PA-VM deployed in AWS encounters IKE Phase-1 negotiation failures due to missing identification
Created On 03/18/20 16:04 PM - Last Modified 04/06/20 17:28 PM
Symptom
Unable to establish an IPsec tunnel on PA-VM. IKE Phase-1 stays down despite correct configuration of the Security Association, pre-shared key, security policy, etc.
- Initiate the IKE Phase-1 negotiation for the VPN tunnel from the remote end and monitor the ikemgr log on the PA-VM with the CLI command below (if the peer is a Palo Alto Networks firewall, use the command “test vpn ike-sa” there to initiate the Phase-1 negotiation):
> tail follow yes mp-log ikemgr.log
2020-02-04 11:42:27.256 -0800 [INFO]: { 1: }: received Vendor ID: DPD
2020-02-04 11:42:27.256 -0800 [INFO]: { 1: }: received Vendor ID: PANOS - the new generation of firewall
2020-02-04 11:42:27.256 -0800 [PERR]: { 1: }: peer identifier (type ipaddr [20.20.1.4]) does not match remote IKE1
2020-02-04 11:42:27.256 -0800 [PERR]: { 1: }: 10.10.11.4[500] - 3.232.179.118[500]:(nil) invalid ID payload.
2020-02-04 11:42:27.256 -0800 [INFO]: { 1: }: received Vendor ID: PANOS - the new generation of firewall
2020-02-04 11:42:27.256 -0800 [PERR]: { 1: }: peer identifier (type ipaddr [20.20.1.4]) does not match remote IKE1
2020-02-04 11:42:27.256 -0800 [PERR]: { 1: }: 10.10.11.4[500] - 3.232.179.118[500]:(nil) invalid ID payload.
- The log snippet above shows that the IKE identity is not configured on the PA-VM firewall, whose untrust interface IP is NAT’d in the AWS cloud: the ID payload presented by the peer is rejected as invalid during Phase-1.
Environment
- Platform: PA-VM
- PAN-OS / Plugin Version: 8.0.1 / -
- Deployment: AWS
Cause
- Customers accustomed to non-cloud firewalls often apply the same approach to configuring IPsec VPN in AWS environments, which does not work as expected. The VM-Series in AWS has a required field for the peer identification and local identification IP addresses, and the IPsec Phase-1 IKE negotiation fails if this configuration is missing or mismatched.
- IKE Gateways should be configured with Local and Peer Identification set to the actual untrust interface IPs.
Resolution
- Navigate to Firewall WebUI > Network > Network Profiles > IKE Gateways. Configure Local Identification as the private/public IP configured on the local interface, and configure Peer Identification as the private/public IP address of the peer end.
- This can also be configured as a pair of public IPs; just make sure that the pair of IPs configured on the local end matches the configuration on the peer end.
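The following Python script is an added example, not part of this article or of PAN-OS. It does two things that follow from the symptom and resolution above: it scans ikemgr log lines for the "peer identifier ... does not match" error and extracts the identity the peer presented, and it models the Phase-1 identity check for a PA-VM behind AWS NAT to show why leaving Local/Peer Identification empty fails and why setting a matching pair on both ends succeeds. The default-identity behaviour it models (interface IP sent as the local ID, configured peer address expected as the peer ID) is an assumption, as is the mapping of the article's addresses to each side; 203.0.113.10 is a constructed placeholder for the PA-VM's public IP.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Log lines quoted in the article, re-joined onto single lines as
# "tail follow yes mp-log ikemgr.log" prints them.
SAMPLE_LOG = """\
2020-02-04 11:42:27.256 -0800 [INFO]: { 1: }: received Vendor ID: DPD
2020-02-04 11:42:27.256 -0800 [INFO]: { 1: }: received Vendor ID: PANOS - the new generation of firewall
2020-02-04 11:42:27.256 -0800 [PERR]: { 1: }: peer identifier (type ipaddr [20.20.1.4]) does not match remote IKE1
2020-02-04 11:42:27.256 -0800 [PERR]: { 1: }: 10.10.11.4[500] - 3.232.179.118[500]:(nil) invalid ID payload.
"""

# "<date> <time> <tz> [LEVEL]: { n: }: message"
LINE_RE = re.compile(r"^\S+ \S+ \S+ \[(?P<level>\w+)\]: \{ \d+: \}: (?P<msg>.*)$")
# The identity-mismatch message; \s* tolerates the line wrap seen in the article.
ID_RE = re.compile(r"peer identifier \(type (?P<type>\w+)\s*\[(?P<value>[^\]]+)\]\) does not match")


def find_id_mismatches(log_text: str) -> List[Tuple[str, str]]:
    """Return (id_type, id_value) for every PERR line that reports an IKE ID mismatch."""
    found = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("level") != "PERR":
            continue
        idm = ID_RE.search(m.group("msg"))
        if idm:
            found.append((idm.group("type"), idm.group("value")))
    return found


@dataclass
class IkeGateway:
    name: str
    interface_ip: str                 # IP actually configured on the untrust interface
    peer_address: str                 # remote gateway address as configured on this side
    local_id: Optional[str] = None    # "Local Identification" in the IKE Gateway profile
    peer_id: Optional[str] = None     # "Peer Identification" in the IKE Gateway profile

    def sent_identity(self) -> str:
        # Assumption: with no explicit Local Identification the gateway identifies
        # itself by its interface IP, which in AWS is the private, pre-NAT address.
        return self.local_id or self.interface_ip

    def expected_peer_identity(self) -> str:
        # Assumption: with no explicit Peer Identification the gateway expects the
        # peer's ID to equal the configured peer address (its public, post-NAT IP).
        return self.peer_id or self.peer_address


def check_phase1_ids(a: IkeGateway, b: IkeGateway) -> List[str]:
    """Run the ID payload check in both directions; an empty list means Phase-1 IDs agree."""
    problems = []
    for receiver, sender in ((a, b), (b, a)):
        got, want = sender.sent_identity(), receiver.expected_peer_identity()
        if got != want:
            problems.append(f"{receiver.name}: peer identifier (type ipaddr [{got}]) "
                            f"does not match expected [{want}]")
    return problems


def build_scenario(configure_ids: bool) -> Tuple[IkeGateway, IkeGateway]:
    """PA-VM in AWS behind NAT talking to a remote gateway.

    Addresses are taken from the article's log; which address belongs to which side
    is an assumption, and 203.0.113.10 is a constructed placeholder for the PA-VM's
    public (NAT) IP.
    """
    pa_vm = IkeGateway("PA-VM", interface_ip="10.10.11.4", peer_address="3.232.179.118")
    remote = IkeGateway("remote", interface_ip="20.20.1.4", peer_address="203.0.113.10")
    if configure_ids:
        # The resolution: a matching pair of identities on both ends.
        pa_vm.local_id, pa_vm.peer_id = "10.10.11.4", "20.20.1.4"
        remote.local_id, remote.peer_id = "20.20.1.4", "10.10.11.4"
    return pa_vm, remote


if __name__ == "__main__":
    print("IDs rejected in log:", find_id_mismatches(SAMPLE_LOG))
    print("Without identification:", check_phase1_ids(*build_scenario(False)))
    print("With identification:", check_phase1_ids(*build_scenario(True)))
```

Running the script reproduces the article's error from the PA-VM's point of view (it receives 20.20.1.4 but expects the peer address it was configured with) and shows the reverse failure on the remote end, which receives the PA-VM's private interface IP rather than the public address it reaches; with Local and Peer Identification set consistently on both gateways the check passes.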