https://live.paloaltonetworks.com/t5/next-generation-firewall/tunnel-inside-of-tunnel/m-p/1225387#M5751 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/540963063">@skey4867</a>&nbsp;,</P> <P>&nbsp;</P> <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/540963063">@skey4867</a>&nbsp;wrote:<BR /> <P>I have a site to site configure and tunnel established between palo alto and juniper vsrx.&nbsp; I am trying to route an IPSec tunnel through the existing tunnel.&nbsp; I am able to ping through the existing tunnels so connectivity exist.&nbsp; I have applied and "ANY/ANY" policy as well.&nbsp; The issue I is the traffic from the "spoke/remote" is able to send the IKEv2 Initiation through the tunnel but the Hub response is never making it back.&nbsp; I see the session in the browser as being sent to the hub but again the return traffic is lost somewhere.&nbsp; If I connect Palo Alto to Palo Alto the inner tunnel establishes just fine through the outter tunnel.&nbsp; If I configure Juniper to Juniper same outcome.&nbsp; No ACL's or anything like that that are applied either.&nbsp;&nbsp;</P> <HR /></BLOCKQUOTE> <P>Are you trying to do some tunnel in a tunnel?<BR /><BR /></P> <P>Also, you can refer to&nbsp;<A href="https://live.paloaltonetworks.com/t5/pancast-episodes/pancast-episode-12-troubleshooting-ipsec-tunnels/ta-p/532287" target="_blank">https://live.paloaltonetworks.com/t5/pancast-episodes/pancast-episode-12-troubleshooting-ipsec-tunnels/ta-p/532287</A>&nbsp;for some initial troubleshooting.</P> <P>&nbsp;</P> <P>Olivier</P> Wed, 02 Apr 2025 04:06:36 GMT ozheng 2025-04-02T04:06:36Z https://live.paloaltonetworks.com/t5/next-generation-firewall/tunnel-inside-of-tunnel/m-p/1225054#M5745 <P>I have a site to site configure and tunnel established between palo alto and juniper vsrx.&nbsp; I am trying to route an IPSec tunnel through the existing tunnel.&nbsp; I am able to ping through the existing tunnels so connectivity exist.&nbsp; I have applied and "ANY/ANY" policy as well.&nbsp; The issue I is the traffic from the "spoke/remote" is able to send the IKEv2 Initiation through the tunnel but the Hub response is never making it back.&nbsp; I see the session in the browser as being sent to the hub but again the return traffic is lost somewhere.&nbsp; If I connect Palo Alto to Palo Alto the inner tunnel establishes just fine through the outter tunnel.&nbsp; If I configure Juniper to Juniper same outcome.&nbsp; No ACL's or anything like that that are applied either.&nbsp;&nbsp;</P> Fri, 28 Mar 2025 22:38:54 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/tunnel-inside-of-tunnel/m-p/1225054#M5745 skey4867 2025-03-28T22:38:54Z https://live.paloaltonetworks.com/t5/next-generation-firewall/tunnel-inside-of-tunnel/m-p/1225387#M5751 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/540963063">@skey4867</a>&nbsp;,</P> <P>&nbsp;</P> <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/540963063">@skey4867</a>&nbsp;wrote:<BR /> <P>I have a site to site configure and tunnel established between palo alto and juniper vsrx.&nbsp; I am trying to route an IPSec tunnel through the existing tunnel.&nbsp; I am able to ping through the existing tunnels so connectivity exist.&nbsp; I have applied and "ANY/ANY" policy as well.&nbsp; The issue I is the traffic from the "spoke/remote" is able to send the IKEv2 Initiation through the tunnel but the Hub response is never making it back.&nbsp; I see the session in the browser as being sent to the hub but again the return traffic is lost somewhere.&nbsp; If I connect Palo Alto to Palo Alto the inner tunnel establishes just fine through the outter tunnel.&nbsp; If I configure Juniper to Juniper same outcome.&nbsp; No ACL's or anything like that that are applied either.&nbsp;&nbsp;</P> <HR /></BLOCKQUOTE> <P>Are you trying to do some tunnel in a tunnel?<BR /><BR /></P> <P>Also, you can refer to&nbsp;<A href="https://live.paloaltonetworks.com/t5/pancast-episodes/pancast-episode-12-troubleshooting-ipsec-tunnels/ta-p/532287" target="_blank">https://live.paloaltonetworks.com/t5/pancast-episodes/pancast-episode-12-troubleshooting-ipsec-tunnels/ta-p/532287</A>&nbsp;for some initial troubleshooting.</P> <P>&nbsp;</P> <P>Olivier</P> Wed, 02 Apr 2025 04:06:36 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/tunnel-inside-of-tunnel/m-p/1225387#M5751 ozheng 2025-04-02T04:06:36Z https://live.paloaltonetworks.com/t5/next-generation-firewall/tunnel-inside-of-tunnel/m-p/1225854#M5772 <P>Hello&nbsp;<SPAN>Olivier,</SPAN></P><P>&nbsp;</P><P><SPAN>Thanks for you reply.&nbsp; Yes I am trying to establish an IPSec tunnel inside and already established IPSec Tunnel.&nbsp; I have attached an example diagram to hopefully outline what I am trying to achieve.&nbsp;&nbsp;</SPAN></P> Mon, 07 Apr 2025 17:12:00 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/tunnel-inside-of-tunnel/m-p/1225854#M5772 skey4867 2025-04-07T17:12:00Z