Palo Alto Networks Knowledgebase: How to determine the correct value to put in the PAN IKE peer KEYID field?

Created On 02/07/19 23:50 PM - Last Updated 02/07/19 23:50 PM
VPNs
Resolution

When configuring a Cisco ASA key-id field, how do you determine the correct value to put in the PAN IKE peer KEYID field?

The Cisco ASA accepts any ASCII string as input. This ASCII key-id string must be converted to hexadecimal before it is used in the PAN’s dynamic IKE Peer KEYID field.

For example:

  • Cisco ASA isakmp key-id: foobar
  • PAN dynamic peer KEYID: 666f6f626172

Capture the traffic from the dynamic peer as it arrives at the PAN (debug ike pcap on; debug ike pcap off; scp export debug-pcap from ikemgr.pcap) and examine it in Wireshark. The hex and ASCII values are listed in the first IKE packet from the dynamic peer.

Hex to ASCII converter tool:

http://www.dolcevie.com/js/converter.html
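
The same conversion can be done offline, which avoids pasting a peer identifier into a third-party web page. The following is an added example, not part of the original article or any Palo Alto Networks tooling; the function names are hypothetical, and it assumes that control characters (such as a trailing newline picked up by copy and paste) are mistakes rather than part of the key-id.

```python
import string

# Printable ASCII only; control characters such as \n or \r are excluded.
# Assumption: a control character in a key-id is a copy/paste error.
_ALLOWED = set(string.ascii_letters + string.digits + string.punctuation + " ")


def keyid_to_hex(key_id: str) -> str:
    """ASCII key-id as typed on the peer -> hex string for the KEYID field."""
    if not key_id:
        raise ValueError("key-id is empty")
    bad = [c for c in key_id if c not in _ALLOWED]
    if bad:
        # A stray newline or non-ASCII character silently changes the hex value,
        # and the two ends of the tunnel then no longer present the same ID.
        raise ValueError(f"non-printable or non-ASCII characters: {bad!r}")
    return key_id.encode("ascii").hex()


def hex_to_keyid(hex_value: str) -> str:
    """Hex bytes copied from a capture -> ASCII key-id.

    Accepts plain, space-separated or colon-separated hex.
    """
    cleaned = "".join(ch for ch in hex_value if ch not in " :\t\n").lower()
    raw = bytes.fromhex(cleaned)   # ValueError on odd length or non-hex input
    text = raw.decode("ascii")     # UnicodeDecodeError (a ValueError) if not ASCII
    if any(c not in _ALLOWED for c in text):
        raise ValueError(f"decoded value contains control characters: {text!r}")
    return text


if __name__ == "__main__":
    print(keyid_to_hex("foobar"))              # key-id from the example above
    print(hex_to_keyid("66:6f:6f:62:61:72"))   # constructed colon-separated form
```

A value that fails with a control-character error usually means the string was copied with a trailing newline, for example `0a` at the end of the hex.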

SonicWall, Juniper and NetScreen use ASCII for the key ID as well.

owner: panagent


