topic Re: DHCP address assignment for Global Protect VPN in GlobalProtect Discussions

DHCP address assignment for Global Protect VPN

RussMc — Thu, 29 Jul 2021 18:13:51 GMT

All,

I am working on a PA-220 LAB, in preparation for a PA 820 rollout. I have setup and configured my Global protect VPN. When it comes to DHCP, I know I can't use my DHCP servers but have to rely on DHCP from the firewall. That is OK. My question is this:

For my VPN users, If I create a DHCP scope in Network>GatewayS>MyGateway>Agent>Client Settings>Configs>IP Pools>IP Pool, and the DHCP addresses are not sub set of an existing Ethernet Interface\sub-interface, will I have to create a layer 3 sub interface so the VPN traffic is routed correctly? IE; all Interfaces\sub interfaces are 10.0.x.x and I want VPN addresses to be 192.168.x.x. Will I need to create a layer 3 interface for the 192.168.x.x so traffic flows correctly?

I am sure this is simple but I want to make sure I do it correctly in the building\testing stage

Re: DHCP address assignment for Global Protect VPN

laurence64 — Fri, 30 Jul 2021 09:30:52 GMT

Hi @RussMc

Yes you will need a L3 interface and a zone if you want to land the tunnel in a isolated zone.

Re: DHCP address assignment for Global Protect VPN

RussMc — Fri, 30 Jul 2021 14:41:42 GMT

Thank you. I will add it and test this weekend.

Re: DHCP address assignment for Global Protect VPN

RussMc — Tue, 17 Aug 2021 17:47:02 GMT

Ok, I added the L3 interface and added the VLAN to my switches and committed all changes. I can connect to VPN by computer but not by an app on my iPhone (I do have the correct licensing for the GP app). The error I get is " The network connection is unreachable or the gateway is unresponsive.

Also, when I have a laptop successfully connected to the VPN, I can't seem to get to any VLAN's on my network. I do have the VLAN's identified in the split tunnel. I tried adding the VLA's individually as well as specifying 0.0.0.0/0 to no avail.

Any thoughts or suggestions?

Re: DHCP address assignment for Global Protect VPN

Mick_Ball — Tue, 17 Aug 2021 20:00:42 GMT

You will need to add a security policy allowing traffic from the GP tunnel zone to your lan interface zone.

Re: DHCP address assignment for Global Protect VPN

laurence64 — Wed, 18 Aug 2021 07:26:52 GMT

Absolutely as @Mick_Ball says, you need to treat the Global protect environment as you would any other so

Tunnel interface that lands either in your inside network or a DMZ or wherever you want
Zone for the Tunnel interface
Rules allowing your users to access the resources they need using Zones and policies
NAT rules if you want to go out to the internet through the Firewall (as opposed to breakout locally)

Using the 0.0.0.0/0 route will tunnel everything back to the Gateway so you may want to just use the subnets that you require.

Re: DHCP address assignment for Global Protect VPN

RussMc — Wed, 18 Aug 2021 14:36:11 GMT

For testing purposes, I have the tunnel added to my untrusted (Internet) zone and set on my gateway configuration. In the past, this has worked just fine with all applicable VLAN's added to the split tunnel.

Re: DHCP address assignment for Global Protect VPN

Mick_Ball — Wed, 18 Aug 2021 15:48:39 GMT

Are the vlans you mentioned external or internal

Re: DHCP address assignment for Global Protect VPN

RussMc — Wed, 18 Aug 2021 16:12:39 GMT

All internal.

Re: DHCP address assignment for Global Protect VPN

RussMc — Thu, 19 Aug 2021 13:11:24 GMT

OK, I have the VPN client working now on the client PC's & MAC's. I forwent adding the tunnel to my untrusted (Internet) zone and went with Mick's suggestion. I created a new zone, configured the tunnel, and added a security policy and access to the VLAN's works just fine. The only issue I have is our iPhones will not connect to the VPN. I still get the following error:

Gateway <My Gateway>: The network connection is unreachable or the gateway is unresponsive. Check the network connection and reconnect.

Could this be caused by the self signed certificate I am using for testing (I will have a real, valid cert in production)? If this is the case, I guess I am looking for validation since I ran out of time until this weekend to do more testing. I found this article:

https://medium.com/collaborne-engineering/self-signed-certificates-in-ios-apps-ff489bf8b96e

Thoughts on if will resolve the issue?

Re: DHCP address assignment for Global Protect VPN

Mick_Ball — Thu, 19 Aug 2021 20:22:40 GMT

Do you have the required gateway subscription for mobile devices?

ios works differently from windoze with cert stuff... i only have trusted certs so cannot test but when i use ip address for portal i get ...

the network is unreachable or the portal is unresponsive....

not sure why you get the gateway error....

anyhows... try the fix yo have as you will need to trust your ssigned cert...

laters...

Re: DHCP address assignment for Global Protect VPN

RussMc — Fri, 20 Aug 2021 15:24:37 GMT

I have the required licensing for mobile devices.

From Safari, Chrome, and Firefox, from an iPhone, I can hit the VPN gateway (by IP) and login just fine. Once I do, I see the links to download the appropriate client, though you can't on an idevice... This means all but the App is working fine.

I have the cert loaded and trusted in my device and will test this weekend and report back on Monday. Thank you for all the help and advice.

Re: DHCP address assignment for Global Protect VPN

RussMc — Mon, 23 Aug 2021 15:06:37 GMT

The testing over the weekend was successful. Creating a L3 interface for the VPN traffic, then creating a zone\rules for the traffic to flow and then, installing the cert and trusting it on the iDevice worked perfectly. I was then able to navigate where my rules permitted. I will be obtaining a true, trusted cert for the production rollout. Thanks and Kudos to @Mick_Ball & @laurence64 for all the help.