topic Re: What ports are needed for site to site IPsec tunnels to work? in General Topics

What ports are needed for site to site IPsec tunnels to work?

MarioMarquez — Thu, 14 Mar 2019 18:21:24 GMT

We have 2 palo alot firewalls & we are trying to establish a ipsec tunnel between both. We proved that all vpn configurations are correct and were able to establish the tunnel & pass traffic but only if we add a firewall rule saying allow any/any/any/any at the very top of the rule base, which goes against our security requirements. Once we deleted the firewall rule the tunnels stopped working. Simply put, we need to open firewall rules for site to site tunnels to work in our environment. Does anyone know the Palo Alto TCP/UDP ports to open in order for phase 1 & 2 to go green?

Re: What ports are needed for site to site IPsec tunnels to work?

Raido_Rattameister — Thu, 14 Mar 2019 18:48:01 GMT

IPSec - UDP 500

IPSec over NAT - UDP 4500

GlobalProtect - TCP 443 and UDP 4501

Re: What ports are needed for site to site IPsec tunnels to work?

MarioMarquez — Thu, 14 Mar 2019 18:51:54 GMT

Thanks! Which zones do these ports need to be opened on?

Re: What ports are needed for site to site IPsec tunnels to work?

OtakarKlier — Thu, 14 Mar 2019 21:01:17 GMT

Hello,

The one from the internet, ie untrust.

Regards,

Re: What ports are needed for site to site IPsec tunnels to work?

Raido_Rattameister — Fri, 15 Mar 2019 03:40:10 GMT

Usually vpn is terminated on UNTRUST interface.

Unless you have added "block any" rule to the end this traffic is permitted already by "interzone-default" policy.

If you terminate vpn on on some other interface (TRUST, LOOPBACK etc) and have NAT in place then you need to adjust your security policy accordingly.

Re: What ports are needed for site to site IPsec tunnels to work?

MarioMarquez — Fri, 15 Mar 2019 08:15:39 GMT

Can you help me understand what your saying about the default security policy? It doesn't make sense to me. How can something be permitted already because of the inter-zone default policy when the default policy is to deny all inter-zone traffic? It seems like nothing is allowed out if the box accept intra-zone traffic and the rule-1 allow any to untrust.

Re: What ports are needed for site to site IPsec tunnels to work?

Raido_Rattameister — Fri, 15 Mar 2019 13:31:58 GMT

Hi I think I had typo in my answer about interzone. If traffic stays in same zone it is intrazone.

Basically rules are evaluated top to down.

First one that matches will take effect. Either allows or blocks and based on security profile will check for viruses or not (only allow rules).

If no rule matches then one of last 2 will match.

intrazone-default will match if traffic source and destination is in same zone. For example if traffic from vpn peer will come from internet and you have configured IPSec gateway on WAN interface then this rule will match.

If traffic (based on NAT and virtual router) is destined to some other zone then "interzone-default" will match.

Those default rules will not log by default so you don't see any traffic that matches those rules.

To gain this visibility you have to click on the rule and choose "override".

Click on the rule name.

On "Actions" tab check "Log at session end".

Re: What ports are needed for site to site IPsec tunnels to work?

BorisJones — Sun, 24 Mar 2019 08:05:47 GMT

Hi! I suggest install and setting VeePN and servers.
This vpn differs from other vpn providers:
1) Besides vpn you are provided with fully working vps
a) Personalized configurations for your vpn
b) Regulated logs
c) Generating your own services, such as http
d) There is no 3rd silent persons, after setting up you are going to be the only owner

Re: What ports are needed for site to site IPsec tunnels to work?

Retired Member — Fri, 08 May 2020 00:55:22 GMT

Hi,

I am currently encountering an issue, UDP 500 and 4500 are not enough to get site to site vpn tunnel up and running. Is that esp also required to be allowed?

THanks

Best Regards,

Elroy

Re: What ports are needed for site to site IPsec tunnels to work?

OtakarKlier — Fri, 08 May 2020 13:47:39 GMT

Hello,

I went beyond ports and use the L7 Applications. Including the screen shot below. I also allow ping as some devices send ping to monitor tunnel status.

Hope that helps.

Re: What ports are needed for site to site IPsec tunnels to work?

Retired Member — Mon, 11 May 2020 00:35:43 GMT

Hi,

Thanks for your reply. Does that mean UDP 500 and 4500 are not enough and esp is also required? THanks

Best Regards,

Elroy

Re: What ports are needed for site to site IPsec tunnels to work?

KunalChopra — Mon, 11 May 2020 05:10:12 GMT

ideally if you have allowed ports , then it should work . for better security/clarity , instead of using service ports , you can use ipsec related applications as mentioned in earlier post .

Now , if it is still not working , then i would suggest you to check logs and see what exactly is getting denied and then allow it by ports OR application.

NOTE :- allow logging in default policies to see deny logs if it is hitting those policies

Hope it gives you a direction

Re: What ports are needed for site to site IPsec tunnels to work?

Retired Member — Mon, 11 May 2020 05:14:30 GMT

Thank you so much for your response. In my scenario, I am considering if it is blocking by the intermediate network devices which is mainly port-based. So I have limited visibility on those devices. But thanks again and it gives some insights as well.

Best Regards,

Elroy

Re: What ports are needed for site to site IPsec tunnels to work?

KunalChopra — Mon, 11 May 2020 05:18:12 GMT

you should not see any logs in your firewall if some intermediate device is blocking it and that way it can be confirmed.

Or if you want to dig in further , just apply packet capture with both ends public ip in filter.

Cheers

Re: What ports are needed for site to site IPsec tunnels to work?

Retired Member — Mon, 11 May 2020 05:58:48 GMT

I have performed a packet capture and see that traffic is encap and no decap is sending back and most likely is using esp. My question is that ipsec should be using udp 500 and 4500 from documents. if I should enable esp as well

Thanks

Best Regards,

Elroy