Zywall 310 IKEv2 tunel (preshared key) with Palo Alto ?
Hi,
It is any guide how to to establish IKEv2 VPN tunnel (S2S with static external ip) with Palo Alto Gateway?. Or any other heavy secured tunnel.
I got only access to my Zywall 310 with latest firmware.
From what i know, both device have the same setup like P1, and P2, SA life time, same virtual network. but tunnel won't establish, i got in log
any tips?
It is any guide how to to establish IKEv2 VPN tunnel (S2S with static external ip) with Palo Alto Gateway?. Or any other heavy secured tunnel.
I got only access to my Zywall 310 with latest firmware.
From what i know, both device have the same setup like P1, and P2, SA life time, same virtual network. but tunnel won't establish, i got in log
2021-11-30 15:01:53 | info | IKE | [SA] : TS unacceptable |
any tips?
0
Accepted Solution
-
In my past experience,I thought it's issue about proxy id as well.
Here is PaloAlto KB : https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUFCA0
0
All Replies
-
Hi CMruk can you attach the logging (categories) IKE and any IPSEC and debugging logs from the 310 when the tunel build or connection fails??
get them with a router cli command
(unformatted here.. Router> show logging entries category ike begin 1 end 500 )Router> show logging entries category ike begin 1 end 500
These are always very helpful in diagnosing these issues.
Warwick
Hong Kong0 -
Hi @CMruk,
[SA] : TS unacceptable - It's configuration not match in phase 2.
This is related to the IPSec Phase 2 TS(traffic selector) settings.
The term of settings is different on settings page,
- "Proxy IDs" in Palo Alto.
- "local policy / remote policy" in ZyWALL.
Palo Alto and ZyWALL both support policy-based and route-based IPsec VPN.
For policy-based IPSec VPN,
On ZyWALL VPN connection settings,
- Select "Site-to-site" as Application Scenario
- Configure local policy and remote policy
On Palo Alto, configure IPv4 Proxy IDs,
- Local mapping to remote policy in ZyWALL.
- Remote mapping to local policy in ZyWALL.
- Protocol need to be "any"
0 -
In my past experience,I thought it's issue about proxy id as well.
Here is PaloAlto KB : https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUFCA0
0 -
Hi,
thank you for tips
this is my setup in P2
10.0.0.0/24 is my LAN
10.10.80.0/24 virtual VPN net
my log shows[SA] : TS unacceptable
this longing send to me form PaloAlto device'ignoring unauthenticated notify payload (NAT_DETECTION_DESTINATION_I
</code></div><div class="Quote"><code>'vendor id payload ignored
</code></div><div class="Quote"><code>'IKEv2 child SA negotiation failed when processing traffic selector. cannot find matching IPSec tunnel for received traffic selector. received local TS: 10.10.80.0-10.10.80.255 protocol 0 port 0-65535, received remote TS: 10.0.0.0-10.0.0.255 protocol 0 port 0-65535.'
</code></div><div class="Quote"><code>'IKEv2 IKE SA negotiation is failed as responder, non-rekey. Failed SA: 89.XXX.XXX.XXX[500]-46.XXX.XXX.XXX[500]
I am stuck for now with this, i don't know PaloAlto but maybe another VPN like IKEv1 will not trigger this problems?
0 -
Do you have what's configured on Palo Alto.
Aren't you the administrator of the peer Palo Alto firewall ?
0 -
Hi @zyman2008,
i am not administrator Palo Alto, it,s another local government office which i have to cooperate for some centralized project.
I will try arrange IKEv1 setup in Monday, maybe with some luck
0 -
HI all,
Zywall 310 IPSec IKEv1 VPN with PaloAlto build successful and run like charm.
Thank you for tips.
0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 147 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 262 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight