topic Paloalto routing an IPSEC tunnel to another router in General Topics https://live.paloaltonetworks.com/t5/general-topics/paloalto-routing-an-ipsec-tunnel-to-another-router/m-p/1232460#M124648 <P>Hello, I'm trying to create a tunnel between R1 (OpnSense) and R3 (Sophos), R2 is the Paloalto that NATs a dedicated wan IP to interface1/2 (private TRUST LAN) where is locally connected the Sophos.</P> <P>&nbsp;</P> <P>R1 (Opnsense) &lt;-----&gt;&nbsp; R2 (Paloalto NAT 1:1) &lt;-----&gt; R3 (Sophos)</P> <P>&nbsp;</P> <P>I have setup all the IPSEC IKE2 tunnels on R1 and R3,&nbsp; on R2 i did the NAT1:1 with Dinamic IP and Port on both inbound and outbound sides,&nbsp; so the clients on R3 have the Public IP that i set,&nbsp; the NAT is working fine with the TCP ports.</P> <P>&nbsp;</P> <P>NAT</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="alexcoxie_0-1750750937204.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/68154i33EBB3DA5A7687FF/image-size/medium?v=v2&amp;px=400" role="button" title="alexcoxie_0-1750750937204.png" alt="alexcoxie_0-1750750937204.png" /></span></P> <P>Security (86 apps seen)</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="alexcoxie_1-1750751072579.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/68155iD6DEF251F2431643/image-size/medium?v=v2&amp;px=400" role="button" title="alexcoxie_1-1750751072579.png" alt="alexcoxie_1-1750751072579.png" /></span></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="alexcoxie_2-1750751152487.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/68156i9231AE93363C1D95/image-size/medium?v=v2&amp;px=400" role="button" title="alexcoxie_2-1750751152487.png" alt="alexcoxie_2-1750751152487.png" /></span></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="alexcoxie_3-1750751174390.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/68157iB8835492DC8848F2/image-size/medium?v=v2&amp;px=400" role="button" title="alexcoxie_3-1750751174390.png" alt="alexcoxie_3-1750751174390.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>The problem is the the tunnel is not initialized, I can't see any package arriving from the R1 to R2 on UPD 500/4500.</P> <P>&nbsp;</P> <P>what could be? It is possible to do this configuration ? (R2 routes the tunnel between R1 and R3 only with a NAT?)</P> <P>&nbsp;</P> <P>Thank you.</P> Tue, 24 Jun 2025 07:46:39 GMT alexcoxie 2025-06-24T07:46:39Z Paloalto routing an IPSEC tunnel to another router https://live.paloaltonetworks.com/t5/general-topics/paloalto-routing-an-ipsec-tunnel-to-another-router/m-p/1232460#M124648 <P>Hello, I'm trying to create a tunnel between R1 (OpnSense) and R3 (Sophos), R2 is the Paloalto that NATs a dedicated wan IP to interface1/2 (private TRUST LAN) where is locally connected the Sophos.</P> <P>&nbsp;</P> <P>R1 (Opnsense) &lt;-----&gt;&nbsp; R2 (Paloalto NAT 1:1) &lt;-----&gt; R3 (Sophos)</P> <P>&nbsp;</P> <P>I have setup all the IPSEC IKE2 tunnels on R1 and R3,&nbsp; on R2 i did the NAT1:1 with Dinamic IP and Port on both inbound and outbound sides,&nbsp; so the clients on R3 have the Public IP that i set,&nbsp; the NAT is working fine with the TCP ports.</P> <P>&nbsp;</P> <P>NAT</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="alexcoxie_0-1750750937204.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/68154i33EBB3DA5A7687FF/image-size/medium?v=v2&amp;px=400" role="button" title="alexcoxie_0-1750750937204.png" alt="alexcoxie_0-1750750937204.png" /></span></P> <P>Security (86 apps seen)</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="alexcoxie_1-1750751072579.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/68155iD6DEF251F2431643/image-size/medium?v=v2&amp;px=400" role="button" title="alexcoxie_1-1750751072579.png" alt="alexcoxie_1-1750751072579.png" /></span></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="alexcoxie_2-1750751152487.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/68156i9231AE93363C1D95/image-size/medium?v=v2&amp;px=400" role="button" title="alexcoxie_2-1750751152487.png" alt="alexcoxie_2-1750751152487.png" /></span></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="alexcoxie_3-1750751174390.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/68157iB8835492DC8848F2/image-size/medium?v=v2&amp;px=400" role="button" title="alexcoxie_3-1750751174390.png" alt="alexcoxie_3-1750751174390.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>The problem is the the tunnel is not initialized, I can't see any package arriving from the R1 to R2 on UPD 500/4500.</P> <P>&nbsp;</P> <P>what could be? It is possible to do this configuration ? (R2 routes the tunnel between R1 and R3 only with a NAT?)</P> <P>&nbsp;</P> <P>Thank you.</P> Tue, 24 Jun 2025 07:46:39 GMT https://live.paloaltonetworks.com/t5/general-topics/paloalto-routing-an-ipsec-tunnel-to-another-router/m-p/1232460#M124648 alexcoxie 2025-06-24T07:46:39Z Re: Paloalto routing an IPSEC tunnel to another router https://live.paloaltonetworks.com/t5/general-topics/paloalto-routing-an-ipsec-tunnel-to-another-router/m-p/1232491#M124651 <P>Hello,</P> <P>Do you also have the appropriate security policies in place to allow the traffic? Check the Unified logs to see if the traffic is allowed or blocked.</P> <P>Regards,</P> Tue, 24 Jun 2025 16:23:30 GMT https://live.paloaltonetworks.com/t5/general-topics/paloalto-routing-an-ipsec-tunnel-to-another-router/m-p/1232491#M124651 OtakarKlier 2025-06-24T16:23:30Z