Routing Branch Site Internet Traffic Through Headquarters Firewall over VPN Tunnel


55112
Created On 09/25/18 17:46 PM - Last Modified 06/08/23 07:22 AM


Resolution


Overview

A branch firewall behind a DSL modem is configured to establish a VPN tunnel with the headquarters (HQ) firewall, enabling users at the branch to access the HQ network. On the branch side, the modem connects to the untrust interface of the firewall and provides an IP address through DHCP to the interface. The modem injects a default route on the Palo Alto Networks firewall, pointing towards the modem's private IP address. The company now wants to enforce a rule that all internet traffic from branch users be routed through the VPN tunnel and through the HQ firewall, instead of directly out through the untrust interface and the modem.

[Diagram: branch firewall behind the DSL modem, VPN tunnel to the HQ firewall (image not available)]

Issue

A static route for 0.0.0.0/0 with the tunnel.1 interface as its egress was added to route branch traffic through the VPN tunnel. This caused a total network outage for the branch users.


Cause

Refer to the diagram. Before the default route was changed to point at the tunnel interface, all IKE negotiation and ESP packets to the VPN peer, 1.2.3.4, egressed via the eth1/2 interface on the branch firewall, using the default route provided by the DSL modem (0.0.0.0/0 next hop 192.168.1.254). By changing the default route to the tunnel.1 interface, the ESP packets to 1.2.3.4, which should have egressed via the physical eth1/2 interface, must now use the tunnel.1 interface. In effect, the IKE negotiation required to establish the tunnel is being routed through the tunnel it is attempting to create. Therefore the tunnel cannot be established and the network outage occurs.


Resolution

Configure a static route for the VPN peer 1.2.3.4 on the eth1/2 interface with next hop 192.168.1.254, giving it a lower (preferred) metric.

Configure similar static routes, with a lower metric and on the eth1/2 interface, for the Palo Alto Networks updates server, the DNS server (if service routes are used for public DNS servers), and any other server that the firewall itself contacts via service routes.

You can then add 0.0.0.0/0 pointing out the tunnel.1 interface. This routes all branch internet traffic via the tunnel interface, while the IKE negotiation and ESP traffic, matched by the more specific routes above, continue to use the eth1/2 interface.
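The following is an added example, not code from the article or from Palo Alto Networks: it models the branch firewall's route table as a longest-prefix-match lookup and reproduces the three states described in the Cause and Resolution sections (modem-provided default only, default via tunnel.1, and default via tunnel.1 plus host routes). It also includes the pre-change check a practitioner would want: confirm that none of the firewall's own destinations (VPN peer, update server, DNS) would resolve into the tunnel. The VPN peer 1.2.3.4, modem gateway 192.168.1.254 and the eth1/2 and tunnel.1 interfaces come from the article; the update server address 203.0.113.10 and user destination 198.51.100.7 are constructed placeholders, 8.8.8.8 stands in for a public DNS server, and the metric values are assumptions.

```python
"""Route-table model for the branch firewall scenario (added example, not PAN-OS code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Route:
    destination: str                # prefix in CIDR notation
    interface: str                  # egress interface
    nexthop: Optional[str] = None   # next-hop IP; None for a tunnel interface
    metric: int = 10

VPN_PEER = "1.2.3.4"             # from the article
MODEM_GW = "192.168.1.254"       # from the article
UNTRUST_IF = "ethernet1/2"       # eth1/2 in the article
TUNNEL_IF = "tunnel.1"           # from the article
UPDATE_SERVER = "203.0.113.10"   # constructed placeholder for the PAN updates server
PUBLIC_DNS = "8.8.8.8"           # example public resolver reached via a service route
INTERNET_HOST = "198.51.100.7"   # constructed example of a branch user's destination

# 1. Original state: only the DHCP-injected default route from the modem.
ORIGINAL_ROUTES = [Route("0.0.0.0/0", UNTRUST_IF, MODEM_GW, metric=10)]

# 2. The change that caused the outage: a preferred default route into tunnel.1.
BROKEN_ROUTES = ORIGINAL_ROUTES + [Route("0.0.0.0/0", TUNNEL_IF, None, metric=5)]

# 3. The fix: host routes for the VPN peer and every service-route destination,
#    pinned to ethernet1/2 via the modem. A /32 wins on prefix length alone,
#    and, as the article recommends, it also carries the lower (preferred) metric.
FIXED_ROUTES = BROKEN_ROUTES + [
    Route(f"{VPN_PEER}/32", UNTRUST_IF, MODEM_GW, metric=5),
    Route(f"{UPDATE_SERVER}/32", UNTRUST_IF, MODEM_GW, metric=5),
    Route(f"{PUBLIC_DNS}/32", UNTRUST_IF, MODEM_GW, metric=5),
]

def lookup(routes: List[Route], dst_ip: str) -> Optional[Route]:
    """Longest-prefix match; among equal prefix lengths the lowest metric wins."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for r in routes:
        net = ipaddress.ip_network(r.destination, strict=False)
        if ip in net:
            key = (net.prefixlen, -r.metric)
            if best is None or key > best[0]:
                best = (key, r)
    return best[1] if best else None

def tunnel_is_self_dependent(routes: List[Route], tunnel_if: str, peer_ip: str) -> bool:
    """True when IKE/ESP to the peer would egress the tunnel it is meant to build."""
    r = lookup(routes, peer_ip)
    return r is not None and r.interface == tunnel_if

def firewall_destinations_via_tunnel(routes: List[Route], tunnel_if: str,
                                     destinations: List[str]) -> List[str]:
    """Pre-change check: list the firewall's own destinations (VPN peer, update
    server, DNS, ...) that would be sent into the tunnel. Should be empty."""
    offending = []
    for d in destinations:
        r = lookup(routes, d)
        if r is not None and r.interface == tunnel_if:
            offending.append(d)
    return offending

if __name__ == "__main__":
    own = [VPN_PEER, UPDATE_SERVER, PUBLIC_DNS]
    for label, table in (("original", ORIGINAL_ROUTES),
                         ("broken", BROKEN_ROUTES),
                         ("fixed", FIXED_ROUTES)):
        print(f"{label:8s} peer -> {lookup(table, VPN_PEER).interface:12s}"
              f" user -> {lookup(table, INTERNET_HOST).interface:12s}"
              f" self-dependent: {tunnel_is_self_dependent(table, TUNNEL_IF, VPN_PEER)}"
              f" via tunnel: {firewall_destinations_via_tunnel(table, TUNNEL_IF, own)}")
```

Running the script shows the broken table sending 1.2.3.4 into tunnel.1 (the self-dependency that prevents IKE from ever completing) and the fixed table sending the peer, update server and DNS out ethernet1/2 while the user's internet destination still goes through the tunnel. The same check can be applied to any planned route change: if `firewall_destinations_via_tunnel` returns anything, the host routes from the Resolution are missing.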


Additionally, the following security policies are required:

  1. From trust zone to VPN zone on the Branch firewall.
    This policy would have already been configured for branch users to access the HQ network. The reverse policy would have been configured for HQ users to access the branch network.
  2. From VPN zone to untrust zone on the HQ firewall.
  3. Optionally, configure the reverse policy for specific scenarios that allow communication to initiate from the untrust zone. Policies can be configured to restrict traffic to specific destination IP addresses.


owner: kprakash



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJGCA0&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail