SITE TO SITE IKEv1 IPSEC VPN

[Network diagram: ipsecvpn.JPG]

We have a network similar to the diagram shown above, and we want to configure an IPsec IKEv1 VPN between 2 sites. We have a Cisco 4321 router at Branch A and a Palo Alto firewall on the other end.

After  doing  the well known configuration provided by Cisco at

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/119425-configure-ipsec-00.html

we found that we still could not form a successful tunnel between the sites.
We think that there is a hop or a firewall somewhere in the WAN path blocking or filtering
the IKEv1 traffic and ICMP.

So the question consists of two parts:

First: Kindly provide us with your suggestions regarding the proper and optimum configuration for the
devices at both ends.

Second: In the WAN, how could we identify exactly the hop that filters that traffic?
We want to prove that one hop is blocking or filtering IKEv1 and ICMP traffic.
Then how could we find and prove that it prevents specific data traffic?

Asked by Mohammed Naeem

John, Business Consultant (Owner), commented:
Here is one of the best guides I could see for this. You need both Phase 1 and Phase 2 setups at both ends and a pre-shared key as part of the initial setup.

https://indeni.com/blog/how-to-do-an-ipsec-vpn-configuration-between-pan-firewall-and-cisco-asa/?utm_term=&utm_campaign=Indeni+Crowd&utm_source=adwords&utm_medium=ppc&hsa_tgt=dsa-419150047603&hsa_grp=56844656347&hsa_src=g&hsa_net=adwords&hsa_mt=b&hsa_ver=3&hsa_ad=262590849495&hsa_acc=3847623796&hsa_kw=&hsa_cam=1344787853&gclid=EAIaIQobChMIuaPLgJf53AIV3rXACh2MCgZVEAAYASAAEgIJvvD_BwE

We use Juniper routers for site to site VPN connections and I am not very familiar with Palo Alto.
N. Spears, Sr. Net. Eng., commented:
The link you shared shows a VPN configuration for a router to an ASA, meaning you configured a policy-based VPN. You should instead configure a route-based VPN using VTI interfaces. The Palo Alto can be configured with a route-based VPN also. As for verification of whether IKE is being blocked in the WAN: if the WAN is the public internet, I highly doubt it's being blocked.

On the Cisco router:

debug crypto ipsec
debug crypto isakmp

See what errors it's throwing. It should tell you exactly why the VPN isn't coming up.


noci, Software Engineer, commented:
Some simple checks. Phase 1 uses UDP (protocol 17) port 500.
A tool like ike-scan (http://www.nta-monitor.com/ike-scan/) can be used to verify it works.
Also, logging on the firewalls should be able to provide a clue about what happens.
Wireshark could be used to check any traffic on the public part for anomalies (like no remote host etc.).

Phase 2 uses ESP (protocol 50) or, if NAT-T is used, UDP (protocol 17) port 4500.
If traffic flows it works (Wireshark can be used to verify if packets travel).

Are 172.16.1.x & 172.17.1.x placeholders for internet addresses or actual addresses?
If those are actual addresses that also get NATed to a different set across an internet connection, then NAT-T is required.
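The checks noci lists (IKE on UDP/500, NAT-T on UDP/4500, ESP as IP protocol 50, each expected in both directions) can be applied to a capture summary mechanically. The following is an added example, not code from the thread; it reads constructed tshark-style field lines, assumes peer addresses 172.16.1.1 and 172.17.1.1, and reports which component is missing a direction.

```python
# Classify packets from a capture summary: IKEv1 (UDP/500), NAT-T (UDP/4500), ESP (proto 50).
from collections import defaultdict

# Constructed sample shaped like tshark field output (src dst proto sport dport); not a real capture.
SAMPLE = """\
172.16.1.1\t172.17.1.1\t17\t500\t500
172.17.1.1\t172.16.1.1\t17\t500\t500
172.16.1.1\t172.17.1.1\t17\t4500\t4500
172.17.1.1\t172.16.1.1\t17\t4500\t4500
172.16.1.1\t172.17.1.1\t50\t\t
"""

def classify(proto, sport, dport):
    # ESP has no ports; IKE and NAT-T are identified by their well-known UDP port
    if proto == 50:
        return "esp"
    if proto == 17 and 500 in (sport, dport):
        return "ike"
    if proto == 17 and 4500 in (sport, dport):
        return "nat-t"
    return None

def parse(text):
    """Return {component: set of (src, dst)} for the recognised packets."""
    seen = defaultdict(set)
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 5:
            continue
        src, dst, proto, sport, dport = fields[:5]
        kind = classify(int(proto), int(sport or 0), int(dport or 0))
        if kind:
            seen[kind].add((src, dst))
    return seen

def assess(seen, a, b):
    """Per component: 'both', 'a->b only', 'b->a only' or 'none'."""
    result = {}
    for kind in ("ike", "nat-t", "esp"):
        fwd, rev = (a, b) in seen[kind], (b, a) in seen[kind]
        result[kind] = ("both" if fwd and rev else "a->b only" if fwd
                        else "b->a only" if rev else "none")
    return result

def diagnose(result):
    # Order matters: without two-way IKE nothing else can be judged
    if result["ike"] != "both":
        return "IKEv1 UDP/500 not seen both ways: check peer settings or UDP/500 filtering"
    if result["nat-t"] == "both":
        return "NAT-T in use: data rides in UDP/4500, ESP protocol 50 need not appear"
    if result["esp"] == "both":
        return "IKE and ESP flow both ways: transport is fine, check routing or policy"
    return "ESP protocol 50 one-way or absent: protocol 50 may be filtered, enable NAT-T"
```

On a real capture, replace SAMPLE with the output of tshark using the same five fields and the two public peer addresses.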
arnold commented:
Please provide the following:

Site A:
WAN IP
LAN segment

Key lifetime
encryption/...

Site B:
WAN IP
LAN segment

Do both locations have static IPs?

For the Cisco, the WAN IP of the other site is the peer ID.

Look at the debug to log why the VPN connection fails and at which point: initial or second phase negotiation, or does it fail to match ......

See if the following helps.

https://live.paloaltonetworks.com/t5/Configuration-Articles/IPSec-site-to-site-between-Palo-Alto-Networks-firewall-and-Cisco/ta-p/65789

Using your info, recreate the drawing and then match the example with your own needs.

Potentially a typo was made while entering the data from the example rather than adapting the config to your circumstances.
Mohammed Naeem (Author) commented:
Hi,

Thanks for your reply.

We've applied the model "Static Virtual Tunnel Interface with IPsec"
literally as shown in the Cisco link that you provided to us.
Here is a pdf file that describes the model that we've done.

And we successfully brought up the tunnel, and the crypto session status is UP-Active.
But a new problem rose to the surface.
The problem is that we could ping the server "10.0.36.21" from the Site 1 router "ASR 1001-1" successfully, but we could not ping from the server residing in Site 1 ("Server 1") directly to "Server 2".
Also, the ping failed when applied using the command

ping 10.0.36.21 source FastEthernet3/3

though it was successful when applied using the command

ping 10.0.36.21 source tunnel 0

The strange thing is that we did not face this problem when the ping was applied from Site 2 to
Site 1.

We could ping successfully from Server 2 to Server 1.

Would you suggest solutions for this problem?

Attachment: IPsec-Virtual-Tunnel-Interface---Cis.pdf