topic Re: PPPOE interface - dynamic IP - GP Portal in General Topics

PPPOE interface - dynamic IP - GP Portal

pan219 — Fri, 18 Jan 2019 01:03:48 GMT

When establishing a connection via PPPOE there is no possibility to select the IP ("None") assigned by ISP in the Global Protect portal configuration, only the interface, which is not sufficient for it to work. I would expect that the IP assigned by ISP is created as an dynamic address object.

To make GP work with portal & gateway, I had to create a loopback, then doing a NAT from the pppoe interface's (in my case eth1/1) ip:some other port not being 443 to the loopback:443. I had to create an additional address object where I manually had to put in the dynamic ip. I now have to amend this address object manually every time the interface ip changes. Am I missing something here or is it really this cumbersome using PPPOE?

It seems PAN is not that much interested in supporting PPPOE connections- besides this, there is also lack of vlan tagging support once the L3 interface has been set to PPPOE which many ISPs require and no option for a scheduled reconnection.

Re: PPPOE interface - dynamic IP - GP Portal

emr_1 — Fri, 18 Jan 2019 08:43:34 GMT

This should be work with 'None' in IP address field.

Here is my testbed (sorry, mine is dhcp client - not pppoe)

With above interface, if I configure GP as below...

The device recognizes IP address which retrieved from ISP.

admin@PA-220> debug ssl-vpn global-protect-portal

portal : gptest
portal address IPv4 : 58.156.1xx.xxx

admin@PA-220> debug ssl-vpn global-protect-gateway

gateway : gptest
gateway address (IPv4 Only) : 58.156.1xx.xxx

admin@PA-220>

Re: PPPOE interface - dynamic IP - GP Portal

pan219 — Fri, 18 Jan 2019 09:37:56 GMT

thanks!

can you select your ip where none is listed in GP portal configuration?

I have the assumption pppoe differs from dhcp

Re: PPPOE interface - dynamic IP - GP Portal

emr_1 — Mon, 21 Jan 2019 00:21:59 GMT

No, if IP address grabed dynamically, it is not shown on the list.

(as I mentioned above, it works with 'None')

By the way, if you configure static-ip under pppoe setting, it shows IP address.

Re: PPPOE interface - dynamic IP - GP Portal

supergonzo74 — Tue, 11 Jan 2022 20:52:02 GMT

Hi community,

after having spent two whole days on the topic of getting the GP-gateway up and running to connect via androids native ipsec client on a PPPoE interface with dynamically assigned IP...I gave up... and can confirm:

1.) 'cumbersome' is an euphemism

2.) the 'solution' presented herein does not work for scenarios with dynamically assigned IP via PPPoE

3.) selecting 'none' IP in GP-gatway config will not work in this scenario -> the paloalto PA220 (SW Ver. 10.1.4) will not respond to IKE traffic on the PPPoE interface (captured via a transparent linux bridge on respective WAN uplink)

4.) I also tried Pan219s trick with NATting the ipsec traffic to a loopback interface with a static IP on which the GP-portal would reside with the modification of using the FQDN destination object of my WANs DDNS address in my NAT-rules' 'original packet' section. Here I had the problem that the FQDN object was not reliably translated and suddenly reported that it had 'no value assigned'.

After all I share the impression that paloalto really does not pay too much attention to these SOHO scenarios, i.e. the lack of VLAN support, the DDNS implementation (had to use a linux box behind the palo to update my DDNS provider with firewalls external address) and now the non-functional GP-portal.

I don't want to put another router in front of the palo just to get the GP-portal up and running.

How are chances to get above functionalities implemented/fixed? Or anybody around with some virtuos workaround?

Any help would be highly appreciated.

Re: PPPOE interface - dynamic IP - GP Portal

pan219 — Tue, 18 Jan 2022 20:08:04 GMT

Hi Supergonzo,

after some fiddling and trial an error I found the solution. Initially I also tried the fqdn workaround you mentioned above, also no success. The breakthrough: Instead of using an address object limited to the assigned WAN IP I have created an address object with the ip range 0.0.0.0/0 which is used in any rules (NAT as well as Security Policy).

That's the only change I have made to the original setup. Lo and behold, this configuration works flawlessly since 2 years.

Re: PPPOE interface - dynamic IP - GP Portal

supergonzo74 — Sun, 23 Jan 2022 20:43:04 GMT

Hi Pan219,

tried the setup you mentioned above with the 0.0.0.0/0 object this evening but to no avail. When trying to commit my nat ruleset it throws following error as host portion of original address differs from translated when nat-ting from "0.0.0.0/0" to "loopback-ip/32":

Error: nat rule 'inbound_ipsec_to_untrust_interface': Mismatch of destination address translation range between original address and translated address

Can you plz post a screenshot of your nat rule?

Thx in advance!

Re: PPPOE interface - dynamic IP - GP Portal

pan219 — Tue, 25 Jan 2022 10:01:34 GMT

some more clarification:

- I have limited the source address: x.x.x.x/x

- the loopback ip is an address object in the format x.x.x.x without the /32

- gateway and portal sitting on the loopback interface

- in gateway configuration - agents - tunnel settings: tunnel mode and ipsec is enabled