When trying to establish a cross-vendor or business to business IPSec tunnel, finding an exact match in settings can be difficult.
Palo Alto can provide some great troubleshooting debug tools if you know where to look.
To activate debugging for VPNs, SSH to the Palo Alto firewall, and active debugging with these commands:
# Debug the IPSec tunnel debug ike tunnel <IP-Sec-Tunnel:Proxy-ID> on debug # Debug the IKE debug ike gateway <IKE-Gateway> on debug # Open log file and update automatically with new content tail follow yes mp-log ikemgr.log
In a recent set-up, there was a proposal mismatch in the system logs that provided little detail. The Palo Alto was responding to a VPN initialisation from a peer.
The debug logs by SSH’ing provided a good clue to what was going wrong:
2021-08-18 10:54:35.438 +0100 [DEBG]: { 8: 81}: see whether there's matching transform
2021-08-18 10:54:35.438 +0100 [DEBG]: { 8: 81}: transform ID doesn't match: my [20], peer [18], skip to next ...
2021-08-18 10:54:35.438 +0100 [DEBG]: { 8: 81}: no peer transform matched; try next my transform proposal
2021-08-18 10:54:35.438 +0100 [DEBG]: { 8: 81}: none of my proposal matched
2021-08-18 10:54:35.438 +0100 [PERR]: { 8: 81}: no proposal chosen
The line transform ID doesn't match: my [20], peer [18], skip to next ... gave away the issue.
Comparing the table on IANAs IKEv2 Parameters, it shows that 20 corresponded to ‘ENCR_AES_GCM_16’, and 18 corresponded to ‘ENCR_AES_GCM_8’. I asked our peer to switch to ‘ENCR_AES_GCM_16’ and the VPN established on the next connection attempt.
If you still have the SSH windows open, you’ll see the latest output of the connection attempt, and be able to determine if it was successful or not.
Ctrl + C will exit the log file flow, and remember to turn off the debugs once finished:
# Debug the IPSec tunnel debug ike tunnel <IP-Sec-Tunnel:Proxy-ID> off # Debug the IKE debug ike gateway <IKE-Gateway> off
Leave a Reply