Palo Alto PCNSA – Chapter 10 – Site-to-Site VPN, part 2
- 10.9 IPsec troubleshooting
In this video we are covering PCNSA 210, and this is our chapter ten, site-to-site VPN. This is the ninth video of chapter ten, 10.9, IPsec troubleshooting. When you troubleshoot IPsec, really what you need to do is compare: compare one configuration against the other. I have opened the configuration that we did in the previous lesson, 10.8, and I have IPsec configured and working correctly on both Firewall A and Firewall B. As you can see, the first piece of information is the tunnel interface status; it should be green if you are monitoring that interface. Then we have the IKE phase 1 status, green when it is working, and the phase 2 status. If phase 1 is red, phase 2 is going to be red anyway; you are not going to have phase 2 green and phase 1 red.
It works in layers, kind of. So if you see a red somewhere, they are not working, and what you need to do is inspect all of these. Inspect what configuration you have under IKE Crypto: the encryption, the authentication and the Diffie-Hellman group have to match what is on Firewall B. So if you go to Internet Key Exchange cryptography, check that these do match. If the parameters here do not match, they are not going to create a security association. Then we look at the IPsec tunnels and at the tunnel information there. If you cannot find any problems there, you need to go to Monitor, then Logs.
Under System you should see system logs about the VPN. So you are going to see whether there is a problem. Tunnel status, for example: if it is green it means it is working, IPsec phase 2 is established; if it is red, it is not available or it has expired. Then we have the IKE gateway status: if it is working you have green, if not you have red, and the same goes for the tunnel interface. But the tunnel interface could be red if you are not monitoring, so those two could be green while the interface is red if you are not monitoring the interface. Now, these are some of the VPN error messages that we could have. For example, wrong IP and no connection: the remote gateway IP address is wrong, or there is no IP connectivity between the two public interfaces.
So, for example, you cannot ping the other side; for some reason you cannot reach the other side's public interface. No matching P1 or P2 (phase 1 or phase 2) proposals: you can see that you have the haggle we were talking about in the other lesson, and they have to match, for example the encryption, the hashing and the Diffie-Hellman group. If there is no match, then you are going to have a P1 timeout. Mismatched peer ID: P1 times out because the peer identifier does not match; the value entered for peer ID does not match. Then we have PFS group mismatch: this is a phase 2 timeout, and the problem may be that the Diffie-Hellman groups are mismatched. Then we have mismatched proxy ID.
For example, if the values of the proxy ID are mismatched, you have a P2 timeout. Here is an issue that we had earlier: IKE phase 2 negotiation failed when proposing proxy ID. So that is a phase 2 proxy ID problem, and if you look at the phase 2 proxy ID problem, the values for the local and remote proxy IDs are incorrect. Let's actually try to do that and bring about this phase 2 bad proxy ID problem. So what we are going to do is go to IPsec Tunnels, put in the wrong proxy ID, and we will see that problem. If I go to Proxy ID, I just change this to something that is not in the local network. So for 1 to 3, for example, I'll say 1, 2, 3; this doesn't exist. Or let's just change the remote, actually.
So 1, 2, 3 here, and we keep our normal local proxy ID, click OK and commit, and we are going to see that the negotiation is going to fail with a phase 2 mismatch. Okay, now the commit has completed successfully. If we go back and look, phase 2 is red. Phase 1 is green and the interface status is green, but phase 2 is red. If I go to Firewall A, it should be the same: if I go to IPsec Tunnels, phase 2 is the same, and as we see there is a problem here. So now we can monitor. If I go to Monitor, and under Logs, System, and let me refresh this (it refreshes anyway), you see "IKE phase-2 negotiation failed when processing proxy ID. cannot find matching phase-2 tunnel for receiving proxy ID".
So it is telling you that the received proxy ID is wrong. Now, if you look at the table, proxy ID was a phase 2 timeout: the values for the local and remote proxy IDs are not correct. That was the problem, because we changed the proxy ID under IPsec Tunnels, and we could go through all of these, for example changing the Diffie-Hellman group, putting in the wrong IP address and so on. So if I fix the proxy ID here back to 192.168.1.0, that's the correct one now. If I commit this, after the commit they will work, right? Okay, the commit has completed successfully. If I close this and check, the tunnel is back up. And if I go to Firewall A, where we were looking at Monitor, and refresh, then the VPN connection is fine.
- 10.10 Lab Site-to-Site VPN
In this video we are covering PCNSA 210, and this is our chapter ten, site-to-site VPN section. This is the tenth video of chapter ten, 10.10, Lab: Site-to-Site VPN. Everything that we learned in chapter ten on site-to-site VPN we are going to put into practice in the lab. So in this lab we are going to create and configure a tunnel interface to use in the site-to-site VPN connection; we need a logical layer 3 tunnel interface for our VPN configuration. We are going to configure an IKE gateway and an IKE crypto profile, that is for phase 1 of the VPN tunnel. Then we are going to configure an IPsec crypto profile and an IPsec tunnel. And then we are going to test the connectivity.
This is the lab topology that we will be using to demonstrate site-to-site VPN. I have two firewalls: Firewall A, which is connected to its own site, with inside zone network 192.168.1.0, and Firewall B, which is connected to site B, with inside zone network 10.1.1.0/24. I am managing Firewall A and Firewall B from my management station; this is the IP address I am managing Firewall A from, and this is the IP address I am managing Firewall B from. These are the public addresses for Firewall A and Firewall B, and these are the interfaces. And I am going to create a tunnel, because we do need a tunnel for the VPN configuration, but we don't really need to give it an IP address. I am going to give it an IP address, though, because I want to monitor these tunnels.
So if you do want to monitor the tunnels, you do need to give them an IP address as well. Okay, perfect. I am going to show you my firewalls now. If I switch to my firewalls, this is my firewall; let's go to Firewall A first. You can see that's Firewall A, and I am managing it from 192.168.1.254. If you look at the lab, .254 is Firewall A, and if I go to Firewall B, this is my Firewall B and I am managing it from the .253 management interface; if you look, that's the IP address I am managing it from. Okay. We are going to do the configuration on both firewalls, so you are going to see pretty much every configuration twice. I have removed everything that we did with IPsec tunnels in the previous lesson.
So everything is clean and ready to go. When we configure IPsec VPN tunnels, the first thing we need to do is create this virtual interface, the tunnel interface. All the configuration we need to do is under Network: we need to go to Interfaces to configure the tunnel, then configure the IKE crypto profile, then the IKE gateway, the IPsec crypto profile and then the IPsec tunnel. So four things after the tunnel, everything under Network. To configure this virtual tunnel interface for our VPN configuration, we go to Network, Interfaces, Tunnel and click Add. Now, the tunnel interface name is read-only, we can't change the name, but we give it an identification number.
For example, I am going to use 55; I'll just pick that number. It can be any number you want, and this number doesn't have to match on both firewalls. In the comment I am not going to write anything, but obviously in production you write your own comments. The tunnel interface does require to be part of a virtual router and a security zone; those are the two requirements. You don't need to give it an IP address unless you are monitoring or you are using dynamic routing protocols. For the virtual router I am going to put it in the VR lab virtual router, and for the security zone I am going to create a new zone called VPN. So I'll just type VPN here, and that's it for this section. Then I go to the IPv4 configuration and now give it an IP address.
If you look at my lab, you see the IP address I am going to use for this tunnel: it's 172.16.12.1, so add 172.16.12.1/24. That's my tunnel configured on Firewall A. On Firewall B I am going to do the same thing, just with a different IP address. Go to Network, then Interfaces, then Tunnel, and click Add. In there I am going to put the interface name; obviously I can't change it, and for the number I am going to put 55, but like I said it can be any number you want. Virtual router: well, it is its own virtual router; even though the names are the same, it's actually a different one, Firewall B's own virtual router, and it needs to have, for example, a static route or a dynamic route for how to get to the public address of Firewall A. Security zone: again, in this one I am going to create a new zone called VPN, and click OK.
And for this tunnel interface, if I look at the lab, the IP address is 172.16.12.2, so I go to IPv4 and give it the address 172.16.12.2/24. Okay, this is done. So the tunnel interface, the first step, is done on both firewalls: Firewall B has .12.2 and Firewall A has .12.1. The next thing I need to configure, if I scroll down in Firewall A, is IKE Crypto, Internet Key Exchange cryptography. I already have some default ones, but I am going to make my own. Click Add; these are the five parameters that actually have to match for the tunnel to be created. The name I am going to put as Firewall A, and it's going to be Diffie-Hellman group 2, SHA-2, AES-2, sorry, SHA-256 I should say, and AES-256.
These are the parameters I am going to put in: here Diffie-Hellman group 2, authentication is going to be SHA-256, that's integrity, and for encryption, that's confidentiality, AES-256. That's it. I am going to do the same configuration on the other side; let me just copy this name so I don't need to write it again. So this is my Firewall A configured. Now I will go to Firewall B and do the same configuration: go further down to IKE Crypto, click Add, and this is B1, the same group. Diffie-Hellman group 2, authentication, that's for integrity, SHA-256, and confidentiality AES-256. And the timers: if you saw the timers, it's 8 hours, and we can go down to three minutes if you want to.
But the key lifetime, if you want to renegotiate phase 1, is going to be every 8 hours. Okay, so here is the configuration for Firewall B and this is the configuration for Firewall A; it's exactly the same really, there's no difference. The next thing we are going to configure, in Firewall A, is IKE (Internet Key Exchange) Gateways. Here I am going to create a brand new one and give it a name, Firewall A IKE gateway. Now you can see the version: we can have version 1 only, version 2 only, or version 2 preferred mode. I am going to use version 1 only on both sides, and the address type is going to be IPv4. The interface is the local interface, so you can look at the lab: the local interface is ethernet1/1 and that's the IP address.
So I have ethernet1/1 and the IP address is 203.0.113.20. Then the neighbour: I can identify it by IP address, fully qualified domain name or dynamic. I am going to use IP address. If you look, the IP address is 203.0.113.40, this is the public one; that's the neighbour's IP address. And I can authenticate these two peers either by certificates or by a pre-shared key, and I am going to use a pre-shared key. I'll put "Palo Alto" as the password. Local identification and peer identification, again I can do with a fully qualified domain name, IP address or key ID; I am not going to use them.
So just None. Then under the advanced options I have Enable Passive Mode: if I select that, this firewall is not going to initiate any IPsec tunnel negotiation or IKE negotiation. Enable NAT Traversal: this is, for example, if you don't want NAT to do what it does, network address translation. Okay, exchange mode: we have auto, main and aggressive. Main is going to go through proposals and agreements, while aggressive is just going to send everything in one go. I am going to leave it on auto, and for the IKE crypto profile I'll put the one that I just created, this 256 one.
That's it, that's my IKE gateway done, so phase 1 is complete. I'll do Firewall B, same thing: go to IKE Gateways, click Add, and under name I'll just put Firewall B IKE gateway. Same thing for the interface: if you look at the lab topology, .40 is the IP address, so this is going to be .40, and the neighbour is going to be 203.0.113.20. So I am identifying the neighbours by IP address; the neighbour for this firewall is going to be this. And we share the key, Palo Alto; that's going to be the authentication with the pre-shared key. Then under advanced options, again the IKE crypto profile: I'll put the one that we created, Firewall B, group 2, SHA-256, AES-256, done. So phase 1 is done on both sides.
So if you click on both sides we have it. Now we need to do IPsec Crypto. Again, the five parameters have to match; they go through the haggle a bit. So I click Add to put in a new one, and this is going to be Firewall A IPsec crypto (crypto, sorry). We are going to use ESP, Encapsulating Security Payload, rather than AH; well, you need to watch the videos if you want to know a bit more about them, the encryption and authentication. So confidentiality is going to be AES-256, integrity is going to be SHA-256, and Diffie-Hellman group 2; we are going to leave it at the default, and the lifetime is every 1 hour we are going to do phase 2, change it, well, renegotiate. That's it. I am going to do the same configuration for Firewall B.
If I go to IPsec Crypto and add a new one here, this is going to be Firewall B IPsec crypto. Again ESP and 256 everything: AES-256 and SHA-256, and click OK. So now it's done; we have phase 1 and phase 2. So we just need to put everything back together, and to put everything together we need to go under IPsec Tunnels and create a tunnel there. I'll click Add, and we are going to say Firewall A IPsec tunnel. The tunnel interface: no, "tunnel", let me spell it correctly, tunnel. The tunnel interface is going to be tunnel.55 that we put there, the IKE gateway is the one that we created, FWA, and the profile is the one that we just created.
To be able to monitor this tunnel we need to press Show Advanced Options, then tick Tunnel Monitor and put the destination IP address of the tunnel. The destination IP address is going to be 172.16.12.2, the neighbour's tunnel address. Then the proxy ID is to identify what network the neighbour is going to be sending. So here I'll put a name, net ID, and the local ID: the local network, you can see, is 192.168.1.0 and the neighbour's is 10.1.1.0. So the local is 192.168.1.0/24 and the neighbour is 10.1.1.0/24. The most mistakes can happen here in the proxy ID, if you are not identifying the correct neighbour's addresses and so on.
I click OK and I am done; Firewall A is done. At the moment I have not committed, but you can see the interface status is down, phase 1 is down, phase 2 is down. So go to Firewall B and I'll do the same configuration: go to IPsec Tunnels, click Add, and I am going to call this Firewall B IPsec tunnel. Tunnel interface, again the same one we created; the gateway is the one we just created; and the crypto profile, or IPsec crypto profile, is the one that we just created. Again here we are going to show the advanced options so we can see the tunnel monitor, and for this one you can see the tunnel IP address of the neighbour is this.
So I need to put the neighbour's IP address, 172.16.12.1, and for the proxy ID I am going to put, for example, net ID, local address, so the local inside zone address, and then the remote zone address. So I am going to be sending anything from the network 10.1.1.0/24, while the remote is 192.168.1.0/24. That's it; we have configured the IPsec tunnelling, everything, correctly. Now we are just going to commit on both sides and this should go green. So commit here, and I will go to Firewall A and commit on Firewall A as well. Okay, on Firewall A the commit has completed successfully, this is good, and I can see all greens, which is good. I'll look at Firewall B. The commit has completed successfully; I got some warnings here, no threat license and so on.
But everything about the tunnel is a success. So again here it is green as well, which means the interface is up, phase 1 is up, phase 2 is up. If I click on Tunnel Info, okay, as you can see, the name, local IP address; you can zoom in or expand this so we can see it nicely: the local IP address, the peer IP address, monitors and so on. So you can see that it's actually working. As well, we can look at phase 1: this is the configuration for phase 1, when it was created, when it expires and so on. And we can look at Monitor, Logs, and then the System logs. This is going to show us the VPN; we can even filter to see just the VPN entries.
If I click on VPN here, that will filter only the VPN; apply this filter and you can see everything that happened through the VPN. Up to here, this was previously, when we were doing the troubleshooting video; now you can see that it has worked and the VPN has been set up. Okay, so we can actually go to the open PuTTY session, I am already logged in, and we can look at some of the VPN commands, for example show vpn ike-sa. This will show us a bit more information about the IKE SA we have. I just need to make these letters a bit smaller so we can actually see things a bit better: Appearance, and I'll change the font to something small.
So 8, for example. Okay, well, that's too small; let me change the font back to 10, maybe. Okay, let me repeat that command again. You can see the tunnel, the gateway, the role (initiator or responder), the algorithm. You can see pretty much the configuration and that they are actually working. If you need to troubleshoot, the best place to go to is actually here, under System, and look at VPN: if we have a problem it's going to appear here. Okay, let's make a problem; let's make one problem very quickly and then we wrap it up. So if I go to IPsec Tunnels, it's all working fine now, and if I change maybe the peer ID, so I'll put the peer ID as something else, something wrong.
So Proxy ID, remote: instead of 10, for example, let's put 20. That's a mistake made here, right? I'll click OK and commit it. Now the commit has completed successfully, and we can look at it. If I close this, you can see the interface is still up and phase 1 is still okay, but phase 2 now has a problem, that's why it's red. If I go to Firewall B it's going to be the same thing; just refresh this and you will see this one is going to go red. We know the reason, because we changed the proxy ID. But to see the problem, if you don't know the problem, you have to go to Monitor, then under Logs go to System, and under System you can either filter to VPN or just look at everything; it will be here. It says, look, it says IKE
phase-2 negotiation failed when processing proxy ID. cannot find matching phase-2 tunnel for receiving proxy ID. So it's already telling us that phase 2 is not working. Phase 1 was fine, it's all green; phase 2 is not working and there's a problem with the proxy ID. Because it's a proxy ID problem, you have to go and fix that proxy ID. So let's go and fix it very quickly and then we can wrap it up: Proxy ID, change this back to what it is supposed to be, instead of 20 I'll put 10, and commit it quickly. This should go green again. Okay, excellent, the commit has completed successfully. Close this and you can see that's gone green. It should be on Firewall B as well: if I go to Network, IPsec Tunnels, this should go green. There we go.
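As an added example (not part of the lesson, not Palo Alto code, and not the PAN-OS API), here is a small Python checker that does the "compare one configuration against the other" step of 10.9 offline, over the objects built in the lab of 10.10: IKE crypto, IKE gateway, IPsec crypto, and the IPsec tunnel with its tunnel monitor and proxy IDs. It maps each mismatch to where it surfaces (P1 or P2, per the lesson's error table) and predicts the phase 1 / phase 2 lights using the layering rule, a red phase 1 always drags phase 2 red. The PeerConfig field names, the 203.0.113.x public addresses, the pre-shared key and the site networks are all constructed sample values modelled on the lab as spoken, not a real deployment.

```python
"""Cross-check both ends of a site-to-site IPsec tunnel and predict the GUI status lights.

Added example: not Palo Alto code and not the PAN-OS API. Field names mirror the GUI
objects from the lesson; every value below is a constructed lab sample.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PeerConfig:
    name: str
    public_ip: str              # address on the IKE gateway's local interface
    peer_address: str           # IKE Gateway: Peer Address (other firewall's public IP)
    ike_version: str            # IKE Gateway: "ikev1" or "ikev2"
    ike_dh: str                 # IKE Crypto: DH group
    ike_auth: str               # IKE Crypto: authentication (integrity)
    ike_enc: str                # IKE Crypto: encryption (confidentiality)
    psk: str                    # pre-shared key, compared for equality only
    local_id: Optional[str]     # IKE Gateway: Local Identification (None = not set)
    peer_id: Optional[str]      # IKE Gateway: Peer Identification (None = not set)
    ipsec_enc: str              # IPsec Crypto: ESP encryption
    ipsec_auth: str             # IPsec Crypto: ESP authentication
    pfs_group: Optional[str]    # IPsec Crypto: DH group for PFS (None = no PFS)
    tunnel_ip: str              # tunnel interface address (needed for tunnel monitor)
    monitor_dst: Optional[str]  # IPsec Tunnel: Tunnel Monitor destination IP
    proxy_local: str            # Proxy ID: Local network
    proxy_remote: str           # Proxy ID: Remote network


Finding = Tuple[str, str]  # (where it surfaces: "phase1" / "phase2" / "monitor", detail)


def _net(cidr: str) -> str:
    """Normalise a prefix so 10.1.1.0/24 and 10.1.1.5/24 compare equal."""
    return str(ip_network(cidr, strict=False))


def compare_peers(a: PeerConfig, b: PeerConfig) -> List[Finding]:
    """One finding per mismatch; an empty list means the tunnel should come up."""
    out: List[Finding] = []
    both = ((a, b), (b, a))
    # Wrong IP / no connection: each peer address must be the other end's public IP.
    for x, y in both:
        if x.peer_address != y.public_ip:
            out.append(("phase1", f"{x.name} peer address {x.peer_address} != {y.name} public IP {y.public_ip}"))
    # No matching P1 proposal: version, DH group, hash and cipher must match exactly.
    for f in ("ike_version", "ike_dh", "ike_auth", "ike_enc"):
        if getattr(a, f) != getattr(b, f):
            out.append(("phase1", f"{f}: {getattr(a, f)} vs {getattr(b, f)} (P1 timeout)"))
    if a.psk != b.psk:
        out.append(("phase1", "pre-shared keys differ"))
    # Mismatched peer ID: what one side expects must be what the other side presents.
    for x, y in both:
        if x.peer_id is not None and x.peer_id != y.local_id:
            out.append(("phase1", f"{x.name} expects peer ID {x.peer_id!r}, {y.name} presents {y.local_id!r}"))
    # No matching P2 proposal / PFS group mismatch.
    for f in ("ipsec_enc", "ipsec_auth", "pfs_group"):
        if getattr(a, f) != getattr(b, f):
            out.append(("phase2", f"{f}: {getattr(a, f)} vs {getattr(b, f)} (P2 timeout)"))
    # Mismatched proxy ID: the proxy IDs are mirrored, A's local network is B's remote.
    for x, y in both:
        if _net(x.proxy_local) != _net(y.proxy_remote):
            out.append(("phase2", f"{x.name} local proxy {x.proxy_local} != {y.name} remote proxy {y.proxy_remote}"))
    # Tunnel monitor: the destination must be the other end's tunnel interface address.
    for x, y in both:
        if x.monitor_dst is not None and x.monitor_dst != y.tunnel_ip:
            out.append(("monitor", f"{x.name} monitors {x.monitor_dst}, but {y.name} tunnel address is {y.tunnel_ip}"))
    return out


def tunnel_status(findings: List[Finding]) -> Dict[str, str]:
    """Phase 1 / phase 2 lights with the lesson's layering: red phase 1 forces phase 2 red."""
    phases = {ph for ph, _ in findings}
    p1 = "red" if "phase1" in phases else "green"
    p2 = "red" if p1 == "red" or "phase2" in phases else "green"
    return {"phase1": p1, "phase2": p2}


# Constructed lab values modelled on the lesson's topology (sample data, not a real site).
FW_A = PeerConfig(
    name="Firewall A", public_ip="203.0.113.20", peer_address="203.0.113.40",
    ike_version="ikev1", ike_dh="group2", ike_auth="sha256", ike_enc="aes-256-cbc",
    psk="sample-psk-not-real", local_id=None, peer_id=None,
    ipsec_enc="aes-256-cbc", ipsec_auth="sha256", pfs_group="group2",
    tunnel_ip="172.16.12.1", monitor_dst="172.16.12.2",
    proxy_local="192.168.1.0/24", proxy_remote="10.1.1.0/24",
)
FW_B = replace(
    FW_A, name="Firewall B", public_ip="203.0.113.40", peer_address="203.0.113.20",
    tunnel_ip="172.16.12.2", monitor_dst="172.16.12.1",
    proxy_local="10.1.1.0/24", proxy_remote="192.168.1.0/24",
)
# The fault the lesson introduces on purpose (one remote proxy ID changed) and a P1 fault.
FW_A_BAD_PROXY = replace(FW_A, proxy_remote="10.1.20.0/24")
FW_A_BAD_DH = replace(FW_A, ike_dh="group14")

if __name__ == "__main__":
    for label, a in (("healthy", FW_A), ("bad proxy ID", FW_A_BAD_PROXY), ("bad DH group", FW_A_BAD_DH)):
        found = compare_peers(a, FW_B)
        print(label, tunnel_status(found), *[f"\n  [{ph}] {msg}" for ph, msg in found])
```

Run it as a script to see the three cases; the proxy ID fault reports only a phase 2 finding (phase 1 stays green, exactly what the GUI shows in the lesson), while the DH group fault turns both lights red. The proxy ID check is deliberately asymmetric in the same way the firewall is: it compares each side's local network with the other side's remote network, so a wrong remote on one firewall produces exactly one finding.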