GlobalProtect, XAuth client, issues with routing multiple subnets


L4 Transporter

I'm probably missing something simple, but I can't figure out what.

 

I have GlobalProtect Portal set up on the datacentre (DC) firewall.  I have GlobalProtect Gateway set up on the office firewall, with XAuth enabled.

 

I can connect to the Gateway using the vpnc client on a Linux station and everything works.  I get an IP, I can access things on the office LAN, I can access the Internet through the VPN, etc.

 

What I'd like to be able to do is configure a VoIP phone on a separate subnet to connect to that Linux station, and have traffic forwarded through the VPN to the office firewall, and then route out from there to the DC firewall to the VoIP server.  Traffic goes from the phone to the Linux station, through the VPN link to the office firewall, through to the DC firewall, to the VoIP server (can view the traffic via tcpdump), is sent back from the VoIP server, through the DC firewall, and is dropped by the office firewall.

 

Doing a packet capture on the office firewall, I see the traffic from the phone to the VoIP server in the receive log, the firewall log, and the transmit.  But I see traffic coming back from the VoIP server to the phone only in the receive log and the drop log.  The Session Browser shows an active session, so I'm not sure why the return traffic is being dropped.

 

Before I go too far down the rabbit hole figuring this out, is this setup supposed to work?  Routing multiple subnets through a GlobalProtect VPN link.  Are there any docs for this setup that I've missed in my searches?


L5 Sessionator

How have you done the routing in your corporate network for the remote IP phone subnet? Is the Linux box doing some kind of NAT before encapsulation?

The Linux box is configured with eth0 being assigned an IP via DHCP from the local network.

 

eth0:0 is 10.2.6.2/23 (the VoIP phone subnet).

 

tun0 gets a 10.4.0.0/24 IP via the VPN configuration, and sets the default route to point to tun0.

 

IP forwarding is configured for all interfaces.  iptables is set to allow everything (empty chains, no rules, no NAT or anything).  This is a strictly routing setup.

 

The VoIP phone is configured with a static IP of 10.2.6.2/23 and a default gateway of .2 (the Linux box).

 

 

The GP Gateway is configured to use tunnel.1 for the VPN endpoint (tried with no IP assigned, with 10.4.0.1 assigned, and with both 10.4.0.1 and 10.2.6.1 assigned), as part of a separate GP zone, which is part of the DC virtual router.

 

The DC virtual router has a static route for 10.4.0.0/24 pointing to the tunnel.1 interface with no next hop.  Along with another static route for 10.2.6.0/23 pointing to tunnel.1 with no next hop.  These are redistributed via OSPF to the other firewall (and the Check Stats link shows the two subnets listed with the correct router as the next hop).

 

And there are Security Policies in place to allow traffic from the GP zone to the DC zone.

 

I think that covers everything.  If not, let me know what other info you need.  🙂

Based on your explanation, if this is a supported configuration, it should work. Routing and rules seem to be in place to make it function.

It's possible that a remote access tunnel just doesn't support routing subnets that aren't assigned in the IP Pool. TAC might be able to answer that.

What version of PAN OS are you using?

Can you have an L2L tunnel with that Linux box? 


@rmfalconer wrote:

Based on your explanation, if this is a supported configuration, it should work. Routing and rules seem to be in place to make it function.

It's possible that a remote access tunnel just doesn't support routing subnets that aren't assigned in the IP Pool. TAC might be able to answer that.

What version of PAN OS are you using?

Can you have an L2L tunnel with that Linux box? 


 

Yeah, that's why I was asking the question: to see if this is even a supported setup (multiple subnets behind a GP VPN link).  Thought I would check here before putting a ticket in with support.  🙂

 

We're still running PanOS 6.1.17 on the remote schools' firewalls as that's what's recommended to us from the Ministry of Education, but the DC firewall is running PanOS 7.1.10 as we needed some extra features.

 

What's an L2L tunnel?  I haven't heard of that terminology before.

L2L is LAN to LAN, an IPsec tunnel between sites. That would definitely support multiple subnets on the Linux side. You would also have to use additional software on the Linux box to support the tunnel. Or use another device at the Linux site that can peer with the PA.

If the Linux setup is a one-off, then this might be something you could try. But if it's something you need to roll out to a lot of sites, it probably won't scale well.

Ah, yes, I've done that with OpenVPN between sites in the past.  Was hoping to avoid doing that for this setup, as it's more of a roadwarrior setup for staff occasionally working from home or while out-of-town (just drop the GP client on their laptop, give them a VoIP phone, and away they go).  The initial test setup is with a Linux station using vpnc as the guinea pig tech is a Linux user.  🙂  There's always the option of using a softphone VoIP client as well, running on the laptop.

 

I'll run this by support to see if this is even doable with GlobalProtect VPNs, or if it's something that requires a proper IPSec tunnel to the firewall.  If the latter, this could be the final push needed to get secure SIP enabled instead of routing VoIP over VPNs.  😄

Okay, official word from Support is that this is not a supported configuration.  The GP VPN setup is host-based, not network-based, so only traffic from the IP of the GP client is allowed through the firewall bi-directionally.  Any other traffic is allowed through from the GP client, but return traffic is dropped.

 

To route multiple subnets would require a proper IPSec VPN link to the firewall.

 

I kind of thought that would be the case, but now it's definite.  🙂

Good to know. Thanks for posting the follow-up.
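Support's answer in this thread says only traffic sourced from the GP client's own IP gets return traffic through the gateway. As an added example (not from the thread or from Palo Alto), the shell function below reads `tcpdump -n` output taken on the Linux station's tunnel interface and lists forwarded flows in which neither endpoint is the client IP, which are the flows whose replies the gateway will drop. The client address 10.4.0.5, the phone address 10.2.6.3, the server address 192.0.2.10 and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread.
# Live use (assumption: tun0 is the vpnc tunnel interface):
#   tcpdump -n -l -i tun0 ip | foreign_flows <tunnel-ip>

# foreign_flows CLIENT_IP
# Reads "tcpdump -n" lines on stdin and prints "<packets> <src> -> <dst>"
# for every flow where neither address is the tunnel's assigned IP.
foreign_flows() {
    client_ip=$1
    awk -v client="$client_ip" '
        # Strip the trailing ":" and the ".port" suffix tcpdump appends.
        function addr(field,    n, p) {
            sub(/:$/, "", field)
            n = split(field, p, ".")
            return (n >= 4) ? p[1] "." p[2] "." p[3] "." p[4] : field
        }
        $2 == "IP" && $4 == ">" {
            src = addr($3); dst = addr($5)
            # Host-based tunnel: a flow is only safe if the client IP is
            # one of its endpoints. Anything else is routed-through traffic.
            if (src != client && dst != client) count[src " -> " dst]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k2
}

# Constructed capture: one flow from the tunnel IP itself (with a reply),
# and SIP plus ICMP packets forwarded from the phone subnet (no replies).
sample_capture() {
    cat <<'EOF'
12:00:01.000001 IP 10.4.0.5.40000 > 192.0.2.10.5060: UDP, length 420
12:00:01.020000 IP 192.0.2.10.5060 > 10.4.0.5.40000: UDP, length 380
12:00:02.000001 IP 10.2.6.3.5060 > 192.0.2.10.5060: UDP, length 512
12:00:03.000001 IP 10.2.6.3.5060 > 192.0.2.10.5060: UDP, length 512
12:00:04.000001 IP 10.2.6.3 > 192.0.2.10: ICMP echo request, id 1, seq 1, length 64
EOF
}

sample_capture | foreign_flows 10.4.0.5
```

An empty result means everything leaving the tunnel is sourced from the client IP; any line printed identifies a subnet that needs the IPsec site-to-site tunnel discussed in the thread.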
