https://live.paloaltonetworks.com/t5/general-topics/ip-sec-vpn-paloalto-starlink/m-p/537619#M110393 <P><SPAN><SPAN class="ui-provider gp b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak">Thank you for your response. Both sides have policies that permit traffic to/from the tunnel zone. I have another circuit that works with no issues at this site. However, when getting the screenshots you requested I noticed that on Starlink most of the traffic goes Interzone-default policy and is denied.</SPAN></SPAN></P> <P>&nbsp;</P> Tue, 04 Apr 2023 16:30:04 GMT CraigSmith2 2023-04-04T16:30:04Z https://live.paloaltonetworks.com/t5/general-topics/ip-sec-vpn-paloalto-starlink/m-p/536637#M110234 <P>I'm testing Starlink business and having issues passing traffic over my tunnel. This remote site connects to our data center via an IPsec tunnel. I can get the tunnel up and traceroute to the remote side of the tunnel, but I'm unable to pass traffic. I have "<SPAN>Enable NAT Traversal" selected on my IKE Gateway. The Starlink is set to IP passthrough.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Any help would be appreciated.</SPAN></P> Mon, 27 Mar 2023 16:16:46 GMT https://live.paloaltonetworks.com/t5/general-topics/ip-sec-vpn-paloalto-starlink/m-p/536637#M110234 CraigSmith2 2023-03-27T16:16:46Z https://live.paloaltonetworks.com/t5/general-topics/ip-sec-vpn-paloalto-starlink/m-p/536646#M110236 <P>If you can traceroute to other side over the tunnel it means that some traffic does cross the tunnel successfully right?</P> Mon, 27 Mar 2023 18:23:39 GMT https://live.paloaltonetworks.com/t5/general-topics/ip-sec-vpn-paloalto-starlink/m-p/536646#M110236 Raido_Rattameister 2023-03-27T18:23:39Z https://live.paloaltonetworks.com/t5/general-topics/ip-sec-vpn-paloalto-starlink/m-p/536828#M110255 <P>Yes, I agree, however, I'm unable to ping the management interface of the PA-220. Also from the remote side, I can't ping the gateway that is on the PA-220 for any of my vlans and my Cisco phones do not register.&nbsp;</P> <P>&nbsp;</P> Tue, 28 Mar 2023 20:33:09 GMT https://live.paloaltonetworks.com/t5/general-topics/ip-sec-vpn-paloalto-starlink/m-p/536828#M110255 CraigSmith2 2023-03-28T20:33:09Z https://live.paloaltonetworks.com/t5/general-topics/ip-sec-vpn-paloalto-starlink/m-p/536839#M110261 <P>Both sides have Palo?</P> <P>Do you have access to firewalls on both side?</P> Wed, 29 Mar 2023 00:59:20 GMT https://live.paloaltonetworks.com/t5/general-topics/ip-sec-vpn-paloalto-starlink/m-p/536839#M110261 Raido_Rattameister 2023-03-29T00:59:20Z https://live.paloaltonetworks.com/t5/general-topics/ip-sec-vpn-paloalto-starlink/m-p/536929#M110278 <P>Yes, both sides have Palo Altos. When I'm on-site I have access to both firewalls. I have to unplug the Starlink cable to keep my other tunnel running.</P> Wed, 29 Mar 2023 15:31:14 GMT https://live.paloaltonetworks.com/t5/general-topics/ip-sec-vpn-paloalto-starlink/m-p/536929#M110278 CraigSmith2 2023-03-29T15:31:14Z https://live.paloaltonetworks.com/t5/general-topics/ip-sec-vpn-paloalto-starlink/m-p/536935#M110282 <P>Check firewall policies on both sides if they permit traffic to/from tunnel zone.</P> <P>Can you share screenshot of working and not working traffic log from both sides and have at least those columns visible.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Raido_Rattameister_0-1680104836923.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/49114iE7E1CF5467CE4559/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Raido_Rattameister_0-1680104836923.png" alt="Raido_Rattameister_0-1680104836923.png" /></span></P> <P>&nbsp;</P> Wed, 29 Mar 2023 15:48:33 GMT https://live.paloaltonetworks.com/t5/general-topics/ip-sec-vpn-paloalto-starlink/m-p/536935#M110282 Raido_Rattameister 2023-03-29T15:48:33Z https://live.paloaltonetworks.com/t5/general-topics/ip-sec-vpn-paloalto-starlink/m-p/537619#M110393 <P><SPAN><SPAN class="ui-provider gp b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak">Thank you for your response. Both sides have policies that permit traffic to/from the tunnel zone. I have another circuit that works with no issues at this site. However, when getting the screenshots you requested I noticed that on Starlink most of the traffic goes Interzone-default policy and is denied.</SPAN></SPAN></P> <P>&nbsp;</P> Tue, 04 Apr 2023 16:30:04 GMT https://live.paloaltonetworks.com/t5/general-topics/ip-sec-vpn-paloalto-starlink/m-p/537619#M110393 CraigSmith2 2023-04-04T16:30:04Z https://live.paloaltonetworks.com/t5/general-topics/ip-sec-vpn-paloalto-starlink/m-p/537654#M110398 <P>Hello,</P> <P>Do you have policies in place to allow the traffic to flow via the tunnel? Also how is the 'default', 0.0.0.0/0 route getting advertised on the 'remote' side, or is it a static route?</P> <P>Regards,</P> Tue, 04 Apr 2023 21:37:41 GMT https://live.paloaltonetworks.com/t5/general-topics/ip-sec-vpn-paloalto-starlink/m-p/537654#M110398 OtakarKlier 2023-04-04T21:37:41Z https://live.paloaltonetworks.com/t5/general-topics/ip-sec-vpn-paloalto-starlink/m-p/537655#M110399 <P>Hello,</P> <P>Sorry I didnt see the traffic screen shots before. But it looks like there are missing policies so the traffic is hitting the 'default' policies.</P> <P>Regards,</P> Tue, 04 Apr 2023 21:39:45 GMT https://live.paloaltonetworks.com/t5/general-topics/ip-sec-vpn-paloalto-starlink/m-p/537655#M110399 OtakarKlier 2023-04-04T21:39:45Z https://live.paloaltonetworks.com/t5/general-topics/ip-sec-vpn-paloalto-starlink/m-p/572006#M115126 <P>I'm having the same problem. It dosn't happen all the time. I think it has to do with esp traffic being blocked&nbsp;</P> Sat, 06 Jan 2024 23:35:54 GMT https://live.paloaltonetworks.com/t5/general-topics/ip-sec-vpn-paloalto-starlink/m-p/572006#M115126 ChrisThornton 2024-01-06T23:35:54Z https://live.paloaltonetworks.com/t5/general-topics/ip-sec-vpn-paloalto-starlink/m-p/572060#M115133 <P>Is there any solution<A href="https://cuyahogacountyauditor.site" target="_self">.</A>?</P> Tue, 09 Jan 2024 07:05:20 GMT https://live.paloaltonetworks.com/t5/general-topics/ip-sec-vpn-paloalto-starlink/m-p/572060#M115133 Pollack32 2024-01-09T07:05:20Z https://live.paloaltonetworks.com/t5/general-topics/ip-sec-vpn-paloalto-starlink/m-p/572091#M115135 <P>Hello,</P> <P>For the policy that handles the VPN traffic, do not perform and inspections or ssl decryption, etc. Basically allow all traffic to/from the two IP's that are the VPN endpoints and see how that works out. My guess is that there is UDP traffic getting blocked/dropped.</P> <P>Regards,</P> Mon, 08 Jan 2024 15:36:47 GMT https://live.paloaltonetworks.com/t5/general-topics/ip-sec-vpn-paloalto-starlink/m-p/572091#M115135 OtakarKlier 2024-01-08T15:36:47Z https://live.paloaltonetworks.com/t5/general-topics/ip-sec-vpn-paloalto-starlink/m-p/595790#M118550 <P>Sorry for not responding. I abandoned this project.</P> <P>Yes the routes are static and looking back at my screenshots I think you are correct that policies were missing.&nbsp;</P> <P>&nbsp;</P> <P>I'm considering trying StarLink again, I was reviewing what went wrong. Thank you for your help.</P> Fri, 23 Aug 2024 17:50:01 GMT https://live.paloaltonetworks.com/t5/general-topics/ip-sec-vpn-paloalto-starlink/m-p/595790#M118550 CraigSmith2 2024-08-23T17:50:01Z https://live.paloaltonetworks.com/t5/general-topics/ip-sec-vpn-paloalto-starlink/m-p/606906#M120467 <P>We had the same issue and StarLink confirmed the following so we are looking into a solution</P> <P>&nbsp;</P> <P>ESP packets are dropped.</P> <P>VPNs that rely on protocols 47 (GRE), 50 (ESP), 51 (AH), 115 (L2TP) are dropped by CGNAT at this time.</P> Fri, 18 Oct 2024 15:24:44 GMT https://live.paloaltonetworks.com/t5/general-topics/ip-sec-vpn-paloalto-starlink/m-p/606906#M120467 dkaliel 2024-10-18T15:24:44Z https://live.paloaltonetworks.com/t5/general-topics/ip-sec-vpn-paloalto-starlink/m-p/1225070#M123810 <P>Just going to chime in for folks like myself who have limited choices. I found a good article on a competitor site that helped me and i managed to get a site to site up thru starlink residential.</P> <P>my setup is PA--&gt;FTG--&gt;Starlink---&gt;ISP---&gt;PA Corp.&nbsp;</P> <P>PA on Corp side is in passive mode since it has the static ip</P> <P>Both PAs are running ikev1 in aggressive mode with NAT-T</P> <P>The FTG in my case is just acting like a service provider</P> <P>&nbsp;</P> <P><A href="https://community.fortinet.com/t5/Support-Forum/IPSEC-tunnels-behind-CGNAT-Starlink/m-p/226976" target="_blank" rel="noopener">https://community.fortinet.com/t5/Support-Forum/IPSEC-tunnels-behind-CGNAT-Starlink/m-p/226976</A></P> <P><A href="https://www.starlink.com/support/article/aa5aecf3-e97c-e84e-3f87-8d2ecdfde857" target="_blank" rel="noopener">https://www.starlink.com/support/article/aa5aecf3-e97c-e84e-3f87-8d2ecdfde857</A></P> <P>&nbsp;</P> <P>I am a bit curious if anyone has run any testing to see if any of the ports are blocked per the article from starlink below? I would think the traffic thru the vpn would be immune to this.</P> <P><A href="https://www.starlink.com/support/article/c3caacdf-1c1f-98db-b821-bbb36ca9d89b" target="_blank" rel="noopener">https://www.starlink.com/support/article/c3caacdf-1c1f-98db-b821-bbb36ca9d89b</A></P> Sat, 29 Mar 2025 01:50:46 GMT https://live.paloaltonetworks.com/t5/general-topics/ip-sec-vpn-paloalto-starlink/m-p/1225070#M123810 PktBlocker 2025-03-29T01:50:46Z