topic Re: IPSec / returning ESP packets dropped when terminating interface is in a different zone in General Topics

IPSec / returning ESP packets dropped when terminating interface is in a different zone

jason.chia — Fri, 12 Jul 2019 10:20:13 GMT

Hi all,

I have an IPSec tunnel connecting to an old SSG. Tunnel came up successfully and SSG can see the traffic and is returning correctly into the tunnel. However PAN's decrypt counter remains 0. When i did a packet capture, the returning ESP packet is dropped shown below Frame 43 and 47:

The setup i have is:

eth1/1 - ISP WAN in zone "outside"
loopback.1 - Public IP advertised by ISP in zone "dmz"
IPSec create similar to https://blog.webernetz.net/ipsec-site-to-site-vpn-palo-alto-juniper-screenos/
tunnel.1 - in zone "trust"
both ends of tunnel is in "trust"
IPSec statuses all showing green
has policy from "outside" to "dmz" allowing any any from the two terminating IPs

When i change loopback.1 to zone "outside", everything works. Any suggestion or help is very much appreciated. Thanks in advance.

Model	PA-820
Software Version	9.0.2-h4

Thank you,
Jason

Re: IPSec / returning ESP packets dropped when terminating interface is in a different zone

reaper — Thu, 18 Jul 2019 09:51:04 GMT

I'd recommend leaving the loopback on the untrust as that's the actual place where you want to terminate tunnels

Is there a specifc use case for having it in DMZ on a loopback (just curious)

have you captured any global counters? these could tell you what exactly is causing the drop

> debug dataplane packet-diag set filter match source <src> destination <dst>
> debug dataplane packet-diag set filter match source <dst> destination <src>
> debug dataplane packet-diag set filter on
> show counter global filter delta yes packet-filter yes (establishes the delta start)
> show counter global filter delta yes packet-filter yes

Re: IPSec / returning ESP packets dropped when terminating interface is in a different zone

jason.chia — Fri, 19 Jul 2019 01:36:00 GMT

Thanks @reaper

the only reason is that address (subnet) is supposed to be a DMZ range.

I just found this https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsiCAC

Cause
The issue is the tunnel terminates on an interface in a zone different from where the ESP (Encapsulation Security Payloads) packets originate.

i'm curious as to why it is design this way.

and correct me if i'm wrong all IPSec tunnels have to terminate on the same zone as the one on the Internet?

i'll get those global counters just to confirm the exact drops and update later.

Re: IPSec / returning ESP packets dropped when terminating interface is in a different zone

reaper — Fri, 19 Jul 2019 11:53:41 GMT

if you can set the loopback in an IP range that is not configured on the external interface, this issue will likely not happen

I suspect there is a conflict when the packet is received, the destination zone will be determined by using the routing table, the external interface is the actual owner of the ip subnet

if you split up the external subnet and set one segment on the DMZ interface and then set up the loopback in that subnet with the dmz zone, there should not be an issue