Skip to main content

IKEv2 IPsec VPN Tunnel Palo Alto <-> FortiGate

IKEv2 IPsec VPN Tunnel Palo Alto <-> FortiGate

And one more IPsec VPN post, again between the Palo Alto Networks firewall and a Fortinet FortiGate, again over IPv6 but this time with IKEv2. It was no problem at all to change from IKEv1 to IKEv2 for this already configured VPN connection between the two different firewall vendors. Hence I am only showing the differences within the configuration and some listings from common CLI outputs for both firewalls.


I am using exactly the same lab environment as in my last blogpost. Please refer to it for any details about the IP addressing scheme, etc. I am still running at PAN-OS version 8.0.3 and FortiOS v5.4.5, build1138.
To use IKEv2 for an IPsec VPN tunnel you must only change the phase 1 settings on both endpoints, such as shown in the following screenshots for the Palo Alto Networks as well as for the Fortinet firewall:
For the sake of completeness here is my Fortinet configuration in CLI mode. It also shows the two default routes as well as the two VPN routes:

After committing the changes and some initial traffic the VPN tunnel comes up. The Palo GUI shows the “IKEv2” mode while the Fortinet does not list the used mode:
The CLI outputs from both firewalls changed a bit compared to the IKEv1 output. For example, the Palo lists the “Child SAs” in the ike-sa detail part and the “traffic selectors” in the vpn flow. Formerly they were called “proxy-id”.
Here are some outputs from the Palo Alto:
And this are the outputs from the FortiGate. Note that there seems to be a bug for the  get vpn ike gateway command because it resulted in a closed PuTTY session after hundreds of lines! Have a look at the lines 23-37 which I only listed four times here:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
fg # get vpn ike gateway pa
 
vd: root/0
name: pa
version: 2
interface: wan1 6
addr: 2003:51:6012::4:500 -> 2003:51:6012::2:500
created: 60946s ago
IKE SA  created: 1/3  established: 1/3  time: 0/226/680 ms
IPsec SA  created: 2/38  established: 2/38  time: 0/68/1240 ms
 
  id/spi: 95 257d196a85066784/4175cd992c3c06f4
  direction: responder
  status: established 12286-12286s ago = 0ms
  proposal: aes-256-sha512
  SK_ei: fba5cabf2b055cfb-6f2f685296f4b93e-47527a8d4ada2970-e93c91cf6a6d8aef
  SK_er: 6a938f311ccaab3d-93cf2341d2237452-d4bd557112c3f3d7-8959a4f85c8c7d8d
  SK_ai: 9b6b147b61ba9237-248c4823ce761143-5fd2ac9117fc5a6d-c8e94ac7729c84e5-6b651712de89ae51-71a4af5f21ee2973-872e30df0f417c87-ed285218e88812b8
  SK_ar: 3bbdf19282cdb031-3b04c65772e18b84-7aebb082fea024b0-fb5f29ab0e873ccf-67f648fdbe8b602b-fec8468e33bfa48d-9d36f1931253951e-7d0a252edce42933
  lifetime/rekey: 28800/16243
  DPD sent/recv: 000000f5/000000f5
 
  id/spi: 0 0000000000000000/0000000000000000
  direction: responder
  status: connecting, state 0, started 0s ago
 
  id/spi: 0 0000000000000000/0000000000000000
  direction: responder
  status: connecting, state 0, started 0s ago
 
  id/spi: 0 0000000000000000/0000000000000000
  direction: responder
  status: connecting, state 0, started 0s ago
 
  id/spi: 0 0000000000000000/0000000000000000
  direction: responder
  status: connecting, state 0, started 0s ago
 
[...]
 
fg #
fg #
fg # get vpn ipsec tunnel name pa
 
gateway
  name: 'pa'
  type: route-based
  local-gateway: 2003:51:6012::4:0 (static)
  remote-gateway: 2003:51:6012::2:0 (static)
  mode: ike-v2
  interface: 'wan1' (6)
  rx  packets: 16084  bytes: 3003520  errors: 0
  tx  packets: 16151  bytes: 1830681  errors: 0
  dpd: on-demand/negotiated  idle: 20000ms  retry: 3  count: 0
  selectors
    name: 'pa'
    auto-negotiate: enable
    mode: tunnel
    src: 0:0.0.0.0/0.0.0.0:0
    dst: 0:0.0.0.0/0.0.0.0:0
    SA
      lifetime/rekey: 3600/1665
      mtu: 1390
      tx-esp-seq: eed
      replay: enabled
      inbound
        spi: 3d713144
        enc:  aes-cb  4a823372f691c3006db1e32c3c5bb4dc957dfa61e8f1484b75f0883eb7536cc6
        auth: sha512  e8f03430854a9411765cd4689da2c64f78070e9e45e2c1e973bf83cb6b969464aadccd00ee2b846d55c8c695251ad00657f539611254eb8e76da8ac61abe078d
      outbound
        spi: fd69edff
        enc:  aes-cb  acab60bfcfddb9f485f296528b84bf31f4a5f2e5a13173d1d2dc824358785e9c
        auth: sha512  158ab9b65c11d92d67c9199768a13bab72251311f4b4bbec8dc9002ed64391bf85365a5abe4baf5ec55f09c46571058412690fbdae28eafaebf471abe2592b17
      NPU acceleration: none
  selectors
    name: 'pa6'
    auto-negotiate: enable
    mode: tunnel
    src: 0:::/0:0
    dst: 0:::/0:0
    SA
      lifetime/rekey: 3600/2206
      mtu: 1390
      tx-esp-seq: 557
      replay: enabled
      inbound
        spi: 3d713145
        enc:  aes-cb  30a8116f7312aa705fb3ea94fe9d0212347912f657499dd2290dd50e94f4a801
        auth: sha512  07335a32925f88eeac7e753273457f4a49f01a71db5397b7606cc7e0c30ef51525db0ae6f887d4862e292869014741fcfce4adb00b42cac5daa04a2a67ececc3
      outbound
        spi: d48144de
        enc:  aes-cb  cf9a0c704dcddad8f28e6e40034c53afe8e28c6bb10626c35dcaf62dbf1d37dd
        auth: sha512  e0b2ebe3d044d5832e6e26512909a48a1537a819f636b31fbdb42adbf44c21a949516ff1daf0501536d0441d0ddf83aca2b8bbe810a6d5c48004ad379acef264
      NPU acceleration: none
 
fg #

Comments

Popular posts from this blog

Checkpoint firewall common commands part 2

Checkpoint firewall common commands part 2 For basic firewall informaton gathering: fgate stat -Status and statistics of Flood-Gate-1. fwaccel <stat|stats|conns>  – View status, statistics or connection table of SecureXL. fw getifs -Show list of configured interfaces with IP and netmask. cpstat <app_flag> [-f flavour] -View OS, HW and CP application status. Issue cpstat without any options to see all possible application flags <app_flag> and corresponding flavours. Examples: cpstat fw -f policy – verbose policy info cpstat os -f cpu – CPU utilization statistics cpinfo -y all   -List all installed patches and hotfixes. cpd_sched_config print -Show task scheduled with CPD scheduler. enabled_blades -View enabled software blades avsu_client [-app <app>]   , get_version <app>  -Get signature version and status of content security .Without the -app option “Anti Virus” is used. show co...

Unable to Connect to Server Checkpoint R80

Unable to Connect to Server Checkpoint R80 Unable to Connect to Server A connection to the management server will fail if: A firewall between SmartConsole and the management server blocks Port 19009 -  port 19009 is used for a new R80 service. Allow traffic on this port for all clients and management servers. No GUI clients are assigned -  Open the Gaia Portal. If the First Time Configuration Wizard opens, complete it. If the First Time Configuration Wizard has already run, open  User Management > GUI Clients  and add a client. When using Multi-Domain Security Management, connect SmartConsole to the Multi-Domain Server and make sure the domains have GUI clients assigned to them. The required processes are not reachable -  Make sure the computer with SmartConsole installed can reach the IP address of the management server, and that these server processes are up and running: cpm fwm Operation time out  – Your connection ...

Configuring Proxy ARP for Manual NAT

Configuring Proxy ARP for Manual NAT Symptoms After creating a Manual Static NAT rule, Security Gateway does not answer the ARP Requests for the Static NATed IP address that was configured in the Manual NAT rule. Security Gateway replies to ARP requests with a wrong MAC address, mostly for the NAT traffic.  Introduction Let us consider the following scenario: Two networks ( Network_A  and  Network_B ) are separated by a Security Gateway (single Security Gateway or ClusterXL). On each network, there is a host ( Host_A  on  Network_A ,  Host_B  on  Network_B ). Let us assume, that  Network_A  represents the  Internal  network, and  Network_B  represents the  External  network. According to the existing standards, when  Host_B  needs to send data to  Host_A , an ARP Request for the MAC address of  Host_A  will be sent by  Host_B  to  Network...