Exam PCNSE
Question 437

An engineer troubleshooting a site-to-site VPN finds a Security policy dropping the peer’s IKE traffic at the edge firewall. Both VPN peers are behind a NAT, and NAT-T is enabled.

How can the engineer remediate this issue?

    Correct Answer: C

    When troubleshooting a site-to-site VPN where both peers are behind a NAT and NAT-T is enabled, it is crucial to ensure that all necessary traffic types are permitted. The IPSec application includes IKE traffic on UDP port 500, as well as traffic on UDP ports 4500 (used when NAT-T is enabled) and 4501. Therefore, adding a Security policy to allow the IPSec application ensures that all required components (IKE, ipsec-ah, ipsec-esp, and ipsec-esp-udp) are allowed, comprehensively addressing the VPN traffic requirements.

Discussion
MrR0bot (Option: C)

Looks like it should be C according to the link below: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFRCA0
The ipsec application contains the following sub-apps: ike, ipsec-ah, ipsec-esp, ipsec-esp-udp (NAT-T). The sub-apps above are allowed implicitly when the ipsec application is configured as allowed.

Rowdy_47 (Option: C)

A: Add a Security policy to allow UDP/500 - will not work; as stated by others, when NAT-T is enabled it will also use UDP/4500. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC "To check if NAT-T is enabled, packets will be on port 4500 instead of 500 from the 5th and 6th messages of main mode."

B: Add a Security policy to allow the IKE application - will not work as per the above.

D: Add a Security policy to allow UDP/4501 - will not work as per the above.

C: Add a Security policy to allow the IPSec application - having checked on PANOS 10.2, the IPSec application has 4 sub(?) applications:
- ike (Standard Ports: tcp/500, udp/500)
- ipsec-ah (Standard Ports: IP Protocol 51)
- ipsec-esp (Standard Ports: IP Protocol 50)
- ipsec-esp-udp (Standard Ports: udp/4500, udp/4501)
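
The App-ID mapping listed in Rowdy_47's post above, turned into a small coverage check (an added example, not code from the exam site or from Palo Alto Networks): it expands the ipsec application into its sub-apps and tests which of the four candidate rules passes every flow a tunnel needs. The port-to-app table and the two-flow model of a NAT-T tunnel (udp/500 for the opening IKE messages, udp/4500 for IKE after NAT detection and for ESP-in-UDP) are assumptions taken from the thread and the quoted KB article, not a PAN-OS API.

```python
# Added example: models the App-ID hierarchy quoted in the thread (PAN-OS 10.2)
# and checks which candidate rule covers a NAT-T site-to-site tunnel.
# Flows are (transport, number); "ip" marks a raw IP protocol (AH=51, ESP=50).
# Table and flow model are assumptions from the discussion, not a PAN-OS API.
APP_FLOWS = {
    "ike":           {("tcp", 500), ("udp", 500)},
    "ipsec-ah":      {("ip", 51)},                    # AH, IP protocol 51
    "ipsec-esp":     {("ip", 50)},                    # ESP, IP protocol 50
    "ipsec-esp-udp": {("udp", 4500), ("udp", 4501)},  # IKE/ESP inside UDP (NAT-T)
}
# The ipsec application implicitly allows its sub-apps (per the KB article quoted above).
SUB_APPS = {"ipsec": ("ike", "ipsec-ah", "ipsec-esp", "ipsec-esp-udp")}

def expand_app(app):
    """Flows allowed by an App-ID rule for `app`, including implicit sub-apps."""
    flows = set(APP_FLOWS.get(app, ()))
    for sub in SUB_APPS.get(app, ()):
        flows |= expand_app(sub)
    return flows

def required_flows(nat_t):
    """Flows the edge firewall must pass for the tunnel to come up.
    With NAT-T the peers detect the NAT in main mode and move IKE to
    udp/4500 from messages 5 and 6 onward; ESP is then carried in UDP 4500.
    Without NAT-T, IKE stays on udp/500 and ESP is raw IP protocol 50."""
    if nat_t:
        return {("udp", 500), ("udp", 4500)}
    return {("udp", 500), ("ip", 50)}

def rule_allows(rule, nat_t):
    """rule is ("app", name) or ("service", transport, port)."""
    allowed = expand_app(rule[1]) if rule[0] == "app" else {(rule[1], rule[2])}
    return required_flows(nat_t) <= allowed

# The four answer options expressed as policy match objects.
CANDIDATES = {
    "A": ("service", "udp", 500),
    "B": ("app", "ike"),
    "C": ("app", "ipsec"),
    "D": ("service", "udp", 4501),
}

def evaluate(nat_t=True):
    """Map each option letter to whether its rule passes every required flow."""
    return {opt: rule_allows(rule, nat_t) for opt, rule in CANDIDATES.items()}

if __name__ == "__main__":
    print("NAT-T on: ", evaluate(True))   # only C covers udp/500 and udp/4500
    print("NAT-T off:", evaluate(False))  # C still the only one (ESP needs ipsec-esp)
```

Under this model a bare ike rule (option B) fails as soon as the peers move to udp/4500, which is exactly the symptom the KB quote describes.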

Mocix

I checked with 11.0.0 and ike is not under ipsec.

Pacheco

Check again because it's there ;)

TheIronSheik

FWIW, this was a PCNSE test question in Jan 2023.

kewokil120 (Option: C)

adding my vote

jhoncena (Option: C)

Should be C as it will include other sub APPs... IKE 500 for answer A is not right as NAT-T is enabled

Rowdy_47 (Option: C)

adding my vote

sov4 (Option: C)

Should be C. Tested in my lab. The IPSec app contains ike, ipsec-ah, ipsec-esp, and ipsec-udp, which covers everything in the question.

GohanF2 (Option: B)

I had done this before, and it works by just allowing the IKE application in the policy rule. I will vote for B

Mershad (Option: B)

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC

ali_sh85 (Option: B)

Answer should be B; it is dropping the IKE, and also NAT-T works on port 4500, not 4501.

nolox (Option: B)

In Objects > Applications it can be seen that ike app uses tcp/500 and/or udp/500 and that it doesn't depend on any other app (for example ipsec). Since PA is always recommending to use app ID I would choose B.

Marshpillowz (Option: C)

Answer is C

JRKhan (Option: C)

I believe it's safe to allow the IPsec application, which will encompass both udp/500 and udp/4500, udp/4501.

Metgatz (Option: C)

Ipsec apps include ike and the other ipsec. Option C

DenskyDen (Option: B)

I believe it is B, because as mentioned above NAT-T is enabled, so packets will be on port 4500 instead of 500 from the 5th and 6th messages of main mode. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC

normc (Option: B)

Answering the question, which only asks about IKE, would be B. Best practice is to use APP-ID, not service for UDP/500.

normc

Actually, I misread the question with NAT-T included. IPsec virtual private network clients use NAT traversal in order to have Encapsulating Security Payload packets traverse NAT. IPsec uses several protocols in its operation which must be enabled to traverse firewalls and network address translators. Answer should be C.