IKEv2 tunnel IKE Crypto aes-256-cbc sha256 DH 2 PSK works, but when we try to move to any other DH group the tunnel fails. PA-820 PAN-OS 9.1.9
According to Azure documentation, DH Group 14 should be supported, but we were unable to make it work.
Any ideas on what we could be missing?
Thank you very much. We have searched, but not found the documentation on this. You're much more of a PAN guru than I, though.
I tried to find a doc but there's nothing out there regarding PRF on Palo, so it may not be supported after all. Sorry if I got your hopes up :/ I'll ask around.
I understand about md5, but to a certain extent, I just want the proposals to match so the tunnel will come up.
This prf can be configured with the IKEv2 Preferred setting?
Thank you!
PRF is an IKEv2 function which you can achieve by simply setting the IKE gateway to IKEv2 preferred. MD5, however, dates back to the stone age and should not be used.
I don't know. I didn't check over the holiday weekend in the US and when I had him explicitly set it today to DH 14, it magically worked.
I have a different tunnel where the peer tells me that they are using md5 for PRF. I can't find anywhere to set this in the Palo Alto. Is it configurable on a Palo?
Did the debug help?
It was the other side of the tunnel. They had told me that DH 14 was allowed, but that turned out not to be the case.
Thank you for your help!
Interesting, try this:
reaper@PANgurus> debug ike gateway yourgatewayhere on debug
reaper@PANgurus> tail follow yes mp-log ikemgr.log
And then set a higher DH. When negotiation starts you should see all the pairs the remote end wants to support.
It is failing at Phase 1.
Changing only the DH Group in the IKE Crypto to DH 2, allows both phases to come up.
You can debug the ikemgr to see which ciphers are being negotiated and where it is failing. Is it failing at phase 1 or phase 2? In phase 2 you could try GCM instead of CBC, and set DH 19.
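As an added illustration (not part of this thread and not PAN-OS code), the following Python models IKEv2 proposal selection for the situation described above: a local profile of aes-256-cbc / sha256 with DH 14 against a peer that, as it turned out, only offers DH 2. The peer proposal and the transform labels are constructed for the example; it shows that a single transform type with no overlap (here the DH group) is enough to fail Phase 1, and it flags weak agreed transforms such as DH 2 or an MD5 PRF.

```python
# Added example: minimal IKEv2-style proposal matching (RFC 7296 rule that a
# proposal must match in every transform type). Transform labels are
# constructed for illustration, not PAN-OS CLI identifiers.
from typing import Dict, List, Optional

# A proposal lists the transforms a side accepts, per transform type,
# in preference order.
Proposal = Dict[str, List[str]]

# Constructed sample data: the local IKE crypto profile from the thread,
# once with DH 14 and once with DH 2, and a hypothetical peer that only
# supports DH 2 and also offers an MD5 PRF.
LOCAL_DH14: Proposal = {"encr": ["aes-256-cbc"], "integ": ["sha256"],
                        "prf": ["sha256"], "dh": ["14"]}
LOCAL_DH2: Proposal = {"encr": ["aes-256-cbc"], "integ": ["sha256"],
                       "prf": ["sha256"], "dh": ["2"]}
PEER: Proposal = {"encr": ["aes-256-cbc", "aes-128-cbc"],
                  "integ": ["sha256", "sha1"],
                  "prf": ["sha256", "md5"], "dh": ["2"]}

# Transforms to flag as weak if they end up being agreed.
WEAK = {"prf": {"md5"}, "integ": {"md5", "sha1"}, "dh": {"1", "2", "5"}}


def negotiate(local: Proposal, peer: Proposal) -> Optional[Dict[str, str]]:
    """Pick the first transform of each type both sides accept, in local
    preference order. Return None if any type has no overlap, which is
    what a Phase 1 (IKE_SA_INIT) NO_PROPOSAL_CHOSEN failure looks like."""
    chosen: Dict[str, str] = {}
    for ttype, wanted in local.items():
        offered = set(peer.get(ttype, []))
        match = next((t for t in wanted if t in offered), None)
        if match is None:
            return None
        chosen[ttype] = match
    return chosen


def mismatches(local: Proposal, peer: Proposal) -> List[str]:
    """List the transform types with no common value, so the operator knows
    exactly what to confirm with the peer instead of guessing."""
    return [t for t, wanted in local.items()
            if not set(wanted) & set(peer.get(t, []))]


def weak_transforms(chosen: Dict[str, str]) -> List[str]:
    """Report agreed transforms that are considered weak (e.g. dh=2, prf=md5)."""
    return [f"{t}={v}" for t, v in chosen.items() if v in WEAK.get(t, set())]


if __name__ == "__main__":
    print("DH 14:", negotiate(LOCAL_DH14, PEER), "mismatch:", mismatches(LOCAL_DH14, PEER))
    agreed = negotiate(LOCAL_DH2, PEER)
    print("DH 2:", agreed, "weak:", weak_transforms(agreed))
```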