IKEv2 IPsec VPN Tunnel Palo Alto <-> FortiGate

And one more IPsec VPN post, again between the Palo Alto Networks firewall and a Fortinet FortiGate, again over IPv6 but this time with IKEv2. It was no problem at all to change from IKEv1 to IKEv2 for this already configured VPN connection between the two different firewall vendors. Hence I am only showing the differences within the configuration and some listings from common CLI outputs for both firewalls.

I am using exactly the same lab environment as in my last blogpost. Please refer to it for any details about the IP addressing scheme, etc. I am still running at PAN-OS version 8.0.3 and FortiOS v5.4.5, build1138.
To use IKEv2 for an IPsec VPN tunnel you must only change the phase 1 settings on both endpoints, such as shown in the following screenshots for the Palo Alto Networks as well as for the Fortinet firewall:

Palo Alto IKE Gateway with “IKEv2 only mode”.

Advanced tab with the Crypto Profile and the Liveness Check.

Fortinet IKE Version set to “2”.

For the sake of completeness here is my Fortinet configuration in CLI mode. It also shows the two default routes as well as the two VPN routes:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52

config vpn ipsec phase1-interface     edit "pa"         set interface "wan1"         set ip-version 6         set ike-version 2         set keylife 28800         set peertype any         set proposal aes256-sha512         set dhgrp 20         set nattraversal disable         set remote-gw6 2003:51:6012::2         set psksecret ENC noYsWA0We7N6wcl4NKacI01p6Uiuua+HJVYMn5f0tUpJrqCt56xLETuX98ra5Tskd9GWy2p90jJI5RsCdH7BoMcddK4lGZSXn3WuHw456vkt0N3gsb6xGiH0/tj17Pfem5LpcBRDlufFvaKpfUcFp0TFnJR783kKwpCg5IZOWjFk8UR53XkyOsvFuLN+m/C2QY7aNA==     next end config vpn ipsec phase2-interface     edit "pa"         set phase1name "pa"         set proposal aes256-sha512         set dhgrp 20         set auto-negotiate enable         set keylifeseconds 3600     next     edit "pa6"         set phase1name "pa"         set proposal aes256-sha512         set dhgrp 20         set auto-negotiate enable         set src-addr-type subnet6         set dst-addr-type subnet6         set keylifeseconds 3600     next end config router static     edit 1         set gateway 80.154.108.225         set device "wan1"     next     edit 2         set dst 192.168.110.0 255.255.255.0         set device "pa"     next end config router static6     edit 1         set gateway 2003:51:6012::1         set device "wan1"     next     edit 2         set dst 2003:51:6012:110::/64         set device "pa"     next end

After committing the changes and some initial traffic the VPN tunnel comes up. The Palo GUI shows the “IKEv2” mode while the Fortinet does not list the used mode:

Palo Alto IKEv2 Tunnel Mode.

Fortinet IPsec Monitor.

The CLI outputs from both firewalls changed a bit compared to the IKEv1 output. For example, the Palo lists the “Child SAs” in the ike-sa detail part and the “traffic selectors” in the vpn flow. Formerly they were called “proxy-id”.
Here are some outputs from the Palo Alto:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207

weberjoh@pa> show vpn ike-sa detail gateway fg   IKE Gateway fg, ID 23 2003:51:6012::2 => 2003:51:6012::4   Current time: Jun.27 09:43:53   IKE SA:   SPI:  257D196A85066784:4175CD992C3C06F4  Init         State:      Established         SN:         6         Authentication:  PSK         Proposal:   AES256-CBC/SHA512/DH20         ID local:   ipaddr:2003:51:6012::2            remote:  ipaddr:2003:51:6012::4         ID_i:       :         ID_r:       :         NAT:        Not detected         Message ID: rx 9, tx 2352         Liveness check: sending informational packet after idle 5 seconds           Created:    Jun.27 06:28:21, 3 hours 15 minutes 32 seconds ago         Expires:    Jun.27 14:28:21, rekey in 3 hours 44 minutes 15 seconds (25187 sec)     Child SA 18508:         Tunnel 32   fg:fg         Type:       ESP       Resp         State:      Mature         Message ID: 00000006         Parent SN:  6         SPI:        DDB5F90D : 3D713140  <= ESP: 3D71313E         Algorithm:  AES256/SHA512/DH20         TS local:   Proto:any, 0.0.0.0-255.255.255.255, Ports:any         TS remote:  Proto:any, 0.0.0.0-255.255.255.255, Ports:any         Created:    Jun.27 08:50:35, 53 minutes 18 seconds ago         Expires:    Jun.27 09:50:35     Child SA 18692:         Tunnel 33   fg:fg6         Type:       ESP       Init         State:      Mature         Message ID: 00000766         Parent SN:  6         SPI:        FECCD6C8 : 3D713141  <= ESP: 9CB1B757         Algorithm:  AES256/SHA512/DH20         TS local:   Proto:any, ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, Ports:any         TS remote:  Proto:any, ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, Ports:any         Created:    Jun.27 09:05:49, 38 minutes 4 seconds ago         Expires:    Jun.27 10:05:49, rekey in 12 minutes 27 seconds (3031 sec)       weberjoh@pa> weberjoh@pa> weberjoh@pa> show vpn ipsec-sa tunnel fg:fg   GwID/client IP  TnID   Peer-Address           Tunnel(Gateway)                                Algorithm          SPI(in)  SPI(out) life(Sec/KB) --------------  ----   ------------           ---------------                                ---------          -------  -------- ------------ 23              32     2003:51:6012::4        fg:fg(fg)                                      ESP/A256/SHA512    C18C3620 3D713142 3479/0   Show IPSec SA: Total 1 tunnels found. 1 ipsec sa found.     weberjoh@pa> weberjoh@pa> weberjoh@pa> show vpn ipsec-sa tunnel fg:fg6   GwID/client IP  TnID   Peer-Address           Tunnel(Gateway)                                Algorithm          SPI(in)  SPI(out) life(Sec/KB) --------------  ----   ------------           ---------------                                ---------          -------  -------- ------------ 23              33     2003:51:6012::4        fg:fg6(fg)                                     ESP/A256/SHA512    FECCD6C8 3D713141 891/0   Show IPSec SA: Total 1 tunnels found. 1 ipsec sa found.     weberjoh@pa> weberjoh@pa> weberjoh@pa> show vpn tunnel name fg:fg   TnID   Name                           Gateway              Local Proxy IP       Ptl:Port   Remote Proxy IP      Ptl:Port   Proposals ----   ----                           -------              --------------       --------   ---------------      --------   --------- 32     fg:fg                          fg                   0.0.0.0/0            0:0        0.0.0.0/0            0:0        ESP tunl [DH20][AES256][SHA512] 3600-sec 0-kb   Show IPSec tunnel config: Total 1 tunnels found.     weberjoh@pa> weberjoh@pa> weberjoh@pa> show vpn tunnel name fg:fg6   TnID   Name                           Gateway              Local Proxy IP       Ptl:Port   Remote Proxy IP      Ptl:Port   Proposals ----   ----                           -------              --------------       --------   ---------------      --------   --------- 33     fg:fg6                         fg                   ::/0                 0:0        ::/0                 0:0        ESP tunl [DH20][AES256][SHA512] 3600-sec 0-kb   Show IPSec tunnel config: Total 1 tunnels found.     weberjoh@pa> weberjoh@pa> weberjoh@pa> show vpn flow name fg:fg   tunnel  fg:fg         id:                     32         type:                   IPSec         gateway id:             23         local ip:               2003:51:6012::2         peer ip:                2003:51:6012::4         inner interface:        tunnel.4         outer interface:        ethernet1/1         state:                  active         session:                56269         tunnel mtu:             1388         soft lifetime:          3569         hard lifetime:          3600         lifetime remain:        3434 sec         lifesize remain:        N/A         latest rekey:           166 seconds ago         monitor:                off           monitor packets seen: 0           monitor packets reply:0         en/decap context:       40         local spi:              C18C3620         remote spi:             3D713142         key type:               auto key         protocol:               ESP         auth algorithm:         SHA512         enc  algorithm:         AES256         traffic selector:           protocol:             0           local ip range:       0.0.0.0 - 255.255.255.255           local port range:     0 - 65535           remote ip range:      0.0.0.0 - 255.255.255.255           remote port range:    0 - 65535         anti replay check:      yes         copy tos:               no         authentication errors:  0         decryption errors:      0         inner packet warnings:  0         replay packets:         0         packets received           when lifetime expired:0           when lifesize expired:0         sending sequence:       330         receive sequence:       331         encap packets:          1614770         decap packets:          833356         encap bytes:            1622388048         decap bytes:            806157712         key acquire requests:   1         owner state:            0         owner cpuid:            s1dp0         ownership:              1   weberjoh@pa> weberjoh@pa> weberjoh@pa> show vpn flow name fg:fg6   tunnel  fg:fg6         id:                     33         type:                   IPSec         gateway id:             23         local ip:               2003:51:6012::2         peer ip:                2003:51:6012::4         inner interface:        tunnel.4         outer interface:        ethernet1/1         state:                  active         session:                31283         tunnel mtu:             1388         soft lifetime:          3522         hard lifetime:          3600         lifetime remain:        842 sec         lifesize remain:        N/A         latest rekey:           2758 seconds ago         monitor:                off           monitor packets seen: 0           monitor packets reply:0         en/decap context:       26         local spi:              FECCD6C8         remote spi:             3D713141         key type:               auto key         protocol:               ESP         auth algorithm:         SHA512         enc  algorithm:         AES256         traffic selector:           protocol:             0           local ip range:       :: - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff           local port range:     0 - 65535           remote ip range:      :: - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff           remote port range:    0 - 65535         anti replay check:      yes         copy tos:               no         authentication errors:  0         decryption errors:      0         inner packet warnings:  0         replay packets:         0         packets received           when lifetime expired:0           when lifesize expired:0         sending sequence:       664         receive sequence:       667         encap packets:          735         decap packets:          831360         encap bytes:            99960         decap bytes:            820373328         key acquire requests:   65         owner state:            0         owner cpuid:            s1dp0         ownership:              1   weberjoh@pa>

And this are the outputs from the FortiGate. Note that there seems to be a bug for the  get vpn ike gateway command because it resulted in a closed PuTTY session after hundreds of lines! Have a look at the lines 23-37 which I only listed four times here:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96

fg # get vpn ike gateway pa   vd: root/0 name: pa version: 2 interface: wan1 6 addr: 2003:51:6012::4:500 -> 2003:51:6012::2:500 created: 60946s ago IKE SA  created: 1/3  established: 1/3  time: 0/226/680 ms IPsec SA  created: 2/38  established: 2/38  time: 0/68/1240 ms     id/spi: 95 257d196a85066784/4175cd992c3c06f4   direction: responder   status: established 12286-12286s ago = 0ms   proposal: aes-256-sha512   SK_ei: fba5cabf2b055cfb-6f2f685296f4b93e-47527a8d4ada2970-e93c91cf6a6d8aef   SK_er: 6a938f311ccaab3d-93cf2341d2237452-d4bd557112c3f3d7-8959a4f85c8c7d8d   SK_ai: 9b6b147b61ba9237-248c4823ce761143-5fd2ac9117fc5a6d-c8e94ac7729c84e5-6b651712de89ae51-71a4af5f21ee2973-872e30df0f417c87-ed285218e88812b8   SK_ar: 3bbdf19282cdb031-3b04c65772e18b84-7aebb082fea024b0-fb5f29ab0e873ccf-67f648fdbe8b602b-fec8468e33bfa48d-9d36f1931253951e-7d0a252edce42933   lifetime/rekey: 28800/16243   DPD sent/recv: 000000f5/000000f5     id/spi: 0 0000000000000000/0000000000000000   direction: responder   status: connecting, state 0, started 0s ago     id/spi: 0 0000000000000000/0000000000000000   direction: responder   status: connecting, state 0, started 0s ago     id/spi: 0 0000000000000000/0000000000000000   direction: responder   status: connecting, state 0, started 0s ago     id/spi: 0 0000000000000000/0000000000000000   direction: responder   status: connecting, state 0, started 0s ago   [...]   fg # fg # fg # get vpn ipsec tunnel name pa   gateway   name: 'pa'   type: route-based   local-gateway: 2003:51:6012::4:0 (static)   remote-gateway: 2003:51:6012::2:0 (static)   mode: ike-v2   interface: 'wan1' (6)   rx  packets: 16084  bytes: 3003520  errors: 0   tx  packets: 16151  bytes: 1830681  errors: 0   dpd: on-demand/negotiated  idle: 20000ms  retry: 3  count: 0   selectors     name: 'pa'     auto-negotiate: enable     mode: tunnel     src: 0:0.0.0.0/0.0.0.0:0     dst: 0:0.0.0.0/0.0.0.0:0     SA       lifetime/rekey: 3600/1665       mtu: 1390       tx-esp-seq: eed       replay: enabled       inbound         spi: 3d713144         enc:  aes-cb  4a823372f691c3006db1e32c3c5bb4dc957dfa61e8f1484b75f0883eb7536cc6         auth: sha512  e8f03430854a9411765cd4689da2c64f78070e9e45e2c1e973bf83cb6b969464aadccd00ee2b846d55c8c695251ad00657f539611254eb8e76da8ac61abe078d       outbound         spi: fd69edff         enc:  aes-cb  acab60bfcfddb9f485f296528b84bf31f4a5f2e5a13173d1d2dc824358785e9c         auth: sha512  158ab9b65c11d92d67c9199768a13bab72251311f4b4bbec8dc9002ed64391bf85365a5abe4baf5ec55f09c46571058412690fbdae28eafaebf471abe2592b17       NPU acceleration: none   selectors     name: 'pa6'     auto-negotiate: enable     mode: tunnel     src: 0:::/0:0     dst: 0:::/0:0     SA       lifetime/rekey: 3600/2206       mtu: 1390       tx-esp-seq: 557       replay: enabled       inbound         spi: 3d713145         enc:  aes-cb  30a8116f7312aa705fb3ea94fe9d0212347912f657499dd2290dd50e94f4a801         auth: sha512  07335a32925f88eeac7e753273457f4a49f01a71db5397b7606cc7e0c30ef51525db0ae6f887d4862e292869014741fcfce4adb00b42cac5daa04a2a67ececc3       outbound         spi: d48144de         enc:  aes-cb  cf9a0c704dcddad8f28e6e40034c53afe8e28c6bb10626c35dcaf62dbf1d37dd         auth: sha512  e0b2ebe3d044d5832e6e26512909a48a1537a819f636b31fbdb42adbf44c21a949516ff1daf0501536d0441d0ddf83aca2b8bbe810a6d5c48004ad379acef264       NPU acceleration: none   fg #