Comprehensive IPSec VPN Testing and Troubleshooting on Palo Alto Firewalls

Monitor > Logs > System: View system logs for IKE and IPSec negotiation messages.
Monitor > Logs > Traffic: Analyze traffic logs to verify if traffic is passing through the VPN tunnel.
Network > IPSec Tunnels: Check the status of IPSec tunnels and view detailed information.
Network > Network Profiles > Monitor: Configure tunnel monitoring profiles to detect tunnel failures.

Use the following CLI commands for in-depth diagnostics:

For more detailed CLI troubleshooting steps, refer to Palo Alto Networks' documentation on Troubleshooting Site-to-Site VPN Issues Using CLI.

Pre-shared Key Mismatch: Ensure that both peers have the same pre-shared key configured.
Proposal Mismatch: Verify that encryption, authentication, and DH group settings match on both sides.
Firewall Rules: Confirm that security policies allow IKE (UDP 500), NAT-T (UDP 4500), and ESP (protocol 50) traffic.
NAT Traversal: If NAT is involved, ensure that NAT-T is enabled on both peers.
Proxy ID Mismatch: Ensure that the local and remote network definitions (Proxy IDs) match on both peers.
MTU Issues: Adjust the MTU size if fragmentation is causing issues, especially when using IPSec over UDP.

For a detailed guide on troubleshooting IPSec VPN connectivity issues, refer to Palo Alto Networks' knowledge base article on How to Troubleshoot IPSec VPN connectivity issues.

Use packet captures to analyze IKE and IPSec negotiations:

debug ike pcap on: Start packet capture for IKE negotiations.
view-pcap no-dns-lookup yes no-port-lookup yes debug-pcap ikemgr.pcap: View the captured packets.
debug ike pcap off: Stop packet capture.

Ensure to disable packet captures after analysis to conserve system resources.