https://live.paloaltonetworks.com/t5/general-topics/vpn-site-to-site-ipsec-tunnel-not-working/m-p/484881#M104467 <P>Hi Pavel,<BR /><BR />I'm able to capture the traffic now. Many thanks again!</P> Wed, 04 May 2022 14:03:09 GMT smshafek 2022-05-04T14:03:09Z https://live.paloaltonetworks.com/t5/general-topics/vpn-site-to-site-ipsec-tunnel-not-working/m-p/484810#M104458 <P>Hello,<BR /><BR />I've configured a VPN Tunnel from a PA220 to a PA200. They are able to ping each other but I don't see any ESP Packets in Wireshark. What should I do to get the packets to be encapsulated?<BR /><BR />Many thanks in advanced.</P> Wed, 04 May 2022 12:41:24 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-site-to-site-ipsec-tunnel-not-working/m-p/484810#M104458 smshafek 2022-05-04T12:41:24Z https://live.paloaltonetworks.com/t5/general-topics/vpn-site-to-site-ipsec-tunnel-not-working/m-p/484842#M104459 <P>Thank you for the post&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/217724">@smshafek</a></P><P>&nbsp;</P><P>if you see the ipsec tunnel up with packets being encapsulated/decapsulated and routing is set correctly to go through tunnel, there is no other extra step to do for traffic to be encapsulated. Could you please confirm how did you take packet capture? What interface did you use to capture traffic?</P><P>&nbsp;</P><P>Kind Regards</P><P>Pavel</P> Wed, 04 May 2022 13:14:29 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-site-to-site-ipsec-tunnel-not-working/m-p/484842#M104459 PavelK 2022-05-04T13:14:29Z https://live.paloaltonetworks.com/t5/general-topics/vpn-site-to-site-ipsec-tunnel-not-working/m-p/484870#M104464 <P>Hi Pavel,<BR /><BR />I'm capturing traffic on the two hosts. One connected to the LAN of PA220 and the other to the LAN of PA200.<BR /><BR />Best regards</P> Wed, 04 May 2022 13:37:04 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-site-to-site-ipsec-tunnel-not-working/m-p/484870#M104464 smshafek 2022-05-04T13:37:04Z https://live.paloaltonetworks.com/t5/general-topics/vpn-site-to-site-ipsec-tunnel-not-working/m-p/484878#M104466 <P>Thank you for reply&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/217724">@smshafek</a></P><P>&nbsp;</P><P>The ipsec tunnel between two PA Firewalls does not provide host to host end to end encryption. You will only see ESP traffic on interfaces that are used to build ipsec tunnel. This is typically WAN interface of the Firewall. You can refer to this in ike gateway configuration.</P><P>&nbsp;</P><P>If you want to do further verification of the tunnel configuration, I would recommend to take a look into this KB:&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTbCAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTbCAK</A>&nbsp;Please refer to the section: "Tunnel is up but the traffic is not passing". In the output from: "show vpn flow tunnel-id &lt;tunnel id&gt;" the inner interface is where naked traffic comes in and outer interface is where you will only see ESP traffic.</P><P>&nbsp;</P><P>Kind Regards</P><P>Pavel</P> Wed, 04 May 2022 13:59:31 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-site-to-site-ipsec-tunnel-not-working/m-p/484878#M104466 PavelK 2022-05-04T13:59:31Z https://live.paloaltonetworks.com/t5/general-topics/vpn-site-to-site-ipsec-tunnel-not-working/m-p/484881#M104467 <P>Hi Pavel,<BR /><BR />I'm able to capture the traffic now. Many thanks again!</P> Wed, 04 May 2022 14:03:09 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-site-to-site-ipsec-tunnel-not-working/m-p/484881#M104467 smshafek 2022-05-04T14:03:09Z