topic Re: GlobalProtect, XAuth client, issues with routing multiple subnets in General Topics

GlobalProtect, XAuth client, issues with routing multiple subnets

fjwcash — Mon, 04 Dec 2017 20:33:09 GMT

I'm probably missing something simple, but I can't figure out what.

I have GlobalProtect Portal setup on the datacentre (DC) firewall. I have GlobalProtect Gateway setup on the office firewall, with XAuth enabled.

I can connect to the Gateway using the vpnc client on a Linux station and everything works. I get an IP, I can access things on the office LAN, I can access the Internet through the VPN, etc.

What I'd like to be able to is configure a VoIP phone on a separate subnet to connect to that Linux station, and have traffic forwarded through the VPN to the office firewall, and then route out from there to the DC firewall to the VoIP server. Traffic goes from the phone to the Linux station, through the VPN link to the office firewall, through to the DC firewall, to the VoIP server (can view the traffic via tcpdump), is sent back from the VoIP server, through the DC firewall, and is dropped by the office firewall.

Doing a packet capture on the office firewall, I see the traffic from the phone to the VoIP server in the receive log, the firewall log, and the transmit. But I see traffic coming back from the VoIP server to the phone only in the receive log and the drop log. The Session Browser shows an active session, so I'm not sure why the return traffic is being dropped.

Before I go too far down the rabbit hole figuring this out, is this setup supposed to work? Routing multiple subnets through a GlobalProtect VPN link. Are there any docs for this setup that I've missed in my searches?

Re: GlobalProtect, XAuth client, issues with routing multiple subnets

rmfalconer — Mon, 04 Dec 2017 22:20:27 GMT

How have you done the routing in your corporate network for the remote IP phone subnet? Is the Linux box doing some kind of NAT before encapsulation?

Re: GlobalProtect, XAuth client, issues with routing multiple subnets

fjwcash — Mon, 04 Dec 2017 22:52:39 GMT

The Linux box is configured with eth0 being assigned an IP via DHCP from the local network.

eth0:0 is 10.2.6.2/23 (the VoIP phone subnet).

tun0 gets a 10.4.0.0/24 IP via the VPN configuration, and sets the default route to point to tun0.

IP forwarding is configured for all interfaces. iptables is set to allow everything (empty chains, no rules, no NAT or anything). This is a strictly routing setup.

The VoIP phone is configured with a static IP of 10.2.6.2/23 and a default gateway of .2 (the Linux box).

The GP Gateway is configured to use tunnel.1 for the VPN endpoint (tried with no IP assigned, with 10.4.0.1 assigned, and with both 10.4.0.1 and 10.2.6.1 assigned), as part of a separate GP zone, which is part of the DC virtual router.

The DC virtual router has a static route for 10.4.0.0/24 pointing to the tunnel.1 interface with no next hop. Along with another static route for 10.2.6.0/23 pointing to tunnel.1 with no next hop. These are redistributed via OSPF to the other firewall (and the Check Stats link shows the two subnets listed with the correct router as the next hop).

And there are Security Policies in place to allow traffic from the GP zone to the DC zone.

I think that covers everything. If not, let me know what other info you need. 🙂

Re: GlobalProtect, XAuth client, issues with routing multiple subnets

rmfalconer — Tue, 05 Dec 2017 16:51:44 GMT

Based on your explanation, if this is a supported configuration, it should work. Routing and rules seem to be in place to make it function.

It's possible that a remote access tunnel just doesn't support routing subnets that aren't assigned in the IP Pool. TAC might be able to answer that.

What version of PAN OS are you using?

Can you have an L2L tunnel with that Linux box?

Re: GlobalProtect, XAuth client, issues with routing multiple subnets

fjwcash — Tue, 05 Dec 2017 17:20:48 GMT

@rmfalconer wrote:
Based on your explanation, if this is a supported configuration, it should work. Routing and rules seem to be in place to make it function.
It's possible that a remote access tunnel just doesn't support routing subnets that aren't assigned in the IP Pool. TAC might be able to answer that.
What version of PAN OS are you using?
Can you have an L2L tunnel with that Linux box?

Yeah, that's why I was asking the question was to see if this is even a supported setup (multiple subnets behind a GP VPN link). Thought I would check here before putting a ticket in with support. 🙂

We're still running PanOS 6.1.17 on the remote schools firewalls as that's what's recommended to us from the Ministry of Education, but the DC firewall is running PanOS 7.1.10 as we needed some extra features.

What's an L2L tunnel? I haven't heard of that terminology before.

Re: GlobalProtect, XAuth client, issues with routing multiple subnets

rmfalconer — Tue, 05 Dec 2017 17:28:02 GMT

L2L is Lan to Lan, an ipsec tunnel between sites. That would definitely support multiple subnets on the Linux side. You would also have to use additional software on the Linux box to support the tunnel. Or use another device at the Linux site that can peer with the PA.

If the Linux setup is a one-off, then this might be something you could try. But if it's something you need to roll-out to a lot of sites, it probably won't scale well.

Re: GlobalProtect, XAuth client, issues with routing multiple subnets

fjwcash — Tue, 05 Dec 2017 17:39:46 GMT

Ah, yes, I've done that with OpenVPN between sites in the past. Was hoping to avoid doing that for this setup, as it's more of a roadwarrior setup for staff occasionally working from home or while out-of-town (just drop the GP client on their laptop, give them a VoIP phone, and away they go). The initial test setup is with a Linux station using vpnc as the guinea pig tech is a Linux user. 🙂 There's aways the option of using a softphone VoIP client as well, running on the laptop.

I'll run this by support to see if this is even doable with GlobalProtect VPNs, or if it's something that requires a proper IPSec tunnel to the firewall. If the latter, this could be the final push needed to get secure SIP enabled instead of routing VoIP over VPNs. 😄

Re: GlobalProtect, XAuth client, issues with routing multiple subnets

fjwcash — Tue, 05 Dec 2017 18:35:52 GMT

Okay, official word from Support is that this is not a supported configuration. The GP VPN setup is host-based, not network-based, so only traffic from the IP of the GP client is allowed through the firewall bi-directionally. Any other traffic is allowed through from the GP client, but return traffic is dropped.

To route multiple subnets would require a proper IPSec VPN link to the firewall.

I kind of thought that would be the case, but now it's definite. 🙂

Re: GlobalProtect, XAuth client, issues with routing multiple subnets

rmfalconer — Tue, 05 Dec 2017 18:41:02 GMT

Good to know. Thanks for posting the follow-up.