https://live.paloaltonetworks.com/t5/general-topics/ipsec-esp-trough-pa-7k-only-unidirectional-best-practice-work/m-p/64317#M38586 Hi Gerardo, thanks for your answer. Usual we do no NAT at all in the concerning environment. The IKE-part is not the problem. The PA-7k does IKE stateful but is not able to handle the ESP stateful. Most solutions I am aware of need either change the client to avoid using ESP and packing ESP in TCP or UDP. Allowing each ESP packet from outside is not a good option. Using a second Firewall like Juniper Netscreen or Juniper SRX to fix the PA-7k firewall is also a possible solution, but who can afford a second firewall to fix a PANW bug? Regards Winfried Wed, 09 Sep 2015 08:05:59 GMT Unibw 2015-09-09T08:05:59Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-esp-trough-pa-7k-only-unidirectional-best-practice-work/m-p/63918#M38396 <P>Hi,</P><P>&nbsp;</P><P>due to a bug (ID:80950), that PANW is not able to fix, it is necessary to create seperate IPSec-ESP policies for both directions trough the PA-7050.</P><P>&nbsp;</P><P>IPSec-ESP that comes in response to a opened session is being dropped if there is no separate policy for incomming ESP traffic.</P><P>&nbsp;</P><P>Example:</P><P>-Client are allowed to open IPSec-Connections from "trust" to "untrust".</P><P>-You have to allow ESP also from "untrust" to "trust" for any adress a IPSec client might use</P><P>&nbsp;</P><P>To avoid flooding, etc. from outside I am searching for solutions to avoid this.</P><P>&nbsp;</P><P>Has any PA-7k admin found a valid approach?</P><P>&nbsp;</P><P>Regards</P><P>Winfried</P> Tue, 01 Sep 2015 07:47:38 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-esp-trough-pa-7k-only-unidirectional-best-practice-work/m-p/63918#M38396 Unibw 2015-09-01T07:47:38Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-esp-trough-pa-7k-only-unidirectional-best-practice-work/m-p/63957#M38420 <P>Are you using hide-NAT to provide internet access?</P><P>&nbsp;</P><P>Maybe using a Hide-NATfor the internal users you're allowing traffic to the untrust could workaround the issue, using NAT-transversal should encapsulate the traffic in UDP&nbsp;instead of ESP and almost every vendor support it.</P><P>&nbsp;</P><P>You can find the NAT-transversal negotiation in the RFC</P><P><A href="https://tools.ietf.org/html/rfc3947#page-3" target="_blank">https://tools.ietf.org/html/rfc3947#page-3</A></P><P>&nbsp;</P><P>so if you simply hide NAT the outgoing traffic from trust to untrust going to UDP port 500 should do the trick.</P><P>If you can control the client configuration use IKEv2 when possible, it's more resilent to DOS attacks.&nbsp;</P><P>Be careful because allowing outgoing ESP traffic gives the end user tha ability to bypass your company policy rules.&nbsp;</P><P>&nbsp;</P><P>Regards,</P><P>Gerardo.</P><P>&nbsp;</P> Tue, 01 Sep 2015 17:27:51 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-esp-trough-pa-7k-only-unidirectional-best-practice-work/m-p/63957#M38420 glastra1 2015-09-01T17:27:51Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-esp-trough-pa-7k-only-unidirectional-best-practice-work/m-p/64317#M38586 Hi Gerardo, thanks for your answer. Usual we do no NAT at all in the concerning environment. The IKE-part is not the problem. The PA-7k does IKE stateful but is not able to handle the ESP stateful. Most solutions I am aware of need either change the client to avoid using ESP and packing ESP in TCP or UDP. Allowing each ESP packet from outside is not a good option. Using a second Firewall like Juniper Netscreen or Juniper SRX to fix the PA-7k firewall is also a possible solution, but who can afford a second firewall to fix a PANW bug? Regards Winfried Wed, 09 Sep 2015 08:05:59 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-esp-trough-pa-7k-only-unidirectional-best-practice-work/m-p/64317#M38586 Unibw 2015-09-09T08:05:59Z