Palo Alto IPsec VPN

Configuration

1. Tunnel interface

If no dynamic routing is required, the tunnel interface does not need an IP address.

2. (Optional) IKE Crypto profile; PA comes with default IKE Crypto profiles.

3. (Optional) IPSec Crypto profile; PA comes with default IPSec Crypto profiles.

4. IKE gateway
Specify the peer IP address, IKE version, VPN physical interface/IP, pre-shared key, IKE identity (the default, none, means the IP address is used), and IKE Crypto Profile.

5. IPSec tunnel
Specify the tunnel interface, IKE gateway, IPSec Crypto Profile and Proxy IDs.

6. Route
Route the remote subnet to the tunnel interface.

7. Security Policy
Consider adding bidirectional security policies for the VPN traffic and for the encryption domain traffic.

   A rule for the VPN traffic is not required if it is covered by the intrazone-default rule.
   A rule for the encryption domain traffic is also not required if the tunnel interface is in the Trust zone and the traffic is covered by the intrazone-default rule.


Verify - CLI

show vpn tunnel
    Shows Phase II info: proposal, proxy-ID, gateway name, etc.; no SPI info.

show vpn ike-sa
show vpn ike-sa gateway ?
show vpn ike-sa gateway [match]
    Shows Phase I info: proposal, peer public IP, tunnel ID (TnID), IPSec tunnel name, gateway name, etc.

Another example. Note the gateway name (ASAv), the IPsec tunnel name and proxy-ID name (the Tunnel column, e.g. VPN-ASA:DMZ-LAN), and the tunnel ID (TnID).

admin@PA1026> show vpn ike-sa gateway ASAv
There is no IKEv1 phase-1 SA found.
There is no IKEv1 phase-2 SA found.

IKEv2 SAs
Gateway ID      Peer-Address           Gateway Name                                                    Role SN       Algorithm             Established     Expiration      Xt Child  ST
----------      ------------           ------------                                                    ---- --       ---------             -----------     ----------      -- -----  --
1               192.168.2.201          ASAv                                                            Init 1        PSK/DH14/A256/SHA256  Dec.15 13:53:24 Dec.15 21:53:24 0  2      Established
IKEv2 IPSec Child SAs
Gateway Name                                                    TnID     Tunnel                                                          ID       Parent   Role SPI(in)  SPI(out) MsgID    ST             
------------                                                    ----     ------                                                          --       ------   ---- -------  -------- -----    --             
ASAv                                                            2        VPN-ASA:DMZ-LAN                                                 1        1        Init ADF3366D C7279586 00000001 Mature         
ASAv                                                            1        VPN-ASA:LAN-LAN                                                 5        1        Init A0A67AC7 E9988448 00000005 Mature         
Show IKEv2 SA: Total 1 gateways found. 1 ike sa found.

admin@PA1026>
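Reading this table by eye is fine for one gateway; for many gateways it helps to script the check. The following Python script is an added example, not part of the original post or of PAN-OS: it parses the IKEv2 SA and Child SA tables above and reports any gateway without an Established IKE SA (Phase 1) and any expected tunnel:proxy-ID pair without a Mature child SA (Phase 2). It matches rows on token patterns rather than column widths, assumes the Role column only reads Init or Resp and that names in the Tunnel column contain no spaces, and takes the list of expected tunnels from the operator. The sample output is the page's own, re-spaced.

```python
import re

# Sample "show vpn ike-sa gateway ASAv" output, taken from the page above and re-spaced
# (the parser keys on token patterns, not on column widths).
SAMPLE_IKE_SA = """\
There is no IKEv1 phase-1 SA found.
There is no IKEv1 phase-2 SA found.

IKEv2 SAs
Gateway ID  Peer-Address   Gateway Name  Role SN  Algorithm             Established     Expiration      Xt Child  ST
----------  ------------   ------------  ---- --  ---------             -----------     ----------      -- -----  --
1           192.168.2.201  ASAv          Init 1   PSK/DH14/A256/SHA256  Dec.15 13:53:24 Dec.15 21:53:24 0  2      Established
IKEv2 IPSec Child SAs
Gateway Name  TnID  Tunnel           ID  Parent  Role SPI(in)  SPI(out) MsgID    ST
------------  ----  ------           --  ------  ---- -------  -------- -----    --
ASAv          2     VPN-ASA:DMZ-LAN  1   1       Init ADF3366D C7279586 00000001 Mature
ASAv          1     VPN-ASA:LAN-LAN  5   1       Init A0A67AC7 E9988448 00000005 Mature
Show IKEv2 SA: Total 1 gateways found. 1 ike sa found.
"""

# One IKEv2 SA row. Gateway names may contain spaces, so they are matched lazily up to the
# Role column, which is assumed to read only Init or Resp.
IKE_SA_ROW = re.compile(
    r"^(?P<gw_id>\d+)\s+(?P<peer>\S+)\s+(?P<gateway>.+?)\s+(?P<role>Init|Resp)\s+(?P<sn>\d+)\s+"
    r"(?P<algorithm>\S+)\s+(?P<established>\S+ \S+)\s+(?P<expiration>\S+ \S+)\s+"
    r"(?P<xt>\d+)\s+(?P<child>\d+)\s+(?P<state>\S+)\s*$"
)
# One Child SA row. The Tunnel column is "<ipsec tunnel name>:<proxy-ID name>" (no spaces assumed).
CHILD_SA_ROW = re.compile(
    r"^(?P<gateway>.+?)\s+(?P<tnid>\d+)\s+(?P<tunnel>\S+)\s+(?P<id>\d+)\s+(?P<parent>\d+)\s+"
    r"(?P<role>Init|Resp)\s+(?P<spi_in>[0-9A-Fa-f]{8})\s+(?P<spi_out>[0-9A-Fa-f]{8})\s+"
    r"(?P<msgid>[0-9A-Fa-f]{8})\s+(?P<state>\S+)\s*$"
)


def parse_ike_sa(text):
    """Split the dump into its two tables and return (ike_sas, child_sas) as lists of dicts."""
    ike_sas, child_sas, section = [], [], None
    for line in text.splitlines():
        if line.startswith("IKEv2 SAs"):
            section = "ike"
        elif line.startswith("IKEv2 IPSec Child SAs"):
            section = "child"
        elif section == "ike" and (m := IKE_SA_ROW.match(line)):
            ike_sas.append(m.groupdict())
        elif section == "child" and (m := CHILD_SA_ROW.match(line)):
            child_sas.append(m.groupdict())
    return ike_sas, child_sas


def check_ike_sa(text, expected_tunnels):
    """expected_tunnels: {gateway name: [tunnel:proxy-ID names that must have a Mature child SA]}.

    Returns a list of problem strings; an empty list means Phase 1 and every expected Phase 2 are up.
    """
    ike_sas, child_sas = parse_ike_sa(text)
    up_gateways = {s["gateway"] for s in ike_sas if s["state"] == "Established"}
    mature = {(c["gateway"], c["tunnel"]) for c in child_sas if c["state"] == "Mature"}
    problems = []
    for gateway, tunnels in expected_tunnels.items():
        if gateway not in up_gateways:
            problems.append(f"{gateway}: no established IKEv2 SA (phase 1 down)")
            continue
        for tunnel in tunnels:
            if (gateway, tunnel) not in mature:
                problems.append(f"{gateway}: no mature child SA for {tunnel} "
                                "(phase 2 missing: check proxy-ID and IPSec crypto profile on both sides)")
    return problems


if __name__ == "__main__":
    expected = {"ASAv": ["VPN-ASA:LAN-LAN", "VPN-ASA:DMZ-LAN"]}   # what this firewall should have up
    for problem in check_ike_sa(SAMPLE_IKE_SA, expected) or ["all expected SAs are up"]:
        print(problem)
```

Feed it the output of `show vpn ike-sa` (all gateways) instead of one gateway and the same parser covers the whole firewall; a missing proxy-ID pair then shows up as a named child SA rather than a count that is one too low.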





show vpn ipsec-sa
show vpn ipsec-sa tunnel ?
    Shows Phase II info: proposal, peer public IP, tunnel and gateway name, and SPI; no proxy-ID info.

show vpn flow name ?
show vpn flow tunnel-id
    Shows all detail info, including the VPN interface name and traffic sent/received through the tunnel.

admin@PA440-2(active)> show vpn flow
> name        Show for given VPN tunnel
> tunnel-id   Show specific tunnel information
  |           Pipe through a command
  <Enter>     Finish input
admin@PA440-2(active)> show vpn flow tunnel-id 1
tunnel  VPN-FG70F
        id:                     1
        type:                   IPSec
        gateway id:             2
        local ip:               192.168.2.36
        peer ip:                192.168.2.33
        inner interface:        tunnel.1
        outer interface:        ethernet1/1

        state:                  active
        session:                46567
        tunnel mtu:             1423
        soft lifetime:          3570
        hard lifetime:          3600
        lifetime remain:        3397 sec
        lifesize remain:        N/A
        latest rekey:           203 seconds ago
        monitor:                off
          monitor packets seen: 0
          monitor packets reply:0
        en/decap context:       35
        local spi:              9754FDBF
        remote spi:             E243630A
        key type:               auto key
        protocol:               ESP
        auth algorithm:         SHA256
        enc  algorithm:         AES256
        traffic selector:
          protocol:             0
          local ip range:       0.0.0.0 - 255.255.255.255
          local port range:     0 - 65535
          remote ip range:      0.0.0.0 - 255.255.255.255
          remote port range:    0 - 65535
        anti replay check:      yes
        anti replay window:     1024
        copy tos:               no
        enable gre encap:       no
        initiator:              no
        authentication errors:  0
        decryption errors:      0
        inner packet warnings:  0
        replay packets:         0
        packets received
          when lifetime expired:0
          when lifesize expired:0
        sending sequence:       0
        receive sequence:       0
        encap packets:          0
        decap packets:          0

        encap bytes:            0
        decap bytes:            0
        encap IPv4 packets:     0
        decap IPv4 packets:     0
        encap IPv4 bytes:       0
        decap IPv4 bytes:       0
        encap IPv6 packets:     0
        decap IPv6 packets:     0
        encap IPv6 bytes:       0
        decap IPv6 bytes:       0
        key acquire requests:   0
        owner state:            0
        owner cpuid:            s1.0dp0
        ownership:              1
admin@PA440-2(active)>


admin@PA440-2(active)> show vpn flow tunnel-id 1 | match cap\|ip
(a similar filter: show vpn flow tunnel-id 1 | match ip\|packets)

        local ip:               192.168.2.36
        peer ip:                192.168.2.33
        en/decap context:       35
          local ip range:       0.0.0.0 - 255.255.255.255
          remote ip range:      0.0.0.0 - 255.255.255.255
        enable gre encap:       no
        encap packets:          0
        decap packets:          0
        encap bytes:            0
        decap bytes:            0
        encap IPv4 packets:     0
        decap IPv4 packets:     0
        encap IPv4 bytes:       0
        decap IPv4 bytes:       0
        encap IPv6 packets:     0
        decap IPv6 packets:     0
        encap IPv6 bytes:       0
        decap IPv6 bytes:       0
        ownership:              1
admin@PA440-2(active)>
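Filtering with `match` is enough at the console; a monitoring job that collects this output over SSH or the API wants the same reading done mechanically. The Python script below is an added example, not from the original post or from Palo Alto Networks. It flattens a `show vpn flow tunnel-id` record into a dict and applies the checks an engineer does by eye: tunnel state, authentication/decryption/replay error counters, one-way traffic (encap without decap or the reverse), whether a traffic selector is the 0.0.0.0/0 catch-all that a tunnel with no proxy ID gets, and whether the tunnel monitor is off. The sample record is constructed in the layout shown above; the name VPN-EXAMPLE, the addresses and the counters are made up, and the severity levels are the example's own.

```python
import ipaddress
import re

# Constructed record in the layout of "show vpn flow tunnel-id <n>" shown above. The keys follow
# the page's output; the name, addresses and counters are made up so the checks have something
# to report (one-way traffic, decryption errors, a catch-all remote selector).
SAMPLE_FLOW = """\
tunnel  VPN-EXAMPLE
        id:                     1
        local ip:               192.0.2.36
        peer ip:                198.51.100.33
        inner interface:        tunnel.1
        state:                  active
        tunnel mtu:             1423
        soft lifetime:          3570
        hard lifetime:          3600
        lifetime remain:        3397 sec
        monitor:                off
          monitor packets seen: 0
          monitor packets reply:0
        protocol:               ESP
        auth algorithm:         SHA256
        enc  algorithm:         AES256
        traffic selector:
          protocol:             0
          local ip range:       10.1.0.0 - 10.1.0.255
          remote ip range:      0.0.0.0 - 255.255.255.255
        anti replay check:      yes
        authentication errors:  0
        decryption errors:      3
        replay packets:         0
        packets received
          when lifetime expired:0
        encap packets:          226
        decap packets:          0
"""


def parse_vpn_flow(text):
    """Flatten the key/value dump into a dict. Lines that only open an indented group
    ('traffic selector:', 'packets received') are prefixed onto their children, so the
    ESP 'protocol' and the selector 'protocol' end up as different keys."""
    fields, parent, parent_indent = {}, None, -1
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent <= parent_indent:                    # left the indented group
            parent, parent_indent = None, -1
        line = raw.strip()
        if m := re.match(r"^tunnel\s+(\S+)$", line):   # first line: 'tunnel  <name>'
            fields["tunnel"] = m.group(1)
            continue
        key, sep, value = line.partition(":")
        key, value = " ".join(key.split()).lower(), value.strip()
        if not sep or not value:                       # group header without a value of its own
            parent, parent_indent = key, indent
            continue
        fields[f"{parent}/{key}" if parent else key] = value
    return fields


def range_to_networks(ip_range):
    """'10.1.0.0 - 10.1.0.255' -> ['10.1.0.0/24']; the whole IPv4 space becomes ['0.0.0.0/0']."""
    low, high = (ipaddress.ip_address(p.strip()) for p in ip_range.split("-"))
    return [str(n) for n in ipaddress.summarize_address_range(low, high)]


def check_vpn_flow(fields):
    """Return (severity, message) findings for one tunnel record; severities are this example's own."""
    def num(key):
        return int(fields.get(key, "0").split()[0])     # '3397 sec' -> 3397

    findings = []
    if fields.get("state") != "active":
        findings.append(("high", f"tunnel state is {fields.get('state')!r}, not active"))
    for key in ("authentication errors", "decryption errors", "replay packets"):
        if num(key):
            findings.append(("high", f"{key}: {num(key)} (key/proposal mismatch or replayed ESP)"))
    if fields.get("anti replay check") != "yes":
        findings.append(("medium", "anti-replay check is disabled"))
    encap, decap = num("encap packets"), num("decap packets")
    if encap == 0 and decap == 0:
        findings.append(("info", "no traffic has crossed the tunnel yet"))
    elif decap == 0:
        findings.append(("medium", f"one-way traffic: {encap} packets sent, none received (check the peer's route and proxy-ID)"))
    elif encap == 0:
        findings.append(("medium", f"one-way traffic: {decap} packets received, none sent (check the local route to the tunnel interface)"))
    for side in ("local", "remote"):
        ip_range = fields.get(f"traffic selector/{side} ip range")
        if ip_range and range_to_networks(ip_range) == ["0.0.0.0/0"]:
            findings.append(("info", f"{side} traffic selector is 0.0.0.0/0 (no proxy ID configured for this side)"))
    if fields.get("monitor") == "off":
        findings.append(("info", "tunnel monitor is off (see the Tunnel Monitoring section)"))
    return findings


if __name__ == "__main__":
    for severity, message in check_vpn_flow(parse_vpn_flow(SAMPLE_FLOW)):
        print(f"[{severity}] {message}")
```

Run against the two real records on this page, the first one reports only "no traffic has crossed the tunnel yet" plus the two catch-all selectors, while the second (226 encap, 61137 decap, /24 selectors on both sides) reports nothing but the monitor status.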


Verify - GUI

Network > IPSec Tunnels; click "Tunnel Info" to see more details.



Bring up the tunnel from the PA firewall:

test vpn ike-sa gateway <gateway name>
test vpn ipsec-sa tunnel <tunnel name>

Clear the SAs:

clear vpn ike-sa gateway ?
clear vpn ipsec-sa tunnel ?



admin@PA-VM-916> show vpn flow tunnel-id 1 | match packets\|ip

        local ip:               192.168.2.42
        peer ip:                192.168.2.41
          monitor packets seen: 0
          monitor packets reply:0
          local ip range:       10.1.0.0 - 10.1.0.255
          remote ip range:      10.100.8.0 - 10.100.8.255
        replay packets:         0
        packets received
        encap packets:          226
        decap packets:          61137
        ownership:              1


Proxy ID:
When a proxy ID is configured on the PA, the VPN comes up regardless of whether the ASA side is policy-based or route-based.
When no proxy ID is configured on the PA, the VPN only comes up when the ASA side is a route-based VPN.


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC



=============

System logs
  filter: subtype eq vpn

CLI to check the management-plane VPN-related logs:
less mp-log ikemgr.log     << Phase 1
less mp-log tund.log       << Phase 2
(in less, use "/" to search and "n" to go to the next match)

grep pattern "142.115.26.122" mp-log ikemgr.log
tail lines 200 mp-log ikemgr.log


================CLI Configuration=============



  • Enter config mode and create the Tunnel Interface.
    configure
    set network interface tunnel units tunnel.1
    

  • Assign the Tunnel Interface to a new zone called "vpn_zone".
    set zone vpn_zone network layer3 tunnel.1
    

  • Assign the Tunnel Interface to the default Virtual Router.
    set network virtual-router default interface tunnel.1
    

  • Create a Static Route for the VPN traffic.
    set network virtual-router default routing-table ip static-route vpn interface tunnel.1 destination 192.168.2.0/24
    

  • Create an IKE Crypto Profile.
    set network ike crypto-profiles ike-crypto-profiles ike_profile hash sha1 dh-group group14 encryption aes-256-cbc lifetime seconds 28800
    

  • Create an IPSec Crypto Profile.
    set network ike crypto-profiles ipsec-crypto-profiles ipsec_profile esp authentication sha1 encryption aes-256-cbc
    set network ike crypto-profiles ipsec-crypto-profiles ipsec_profile lifetime seconds 3600
    set network ike crypto-profiles ipsec-crypto-profiles ipsec_profile dh-group group14
    

  • Create an IKE Gateway.
    set network ike gateway ike_gateway authentication pre-shared-key key [key]
    set network ike gateway ike_gateway protocol ikev1 ike-crypto-profile ike_profile
    set network ike gateway ike_gateway local-address interface ethernet1/1 ip 1.1.1.1/24
    set network ike gateway ike_gateway peer-address ip 2.2.2.2
    

  • Create firewall rules for the VPN traffic.
    set rulebase security rules vpn_inbound to any from any source 192.168.2.0/24 destination 192.168.1.0/24 source-user any category any application any service any hip-profiles any action allow
    set rulebase security rules vpn_outbound to any from any source 192.168.1.0/24 destination 192.168.2.0/24 source-user any category any application any service any hip-profiles any action allow
    

  • Create the IPSec Tunnel and commit the changes.
    set network tunnel ipsec vpn_to_nsx_edge auto-key ike-gateway ike_gateway
    set network tunnel ipsec vpn_to_nsx_edge auto-key proxy-id subnets local 192.168.1.0/24 remote 192.168.2.0/24 protocol any
    set network tunnel ipsec vpn_to_nsx_edge auto-key ipsec-crypto-profile ipsec_profile
    set network tunnel ipsec vpn_to_nsx_edge tunnel-interface tunnel.1 tunnel-monitor enable no
    set network tunnel ipsec vpn_to_nsx_edge disabled no
    commit
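The profiles above use sha1 and IKEv1; they work, but they are legacy choices that a configuration review should at least call out. The following Python script is an added example, not from the page or from Palo Alto Networks: it lints PAN-OS `set network ike` lines against a small review policy of legacy hashes, ciphers, DH groups, the IKE version and SA lifetimes. The policy table and the 86400 s / 28800 s lifetime ceilings are the example's own assumptions, the `legacy_profile` line in the sample is constructed to exercise every rule, and the other lines are the page's own commands.

```python
# Crypto-related "set" commands from the CLI configuration above (copied from the page), plus one
# constructed legacy_profile line so that every rule below has something to report.
SAMPLE_CONFIG = """\
set network ike crypto-profiles ike-crypto-profiles ike_profile hash sha1 dh-group group14 encryption aes-256-cbc lifetime seconds 28800
set network ike crypto-profiles ipsec-crypto-profiles ipsec_profile esp authentication sha1 encryption aes-256-cbc
set network ike crypto-profiles ipsec-crypto-profiles ipsec_profile lifetime seconds 3600
set network ike crypto-profiles ipsec-crypto-profiles ipsec_profile dh-group group14
set network ike gateway ike_gateway protocol ikev1 ike-crypto-profile ike_profile
set network ike crypto-profiles ike-crypto-profiles legacy_profile hash md5 dh-group group2 encryption 3des lifetime seconds 172800
"""

# Review policy assumed by this example (a baseline to adapt, not a Palo Alto Networks recommendation):
# option keyword -> {value: why it is flagged}.
POLICY = {
    "hash":           {"md5": "broken hash", "sha1": "legacy hash; prefer sha256 or stronger"},
    "authentication": {"md5": "broken hash", "sha1": "legacy hash; prefer sha256 or stronger",
                       "none": "no integrity protection"},
    "encryption":     {"des": "broken cipher", "3des": "legacy 64-bit block cipher", "null": "no confidentiality"},
    "dh-group":       {"group1": "768-bit MODP", "group2": "1024-bit MODP", "group5": "1536-bit MODP",
                       "no-pfs": "no perfect forward secrecy"},
    "protocol":       {"ikev1": "IKEv1; prefer IKEv2 when the peer supports it"},
}
# Longest SA lifetimes this policy tolerates, per profile type (assumed values).
MAX_LIFETIME_SECONDS = {"ike-crypto-profiles": 86400, "ipsec-crypto-profiles": 28800}


def lint_set_commands(config_text):
    """Return (object name, option, value, reason) for each weak setting in 'set network ike ...' lines."""
    findings = []
    for line in config_text.splitlines():
        tokens = line.split()
        if tokens[:3] != ["set", "network", "ike"]:
            continue                             # only crypto profiles and IKE gateways are linted
        if tokens[3] == "crypto-profiles":
            kind, name = tokens[4], tokens[5]    # ike-/ipsec-crypto-profiles, then the profile name
        elif tokens[3] == "gateway":
            kind, name = "gateway", tokens[4]
        else:
            continue
        for i, tok in enumerate(tokens[:-1]):
            value = tokens[i + 1]
            if tok in POLICY and value in POLICY[tok]:
                findings.append((name, tok, value, POLICY[tok][value]))
            elif tok == "lifetime" and value == "seconds" and i + 2 < len(tokens):
                seconds, limit = int(tokens[i + 2]), MAX_LIFETIME_SECONDS.get(kind)
                if limit and seconds > limit:
                    findings.append((name, "lifetime", f"{seconds}s", f"exceeds the {limit}s maximum in this policy"))
    return findings


if __name__ == "__main__":
    for name, option, value, reason in lint_set_commands(SAMPLE_CONFIG):
        print(f"{name}: {option} {value} -> {reason}")
```

Pipe the output of `show config running` (or the exported set-format config) through it before a commit; both peers must agree on the proposal, so a flagged value usually means changing both sides together rather than only the firewall.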




===========Tunnel Monitoring=============

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFaCAK

Tunnel Monitoring is a Palo Alto Networks proprietary feature that verifies traffic is successfully passing across the IPSec tunnel in question by sending a PING down the tunnel to the configured destination.

Tunnel monitoring can be used in conjunction with "Monitor Profiles" to bring down the tunnel interface, allowing routing to update so that traffic can take secondary routes.

Tunnel monitoring requires the VPN tunnel interface to have an IP address configured.

The firewall will try to negotiate new IPSec keys to accelerate the recovery.

When the monitor is down, it does not appear to bring the tunnel down; instead it rekeys a new Phase 2 SA. Users may see connection stability issues across the tunnel (the system log shows many Phase 2 rekeys).

Use "show vpn flow" to see the monitor status.


=======DPD============
Dead Peer Detection must be either active or disabled on both sides of the tunnel; having DPD enabled on one side and disabled on the other can cause VPN reliability issues.

DPD is used to detect whether the peer device still has a valid IKE-SA. Periodically, it sends an "ISAKMP R-U-THERE" packet to the peer, which responds with an "ISAKMP R-U-THERE-ACK" acknowledgement.

DPD is "not persistent" and is only triggered by a Phase 2 rekey. This means that if Phase 2 is up, Palo Alto Networks will not check whether the IKE-SA is active.


