SITE TO SITE IKEv1 IPSEC VPN

Mohammed Naeem
Mohammed Naeem used Ask the Experts™
on
ipsecvpn.JPG




We  have  a network similar  to the diagram  shown above ,,
And  we  want  to configure IPSEC  IKv1 VPN between 2  sites .  we  have  A cisco  4321 Router at Branch A and  A Palo Alto firewall on  the  other end  …

After  doing  the well known configuration provided by Cisco at

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/119425-configure-ipsec-00.html

we found  that  we  still could not  form  a successful a tunnel  between sites ,,   ..  
we  think that  there  a hope or a firewall somewhere in the  WAN path  blocking or  filtering
the  IKEv1  traffic  and  ICMP

so  the Questino consist of  two  parts :-

First :-   Kindly  provide  us  with  your suggestion regarding the proper an optimim configuration for the
Devices  at  both ends

Second :-   In  the  WAN  how  could  we  specify  the hop that  filter that traffic exactly ?
                          We  want  to prove that one hop is blocking or filtering IKv1 and ICMP traffic
              Then how could we find and prove that it  prevents specific data traffic  ?
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Here is one of the best guides I could see for this. You need both Phase I and Phase 2 setups at both ends and a pre-shared key as part of the initial setup.

https://indeni.com/blog/how-to-do-an-ipsec-vpn-configuration-between-pan-firewall-and-cisco-asa/?utm_term=&utm_campaign=Indeni+Crowd&utm_source=adwords&utm_medium=ppc&hsa_tgt=dsa-419150047603&hsa_grp=56844656347&hsa_src=g&hsa_net=adwords&hsa_mt=b&hsa_ver=3&hsa_ad=262590849495&hsa_acc=3847623796&hsa_kw=&hsa_cam=1344787853&gclid=EAIaIQobChMIuaPLgJf53AIV3rXACh2MCgZVEAAYASAAEgIJvvD_BwE

We use Juniper routers for site to site VPN connections and I am not very familiar with Palo Alto.
SouljaSr.Net.Eng
Top Expert 2011

Commented:
The link you shared shows a vpn configuration for a router to an ASA. Meaning you conifgured a policy based VPN.You should instead configure a route based vpn using VTI interfaces. The Palo Alto can be configued with route based vpn also. As for verification if ike is being blocked in the wan. If the wan is public internet. I highly doubt its being blocked.

On the Cisco router:


debug crypto ipsec
debug crypto isakmp

See what errors its throwing. Should tell you exactly why the vpn isn't coming up.
Sr.Net.Eng
Top Expert 2011
Commented:
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

nociSoftware Engineer
Distinguished Expert 2018

Commented:
Some simple checks phase 1:    uses UDP (protocol 17)  port 500.    
A tool like ike-scan ( http://www.nta-monitor.com/ike-scan/ ) can be used to verify it works....
Also logging on the firewalls should be able to provide a clue about what happens
wireshark could be used to check any traffic on the public part for anomalies. (like no remote host etc. etc.)

phase 2 uses   EPS (protocol 50)    or if NAT-T is used, UDP (protocol 17) / port 4500.
if traffic flows it works.. (wireshark can be used to verify if packets travel).

are 172.16.1.x  & 172.17.1.x placeholders for internet addresses or actual addresses.
If those are actual addresses that also get natted to a different set across an internet connection then NAT-T is required.
Distinguished Expert 2017

Commented:
please do the following:

Site A:
WAN IP
LAN SEGMENT

Key lietime
encryption/..

Site B:
WAN I
LAN SEGMENt

Do both locations have statiC IP

for the cisco the WAN IP of the other site is the PEER ID.


look at the debug to log why the VPN connection fails and at which point, Initial or second phase negotiation or does it fail to match ......

See if the following helps.

https://live.paloaltonetworks.com/t5/Configuration-Articles/IPSec-site-to-site-between-Palo-Alto-Networks-firewall-and-Cisco/ta-p/65789

using your info, recreate the drawing with your info and then match the example with your own needs.

Potentially while adding entry a typo entering the data from the example versus adapting the config to your circumstance.

Author

Commented:
Hi ,

thanks for your reply ..


We’ve   applied  the model  “ Static Virtual Tunnel Interface with IPsec “
Literally as shown in the Cisco Link that you provide to us .
Here is  a pdf file that describes  the model the we’ve done .



And  successfully  we brought up the tunnel ,  and the crypto session status is UP-Active ..
But a new problem raised to the surface .
The  problem that  we  could  ping  the server “ 10.0.36.21” from the site 1 router “ ASR 1001-1” successfully , but  we could not  ping from the server reside in Site 1 “ server 1 “ directly to  “ Server 2 “
Also  the ping  failed  when applied  using  the command

Ping  10.0.36.21  source  FastEthernet3/3  though it was successful when
Applied  using  the command

Ping 10.0.36.21  source  tunnel  0  

The  strange  thing  that  we  did not  face this  problem when  ping  applied from  Site 2 to
Site 1  ,,

We  could  ping  successfully  from server2   to  server1   .

Would you suggest us solutions for this problem  ???
IPsec-Virtual-Tunnel-Interface---Cis.pdf

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial