Tuesday, 8 October 2013

IPSec VPNs and IKE

One to watch out for when you're setting up a site-site VPN - IKE versions. You may get very little in the way of debug output from your VPN gateways/endpoints if your IKE versions don't match, it may just be a NO-PROPOSAL-CHOSEN notify message from one of the gateways. But the sure way to check for a mis-match is (as always) with a packet capture:

Check the IKE version in the INIT packet:

















And then the IKE version in any corresponding reply:














This particular VPN was a site-site VPN for an Azure Virtual Network to a Palo Alto firewall and the mistake that we'd made was to use the "Dynamic Routing" option when creating the VPN Gateway within Azure.
With dynamic routing set, Azure defaults to using IKEv2 but with static routing it will switch to IKEv1 and your Phase 1 and Phase 2 SAs will come alive as if by magic!
Further info on Azure VPN parameters here :
http://msdn.microsoft.com/en-us/library/windowsazure/jj156075.aspx

Update:

Somewhere between the previous version of PANOS and what we are currently running (v 5.0.8) the log messages on our Palo Alto have been updated to be clearer when it comes to IKE version mismatches. What we see now is the following output in the system logs :

- 0:10.11.12.1[500] - 13.14.15.16[500]:0xf34075b8:unknown ikev2 peer

Further Update:

After recently re-visiting Azure I hit the same problem as previously but now in a different manner. Azure also supports the use of Point to Site VPNs which you can setup at the same time as a Site to Site VPN when creating a new Virtual Network.



However, if you chose to create both at the same time, at the point you come to create a Gateway you will not have the option of choosing between Static and Dynamic routing. This is because Point to Site VPNs on Azure only support Dynamic routing so the Gateway will default to Dynamic routing.

No comments:

Post a Comment