topic Re: IKE pre-shared key VPN dynamic ip in Security e-Series

IKE pre-shared key VPN dynamic ip

tmoez — Wed, 31 Aug 2016 11:36:42 GMT

I am tyring to setup an IKE vpn from a Palo Alto to a MSR2003. I can't seem to figure it out. I can get the phase1 and phase2 to talk on the Palo Alto however on the HP router I do display ipsec sa and it's blank. Can't seem to get the 2 to talk properly.

I'm using comcast on the spoke end with a dynamic ip G0/0 get's ip through Comcast using DHCP. However current configuration shows it statically assigned. I've tried them both to no avail.

I'm also unable to get any other encryption than des and sha1. I assumed that was because fips was not enabled. I do not have the command to enable fips.....

I've posted my configuration so far.....

show current-configuration
#
version 7.1.059, Release 0304P15
#
sysname CypressSwamp
#
dhcp enable
#
dns domain co.cal.md.us
dns server 75.75.75.75
dns server 75.75.76.76
#
password-recovery enable
#
vlan 1
#
dhcp server ip-pool LAN
gateway-list 10.10.10.250
network 10.10.10.0 mask 255.255.255.0
address range 10.10.10.100 10.10.10.120
dns-list 75.75.75.75 75.75.76.76
#
controller Cellular0/0
#
interface Aux0
#
interface NULL0
#
interface GigabitEthernet0/0
port link-mode route
description WAN
ip address 50.78.77.11 255.255.255.248
nat outbound address-group 1 no-pat
ipsec apply policy map1
#
interface GigabitEthernet0/1
port link-mode route
description LAN
ip address 10.10.10.250 255.255.255.0
#
scheduler logfile size 16
#
line class aux
user-role network-admin
#
line class tty
user-role network-operator
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line vty 0 63
user-role network-operator
#
ip route-static 0.0.0.0 0 50.78.77.14
#
acl advanced name NATOut
rule 0 permit ip source 10.10.10.0 0.0.0.255
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
ipsec transform-set calvert
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
nat address-group 1
address 50.78.77.11 50.78.77.11
#
ike keychain keychain1
pre-shared-key address 64.26.88.100 255.255.255.248 key cipher left intentionally blank
#
return

Re: IKE pre-shared key VPN dynamic ip

NickChatz — Wed, 31 Aug 2016 12:01:42 GMT

Hi there ,

i made a small research regarding fips and found these steps..maybe they apply to your case :

Steps to enable FIPS mode:

Follow the procedure in the following article to enable FIPS mode on firewall 1: How to Enable or Disable (Common Criteria) CCEAL4 Mode ( //live.paloaltonetworks.com/t5/Management-Articles/How-to-Enable-or-Disable-Common-Criteria-CCEAL4-Mode/ta-p/58679 )
After you are able to log into the firewall via GUI on Firewall1 on 192.168.1.1, import firewall 1’s exported candidate configuration into the firewall A using WebGUI : Device > Setup > Operations > Import Named Configuration Snapshot.
Note: If the device is being managed from Panorama, then import the device state: (WebGUI) Device -> Setup -> Operations -> Import Device State.
Make sure you have a local admin account configured with a known password so that we are still able to manage the device after committing.
Make sure HA is enabled and HA encryption keys are exchanged again between firewall 1 and firewall 2 using the method in this article: How to enable encryption on HA1 in high availability configurations.
Make sure HA preemption is turned off and HA settings are properly there.
After verifying configuration, make sure network cables are disconnected on this firewall. This will prevent any split brain situation in the network.
Commit the changes, and if the commit goes through, connect the management port back to the network so that you can connect back to original management IP to regain access to the firewall.
After logging in again, check the HA status and suspend the local device via the CLI:
> request high-availability state suspend
Update the Licenses, Content and Antivirus database, URL database to the required version. WildFire registration might fail because the device is in suspended state, so ignore for now.
If Panorama is involved, on the Panorama, change the template operational mode to FIPS, or Common Critera. Performing a local commit is optional.
Verify, under managed devices, that Firewall1 shows as connected, then do a Device Group commit to Firewall1.
Make sure all settings are properly pushed to the firewall.
Connect the network cables on Firewall1, put Firewall1 in functional mode, and suspend Firewall2 via the CLI.
> request high-availability state functional (On Firewall1)
> request high-availability state suspend (On Firewall2)
Now the Firewall1 should be active. Verify that traffic is passing through the device. Download the WildFire package, and verify that the registration is working and status is okay. Wildfire Configuration, Testing, and Monitoring
Repeat steps 1 to 12 for firewall 2.
Put the Firewall2 in a functional state after verifying everything is in sync and sessions are also synced between the two firewalls.
Download the WildFire package on firewall 2, and verify that the registration is working and the status. Wildfire Configuration, Testing, and Monitoring
Test the failover by suspending device B, and make sure the tcp-reject-non-syn is enabled again.

Re: IKE pre-shared key VPN dynamic ip

tmoez — Wed, 31 Aug 2016 13:31:58 GMT

Thank you for the quick reply. I"m good on the Palo Alto side, it's the MSR2003 side that I'm stuck on.

Re: IKE pre-shared key VPN dynamic ip

NickChatz — Wed, 31 Aug 2016 14:43:34 GMT

Oh ok good then. What's your current firmware version?

maybe this can help you --> http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=mmr_kc-0127033

Re: IKE pre-shared key VPN dynamic ip

Ian Vaughan — Wed, 31 Aug 2016 20:35:16 GMT

Howdy,

Just a couple of things -

1) If you can only see DES and SHA and no AES could it be because you haven't generated your (free) High-Encryption license and installed the key? There are restrictions on who can download a license key to enable the higher grade ciphers & algorythms based on your country of residence. You can get hold of this license by registering your device in the "My Networking" portal (sign in with your HPE Passport credentials) and if you are entitled to the license it should appear in "My Licenses" ready for download.

2) Check the Blog post that Phil Kennedy, one of our UK MASE Engineers, put together - it's a Cisco MSR inter-op example that you should be able to adapt to your use case.

Let us know how you get on and give us some feedback.

Thanks

Ian