ssl-vpn and IPsec tunnel Palo Alto with Check Point

Pablo.Atiaga — Fri, 13 Jul 2012 01:52:10 GMT

Hello all,

I'm hoping that somebody may be able to answer a few questions I have about the configuration of Palo Alto firewalls please?

I want to set up two differents VPN, one ssl-vpn and one IPsec, i do this because i want to conect to my firewall from wherever place (ssl-vpn) and the second one to conect to another firewall from other networks (IPsec). I configure the ssl-vpn succesfully and i have access to my firewall.

Later I have set up a IPsec tunnel with a Check Point firewall and a Palo Alto firewall each with an inside and outside interface.

In order to get this working I have:

     1) Confired IKE and IPSec Cryptos in PA to match CP
     2) Created tunnel interface and selected virtual router and the vpn zone (the one that i conect when i use Global Protect)
     3) Created IKE gateway specifying local interface, local IP, remote IP, pre-shared key and selected IKE crypto profile
     4) Created IPSec tunnel specifying tunnel interface, IKE gateway (pulling in some values) and selecting IPSec crypto profile
     4a) Added a proxy ID with the local internal network and the remote internal network
     5) Add a static route to virtual router with destination of the remote internal network and tunnel created above as interface

I think that the IPsec was created correctly because the leds turn "green" on and i saw the system logs and i realice that the authentication in phase 1 and 2 was succesfull. But i'm having problem to get to the other side. I tried to do traceroute but i don't see that the package it's trying to get the other side using the tunnel.

In the other side they have an IPS before the firewall, i was wondering if that's can generate me a problem.

I think that the problem could be related with some static route that its missing or with using the ssl-vpn zone.

Please i'll be really greatefull with any help that you could give me.

Thanks.

Re: ssl-vpn and IPsec tunnel Palo Alto with Check Point

zarina — Fri, 20 Jul 2012 02:09:00 GMT

Pablo,

To check the tunnel status, run the command from cli: show vpn flow

Also, do you have a security rule that allows traffic from your internal zone (the one where your test machine is) to vpn zone in which the tunnel is located? Make sure you also have a route configured on CP for the networks behind PAN.

Thanks,

Sri Darapuneni

Re: ssl-vpn and IPsec tunnel Palo Alto with Check Point

Pablo.Atiaga — Fri, 20 Jul 2012 02:20:31 GMT

Hi.

Thanks for the answer.

Yes i have created a security rule that allows the traffic.

When i don't use the "vpn" zone, the IPsec works fine, but i need to use the same zone for the ssl-vpn and the IPsec, that's because i want to use the tunnel when i connect remotely.

Thanks.

topic Re: ssl-vpn and IPsec tunnel Palo Alto with Check Point in General Topics

ssl-vpn and IPsec tunnel Palo Alto with Check Point

Re: ssl-vpn and IPsec tunnel Palo Alto with Check Point

Re: ssl-vpn and IPsec tunnel Palo Alto with Check Point