IKE Phase-1 negotiation failure due to missing identification for PA-VM deployed in Azure
Symptom
Unable to establish an IPsec tunnel on a PA-VM. IKE Phase-1 stays down despite correct configuration of the Security Association, pre-shared key, security policy, etc.
- Initiate IKE Phase-1 negotiation for the VPN tunnel from the remote end and monitor the ikemgr logs on the PA-VM using the CLI command below (if the peer is also a PANW firewall, use “test vpn ike-sa” there to initiate the Phase-1 negotiation):
> tail follow yes mp-log ikemgr.log
2020-02-04 11:42:27.256 -0800 [INFO]: { 1: }: received Vendor ID: DPD
2020-02-04 11:42:27.256 -0800 [INFO]: { 1: }: received Vendor ID: PANOS - the new generation of firewall
2020-02-04 11:42:27.256 -0800 [PERR]: { 1: }: peer identifier (type ipaddr [20.20.1.4]) does not match remote IKE1
2020-02-04 11:42:27.256 -0800 [PERR]: { 1: }: 10.10.11.4[500] - 3.232.179.118[500]:(nil) invalid ID payload.
- The log snippet above shows that the IKE identification (Local/Peer Identification) is not configured on the PA-VM firewall, whose Untrust IP is NAT’d in the Azure cloud: the peer identifier offered by the remote end does not match what the local IKE gateway expects, so the ID payload is rejected.
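When the tunnel flaps repeatedly, reading ikemgr.log by eye gets tedious. The following parser is an added example, not part of the original article or of PAN-OS: it pulls the identification-mismatch pair of [PERR] lines out of ikemgr.log text, pairs them by negotiation number, and reports the ID the peer offered against the address the packet actually came from. The log-line layout it assumes is exactly the one quoted above; the sample input is the article's own four lines, embedded here as constructed test data.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the ikemgr.log lines quoted in the Symptom section above.
SAMPLE_LOG = """\
2020-02-04 11:42:27.256 -0800 [INFO]: { 1: }: received Vendor ID: DPD
2020-02-04 11:42:27.256 -0800 [INFO]: { 1: }: received Vendor ID: PANOS - the new generation of firewall
2020-02-04 11:42:27.256 -0800 [PERR]: { 1: }: peer identifier (type ipaddr [20.20.1.4]) does not match remote IKE1
2020-02-04 11:42:27.256 -0800 [PERR]: { 1: }: 10.10.11.4[500] - 3.232.179.118[500]:(nil) invalid ID payload.
"""

# Generic ikemgr line: timestamp, level, negotiation number in braces, message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ [+-]\d{4}) \[(?P<level>\w+)\]: \{ (?P<neg>\d+): \}: (?P<msg>.*)$"
)
# First PERR line: the identifier the peer sent and that our gateway did not accept.
PEER_ID_RE = re.compile(
    r"peer identifier \(type (?P<idtype>\w+) \[(?P<idval>[^\]]+)\]\) does not match"
)
# Second PERR line: local and remote IKE endpoints of the rejected ID payload.
INVALID_ID_RE = re.compile(
    r"(?P<local>[\d.]+)\[(?P<lport>\d+)\] - (?P<remote>[\d.]+)\[(?P<rport>\d+)\].*invalid ID payload"
)


@dataclass
class IdMismatch:
    negotiation: str
    offered_peer_id_type: str
    offered_peer_id: str
    local_ip: Optional[str] = None
    remote_ip: Optional[str] = None

    def summary(self) -> str:
        """One-line explanation for the operator."""
        hint = ""
        if self.remote_ip and self.remote_ip != self.offered_peer_id:
            # The peer identified itself with one address but the IKE packet
            # arrived from another: NAT sits between the two gateways, so the
            # default "peer ID = peer IP" assumption cannot hold.
            hint = (
                f"; the packet arrived from {self.remote_ip}, which differs from the "
                "offered ID, so explicit Local/Peer Identification must be configured"
            )
        return (
            f"negotiation {self.negotiation}: peer offered {self.offered_peer_id_type} ID "
            f"{self.offered_peer_id} that the local IKE gateway's Peer Identification "
            f"does not match (local endpoint {self.local_ip or 'unknown'}){hint}"
        )


def find_id_mismatches(log_text: str) -> List[IdMismatch]:
    """Return one IdMismatch per negotiation that failed on the ID payload."""
    found: Dict[str, IdMismatch] = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m or m.group("level") != "PERR":
            continue  # INFO lines (vendor IDs etc.) are not relevant here
        neg, msg = m.group("neg"), m.group("msg")
        pm = PEER_ID_RE.search(msg)
        if pm:
            found[neg] = IdMismatch(neg, pm.group("idtype"), pm.group("idval"))
            continue
        im = INVALID_ID_RE.search(msg)
        if im and neg in found:
            # Only attach endpoints to a negotiation whose ID mismatch we saw.
            found[neg].local_ip = im.group("local")
            found[neg].remote_ip = im.group("remote")
    return list(found.values())


if __name__ == "__main__":
    for mismatch in find_id_mismatches(SAMPLE_LOG):
        print(mismatch.summary())
```

Run it against the output of “tail follow yes mp-log ikemgr.log” saved to a file, or paste the relevant lines into SAMPLE_LOG; an empty result means Phase-1 is failing for a reason other than identification and the other [PERR] lines need to be read instead.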
Environment
- Platform: VM-Series Firewall
- PAN-OS / Plugin Version: 9.0.1 / -
- Deployment: Azure
Cause
- Admins accustomed to non-cloud firewalls often use the same approach to configure IPsec VPN in Azure environments, which does not work as expected there. VM-Series in Azure has a required field for the peer identification and local identification IP addresses; IPsec Phase-1 IKE negotiation fails if this configuration is missing or mismatched.
- IKE Gateways should be configured with Local and Peer Identification set to the actual Untrust interface IPs.
Resolution
- Navigate to Firewall WebUI > Network > Network Profiles > IKE Gateways. Configure Local Identification as the private IP configured on the Untrust interface, and configure Peer Identification as the IP address of the terminating peer end.
- This can also be configured as a pair of public IPs; just make sure that the pair of IPs configured on the local end matches the peer end configuration.
Additional Information
For additional insight, please take a look at the Support FAQ hosted by our LIVECommunity team.