Zywall 310 IKEv2 tunnel (preshared key) with Palo Alto ?

CMruk Posts: 14
edited December 2021 in Security
Hi,

Is there any guide on how to establish an IKEv2 VPN tunnel (S2S with static external IP) with a Palo Alto gateway? Or any other heavily secured tunnel.
I only have access to my Zywall 310 with the latest firmware.
From what I know, both devices have the same setup, like P1 and P2, SA lifetime, same virtual network, but the tunnel won't establish; I get this in the log:

2021-11-30 15:01:53  info  IKE  [SA] : TS unacceptable

Any tips?



All Replies

  • warwickt Posts: 111
    Hi CMruk, can you attach the logging (categories IKE and any IPSEC) and debugging logs from the 310 from when the tunnel build or connection fails?

    Get them with a router CLI command:

    Router> show logging entries category ike begin 1 end 500



    These are always very helpful in diagnosing these issues.

    Warwick
    Hong Kong
  • zyman2008 Posts: 158
    Hi @CMruk,
    [SA] : TS unacceptable - it's a configuration mismatch in phase 2.

    This is related to the IPSec Phase 2 TS (traffic selector) settings.
    The settings are named differently on each vendor's settings page:
    - "Proxy IDs" in Palo Alto.
    - "local policy / remote policy" in ZyWALL.

    Palo Alto and ZyWALL both support policy-based and route-based IPsec VPN.

    For policy-based IPSec VPN,
    On ZyWALL VPN connection settings,
    - Select  "Site-to-site" as Application Scenario
    - Configure local policy and remote policy


    On Palo Alto, configure IPv4 Proxy IDs,
    - Local maps to the remote policy in ZyWALL.
    - Remote maps to the local policy in ZyWALL.
    - Protocol needs to be "any"

  • CMruk Posts: 14
    edited December 2021
    Hi,
    Thank you for the tips.
    This is my setup in P2:



    10.0.0.0/24 is my LAN
    10.10.80.0/24 virtual VPN net


    My log shows
    [SA] : TS unacceptable



    This logging was sent to me from the PaloAlto device:

    'ignoring unauthenticated notify payload (NAT_DETECTION_DESTINATION_I
    'vendor id payload ignored
    'IKEv2 child SA negotiation failed when processing traffic selector. cannot find matching IPSec tunnel for received traffic selector. received local TS: 10.10.80.0-10.10.80.255 protocol 0 port 0-65535, received remote TS: 10.0.0.0-10.0.0.255 protocol 0 port 0-65535.'
    'IKEv2 IKE SA negotiation is failed as responder, non-rekey. Failed SA: 89.XXX.XXX.XXX[500]-46.XXX.XXX.XXX[500]

    I am stuck on this for now; I don't know PaloAlto, but maybe another VPN like IKEv1 will not trigger these problems?




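Added example, not code from any poster in this thread: a small Python checker that parses the PAN-OS "received local TS / received remote TS" line quoted above and tests it against candidate Palo Alto proxy IDs using the mirroring rule from zyman2008's reply (ZyWALL local policy = PA proxy-ID remote, ZyWALL remote policy = PA proxy-ID local, protocol any). The proxy-ID names, the candidate set and the "exact match, no narrowing" rule are assumptions for illustration; the log line is a constructed copy of the one posted.

```python
import ipaddress
import re

# Constructed copy of the PAN-OS ikemgr line quoted in the thread above.
PA_LOG = (
    "IKEv2 child SA negotiation failed when processing traffic selector. "
    "cannot find matching IPSec tunnel for received traffic selector. "
    "received local TS: 10.10.80.0-10.10.80.255 protocol 0 port 0-65535, "
    "received remote TS: 10.0.0.0-10.0.0.255 protocol 0 port 0-65535."
)

TS_RE = re.compile(
    r"received (local|remote) TS: ([\d.]+)-([\d.]+) protocol (\d+) port (\d+)-(\d+)"
)

# IP protocol number -> the label a proxy ID would carry; 0 means "any".
PROTO_NAMES = {0: "any", 6: "tcp", 17: "udp"}


def parse_pa_ts(line):
    """Extract the received IKEv2 traffic selectors from a PAN-OS log line.

    The responder logs selectors from its own point of view: "local TS" is
    what the peer proposed for the responder's side, "remote TS" is the
    peer's own side. An address range is converted to the CIDR blocks that
    cover it exactly; protocol 0 and ports 0-65535 mean "any".
    """
    out = {}
    for side, lo, hi, proto, p0, p1 in TS_RE.findall(line):
        nets = list(ipaddress.summarize_address_range(
            ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
        out[side] = {
            "nets": nets,
            "protocol": PROTO_NAMES.get(int(proto), str(proto)),
            "ports": (int(p0), int(p1)),
        }
    return out


def proxy_id_for_zywall(local_policy, remote_policy):
    """Mirror ZyWALL local/remote policy into the Palo Alto proxy ID it needs.

    ZyWALL "local policy" becomes the proxy-ID "remote" and vice versa,
    with protocol "any". The dict keys are assumed names, not PAN-OS fields.
    """
    return {
        "local": [ipaddress.ip_network(remote_policy)],
        "remote": [ipaddress.ip_network(local_policy)],
        "protocol": "any",
    }


def find_matching_proxy_id(received, proxy_ids):
    """Return the name of the first proxy ID that exactly equals the received TS.

    Exact equality (no narrowing) is assumed, the conservative reading of
    "cannot find matching IPSec tunnel for received traffic selector".
    """
    for name, pid in proxy_ids.items():
        if pid["local"] != received["local"]["nets"]:
            continue
        if pid["remote"] != received["remote"]["nets"]:
            continue
        if pid["protocol"] != received["local"]["protocol"]:
            continue
        if pid["protocol"] != received["remote"]["protocol"]:
            continue
        return name
    return None


# Constructed candidate proxy IDs on the Palo Alto side (names are made up).
CANDIDATES = {
    # ZyWALL policies copied over without swapping local and remote.
    "copied-unswapped": {
        "local": [ipaddress.ip_network("10.0.0.0/24")],
        "remote": [ipaddress.ip_network("10.10.80.0/24")],
        "protocol": "any",
    },
    # Right networks, but restricted to TCP instead of "any".
    "tcp-only": {
        "local": [ipaddress.ip_network("10.10.80.0/24")],
        "remote": [ipaddress.ip_network("10.0.0.0/24")],
        "protocol": "tcp",
    },
    # Mirrored correctly from ZyWALL local 10.0.0.0/24, remote 10.10.80.0/24.
    "to-zywall": proxy_id_for_zywall("10.0.0.0/24", "10.10.80.0/24"),
}


if __name__ == "__main__":
    received = parse_pa_ts(PA_LOG)
    print("PA received local TS:", received["local"]["nets"],
          "remote TS:", received["remote"]["nets"])
    print("proxy ID the ZyWALL policy requires:",
          proxy_id_for_zywall("10.0.0.0/24", "10.10.80.0/24"))
    print("matching proxy ID:", find_matching_proxy_id(received, CANDIDATES))
```

Run against the posted line it reports that only the mirrored entry matches; the unswapped copy and the TCP-restricted entry both fail, which is the same outcome the Palo Alto logged. The peer admin can read their own proxy IDs off the tunnel's Proxy IDs tab and feed them in as the candidate set.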
  • zyman2008 Posts: 158
    Do you have what's configured on the Palo Alto?
    Aren't you the administrator of the peer Palo Alto firewall?

  • CMruk Posts: 14
    edited December 2021
    Hi @zyman2008,
    I am not the administrator of the Palo Alto; it's another local government office which I have to cooperate with for some centralized project.

    I will try to arrange an IKEv1 setup on Monday, maybe with some luck :)
  • CMruk Posts: 14
    Hi all,
    Zywall 310 IPSec IKEv1 VPN with PaloAlto built successfully and runs like a charm.

    Thank you for tips.
