IPSEC with Azure Gateway
IKE Best Practice with Azure IPSEC Gateway
Issue: Intermittent IPsec SA disconnects; packet loss; TLSi disabled.
Symptoms:
- Timeline shows 'unable to decrypt' packets intermittently, resulting in asymmetric traffic.
- TLS Inspection intermittently shows as disabled in CMA events.
- Intermittently, the session with a server / host behind the Azure IPsec gateway is lost.
- Correspondingly, the IPsec Timeline shows the following in the logs:
Unable to decrypt packet - ignoring
Error parsing or unsupported parameters in an incoming packet
Environment:
IPsec tunnel with Azure Gateway, GCM used as the encryption algorithm, and Phase 1 timers such that Azure is the initiator for rekeying.
The larger picture - while using GCM with IKE timers set to default / matching values [3600sec (p1) and 28800sec (p2)], this issue is observed whenever the Azure gateway is the initiator of the IKE Phase 1 tunnel. Cato receives a malformed packet from Azure that Cato is unable to decrypt, and the corresponding message is written to the IPsec Timeline (Timeline message shown above). Refer to the articles below on where to find timelines and pcaps in the CMA.
Whenever you see similar symptoms, the recommendation is to keep the P1 lifetime on Cato at its default of 19800sec (5.5 hrs), i.e. lower than the Azure default of 28800 sec (8 hrs). This ensures that Cato is always the initiator of the P1 rekey of the tunnel. Another workaround is to use an encryption algorithm other than GCM.
Our IPsec has been implemented by some of our largest customers with 100+ sites across the globe and is proven to be compatible with industry standard SD-WAN vendors. The issue is not seen only with Cato as the peer: lab tests confirmed the same behavior with a Juniper SRX or Fortinet device as the peer of the Azure IPsec gateway. Cato maintains its own IPsec suite, built from scratch and compliant with IKE standards.
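As an added illustration (not Cato's or Azure's code), the check below decides which peer will initiate the Phase 1 rekey from the two lifetimes, flags the GCM plus non-Cato-initiator combination described above, and counts the two symptom messages in a constructed sample of Timeline lines; the timestamp prefix and SA-established lines in the sample are assumptions.

```python
import re
from typing import Dict

# Constructed sample IPsec Timeline lines modelled on the two messages quoted
# in the article; the timestamp prefix and SA-established lines are assumptions.
SAMPLE_TIMELINE = """\
2024-05-01T10:00:02Z IKE Phase1 SA established (initiator=peer)
2024-05-01T10:00:05Z Unable to decrypt packet - ignoring
2024-05-01T10:00:06Z Error parsing or unsupported parameters in an incoming packet
2024-05-01T10:00:09Z Unable to decrypt packet - ignoring
2024-05-01T10:05:00Z IKE Phase1 SA established (initiator=local)
"""

# The two Timeline messages the article associates with the problem.
DECRYPT_FAILURE_PATTERNS = (
    re.compile(r"Unable to decrypt packet - ignoring"),
    re.compile(r"Error parsing or unsupported parameters in an incoming packet"),
)
AZURE_DEFAULT_P1_LIFETIME = 28800  # seconds, as stated in the article
CATO_DEFAULT_P1_LIFETIME = 19800   # seconds, as stated in the article


def count_decrypt_failures(timeline: str) -> int:
    """Count Timeline lines that match either symptom message."""
    return sum(1 for line in timeline.splitlines()
               if any(p.search(line) for p in DECRYPT_FAILURE_PATTERNS))


def phase1_rekey_initiator(cato_p1: int, azure_p1: int) -> str:
    """The peer whose IKE SA lifetime expires first initiates the Phase 1 rekey;
    equal lifetimes leave it to timing, which in the article's case meant Azure."""
    if cato_p1 < azure_p1:
        return "cato"
    return "azure" if azure_p1 < cato_p1 else "either"


def assess_site(cato_p1: int, encryption: str, timeline: str,
                azure_p1: int = AZURE_DEFAULT_P1_LIFETIME) -> Dict[str, object]:
    """Flag the GCM + non-Cato-initiated-rekey combination and report evidence."""
    initiator = phase1_rekey_initiator(cato_p1, azure_p1)
    at_risk = "GCM" in encryption.upper() and initiator != "cato"
    if at_risk:
        fix = (f"set Cato P1 lifetime to {CATO_DEFAULT_P1_LIFETIME}s (below Azure's "
               f"{azure_p1}s) or switch to a non-GCM encryption algorithm")
    else:
        fix = "no change required"
    return {"p1_initiator": initiator, "at_risk": at_risk,
            "decrypt_failures": count_decrypt_failures(timeline),
            "recommendation": fix}
```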
Reference articles:
- Did you know? - IPSEC Timelines and PCAP | Cato Connect
- https://support.catonetworks.com/hc/en-us/articles/4413280512785-Advanced-Configurations-for-a-Site
- https://support.catonetworks.com/hc/en-us/articles/4413273472145-Configuring-IPsec-IKEv1-Sites
- https://support.catonetworks.com/hc/en-us/articles/360001688857-Cato-IPsec-Guide-IKEv1-vs-IKEv2
- https://support.catonetworks.com/hc/en-us/articles/16203875505565-IPsec-Site-Connectivity-Troubleshooting
- https://support.catonetworks.com/hc/en-us/articles/11013259398301-Troubleshooting-IPsec-Connectivity