VyOS 1.1.6 to Palo Alto PAN-OS IPSEC VPN IKE stuck at init


#1

Hello All,

I’ve been using VyOS for the last 6 months and am mightily impressed by all it can do.

I’ve run into an issue with creating an IPSEC VPN with a Palo Alto Networks firewall. It seems to connect when the peer reboots or fails over his firewall cluster, but the VPN fails on rekeying.

To add insult to injury - IKE seems to stay in init mode throughout the life of the VPN. When the VPN fails… no packets seem to come back. I send out IKE but tcpdump doesn’t show anything coming back.

So essentially at this point we’re resetting the Palo Alto every time to its failover to get the VPN back up until it times out.

We’re using main mode. The settings for IKE are AES-128, SHA1, DH group 2.

This used to work on a Cisco vASA firewall.

Has anyone seen this kind of behaviour before, and any ideas on how to troubleshoot?

Thanks for your time,
Ari


#2

Just in case anyone runs into this:

Palo Alto and Cisco ASAs are “friendly”, and the device ID tags are known, which makes the PA tag the VPN traffic as application-default, not requiring additional port allow rules in the ACL.

At PA’s suggestion, we added a number of ciscovpn and openvpn known ports and protocols to the ACL, which allowed the handshake to clear without error.

Interesting conundrum; I didn’t know there were friendly and unfriendly vendors, not to mention different tags.

Anyhow, just an FYI in case anyone runs into this.
Ari


#3

Hello,
it can be due to PFS settings.
I advise posting the question on https://phabricator.vyos.net as we will drop the forums soon (they will stay in RO mode).
Also, it would be nice to have logs from the devices; do you have access to the mentioned Palo Alto device?


#4

Hi Ari,

I’m in the process of setting up an IPSec VPN between a Vyatta endpoint and a Palo Alto. I assume the tunnel interface you created on the PA was in a particular zone. Did you apply the “ciscovpn” and “openvpn” applications to the security policy to get the tunnels to complete their handshake?

Sorv


#5

Correct. A new security policy was created for this specific VPN tunnel including those additional tweaks.
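
As an added example (not taken from Ari’s posts or from the VyOS or Palo Alto documentation), here is what the setup discussed in this thread looks like end to end: the VyOS 1.1.x IKE/ESP configuration matching the AES-128 / SHA1 / DH group 2 main-mode settings from post #1, the PFS group that post #3 suggests checking, the PAN-OS security rule that post #2 and post #5 describe (permitting the handshake by App-ID, with the ciscovpn and openvpn applications added), and the operational checks for the “IKE stuck at init / nothing coming back in tcpdump” symptom. The peer and local addresses (203.0.113.10, 198.51.100.1), the prefixes, the group names IKE-PA / ESP-PA, the PAN-OS rule name Allow-VyOS-IPSec, the zone names and the PSK placeholder are all assumptions for illustration; replace them with your own values.

```text
# --- VyOS 1.1.x side (configure mode). Addresses, prefixes, group names
# --- and the PSK placeholder are assumptions for illustration.
set vpn ipsec ipsec-interfaces interface eth0

# IKE (phase 1): main mode is the default; AES-128 / SHA1 / DH group 2 as in post #1
set vpn ipsec ike-group IKE-PA proposal 1 encryption aes128
set vpn ipsec ike-group IKE-PA proposal 1 hash sha1
set vpn ipsec ike-group IKE-PA proposal 1 dh-group 2
set vpn ipsec ike-group IKE-PA lifetime 28800
# DPD so a peer failover is detected and the tunnel is re-initiated instead of sitting dead
set vpn ipsec ike-group IKE-PA dead-peer-detection action restart
set vpn ipsec ike-group IKE-PA dead-peer-detection interval 30
set vpn ipsec ike-group IKE-PA dead-peer-detection timeout 120

# ESP (phase 2): the PFS group must match the PA's IPSec Crypto profile (post #3's point);
# a mismatch here typically shows up as "phase 1 comes up, rekey fails"
set vpn ipsec esp-group ESP-PA proposal 1 encryption aes128
set vpn ipsec esp-group ESP-PA proposal 1 hash sha1
set vpn ipsec esp-group ESP-PA pfs dh-group2
set vpn ipsec esp-group ESP-PA lifetime 3600

# Peer definition; local/remote prefixes must match the PA's proxy-IDs exactly
set vpn ipsec site-to-site peer 203.0.113.10 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 203.0.113.10 authentication pre-shared-secret 'REPLACE-WITH-REAL-PSK'
set vpn ipsec site-to-site peer 203.0.113.10 ike-group IKE-PA
set vpn ipsec site-to-site peer 203.0.113.10 local-address 198.51.100.1
set vpn ipsec site-to-site peer 203.0.113.10 tunnel 1 esp-group ESP-PA
set vpn ipsec site-to-site peer 203.0.113.10 tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer 203.0.113.10 tunnel 1 remote prefix 10.2.0.0/24
commit
save

# --- PAN-OS side (configure mode): the rule described in post #2. Traffic to the
# --- firewall's own outside interface is zoned by that interface, so the rule is
# --- untrust -> untrust. Matching on App-ID (ike, ipsec-esp, plus ciscovpn and
# --- openvpn as PA suggested) with service application-default, rather than on
# --- bare UDP/500, UDP/4500 and IP proto 50. Rule name and zone names are assumptions.
set rulebase security rules Allow-VyOS-IPSec from untrust to untrust source 198.51.100.1 destination 203.0.113.10 application [ ike ipsec-esp ciscovpn openvpn ] service application-default action allow
commit

# --- Operational checks from the VyOS side (operational mode)
show vpn ike sa
show vpn ipsec sa
# While the PA drops the handshake, "show vpn ike sa" stays at init and the capture
# below shows only outbound UDP/500 packets with no reply from the peer:
sudo tcpdump -ni eth0 'host 203.0.113.10 and (udp port 500 or udp port 4500 or esp)'
```

If the capture shows IKE requests leaving but nothing coming back, the problem is on the far side (policy, zone or routing on the PA), not in the VyOS proposal set; if replies arrive but the SA never completes, compare the phase 1 and phase 2 proposals and the PFS group on both ends first.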