Re: Site-2-Site IKEv2 VPN between Cisco IOS router and PaloAlto firewall - Page 2

cciesec2011 · ‎10-28-2020

Has anyone here successfully get Site-2-Site VPN between a Cisco IOS router and PaloAlto working with IKEv2? I am at a loss here. Cisco TAC support is not very helpful. The TAC guy who help me is not very good with VPN. After going back and forth with him, I essentially give up. Cisco TAC support is not very good these days. Here we go:

The configuration is very straight forward, nothing mystery about it. The thing is that if I replace the Cisco IOS router with an ASA device with the same EXACT configurationi, VPN IKEv2 will work fine between ASA and PaloAlto so I know the configuration on the PaloAlto is good.

Platform is Cisco 2921 running version c2900-universalk9-mz.SPA.151-4.M10.bin. The configuration is below:

crypto ikev2 proposal PaloAlto
encryption aes-cbc-256
integrity sha512
group 20
!
crypto ikev2 policy PaloAlto
proposal PaloAlto
!
crypto ikev2 keyring PaloAlto
peer PaloAlto
address 1.1.1.1
pre-shared-key 123456
!

crypto ikev2 profile PaloAlto
match identity remote address 1.1.1.1 255.255.255.255
authentication local pre-share
authentication remote pre-share
keyring PaloAlto

crypto ipsec transform-set PaloAlto esp-aes 256 esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set PaloAlto
set pfs group20
set ikev2-profile PaloAlto
match address PaloAlto

ip access-list extended PaloAlto

permit ip host 192.168.1.1 192.168.246.0 0.0.0.255
permit ip host 192.168.1.2 192.168.246.0 0.0.0.255

interface GigabitEthernet0/0
ip address 4.2.2.251 255.255.255.248
duplex auto
speed auto
crypto map vpn

ip route 0.0.0.0 0.0.0.0 4.2.2.254

Platform is Cisco 2921 running version c2900-universalk9-mz.SPA.151-4.M10.bin

Any ideas?

MHM Cisco World · ‎10-30-2020

.....

cciesec2011 · ‎10-30-2020

What you have does NOT apply in my situation because I have ONLY 1 VPN termination on that Cisco router with the Paloalto VPN and nothing else. DMVPN is a cisco "only" solution and has nothing to do with my situation here. Yes, I am very well aware of the DMVPN because I had to do that in my CCIE lab many years ago and passed

Look more like a bug with Cisco IOS to me, unless I upgrade to 16.x which I can not because platform 2921 does not run 16.x. But thank you.

MHM Cisco World · ‎10-30-2020

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/119425-configure-ipsec-00.html

Please read this doc.,

Especially about router vs asa local address

Aref Alsouqi · ‎10-30-2020

I don't see any issue with your router configuration that would prevent the tunnel from working. The only thing I see on the output you posted that doesn't look right is the keyring PaloAlto command under the crypto ikev2 profile, that should read keyring local PaloAlto, but I think that is simply a typo. I would suggest to enable crypto debug on the router, as well as on the Palo Alto firewall.

On the router use the command debug crypto ikev2, and on the Palo Alto use:

debug ike gateway <the VPN gateway name> on

debug ike tunnel <the VPN IPsec Tunnel name> on

tail follow yes mp-log keymgr.log

Clear the tunnel and watch the debugs on both ends, hopefully you will see what is wrong and trying to fix it.

To see the tunnel status on Cisco:

show crypto ikev2 sa det

On Palo Alto:

show vpn ike-sa and show vpn ipsec-sa

Once you finish troubleshooting the issue, turn off the debugs. On Palo Alto repeat those debug commands replacing on with off.

If you don't spot any issue, please share the Palo Alto sanitized screenshots of the tunnel configuration, including the IKE Crypto profile, IPSec Crypto profile, IKE Gateway, IPSec Tunnel, and virtual router and security policies related configuration.

cciesec2011 · ‎11-01-2020

@Aref Alsouqi: Are you working for Cisco, LOL? There is NO such command "keyring local PaloAlto" you mentioned? The Cisco TAC engineer kept fighting with me on this until I showed him that there is NO "local". I don't even have AAA enable on the router:

c2921(config)#crypto ikev2 profile PaloAlto
c2921(config-ikev2-profile)#keyring ?
WORD Keyring name
aaa AAA based pre-shared keys

c2921(config-ikev2-profile)#keyring

I know how to troubleshoot on both the router and the PaloAlto side. As a matter of fact, I had both PaloAlto and Cisco on the phone at the same time, PaloAlto blamed the issue on the Cisco side and vice versa. PaloAlso support stated that Cisco sent them the wrong data but the cisco TAC engineer had no clue. After a few weeks of back and forth with Cisco, I finally gave up, until @marce1000 showed me the bug ID. It could have saved me a lot of times. The TAC engineer from Cisco was pretty much useless.

Aref Alsouqi · ‎11-04-2020

I unfortunately don't lol. This is interesting, I tried it on my lab and I got the local option:

VPN-ROUTER(config)#crypto ikev2 profile PaloAlto
VPN-ROUTER(config-ikev2-profile)#keyring ?
  aaa    AAA based keyring
  local  Local keyring

Regarding the troubleshooting, I would rely on debugs on both ends and try to parse any error that would help suggesting what the root cause is.

cciesec2011 · ‎11-05-2020

@Aref Alsouqi wrote:
I unfortunately don't lol. This is interesting, I tried it on my lab and I got the local option:
VPN-ROUTER(config)#crypto ikev2 profile PaloAlto
VPN-ROUTER(config-ikev2-profile)#keyring ?
  aaa    AAA based keyring
  local  Local keyring
Regarding the troubleshooting, I would rely on debugs on both ends and try to parse any error that would help suggesting what the root cause is.

Which version of IOS are you running?

Aref Alsouqi · ‎11-09-2020

That was on 15.7(3)M3 on my lab, however, I remember always seeing that option on hardware as well.