An engineer troubleshooting a site-to-site VPN finds a Security policy dropping the peer’s IKE traffic at the edge firewall. Both VPN peers are behind a NAT, and NAT-T is enabled.
How can the engineer remediate this issue?
A. Add a Security policy to allow UDP/500.
B. Add a Security policy to allow the IKE application.
C. Add a Security policy to allow the IPSec application.
Looks like it should be C according to the below:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFRCA0
The ipsec application contains the following sub-apps:
ike
ipsec-ah
ipsec-esp
ipsec-esp-udp (NAT-T)
The sub-apps above are allowed implicitly when the ipsec application is configured as allowed.
A: Add a Security policy to allow UDP/500 - will not work; as stated by others, when NAT-T is enabled it will also use UDP/4500.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC
"To check if NAT-T is enabled, packets will be on port 4500 instead of 500 from the 5th and 6th messages of main mode."
B: Add a Security policy to allow the IKE application. - will not work as per the above
D: Add a Security policy to allow UDP/4501 - will not work as per the above.
C: Add a Security policy to allow the IPSec application. - having checked on PAN-OS 10.2, the IPSec application has 4 sub(?) applications:
- ike (Standard Ports: tcp/500, udp/500)
- ipsec-ah (Standard Ports: IP Protocol 51)
- ipsec-esp (Standard Ports: IP Protocol 50)
- ipsec-esp-udp (Standard Ports: udp/4500, udp/4501)
In Objects > Applications it can be seen that the ike app uses tcp/500 and/or udp/500 and that it doesn't depend on any other app (for example ipsec). Since PA always recommends using App-ID, I would choose B.
I believe it is B, because as mentioned above NAT-T is enabled, so packets will be on port 4500 instead of 500 from the 5th and 6th messages of main mode. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC
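The following is an added, constructed model of the argument in this thread; it is not PAN-OS code and not from any of the posters. It takes the sub-app port mappings and the container/sub-app relationship quoted above as given, simulates an IKEv1 main-mode exchange with and without NAT-T (the move to udp/4500 from message 5 onward is assumed from the KB quote), and reports which packets a policy allowing only `ike` versus `ipsec` would drop.

```python
# Constructed illustration of App-ID container vs. sub-app matching for a VPN
# peer behind NAT. Port values are the ones quoted in the discussion above.

# Sub-apps of the "ipsec" container application (assumed from the thread).
SUB_APPS = {
    "ike": {("udp", 500), ("tcp", 500)},
    "ipsec-ah": {("ip", 51)},
    "ipsec-esp": {("ip", 50)},
    "ipsec-esp-udp": {("udp", 4500), ("udp", 4501)},
}
CONTAINER_APPS = {"ipsec": set(SUB_APPS)}


def identify_app(proto, port):
    """Map a (protocol, port or IP protocol number) pair to its sub-app."""
    for app, matches in SUB_APPS.items():
        if (proto, port) in matches:
            return app
    return None


def expand_policy(allowed):
    """A container app in the policy implicitly allows all of its sub-apps."""
    expanded = set()
    for app in allowed:
        expanded |= CONTAINER_APPS.get(app, {app})
    return expanded


def vpn_session_packets(nat_t):
    """Packets of an IKEv1 main-mode exchange followed by ESP data. With NAT-T
    the peers switch to udp/4500 at message 5 and encapsulate ESP in UDP."""
    pkts = [(f"MM{i}", "udp", 500) for i in range(1, 5)]
    if nat_t:
        pkts += [(f"MM{i}", "udp", 4500) for i in (5, 6)]
        pkts.append(("ESP-in-UDP", "udp", 4500))
    else:
        pkts += [(f"MM{i}", "udp", 500) for i in (5, 6)]
        pkts.append(("ESP", "ip", 50))
    return pkts


def evaluate(allowed, nat_t):
    """Return {packet label: 'allow' | 'drop'} for the given allowed apps."""
    permitted = expand_policy(allowed)
    verdicts = {}
    for label, proto, port in vpn_session_packets(nat_t):
        verdicts[label] = "allow" if identify_app(proto, port) in permitted else "drop"
    return verdicts
```

Calling `evaluate({"ike"}, nat_t=True)` drops everything from main-mode message 5 onward, while `evaluate({"ipsec"}, nat_t=True)` allows the whole session.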