Zywall 310 IKEv2 tunel (preshared key) with Palo Alto ?

CMruk · November 2021

Hi,

It is any guide how to to establish IKEv2 VPN tunnel (S2S with static external ip) with Palo Alto Gateway?. Or any other heavy secured tunnel.
I got only access to my Zywall 310 with latest firmware.
From what i know, both device have the same setup like P1, and P2, SA life time, same virtual network. but tunnel won't establish, i got in log

2021-11-30 15:01:53

info

IKE

[SA] : TS unacceptable

any tips?

WJS · December 2021

In my past experience,I thought it's issue about proxy id as well.
Here is PaloAlto KB : https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUFCA0

Image: https://us.v-cdn.net/6029482/uploads/editor/1a/f4broeeesej7.png

warwickt · December 2021

Hi CMruk can you attach the logging (categories) IKE and any IPSEC and debugging logs from the 310 when the tunel build or connection fails??

get them with a router cli command

Router> show logging entries category ike begin 1 end 500

(unformatted here.. Router> show logging entries category ike begin 1 end 500 )

These are always very helpful in diagnosing these issues.

Warwick
Hong Kong

zyman2008 · December 2021

Hi @CMruk,
[SA] : TS unacceptable - It's configuration not match in phase 2.

This is related to the IPSec Phase 2 TS(traffic selector) settings.
The term of settings is different on settings page,
- "Proxy IDs" in Palo Alto.
- "local policy / remote policy" in ZyWALL.

Palo Alto and ZyWALL both support policy-based and route-based IPsec VPN.

For policy-based IPSec VPN,
On ZyWALL VPN connection settings,
- Select "Site-to-site" as Application Scenario
- Configure local policy and remote policy

Image: https://us.v-cdn.net/6029482/uploads/editor/9f/tm6zregop489.jpg

On Palo Alto, configure IPv4 Proxy IDs,
- Local mapping to remote policy in ZyWALL.
- Remote mapping to local policy in ZyWALL.
- Protocol need to be "any"
ipsec tunnel

WJS · December 2021

In my past experience,I thought it's issue about proxy id as well.
Here is PaloAlto KB : https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUFCA0

CMruk · December 2021

Hi,
thank you for tips
this is my setup in P2

Image: https://us.v-cdn.net/6029482/uploads/editor/ze/uj04uy3dyvoz.jpg

10.0.0.0/24 is my LAN
10.10.80.0/24 virtual VPN net

my log shows

[SA] : TS unacceptable

this longing send to me form PaloAlto device

'ignoring unauthenticated notify payload (NAT_DETECTION_DESTINATION_I

</code></div><div class="Quote"><code>'vendor id payload ignored

</code></div><div class="Quote"><code>'IKEv2 child SA negotiation failed when processing traffic selector. cannot find matching IPSec tunnel for received traffic selector. received local TS: 10.10.80.0-10.10.80.255 protocol 0 port 0-65535, received remote TS: 10.0.0.0-10.0.0.255 protocol 0 port 0-65535.'

</code></div><div class="Quote"><code>'IKEv2 IKE SA negotiation is failed as responder, non-rekey. Failed SA: 89.XXX.XXX.XXX[500]-46.XXX.XXX.XXX[500]

I am stuck for now with this, i don't know PaloAlto but maybe another VPN like IKEv1 will not trigger this problems?

zyman2008 · December 2021

Do you have what's configured on Palo Alto.
Aren't you the administrator of the peer Palo Alto firewall ?

CMruk · December 2021

Hi @zyman2008,
i am not administrator Palo Alto, it,s another local government office which i have to cooperate for some centralized project.

I will try arrange IKEv1 setup in Monday, maybe with some luck

CMruk · December 2021

HI all,
Zywall 310 IPSec IKEv1 VPN with PaloAlto build successful and run like charm.

Thank you for tips.

Zywall 310 IKEv2 tunel (preshared key) with Palo Alto ?

Accepted Solution

All Replies

Categories

Security Highlight

Security Help Center