it?
My router doesn't support IKEv2, and if I want to use a CA, what should I do? Let me know whether a Cisco C890 can support IKEv2. I got an authentication fail error when the connection is established. How do I troubleshoot?
11-20-2018 05:07 AM
11-20-2018 05:51 AM - edited 11-20-2018 06:23 AM
11-20-2018 06:35 AM
11-20-2018 03:08 PM
11-20-2018 03:39 PM
11-20-2018 03:54 PM
11-20-2018 06:48 PM
11-20-2018 07:35 PM - edited 11-21-2018 09:28 PM
Hi,
Please see the other debug.
*Nov 21 03:34:16.740: IKEv2-INTERNAL:Got a packet from dispatcher
*Nov 21 03:34:16.740: IKEv2-INTERNAL:Processing an item off the pak queue
*Nov 21 03:34:16.740: IKEv2-INTERNAL:New ikev2 sa request admitted
*Nov 21 03:34:16.740: IKEv2-INTERNAL:Incrementing incoming negotiating sa count by one
11-21-2018 12:54 AM
11-21-2018 04:22 AM - edited 11-21-2018 04:30 AM
Hi,
Let me know how the commands below work. If I set the remote identity to an FQDN or IP address, the tunnel doesn't work.
If I change the local identity to an FQDN or IP address, it doesn't work. When I set the remote to any and the local identity to dn as below, my tunnel is up. Why?
crypto ikev2 profile profile1
description IKEv2 profile
match identity remote any
identity local dn
authentication local rsa-sig
authentication remote rsa-sig
pki trustpoint my-ca
Please see the output of "show crypto pki certificates"
nete2-r1#sh crypto pki certificates
Certificate
Status: Available
Certificate Serial Number (hex): 470000002019711F7CF8413BEB000000000020
Certificate Usage: General Purpose
Issuer:
cn=subca01
dc=my
dc=local
Subject:
Name: r1
cn=r1
hostname=r1
CRL Distribution Points:
ldap:///CN=subca01,CN=test02,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=my,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
Validity Date:
start date: 16:27:48 SGD Nov 21 2018
end date: 14:11:53 SGD Nov 20 2020
Associated Trustpoints: my-ca
CA Certificate
Status: Available
Certificate Serial Number (hex): 1800000002300AC8D5F1E463CD000000000002
Certificate Usage: Signature
Issuer:
cn=test
dc=my
dc=local
Subject:
cn=subca01
dc=my
dc=local
CRL Distribution Points:
Validity Date:
start date: 14:01:53 SGD Nov 20 2018
end date: 14:11:53 SGD Nov 20 2020
Associated Trustpoints: my-ca
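The behaviour described in this post and in the first post's profile (fqdn/address identities failing, `identity local dn` with `match identity remote any` working) comes down to one rule: with `authentication rsa-sig`, the IKEv2 identity a router asserts, and the identity it expects from the peer, must be something the certificate actually carries (the subject DN for `dn`, a DNS name for `fqdn`, an IP subject-alt-name for `address`). The certificate above has `cn=r1` and `hostname=r1` but no IP address, so only a DN-backed identity can succeed on the router side. The following script is an added example, not code from the thread or from Cisco: it parses a `show crypto pki certificates` dump and reports which identity types each certificate can back and whether it is in date. The sample dump is constructed in the same layout as the output quoted above; it assumes the Subject block prints the FQDN as `Name:` or `hostname=` and an IP subject-alt-name as `IP Address:`, and it ignores the timezone token (SGD) when parsing dates.

```python
"""Added example: map a Cisco IOS 'show crypto pki certificates' dump to the
IKEv2 identity types (dn / fqdn / address) each certificate can back.

Assumptions (not taken from the thread): the Subject block prints the FQDN as
'Name:' or 'hostname=' and an IP subject-alt-name as 'IP Address:'; the
timezone token in the validity lines is ignored.
"""
import re
from datetime import datetime

# Constructed sample in the layout of the router output quoted in the thread.
# Indentation is optional because pasted output usually loses it.
SAMPLE_OUTPUT = """\
Certificate
  Status: Available
  Certificate Serial Number (hex): 470000002019711F7CF8413BEB000000000020
  Certificate Usage: General Purpose
  Issuer:
    cn=subca01
    dc=my
    dc=local
  Subject:
    Name: r1
    cn=r1
    hostname=r1
  CRL Distribution Points:
    ldap:///CN=subca01,CN=test02,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=my,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
  Validity Date:
    start date: 16:27:48 SGD Nov 21 2018
    end   date: 14:11:53 SGD Nov 20 2020
  Associated Trustpoints: my-ca
CA Certificate
  Status: Available
  Certificate Serial Number (hex): 1800000002300AC8D5F1E463CD000000000002
  Certificate Usage: Signature
  Issuer:
    cn=test
    dc=my
    dc=local
  Subject:
    cn=subca01
    dc=my
    dc=local
  CRL Distribution Points:
  Validity Date:
    start date: 14:01:53 SGD Nov 20 2018
    end   date: 14:11:53 SGD Nov 20 2020
  Associated Trustpoints: my-ca
"""

TOP_KEYS = ("Status", "Certificate Serial Number (hex)", "Certificate Usage",
            "Associated Trustpoints")
BLOCK_RE = re.compile(r"^(?:CA |Router Self-Signed )?Certificate$")
DN_RE = re.compile(r"^([\w ]+?)\s*[=:]\s*(.+)$")
DATE_RE = re.compile(r"^(start|end)\s+date:\s*(\d\d:\d\d:\d\d)\s+\S+\s+(\w{3} \d{1,2} \d{4})$")


def parse_certificates(text):
    """Split the dump into one dict per certificate block."""
    certs, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if BLOCK_RE.match(line):                      # 'Certificate' / 'CA Certificate'
            cur = {"kind": line, "issuer": [], "subject": [], "validity": {}, "crl": []}
            certs.append(cur)
            section = None
            continue
        if cur is None:
            continue
        top = next((k for k in TOP_KEYS if line.startswith(k + ":")), None)
        if top:                                       # single-line top-level attribute
            cur[top] = line[len(top) + 1:].strip()
            section = None
        elif line.endswith(":"):                      # 'Issuer:', 'Subject:', ...
            section = line[:-1].lower()
        elif section in ("issuer", "subject"):        # DN components and SAN-style lines
            m = DN_RE.match(line)
            if m:
                cur[section].append((m.group(1).strip().lower(), m.group(2).strip()))
        elif section == "validity date":
            m = DATE_RE.match(line)
            if m:
                cur["validity"][m.group(1)] = datetime.strptime(
                    f"{m.group(2)} {m.group(3)}", "%H:%M:%S %b %d %Y")
        elif section == "crl distribution points":
            cur["crl"].append(line)
    return certs


def identity_options(cert):
    """Which IKEv2 identity types the certificate can back: dn, fqdn, address."""
    fields = dict(cert["subject"])
    dn_parts = [f"{k}={v}" for k, v in cert["subject"]
                if k not in ("name", "hostname", "ip address")]
    return {
        "dn": ",".join(dn_parts) or None,               # backs 'identity local dn'
        "fqdn": fields.get("name") or fields.get("hostname"),  # backs 'fqdn'
        "address": fields.get("ip address"),             # backs 'address'
    }


def is_valid_at(cert, when):
    """True when 'when' (datetime or ISO string) lies inside the validity window."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    v = cert["validity"]
    return "start" in v and "end" in v and v["start"] <= when <= v["end"]


def report(text, when=None):
    """Per-certificate summary used to decide which identity commands can work."""
    when = when or datetime.now()
    rows = []
    for cert in parse_certificates(text):
        rows.append({
            "kind": cert["kind"],
            "trustpoint": cert.get("Associated Trustpoints"),
            "valid_now": is_valid_at(cert, when),
            "identity_types": {k: v for k, v in identity_options(cert).items() if v},
        })
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_OUTPUT, "2019-06-01"):
        print(row)
```

Run against the dump above, the router certificate yields only `dn` (`cn=r1`) and a bare hostname, and no `address`, which is why `identity local address` or an `fqdn` the peer expects cannot be satisfied without re-enrolling with those names in the certificate. Note also that `match identity remote any` accepts every peer holding a valid certificate from the trustpoint; once the peer's certificate contents are known, matching on its DN is the tighter setting.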
11-21-2018 04:42 AM
11-21-2018 07:34 AM