RJI Advisor
Advisor

Re: IPsec Site-to-Site VPN Palo Alto and Cisco Router

Hi,
Yes, only a host with a certificate that is valid can authenticate. I imagine the PA was actually sending the certificate DN as the identity and not its IP address; that's why it worked. The certificate map is probably not required in your scenario; you'd only need that if you had multiple CAs or different values in the certificate and wanted to use AAA authorization.

Run "show crypto ikev2 sa detailed" - that will show you the remote/local identities (assuming there is an IKEv2 SA). Ultimately what is configured on each end (address or fqdn or cert dn) needs to be configured on the router for it to match the correct IKEv2 Profile.

HTH
Participant

Re: IPsec Site-to-Site VPN Palo Alto and Cisco Router

Hi,
Let me know:
"match identity remote any" is equal to the command below in IKEv1, correct?

crypto isakmp key cisco address 0.0.0.0 0.0.0.0
May I know if there is any effect? Please see the SA detail below; I changed the public IP.

r1#show crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
4 3.17.33.2/500 33.51.12.25/500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: RSA, Auth verify: RSA
Life/Active Time: 86400/6646 sec
CE id: 0, Session-id: 2
Status Description: Negotiation done
Local spi: 99E56446246823D1 Remote spi: EF340A7342C3616B
Local id: cn=r1,hostname=r1
Remote id: cn=33.51.12.25
Local req msg id: 0 Remote req msg id: 1312
Local next msg id: 0 Remote next msg id: 1312
Local req queued: 0 Remote req queued: 1312
Local window: 5 Remote window: 1
DPD configured for 0 seconds, retry 0
Fragmentation not configured.
Extended Authentication not configured.
NAT-T is not detected
Cisco Trust Security SGT is disabled
Initiator of SA : No
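The point RJI makes above (the peer's identity type, address, FQDN or certificate DN, has to be what the IKEv2 profile's match criteria expect) can be checked mechanically against the "show crypto ikev2 sa detailed" output. The following is an added example, not code from either poster and not Cisco's own matching algorithm: it pulls the Local id / Remote id lines out of the SA output quoted in this thread (embedded as a constructed sample), classifies the remote identity, and reports which of some assumed profiles would match it under a simplified model where "any" matches everything and address/fqdn criteria only match an identity of the same type.

```python
import ipaddress
import re

# Constructed sample: an excerpt of the "show crypto ikev2 sa detailed" output posted above.
SA_OUTPUT = """\
Tunnel-id Local Remote fvrf/ivrf Status
4 3.17.33.2/500 33.51.12.25/500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: RSA, Auth verify: RSA
Local id: cn=r1,hostname=r1
Remote id: cn=33.51.12.25
"""

# Assumed profiles (hypothetical names): criteria are (match-type, value) pairs, mirroring
# "match identity remote address|fqdn|any" in an IKEv2 profile.
PROFILES = {
    "by-address": [("address", "33.51.12.25")],
    "by-fqdn": [("fqdn", "pa.example.com")],
    "profile1": [("any", None)],
}


def parse_ids(text):
    """Return (local_id, remote_id) from SA detail output, or None for a missing line."""
    ids = {}
    for line in text.splitlines():
        m = re.match(r"\s*(Local|Remote) id:\s*(.+?)\s*$", line)
        if m:
            ids[m.group(1).lower()] = m.group(2)
    return ids.get("local"), ids.get("remote")


def identity_type(identity):
    """Classify an IKEv2 identity string: address, dn, email or fqdn."""
    try:
        ipaddress.ip_address(identity)
        return "address"
    except ValueError:
        pass
    if "=" in identity:      # cn=..., ou=... : a distinguished name from a certificate
        return "dn"
    if "@" in identity:
        return "email"
    return "fqdn"


def matching_profiles(remote_id, profiles):
    """Simplified model of profile selection: a profile matches when one of its criteria
    is 'any', or has the same identity type as remote_id and an equal value."""
    kind = identity_type(remote_id)
    hits = []
    for name, criteria in profiles.items():
        for ctype, value in criteria:
            if ctype == "any" or (ctype == kind and value.lower() == remote_id.lower()):
                hits.append(name)
                break
    return hits


def diagnose(text, profiles):
    """Return (remote_id, identity_type, matching profile names) for the SA output."""
    _, remote_id = parse_ids(text)
    return remote_id, identity_type(remote_id), matching_profiles(remote_id, profiles)


if __name__ == "__main__":
    rid, kind, hits = diagnose(SA_OUTPUT, PROFILES)
    print(f"remote identity {rid!r} is a {kind}; matching profiles: {hits}")
```

In the thread's case the remote identity is "cn=33.51.12.25", a DN that merely contains an IP address, so a profile with "match identity remote address 33.51.12.25" never sees it as an address; only the "match identity remote any" profile selects it, which is why the wide-open profile worked.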

RJI Advisor
Advisor

Re: IPsec Site-to-Site VPN Palo Alto and Cisco Router

No, this command "crypto isakmp key cisco address 0.0.0.0 0.0.0.0" is defining a PSK of cisco matching any ip address. The IKEv2 equivalent is:-

crypto ikev2 keyring KEYRING
peer ANY
address 0.0.0.0
pre-shared-key local xxxxxx
pre-shared-key remote xxxxxx

"match identity remote any" equivalent is:-

crypto isakmp profile ISAKMP_PROFILE
match identity address 0.0.0.0 0.0.0.0
Participant

Re: IPsec Site-to-Site VPN Palo Alto and Cisco Router

Hi RJI,
May I know whether my configuration is wrong? I used two local routers, connected them directly with a LAN cable and put them together, but it is still not working. Let me know whether it is my configuration error or a certificate error.
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2018.11.22 16:21:11 =~=~=~=~=~=~=~=~=~=~=~=
sh run
Building configuration...

Current configuration : 10034 bytes
!
! Last configuration change at 08:14:59 UTC Thu Nov 22 2018
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
ethernet lmi ce
!
crypto pki trustpoint my-ca
enrollment terminal
serial-number none
ip-address none
subject-name cn=r2
revocation-check none
rsakeypair my-ca 2048
!
!
crypto pki certificate chain my-ca
certificate 550000002048525E5817BDF388000000000020
30820585 3082046D A0030201 02021355 00000020 48525E58 17BDF388 00000000
0020300D 06092A86 4886F70D 01010B05 00304B31 15301306 0A099226 8993F22C
64011916 056C6F63 616C3116 3014060A 09922689 93F22C64 01191606 63727970
746F311A 30180603 55040313 11637279 70746F2D 43415356 522D4341 2D31301E
170D3138 31313232 31353031 33305A17 0D323031 31323231 35313133 305A300D
310B3009 06035504 03130272 32308201 22300D06 092A8648 86F70D01 01010500
0382010F 00308201 0A028201 01009393 FD9FECF6 CA379064 4735A5A5 5C96C462
D82D2BC6 22DECD8D 5A09862D CCB20E11 431C1D58 42E02580 055BCB8F 5313009F
A68B866E 8505F1BA FFAD36D9 03158DF7 09B2EA82 4DB152BD 856F3CB6 8874DF20
36DFC59A 66397F6A C1086CC4 C15DA1BF DC0DE460 DEC087BC 1BAD733E DE5EF6C9
476C3C81 D378ECFD D6624CF0 1C767A1D 63CBD55C 3749C2A3 76335D23 21175271
BCDA015B 080D559F DFDAFF3C 435F2D18 9514A941 2B154342 E0135F01 42D4006C
77E06D3A 02646A29 E553A119 4C2D3036 ACF0F2B6 A998ED96 836D4CCB 76B72073
38C783D4 4E2DE794 A5EC21B6 5ECEF923 650D6AA7 5C1FE73A 7E1F7365 F70A0284
9DFD524C 0DC34655 FAC07B6C 2FFD0203 010001A3 82029E30 82029A30 0E060355
1D0F0101 FF040403 0205A030 1D060355 1D0E0416 0414A5EA BD841801 1FB51F6D
C7AD795F 67330DF0 784C301F 0603551D 23041830 168014CF CB254DBD 6E4EC98F
19178C4D 30D9A7A7 4DD04430 81CE0603 551D1F04 81C63081 C33081C0 A081BDA0
81BA8681 B76C6461 703A2F2F 2F434E3D 63727970 746F2D43 41535652 2D43412D
312C434E 3D434153 56522C43 4E3D4344 502C434E 3D507562 6C696325 32304B65
79253230 53657276 69636573 2C434E3D 53657276 69636573 2C434E3D 436F6E66
69677572 6174696F 6E2C4443 3D637279 70746F2C 44433D6C 6F63616C 3F636572
74696669 63617465 5265766F 63617469 6F6E4C69 73743F62 6173653F 6F626A65
6374436C 6173733D 63524C44 69737472 69627574 696F6E50 6F696E74 3081C406
082B0601 05050701 010481B7 3081B430 81B10608 2B060105 05073002 8681A46C
6461703A 2F2F2F43 4E3D6372 7970746F 2D434153 56522D43 412D312C 434E3D41
49412C43 4E3D5075 626C6963 2532304B 65792532 30536572 76696365 732C434E
3D536572 76696365 732C434E 3D436F6E 66696775 72617469 6F6E2C44 433D6372
7970746F 2C44433D 6C6F6361 6C3F6341 43657274 69666963 6174653F 62617365
3F6F626A 65637443 6C617373 3D636572 74696669 63617469 6F6E4175 74686F72
69747930 3C06092B 06010401 82371507 042F302D 06252B06 01040182 371508C6
9D6A81EB 9E5184C5 8F3C82F7 E70482F1 DE7B813C A0C23581 96ED3002 01640201
05303106 03551D25 042A3028 06082B06 01050507 03010608 2B060105 05070306
06082B06 01050508 02020608 2B060105 05070302 303F0609 2B060104 01823715
0A043230 30300A06 082B0601 05050703 01300A06 082B0601 05050703 06300A06
082B0601 05050802 02300A06 082B0601 05050703 02300D06 092A8648 86F70D01
010B0500 03820101 001405CC 13A78759 E912178F 27E60A2E A7D2215F 260ABD50
EDC6B64F DB32FCDB 7D933C65 80DD3F17 9A9D3EB3 D087F7D3 D8125594 9880BF11
8E00F91C 6E8C31F0 C15B3B33 75564215 07BEA261 6D0D1E9F 83E7F7C8 22494D24
F4F83645 96483742 5A93BFBC BD9A95F3 2F0ED3E3 CCA212F2 75EF886F 2A2A9D1A
6D1C8105 4D7C9997 B878E4E4 E40BBEAF 04F55A8B 1FB740B1 AFEF9A49 14F8D723
65A92209 2047CA04 BB2EFB8B FE4F8E9A 2F225A84 03FB8C5B 429BBFE8 EF59F211
EDD3CAE5 5A05B030 1F430215 B336BCED FC558F1F 04ED24F9 C09DA83E 54F0FB8A
0879368A C9DB7FCD 9E35947B 2EB88B95 47A89B66 9615617A 3950B93E AD2311EE
FF8A97ED 4CEF3F13 47
quit
certificate ca 3E4E0CD6A71F67A54DB01767A4C7F840
30820389 30820271 A0030201 0202103E 4E0CD6A7 1F67A54D B01767A4 C7F84030
0D06092A 864886F7 0D01010B 0500304B 31153013 060A0992 268993F2 2C640119
16056C6F 63616C31 16301406 0A099226 8993F22C 64011916 06637279 70746F31
1A301806 03550403 13116372 7970746F 2D434153 56522D43 412D3130 1E170D31
38313030 38313030 3830395A 170D3233 31303038 31303138 30385A30 4B311530
13060A09 92268993 F22C6401 1916056C 6F63616C 31163014 060A0992 268993F2
2C640119 16066372 7970746F 311A3018 06035504 03131163 72797074 6F2D4341
5356522D 43412D31 30820122 300D0609 2A864886 F70D0101 01050003 82010F00
3082010A 02820101 00D94878 02AE1D45 51F10F77 7D72B857 44BD1E25 6DB04B80
CAF4E6D4 180B6BB7 6D1D5285 FBA950CD 39B06455 5261C425 F40A0505 90F0A064
8C71F324 6EE14E25 E5222822 9D9AF938 209582B4 875F8111 0126C0B5 2AE428A4
6FADC132 5AF1AEF2 BA4EB028 C0E2C998 F8EC1CF0 CF4B47BF CAE60A40 DE206EAC
E8DA93BB A6085C1A A19AB462 4D88CC7B 56E24BEF D0329F8C 8DBE911F 48A66DE3
FA91050F CC673FD3 B1F60D4D D9DEB174 DFB41284 D014E15C 6167D7A8 948D784B
E47CC476 D7035FC7 166685D6 0A4D0295 8BC55E3C 2F71A4D1 3D0A1545 920A193A
20D0C8F1 AB0B55EC DA9BC63D 0374D8FB DE3FAE38 340ADFC0 733D5545 717227F5
9AA3669F 4FCC6DC4 73020301 0001A369 30673013 06092B06 01040182 37140204
061E0400 43004130 0E060355 1D0F0101 FF040403 02018630 0F060355 1D130101
FF040530 030101FF 301D0603 551D0E04 160414CF CB254DBD 6E4EC98F 19178C4D
30D9A7A7 4DD04430 1006092B 06010401 82371501 04030201 00300D06 092A8648
86F70D01 010B0500 03820101 0001CDD9 DD89375A 933F38CD 95C6D5B0 CC561964
EB633F76 D2BC67B3 5381A728 FD116961 9AB1E5F6 4E566C80 433F2D15 3BF335E6
34CBE47C 2A22588C FB12174B AC8DEFB0 FB846DBF D7519E4B 062D24E9 50140CA8
70433981 9659D5CB 03D43AC1 102AE9BB F5BB64C8 B05ABD17 E57FFF66 C53EA78C
2607DBED CF8BC055 45B05F10 12EBA2D0 E1AD19A1 2514A5CB 7A0C7D92 61022125
0BFA954A 4ACBCABF A8C1B6D0 2049DF6F 3F5E89CD 8DF81456 63BE49E1 4DF608D8
A31ECC50 904A18FA 7D6C546A ED9D90E3 20BAFDBF 2BE455C8 6E040096 801F3DD6
9B55EF5A 7638C3AF 5789D98D F41A0F64 7DEE65AE 869EBDBF 71F511EF 08265706
451FA5A9 99A5E181 937F2223 74
quit
!
!
!
!
!
ip auth-proxy max-login-attempts 6
ip admission max-login-attempts 6
!
!
!
!
!
!
!
!
!
!


!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C892FSP-K9 sn FGL22369110
!
!

!
crypto ikev2 proposal aes-cbc-256-proposal
encryption aes-cbc-256
integrity sha256
group 14
!
crypto ikev2 policy policy1
match address local 10.1.14.80
proposal aes-cbc-256-proposal
!
!
crypto ikev2 profile profile1
description IKEv2 profile
match identity remote any
identity local dn
authentication local rsa-sig
authentication remote rsa-sig
pki trustpoint my-ca
!
!
!
!
!
crypto isakmp policy 5
encr aes 256
hash sha256
group 14
!
!
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha256-hmac
mode tunnel
!
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
set peer 10.1.14.70
set transform-set ESP-AES-SHA
set pfs group14
set ikev2-profile profile1
match address 103
!
!
!
!
!
!
interface Loopback0
ip address 10.100.100.1 255.255.255.0
!
interface GigabitEthernet0
no ip address
!
interface GigabitEthernet1
no ip address
!
interface GigabitEthernet2
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
switchport trunk allowed vlan 1,2,200-203,1001-1005
switchport mode trunk
no ip address
!
interface GigabitEthernet8
no ip address
duplex auto
speed auto
!
interface GigabitEthernet9
ip address 10.1.14.80 255.255.255.0
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Vlan1
no ip address
!
interface Vlan202
ip address 10.100.202.65 255.255.255.0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 10.1.14.1
ip route 0.0.0.0 0.0.0.0 10.1.14.70
ip route 10.100.201.0 255.255.255.0 10.1.14.70
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh logging events
ip ssh version 2
!
!
access-list 103 permit ip 10.100.100.0 0.0.0.255 10.100.201.0 0.0.0.255
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!

!
line con 0
no modem enable
line aux 0
line vty 0 4
login local
transport input ssh
!
scheduler allocate 20000 1000
!
end

Router#
RJI Advisor
Advisor

Re: IPsec Site-to-Site VPN Palo Alto and Cisco Router

I'll have a look tonight, I am out of the office shortly. In the meantime, check out this post; it should provide some pointers on how to configure FlexVPN with certificates.

Participant

Re: IPsec Site-to-Site VPN Palo Alto and Cisco Router

Hi,
I thought it was my certificate error in phase 1.
I got the error below when I tested locally. Please see my CA below.


PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID: Certificate chain validation has failed. The certificate (SN: 5500000022714B1CD619EFCABB000000000022) is not yet valid Validity period starts on 01:44:08 SGD Nov 23 2018 *Nov 22 19:12:17: %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID: Certificate chain validation has failed



R1#sh crypto pki certificates
Certificate
Status: Available
Certificate Serial Number (hex): 5500000021CB515F84C900A61C000000000021
Certificate Usage: General Purpose
Issuer:
cn=crypto-CASVR-CA-1
dc=crypto
dc=local
Subject:
Name: r1
cn=r1
CRL Distribution Points:
ldap:///CN=crypto-CASVR-CA-1,CN=CASVR,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=crypto,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
Validity Date:
start date: 01:41:07 SGD Nov 23 2018
end date: 01:51:07 SGD Nov 23 2020
Associated Trustpoints: my-ca

CA Certificate
Status: Available
Certificate Serial Number (hex): 3E4E0CD6A71F67A54DB01767A4C7F840
Certificate Usage: Signature
Issuer:
cn=crypto-CASVR-CA-1
dc=crypto
dc=local
Subject:
cn=crypto-CASVR-CA-1
dc=crypto
dc=local
Validity Date:
start date: 18:08:09 SGD Oct 8 2018
end date: 18:18:08 SGD Oct 8 2023
Associated Trustpoints: my-ca

RJI Advisor
Advisor

Re: IPsec Site-to-Site VPN Palo Alto and Cisco Router

Hi,
It says the certificate is not yet valid. I would check the clock on your routers; I would imagine the date is out by 1 day.

The certificate start date is 01:41:07 SGD Nov 23 2018, which is the day after your post on Nov 22; you might find the certificate is now valid and it works... or you have another issue.
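The "not yet valid" failure above is a pure clock comparison: the router checks its own clock against the certificate's notBefore, so a router clock that sits behind the CA's clock rejects a freshly issued certificate. The following is an added example, not from either poster: it parses a constructed copy of the "sh crypto pki certificates" output quoted in this thread, treats "SGD" as a router-local timezone name at UTC+8 (an assumption; the thread never states the offset), and compares each certificate's validity window with the router clock taken from the log line timestamp "*Nov 22 19:12:17" (year 2018 assumed), reporting how far off each certificate is.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: the router was configured with "clock timezone SGD 8", so SGD means UTC+8.
TZ = {"SGD": timezone(timedelta(hours=8)), "UTC": timezone.utc}

# Constructed sample mirroring the "sh crypto pki certificates" output posted in the thread.
CERT_OUTPUT = """\
Certificate
Status: Available
Certificate Serial Number (hex): 5500000021CB515F84C900A61C000000000021
Subject:
Name: r1
cn=r1
Validity Date:
start date: 01:41:07 SGD Nov 23 2018
end date: 01:51:07 SGD Nov 23 2020
Associated Trustpoints: my-ca

CA Certificate
Status: Available
Certificate Serial Number (hex): 3E4E0CD6A71F67A54DB01767A4C7F840
Subject:
cn=crypto-CASVR-CA-1
Validity Date:
start date: 18:08:09 SGD Oct 8 2018
end date: 18:18:08 SGD Oct 8 2023
Associated Trustpoints: my-ca
"""


def parse_ios_time(s):
    """Parse an IOS timestamp such as '01:41:07 SGD Nov 23 2018' into an aware datetime."""
    m = re.match(r"(\d\d:\d\d:\d\d) (\S+) (\w{3}) (\d+) (\d{4})", s)
    if not m:
        raise ValueError(f"unrecognised IOS time: {s!r}")
    hms, tzname, mon, day, year = m.groups()
    naive = datetime.strptime(f"{hms} {mon} {day} {year}", "%H:%M:%S %b %d %Y")
    return naive.replace(tzinfo=TZ[tzname])


def parse_certs(text):
    """Extract kind, serial and validity window for each certificate block in the output."""
    certs, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line in ("Certificate", "CA Certificate"):
            cur = {"kind": line}
            certs.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Certificate Serial Number (hex):"):
            cur["serial"] = line.split(":", 1)[1].strip()
        elif line.startswith("start date:"):
            cur["not_before"] = parse_ios_time(line.split(":", 1)[1].strip())
        elif line.startswith("end date:"):
            cur["not_after"] = parse_ios_time(line.split(":", 1)[1].strip())
    return certs


def check_validity(cert, now):
    """Return (status, seconds): how far the router clock is outside the validity window."""
    if now < cert["not_before"]:
        return "NOT_YET_VALID", int((cert["not_before"] - now).total_seconds())
    if now > cert["not_after"]:
        return "EXPIRED", int((now - cert["not_after"]).total_seconds())
    return "VALID", 0


def audit(text, now):
    """Map each certificate serial in the output to its validity status at time 'now'."""
    return {c["serial"]: check_validity(c, now) for c in parse_certs(text)}


# Router clock at the moment of the %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID log line
# (the leading '*' in the log means the clock was not authoritative, i.e. not NTP-synced).
ROUTER_CLOCK = parse_ios_time("19:12:17 SGD Nov 22 2018")

if __name__ == "__main__":
    for serial, (status, secs) in audit(CERT_OUTPUT, ROUTER_CLOCK).items():
        print(f"{serial}: {status} (off by {timedelta(seconds=secs)})")
```

Run against the thread's data this flags the r1 identity certificate as not yet valid by about six and a half hours while the CA certificate is fine; the same check with the clock advanced a day reports both as valid, which is exactly RJI's "it may simply work tomorrow" observation. The durable fix is an authoritative time source (NTP) on every router that validates certificates.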
Participant

Re: IPsec Site-to-Site VPN Palo Alto and Cisco Router

Hi,

If I put some information in my CA trustpoint as below, what will happen? Will it go through authentication?

ip domain-name crypto.local

! the key label must match the "rsakeypair my-ca" line in the trustpoint
crypto key generate rsa general-keys label my-ca modulus 2048
crypto pki trustpoint my-ca
enrollment terminal
serial-number none
ip-address none

fqdn r1.crypto.local
subject-name cn=r1.crypto.local
revocation-check none
rsakeypair my-ca 2048
crypto pki authenticate my-ca


And if I am using a certificate map, I will map as below.

crypto pki certificate map my-ca 10
issuer-name co cn= crypto 

If I am not using a certificate map, I will use as below.

crypto ikev2 profile profile1
description IKEv2 profile
! "identity local dn" sends the certificate DN as the local IKEv2 identity
! ("match address local dn" is not a valid IKEv2 profile command)
identity local dn
match identity remote any
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint my-ca