Phase 2 on Site-to-Site IPsec VPN b/w Fortigate 300C and Palo Alto on AWS not working.

syed · ‎06-09-2017

Issue Phase 2 not working for Site-to-Site IPsec VPN b/w Fortigate and Palo Alto .The same confguration from paloalto is working without any issue with Cisco Router and ASA.

Using Main Mode not Aggressive mode any help will be highly appreciated.

Topology:

======

x.x.x.x---PaloAlto-eth-1/1---------wan------Fortigate300C

Configuration:

=========

Fortigate-300C

$ show full-configuration vpn ipsec phase1-interface cisco

config vpn ipsec phase1-interface

edit "cisco"

set type static

set interface "v410-outside"

set ip-version 4

set ike-version 1

set local-gw y.y.y.y

set nattraversal enable

set keylife 86400

set authmethod psk

set mode main

set peertype any

set mode-cfg enable

set proposal 3des-sha1

set add-route enable

set localid-type address

set negotiate-timeout 30

set fragmentation enable

set dpd enable

set forticlient-enforcement disable

set comments "VPN: cisco (Created by VPN wizard)"

set npu-offload enable

set dhgrp 5

set wizard-type custom

set xauthtype disable

set mesh-selector-type disable

set remote-gw 34.211.168.x

set monitor ''

set assign-ip enable

set mode-cfg-ip-version 4

set unity-support enable

set add-gw-route disable

set psksecret ENC CsFrC/6tLWACXFM90iISbYgK5LE6+zHMknq8S1FGQH/TTR2S5LcoGbdX6QSUDTxjYkXxEWOOwUjxCxUAkHaUPW7hCQt9fW2EHPe9dIffmrNlrbt/1APHC81VgHJir3trCUjVq4+qEzGYH25zTVia7IqLyNK9kFV1XkWZbP4VDCdReohoBfGre94QhtMmyXf0ZtpwJA==

set keepalive 10

set distance 15

set priority 0

set auto-negotiate enable

set dpd-retrycount 3

set dpd-retryinterval 5

$ show full-configuration vpn ipsec phase2-interface cisco

config vpn ipsec phase2-interface

edit "cisco"

set phase1name "cisco"

set proposal 3des-sha1

set pfs enable

set dhgrp 5

set replay enable

set keepalive enable

set auto-negotiate enable

set keylife-type seconds

set encapsulation tunnel-mode

set comments "VPN: cisco (Created by VPN wizard)"

set keylifeseconds 3600

$ show full-configuration firewall policy 6

config firewall policy

edit 6

set uuid 82a62378-400d-51e7-4702-73c93f53dd7b

set srcintf "v863-inside"

set dstintf "cisco"

set srcaddr "cisco_local"

set dstaddr "cisco_remote"

set rtp-nat disable

set action accept

set status enable

set schedule "always"

set schedule-timeout disable

set service "ALL"

set utm-status disable

set logtraffic utm

set logtraffic-start disable

set capture-packet disable

set auto-asic-offload enable

set wanopt disable

set webcache disable

set session-ttl 0

set vlan-cos-fwd 255

set vlan-cos-rev 255

set wccp disable

set disclaimer disable

set natip 0.0.0.0 0.0.0.0

set match-vip disable

set diffserv-forward disable

set diffserv-reverse disable

set tcp-mss-sender 0

set tcp-mss-receiver 0

set comments "VPN: cisco (Created by VPN wizard)"

set label ''

set global-label ''

set block-notification disable

set replacemsg-override-group ''

set srcaddr-negate disable

set dstaddr-negate disable

set service-negate disable

set timeout-send-rst disable

set captive-portal-exempt disable

set traffic-shaper ''

set traffic-shaper-reverse ''

set per-ip-shaper ''

set nat disable

$ show full-configuration firewall policy 7

config firewall policy

edit 7

set uuid 82b08bf6-400d-51e7-311f-c80937989395

set srcintf "cisco"

set dstintf "v863-inside"

set srcaddr "cisco_remote"

set dstaddr "cisco_local"

set rtp-nat disable

set action accept

set status enable

set schedule "always"

set schedule-timeout disable

set service "ALL"

set utm-status disable

set logtraffic utm

set logtraffic-start disable

set capture-packet disable

set auto-asic-offload enable

set wanopt disable

set webcache disable

set session-ttl 0

set vlan-cos-fwd 255

set vlan-cos-rev 255

set wccp disable

set disclaimer disable

set natip 0.0.0.0 0.0.0.0

set match-vip disable

set diffserv-forward disable

set diffserv-reverse disable

set tcp-mss-sender 0

set tcp-mss-receiver 0

set comments "VPN: cisco (Created by VPN wizard)"

set label ''

set global-label ''

set block-notification disable

set replacemsg-override-group ''

set srcaddr-negate disable

set dstaddr-negate disable

set service-negate disable

set timeout-send-rst disable

set captive-portal-exempt disable

set traffic-shaper ''

set traffic-shaper-reverse ''

set per-ip-shaper ''

set nat disable

$ show full-configuration firewall address cisco_local_subnet_1

config firewall address

edit "cisco_local_subnet_1"

set uuid 828176e0-400d-51e7-880c-2eed704b2793

set type ipmask

set comment ''

set visibility enable

set associated-interface ''

set color 0

set subnet 173.192.75.160 255.255.255.224

$ show full-configuration firewall address cisco_remote_subnet_1

config firewall address

edit "cisco_remote_subnet_1"

set uuid 8295e6e8-400d-51e7-334f-c26778b87cc5

set type ipmask

set comment ''

set visibility enable

set associated-interface ''

set color 0

set subnet 172.31.64.0 255.255.240.0

$ show full-configuration router static

config router static

edit 2

set dst 172.31.64.0 255.255.240.0

set distance 10

set weight 0

set priority 0

set device "cisco"

set comment "VPN: cisco (Created by VPN wizard)"

set blackhole disable

set dynamic-gateway disable

set virtual-wan-link disable

$ show system interface

name name

cisco static 0.0.0.0 0.0.0.0 up disable tunnel

ssl.firewall001 static 0.0.0.0 0.0.0.0 up disable tunnel

v410-outside static 173.192.36.x 255.255.255.252 up disable vlan

v863-inside static 173.192.75.x 255.255.255.224 up disable vlan

$ get vpn ike gateway

name: cisco

version: 1

interface: v410-outside 22

addr: 173.192.36.y:4500 -> 34.211.191.x:4500

created: 1s ago

IKE SA created: 1/1 established: 1/1 time: 150/150/150 ms

IPsec SA created: 1/1

id/spi: 54402 24bb8b6b348be7f0/698c605ca60cb804

direction: initiator

status: established 1-0s ago = 150ms

proposal: 3des-sha1

key: 5ec78c99665a2eb5-cb4d993a387e4d66-f8f4204b625871e6

lifetime/rekey: 86400/86099

DPD sent/recv: 00000000/00000000

Palo-Alto:

======

Exiting configuration mode

admin@PA-VM> show config running

config {

mgt-config {

users {

admin {

phash $1$whhpfefg$sqWvYGgEilFCqG/6pcIwY0;

permissions {

role-based {

superuser yes;

}

public-key

}

shared {

application;

application-group;

service;

service-group;

botnet {

configuration {

http {

dynamic-dns {

enabled yes;

threshold 5;

}

malware-sites {

enabled yes;

threshold 5;

}

recent-domains {

enabled yes;

threshold 5;

}

ip-domains {

enabled yes;

threshold 10;

}

executables-from-unknown-sites {

enabled yes;

threshold 5;

}

other-applications {

irc yes;

}

unknown-applications {

unknown-tcp {

destinations-per-hour 10;

sessions-per-hour 10;

session-length {

maximum-bytes 100;

minimum-bytes 50;

}

unknown-udp {

destinations-per-hour 10;

sessions-per-hour 10;

session-length {

maximum-bytes 100;

minimum-bytes 50;

}

report {

topn 100;

scheduled yes;

}

devices {

localhost.localdomain {

network {

interface {

ethernet {

ethernet1/1 {

layer3 {

ipv6 {

neighbor-discovery {

router-advertisement {

enable no;

}

ndp-proxy {

enabled no;

}

ip {

172.31.87.Y/20;

}

lldp {

enable no;

}

interface-management-profile ping-ssh-https;

}

ethernet1/2 {

layer3 {

ipv6 {

neighbor-discovery {

router-advertisement {

enable no;

}

ndp-proxy {

enabled no;

}

ip {

172.31.70.210/20;

}

lldp {

enable no;

}

interface-management-profile ping-ssh-https;

}

tunnel {

units {

tunnel.1 {

comment fortinet;

ipv6 {

enabled no;

interface-id EUI-64;

}

loopback {

units {

loopback.1 {

adjust-tcp-mss {

enable no;

}

ip {

192.168.208.91/32;

}

profiles {

monitor-profile {

default {

interval 3;

threshold 5;

action wait-recover;

}

interface-management-profile {

ping-ssh-https {

https yes;

ssh yes;

ping yes;

}

ike {

crypto-profiles {

ike-crypto-profiles {

default {

encryption 3des;

hash sha1;

dh-group group5;

lifetime {

hours 8;

}

Suite-B-GCM-128 {

encryption aes-128-cbc;

hash sha256;

dh-group group19;

lifetime {

hours 8;

}

Suite-B-GCM-256 {

encryption aes-256-cbc;

hash sha384;

dh-group group20;

lifetime {

hours 8;

}

ipsec-crypto-profiles {

default {

esp {

encryption 3des;

authentication sha1;

}

dh-group group5;

lifetime {

hours 1;

}

Suite-B-GCM-128 {

esp {

encryption aes-128-gcm;

authentication none;

}

dh-group group19;

lifetime {

hours 1;

}

Suite-B-GCM-256 {

esp {

encryption aes-256-gcm;

authentication none;

}

dh-group group20;

lifetime {

hours 1;

}

global-protect-app-crypto-profiles {

default {

encryption aes-128-cbc;

authentication sha1;

}

gateway {

Fortinet {

authentication {

pre-shared-key {

key -AQ==UL/Mnp9OorxxbXCt9VkX8kMn64c=ot2WINmmjlwRtCEjzPSFDA==;

}

protocol {

ikev1 {

dpd {

enable yes;

}

ikev2 {

dpd {

enable yes;

}

local-address {

ip 172.31.87.Y/20;

interface ethernet1/1;

}

protocol-common {

nat-traversal {

enable yes;

}

fragmentation {

enable no;

}

passive-mode no;

}

peer-address {

ip 173.192.36.Z;

}

local-id {

id 172.31.87.Y;

type ipaddr;

}

peer-id {

id 173.192.36.X;

type ipaddr;

}

qos {

profile {

default {

class {

class1 {

priority real-time;

}

class2 {

priority high;

}

class3 {

priority high;

}

class4 {

priority medium;

}

class5 {

priority medium;

}

class6 {

priority low;

}

class7 {

priority low;

}

class8 {

priority low;

}

virtual-router {

default {

protocol {

bgp {

enable no;

dampening-profile {

default {

cutoff 1.25;

reuse 0.5;

max-hold-time 900;

decay-half-life-reachable 300;

decay-half-life-unreachable 900;

enable yes;

}

routing-options {

graceful-restart {

enable yes;

}

rip {

enable no;

}

ospf {

enable no;

}

ospfv3 {

enable no;

}

interface [ ethernet1/1 ethernet1/2 loopback loopback.1 tunnel.1];

ecmp {

algorithm {

ip-modulo;

}

routing-table {

ip {

static-route {

STATIC-ROUTE {

nexthop {

ip-address 172.31.80.1;

}

bfd {

profile None;

}

path-monitor {

enable no;

failure-condition any;

hold-time 2;

}

interface ethernet1/1;

metric 10;

admin-dist 10;

destination 0.0.0.0/0;

route-table {

unicast;

}

fortinet {

path-monitor {

enable no;

failure-condition any;

hold-time 2;

}

bfd {

profile None;

}

interface tunnel.1;

metric 10;

destination 173.192.75.160/27;

route-table {

unicast;

}

tunnel {

ipsec {

Fortinet-Fortigate {

auto-key {

ike-gateway {

Fortinet;

}

proxy-id {

Fortinet-Fortigate {

protocol {

any;

}

local 172.31.64.0/20;

remote 173.192.75.160/27;

}

tunnel-monitor {

enable no;

}

tunnel-interface tunnel.1;

anti-replay no;

}

deviceconfig {

system {

type {

dhcp-client {

send-hostname yes;

send-client-id no;

accept-dhcp-hostname no;

accept-dhcp-domain no;

}

update-server updates.paloaltonetworks.com;

update-schedule {

threats {

recurring {

weekly {

day-of-week wednesday;

at 01:02;

action download-only;

}

timezone US/Pacific;

service {

disable-telnet yes;

disable-http yes;

}

hostname PA-VM;

dns-setting {

servers;

}

setting {

config {

rematch yes;

}

management {

hostname-type-in-syslog FQDN;

initcfg {

type {

dhcp-client {

send-hostname yes;

send-client-id no;

accept-dhcp-hostname no;

accept-dhcp-domain no;

}

public-key

}

vsys {

vsys1 {

application;

application-group;

zone {

untrust {

network {

layer3 [ ethernet1/1 loopback.1 tunnel.1];

}

trust {

network {

layer3 ethernet1/2;

}

service;

service-group;

schedule;

rulebase {

security {

rules {

ubtrust-trust {

to trust;

from untrust;

source any;

destination any;

source-user any;

category any;

application any;

service application-default;

hip-profiles any;

action allow;

}

import {

network {

interface [ ethernet1/1 ethernet1/2 loopback.1 tunnel.1];

}

admin@PA-VM> show vpn gateway

GwID Name Peer-Address/ID Local Address/ID Protocol Proposals

---- ---- --------------- ---------------- -------- ---------

9 Fortinet 173.192.36.X(ipaddr:173.192.3 172.31.87.Y(ipaddr:172.31.87 Auto(aggr) [PSK][DH5][3DES][SHA1]28800-sec

logs:

admin@PA-VM> tail follow yes mp-log ikemgr.log

2017-06-09 02:14:06.952 -0700 [PERR]: { 9: }: mode config 6 from 173.192.36.X[4500], but auth method is PSK.

2017-06-09 02:14:11.002 -0700 [PNTF]: { 9: }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=889301917a1453d9 4a3ea1f10d53a2aa (size=16).

2017-06-09 02:14:14.953 -0700 [PERR]: { 9: }: mode config 6 from 173.192.36.X[4500], but auth method is PSK.

2017-06-09 02:14:16.053 -0700 [PNTF]: { 9: }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=889301917a1453d9 4a3ea1f10d53a2aa (size=16).

2017-06-09 02:14:21.103 -0700 [PNTF]: { 9: }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=889301917a1453d9 4a3ea1f10d53a2aa (size=16).

2017-06-09 02:14:26.154 -0700 [PNTF]: { 9: }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=889301917a1453d9 4a3ea1f10d53a2aa (size=16).

2017-06-09 02:14:30.954 -0700 [PERR]: { 9: }: mode config 6 from 173.192.36.X[4500], but auth method is PSK.

2017-06-09 02:14:31.205 -0700 [PNTF]: { 9: }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=889301917a1453d9 4a3ea1f10d53a2aa (size=16).

2017-06-09 02:14:36.255 -0700 [PNTF]: { 9: }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=889301917a1453d9 4a3ea1f10d53a2aa (size=16).

2017-06-09 02:14:41.306 -0700 [PNTF]: { 9: }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=889301917a1453d9 4a3ea1f10d53a2aa (size=16).

2017-06-09 02:14:46.356 -0700 [PNTF]: { 9: }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=889301917a1453d9 4a3ea1f10d53a2aa (size=16).

2017-06-09 02:14:51.407 -0700 [PNTF]: { 9: }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=889301917a1453d9 4a3ea1f10d53a2aa (size=16).

2017-06-09 02:14:56.457 -0700 [PNTF]: { 9: }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=889301917a1453d9 4a3ea1f10d53a2aa (size=16).

2017-06-09 02:15:01.508 -0700 [PNTF]: { 9: }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=889301917a1453d9 4a3ea1f10d53a2aa (size=16).

2017-06-09 02:15:02.958 -0700 [INFO]: { 9: }: IKE ISAKMP KEY_DELETE recvd: cookie:889301917a1453d9:4a3ea1f10d53a2aa.

2017-06-09 02:15:03.959 -0700 [PNTF]: { 9: }: ====> PHASE-1 NEGOTIATION STARTED AS RESPONDER, MAIN MODE <====

====> Initiated SA: 172.31.87.Y[500]-173.192.36.X[500] cookie:e071c365a4bad487:b29ba8d398ce0521 <====

2017-06-09 02:15:03.959 -0700 [INFO]: { 9: }: received Vendor ID: RFC 3947

2017-06-09 02:15:03.959 -0700 [INFO]: { 9: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03

2017-06-09 02:15:03.959 -0700 [INFO]: { 9: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2017-06-09 02:15:03.959 -0700 [INFO]: { 9: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01

2017-06-09 02:15:03.959 -0700 [INFO]: { 9: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00

2017-06-09 02:15:03.959 -0700 [INFO]: { 9: }: received Vendor ID: DPD

2017-06-09 02:15:03.959 -0700 [INFO]: { 9: }: received Vendor ID: FRAGMENTATION

2017-06-09 02:15:03.959 -0700 [INFO]: { 9: }: Selected NAT-T version: RFC 3947

2017-06-09 02:15:04.000 -0700 [INFO]: { 9: }: ====> PHASE-1 SA LIFETIME EXPIRED <====

====> Expired SA: 172.31.87.Y[4500]-173.192.36.X[4500] cookie:889301917a1453d9:4a3ea1f10d53a2aa <====

2017-06-09 02:15:04.000 -0700 [INFO]: { 9: }: ====> PHASE-1 SA DELETED <====

====> Deleted SA: 172.31.87.Y[4500]-173.192.36.X[4500] cookie:889301917a1453d9:4a3ea1f10d53a2aa <====

2017-06-09 02:15:04.012 -0700 [INFO]: { 9: }: Hashing 172.31.87.Y[500] with algo #2

2017-06-09 02:15:04.012 -0700 [INFO]: { 9: }: NAT-D payload #0 doesn't match

2017-06-09 02:15:04.012 -0700 [INFO]: { 9: }: Hashing 173.192.36.X[500] with algo #2

2017-06-09 02:15:04.012 -0700 [INFO]: { 9: }: NAT-D payload #1 verified

2017-06-09 02:15:04.012 -0700 [INFO]: { 9: }: NAT detected: ME

2017-06-09 02:15:04.012 -0700 [INFO]: { 9: }: Hashing 173.192.36.X[500] with algo #2

2017-06-09 02:15:04.012 -0700 [INFO]: { 9: }: Hashing 172.31.87.Y[500] with algo #2

2017-06-09 02:15:04.012 -0700 [INFO]: { 9: }: Adding remote and local NAT-D payloads.

2017-06-09 02:15:04.065 -0700 [PNTF]: { 9: }: ====> PHASE-1 NEGOTIATION SUCCEEDED AS RESPONDER, MAIN MODE <====

====> Established SA: 172.31.87.Y[4500]-173.192.36.X[4500] cookie:e071c365a4bad487:b29ba8d398ce0521

echo · ‎07-24-2017

Lots of things seem different when just viewing quickly. Eg the Proxy-ID seems to be 0.0.0.0/0 on FG side but has been specified smaller on PA side. Then PA has set local and remote ID, which are not present in FG. Why is NAT-T used at all if the connection is between two public IPv4 addresses? This seems unnecessary, although since Phase1 seems to work, it can be left so. In logs, mode config is mentioned which may mean that one side is waiting for some configuration as if it were a dial-up-type client VPN or something. But maybe it already works for you after that long time.