An engineer troubleshooting a site-to-site VPN finds a Security policy dropping the peer’s IKE traffic at the edge firewall. Both VPN peers are behind a NAT, and NAT-T is enabled.
How can the engineer remediate this issue?
A. Add a Security policy to allow UDP/500.
B. Add a Security policy to allow the IKE application.
C. Add a Security policy to allow the IPSec application.
Looks like it should be C according to the below:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFRCA0
The ipsec application contains the following sub-apps:
ike
ipsec-ah
ipsec-esp
ipsec-esp-udp(NAT-T)
The sub-apps above are allowed implicitly when the ipsec application is configured as allowed.
A: Add a Security policy to allow UDP/500 - will not work; as stated by others, when NAT-T is enabled it will also use UDP/4500
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC
"To check if NAT-T is enabled, packets will be on port 4500 instead of 500 from the 5th and 6th messages of main mode."
B: Add a Security policy to allow the IKE application. - will not work as per the above
D: Add a Security policy to allow UDP/4501 - will not work as per the above
C: Add a Security policy to allow the IPSec application. - having checked on PAN-OS 10.2, the IPSec application has 4 sub(?) applications:
- ike (Standard Ports: tcp/500, udp/500)
- ipsec-ah (Standard Ports: IP Protocol 51)
- ipsec-esp (Standard Ports: IP Protocol 50)
- ipsec-esp-udp (Standard Ports: udp/4500, udp/4501)
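To make the port-versus-App-ID difference concrete, here is an added example (not part of the thread and not vendor code) that models the three candidate rules against a constructed NAT-T main-mode exchange. The sub-app port table is the one quoted above from Objects > Applications; the exchange itself is constructed from the KB statement that messages 5 and 6 float to port 4500. The model is a deliberate simplification: it classifies each packet purely by port or IP protocol and evaluates rules per packet, which is an assumption and not how the firewall's App-ID decoders or session handling actually work.

```python
"""Constructed model: port-based rule vs. App-ID rule for an IKE exchange
that floats to UDP/4500 once NAT-T is negotiated.

Added example, not part of the original thread or any vendor code.
Assumptions: classification is by standard port only (no decoder
behaviour), and each packet is evaluated independently.
"""
from dataclasses import dataclass

# Standard ports of the sub-apps that make up the "ipsec" application,
# as listed in the thread. Key: (transport, dport) or ("ip", protocol).
SUB_APP_PORTS = {
    ("tcp", 500): "ike",
    ("udp", 500): "ike",
    ("ip", 51): "ipsec-ah",
    ("ip", 50): "ipsec-esp",
    ("udp", 4500): "ipsec-esp-udp",
    ("udp", 4501): "ipsec-esp-udp",
}

# Allowing a container app implicitly allows its sub-apps (per the KB
# article quoted in the thread); "ike" on its own covers only itself.
APP_MEMBERS = {
    "ike": {"ike"},
    "ipsec": {"ike", "ipsec-ah", "ipsec-esp", "ipsec-esp-udp"},
}


@dataclass(frozen=True)
class Packet:
    label: str          # human-readable description of the message
    transport: str      # "udp", "tcp", or "ip" for a raw IP protocol
    port_or_proto: int  # destination port, or IP protocol number


def identify_app(pkt):
    """Map a packet to the sub-app it would be identified as, or None."""
    return SUB_APP_PORTS.get((pkt.transport, pkt.port_or_proto))


def rule_allows(rule, pkt):
    """rule is ("port", "udp/500") for a service-based rule or
    ("app", "ipsec") for an App-ID-based rule."""
    kind, value = rule
    if kind == "port":
        transport, port = value.split("/")
        return pkt.transport == transport and pkt.port_or_proto == int(port)
    if kind == "app":
        return identify_app(pkt) in APP_MEMBERS.get(value, set())
    raise ValueError(f"unknown rule kind {kind!r}")


def dropped_by(rule, packets):
    """Labels of the packets a rule would not allow."""
    return [p.label for p in packets if not rule_allows(rule, p)]


# Constructed NAT-T main-mode exchange with both peers behind NAT:
# messages 1-4 on udp/500, messages 5-6 and the data traffic on udp/4500.
NAT_T_EXCHANGE = [
    Packet("MM1 SA proposal", "udp", 500),
    Packet("MM2 SA response", "udp", 500),
    Packet("MM3 KE/nonce + NAT-D", "udp", 500),
    Packet("MM4 KE/nonce + NAT-D", "udp", 500),
    Packet("MM5 ID/auth (floated to 4500)", "udp", 4500),
    Packet("MM6 ID/auth (floated to 4500)", "udp", 4500),
    Packet("ESP-in-UDP data", "udp", 4500),
]

# The three answer options from the question, as rules.
CANDIDATE_RULES = {
    "A: allow udp/500": ("port", "udp/500"),
    "B: allow app ike": ("app", "ike"),
    "C: allow app ipsec": ("app", "ipsec"),
}


def evaluate_candidates(packets=NAT_T_EXCHANGE):
    """Return {option: [labels of packets that option would drop]}."""
    return {name: dropped_by(rule, packets)
            for name, rule in CANDIDATE_RULES.items()}


if __name__ == "__main__":
    for name, dropped in evaluate_candidates().items():
        print(f"{name:20s} {'OK' if not dropped else 'drops ' + str(dropped)}")
```

Running it shows options A and B both drop the floated messages 5 and 6 plus the ESP-in-UDP traffic, while C, which carries the ipsec-esp-udp sub-app, allows the whole exchange; that is exactly the reasoning the posts above use to rule out A and B.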
Phase 1 - IKE
Phase 2 - IPSec
If IKE traffic is being dropped that means Phase 1 is not coming up and you have bigger problems. At this point no need to even troubleshoot Phase 2 - IPSec.
In Objects > Applications it can be seen that the ike app uses tcp/500 and/or udp/500 and that it doesn't depend on any other app (for example ipsec). Since PA always recommends using App-ID, I would choose B.