topic Having trouble configuring IPSec tunnel (PA-500) in General Topics

Having trouble configuring IPSec tunnel (PA-500)

safecloud — Wed, 15 Feb 2012 21:43:10 GMT

We have a VPS system to which we need to grant access to our private office network. The VPS is in a cloud service so there is no networking gear that we can use for the vpn end point. Our office network is behind a PA-500 firewall.

The VPS is a CentOS linux system that I've configured to use racoon. I've tested this in my staging network with a pfsense firewall and was able to get it up and functional within about 30 minutes of work. Traffic flowed across the vpn in both directions perfectly.

On our office network with the PA-500, I am able to establish the tunnel, so both phases of IKE are successful, but no traffic is passed. When I check the routing with the fib-lookup subcommand, it's going out to this vps host over the untrusted interface rather than the tunnel.1 interface but if I add a static route, then both IKE phases fail because it's trying to send the ike packets through the tunnel as well, which hasn't yet been established.

I've been through the "How to set up IPSec VPNs" pdf but since this configuration involves a single host with only a public interface as one endpoint, there is less of a match to the examples.

Has anyone set up a configuration like this that can point me to my next step? It seems to me that I should need to add in a policy of some time, but I've tried several and haven't made any progress beyond IKE phase 2.

Re: Having trouble configuring IPSec tunnel (PA-500)

licenselu — Thu, 16 Feb 2012 10:01:05 GMT

Hello,

It seems that you have routing issue.

Check the following :

1) Default route pointing to your WAN router.

2) Route to 'remote network (LAN Side)' pointing to the tunnel interface.

You can also add a route to your tunnel endpoint IP address (with the next hop pointing to your WAN router).

Regards,

Hedi

Re: Having trouble configuring IPSec tunnel (PA-500)

safecloud — Thu, 01 Mar 2012 01:56:13 GMT

Hedi, thanks for your reply, but I'm not completely certain that I understand your suggestions.

1) We do have a default route in the PAN device to the WAN router. Of course, if we did not we wouldn't have internet access, so perhaps you are referring to something else?

2) I have tried setting up a static route to the remote network via the tunnel interface, but there isn't actually a remote network at all. It's a single host and a single IP at that endpoint of the tunnel. Whenever I try setting a static route through tunnel.1 for the remote endpoint, it prevents the IKE from succeeding, since the IKE packets are also routed through the tunnel.1 which isn't up yet. Am I misunderstanding what you are suggesting?

3) I have tried adding a next hop to that static route of our wan router and it doesn't seem to make any difference. It still prevents IKE from finishing. I've also tried next hop of the PAN device's trust interface with the same result.

Perhaps I'm just misunderstanding something.

Thanks.

Re: Having trouble configuring IPSec tunnel (PA-500)

licenselu — Fri, 02 Mar 2012 07:50:55 GMT

Hi,

Let's clarify a little bit.

1) You have a default route pointing to the WAN router : OK

2) You say " but there isn't actually a remote network at all. It's a single host and a single IP at that endpoint of the tunnel.".

In my point of view, this kind of configuration never work because you try to encrypt IP traffic to the same IP address of the tunnel endpoint.

How do you deal with routing ?

Sorry I have no idea

regards,

Hedi