topic Re: TLS handshake error when using my IPsec tunnel in General Topics

TLS handshake error when using my IPsec tunnel

KevinHaynes — Tue, 14 Jan 2025 19:39:18 GMT

I have an IPsec tunnel set up between two PAs. Everything showing green and I can ping between the two networks. My problem is that whenever I try to access a Docker container over TLS through the tunnel I receive a TLS handshake error, connection reset by peer. I have tried a variety of fixes including changing the Docker network settings and lowering the MTUs on the interfaces and Docker containers and nothing has fixed it. When I try to access these same containers from within the network, everything works as expected. It also works fine over a Wireguard tunnel that I was using previously.

Re: TLS handshake error when using my IPsec tunnel

BPry — Tue, 14 Jan 2025 22:41:27 GMT

@KevinHaynes,

Have you looked at both PAs and ensured that the traffic is being allowed on both ends? Do you have any restrictions on the container side of things that would prevent the IPs coming across your tunnel from accessing the site?

Re: TLS handshake error when using my IPsec tunnel

KevinHaynes — Wed, 15 Jan 2025 17:39:59 GMT

I have security policies allowing the traffic. Do I need to add Policy Based Forwarding as well? I had thought all along that this was a Docker issue, but I just tried accessing a resource through the tunnel that was not on Docker and got the same connection reset. I am new to PA, so I'm not sure exactly what policies need to be in place allow the traffic through the tunnel.

Re: TLS handshake error when using my IPsec tunnel

KevinHaynes — Fri, 17 Jan 2025 20:05:26 GMT

Tunnel was misconfigured. Followed this video exactly and it worked: https://www.youtube.com/watch?v=GPANrMczTz4 . Had to add some additional security policies to this.