Unable to establish IPSec tunnel from Firewall to the Web Security Service

Article ID: 168374

Products

Web Security Service - WSS

Issue/Introduction

Several firewall-side configuration errors can prevent the IPSec tunnel to the Web Security Service (WSS) from establishing. The most common ones are listed below, with the setting to verify for each.

Cause

  1. Pre-shared key (PSK) on the firewall does not match the PSK configured for the Location in the portal
  2. Incorrect IKE exchange mode (aggressive mode instead of main mode)
  3. A NAT rule is applied to traffic sent to WSS
  4. NAT-T (NAT traversal) is enabled on the firewall
  5. Wrong peer (remote gateway) IP address

Environment

Firewall/VPN

Web Security Service

Resolution

Verify the following:

  1. The PSK entered in the firewall's IPSec configuration must match the PSK configured for the Location in your ThreatPulse (WSS) portal. A mismatched PSK typically appears in the firewall's IKE log as phase 1 failing after the initial exchanges; re-enter the key on both sides rather than comparing it by eye.
  2. The exchange mode must be main mode. WSS does not support aggressive mode.
  3. NAT must be disabled for traffic that is sent to WSS through the tunnel; if the firewall has a general outbound NAT rule, add a NAT exemption (no-NAT) rule for this traffic ahead of it.
  4. NAT-T must be disabled in the firewall's IPSec configuration.
  5. The peer (remote gateway) IP address must be the IP address of the WSS data center you are connecting to, as listed in Data Center IP addresses for Web Security Service.
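Items 2, 4 and 5 above, plus whether the tunnel endpoint address WSS sees is really the firewall's egress IP, can be confirmed from a packet capture on the firewall's WAN interface without waiting for the IKE log. The script below is an added example, not part of this article or of any Symantec/Broadcom tool: it reads `tcpdump -n` style lines (for example from `tcpdump -ni eth0 udp port 500 or udp port 4500 or esp`) and reports aggressive mode, NAT-T encapsulation on UDP/4500, an outer source address that differs from the expected egress IP, and a peer that is not a listed data-center IP. The egress IP, the data-center list and the sample capture lines are constructed placeholders (documentation ranges, not real WSS addresses). A wrong PSK (item 1) and a NAT rule applied to the inner traffic (item 3) are not visible on the wire, so the script does not check them.

```python
"""Flag wire-visible IPSec misconfigurations in a tcpdump capture.

Added example, not from the KB article. Reads `tcpdump -n` lines captured on
the firewall's WAN interface and reports the causes that are visible on the
wire: aggressive mode, NAT-T, an outer source that is not the egress IP, and
a peer that is not a WSS data-center address.
"""
import re

# Assumed values (documentation ranges, not real WSS addresses): the
# firewall's public egress IP and the data-center IPs taken from the portal.
EGRESS_IP = "203.0.113.10"
WSS_DATACENTERS = {"198.51.100.5", "198.51.100.6"}

IPV4 = r"\d+(?:\.\d+){3}"
# tcpdump prints "IP src.port > dst.port: isakmp: phase 1 I ident" for IKEv1
# main mode and "... phase 1 I agg" for aggressive mode. NAT-T traffic is on
# UDP/4500 and carries a "NONESP-encap:" (IKE) or "UDP-encap:" (ESP) prefix.
UDP_RE = re.compile(
    rf"^IP (?P<src>{IPV4})\.(?P<sport>\d+) > (?P<dst>{IPV4})\.(?P<dport>\d+): (?P<rest>.*)$")
# Plain ESP (no NAT-T) has no ports: "IP src > dst: ESP(spi=0x...,seq=0x...)"
ESP_RE = re.compile(rf"^IP (?P<src>{IPV4}) > (?P<dst>{IPV4}): ESP\(")


def check_capture(lines, egress_ip=EGRESS_IP, datacenters=WSS_DATACENTERS):
    """Return sorted, de-duplicated findings; [] means nothing visible is wrong."""
    findings = set()
    for line in lines:
        line = line.strip()
        m = UDP_RE.match(line)
        if m:
            rest = m["rest"]
            if not rest.startswith(("isakmp:", "NONESP-encap:", "UDP-encap:")):
                continue  # unrelated UDP traffic (DNS, NTP, ...)
            src, dst = m["src"], m["dst"]
            if "4500" in (m["sport"], m["dport"]) or rest.startswith(("NONESP-encap", "UDP-encap")):
                findings.add("nat_t: IKE/ESP is UDP-encapsulated on port 4500 (NAT-T in use)")
            if re.search(r"phase 1 [IR] agg\b", rest):
                findings.add("aggressive_mode: IKEv1 phase 1 is using aggressive mode")
        else:
            m = ESP_RE.match(line)
            if not m:
                continue
            src, dst = m["src"], m["dst"]
        # Packets from a data center are inbound (our side is dst); anything
        # else is treated as outbound and both ends are checked.
        local, remote = (dst, src) if src in datacenters else (src, dst)
        if local != egress_ip:
            findings.add(f"source_not_egress: tunnel endpoint {local} is not the egress IP {egress_ip}")
        if remote not in datacenters:
            findings.add(f"wrong_peer: {remote} is not a listed WSS data-center IP")
    return sorted(findings)


# Constructed sample captures, not real traffic.
GOOD_CAPTURE = [
    "IP 203.0.113.10.500 > 198.51.100.5.500: isakmp: phase 1 I ident",
    "IP 198.51.100.5.500 > 203.0.113.10.500: isakmp: phase 1 R ident",
    "IP 203.0.113.10 > 198.51.100.5: ESP(spi=0x0001bf2c,seq=0x1), length 132",
]
BAD_CAPTURE = [
    "IP 192.0.2.7.4500 > 198.51.100.9.4500: NONESP-encap: isakmp: phase 1 I agg",
    "IP 192.0.2.7.4500 > 198.51.100.9.4500: UDP-encap: ESP(spi=0x00c0ffee,seq=0x1), length 100",
    "IP 192.0.2.7.53 > 198.51.100.9.53: 12345+ A? example.com. (29)",
]

if __name__ == "__main__":
    for name, capture in (("good", GOOD_CAPTURE), ("bad", BAD_CAPTURE)):
        print(name, check_capture(capture) or ["no wire-visible problem"])
```

Run it against a saved `tcpdump -n` text file by passing the file's lines to `check_capture`, with `EGRESS_IP` and `WSS_DATACENTERS` replaced by your own egress IP and the data-center addresses from the portal. A `source_not_egress` finding means a device between the firewall and WSS is rewriting the tunnel endpoint, which is also the egress IP that support will ask for.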


If these checks do not resolve the problem, contact Technical Support for assistance.

Provide the Cloud Network team with the firewall's IPSec/IKE logs and the firewall's public egress IP address (the tunnel source address as seen by WSS).