What ports are needed for site to site IPsec tunnels to work?

L3 Networker

What ports are needed for site to site IPsec tunnels to work?

We have 2 Palo Alto firewalls & we are trying to establish an IPsec tunnel between both.  We proved that all VPN configurations are correct and were able to establish the tunnel & pass traffic, but only if we add a firewall rule saying allow any/any/any/any at the very top of the rule base, which goes against our security requirements.   Once we deleted the firewall rule the tunnels stopped working.  Simply put, we need to open firewall rules for site-to-site tunnels to work in our environment.  Does anyone know the Palo Alto TCP/UDP ports to open in order for phase 1 & 2 to go green?

L7 Applicator

Re: What ports are needed for site to site IPsec tunnels to work?

IPSec - UDP 500

IPSec over NAT - UDP 4500

GlobalProtect - TCP 443 and UDP 4501

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE (3.0, 5.0, 6.0, 7.0), PCNSE (6, 7), PCNSI
L3 Networker

Re: What ports are needed for site to site IPsec tunnels to work?

Thanks!  Which zones do these ports need to be opened on?

L7 Applicator

Re: What ports are needed for site to site IPsec tunnels to work?

Hello,

The one from the internet, ie untrust.


Regards,

L7 Applicator

Re: What ports are needed for site to site IPsec tunnels to work?

Usually the VPN is terminated on the UNTRUST interface.

Unless you have added a "block any" rule to the end, this traffic is permitted already by the "interzone-default" policy.

If you terminate the VPN on some other interface (TRUST, LOOPBACK etc.) and have NAT in place, then you need to adjust your security policy accordingly.

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE (3.0, 5.0, 6.0, 7.0), PCNSE (6, 7), PCNSI
L3 Networker

Re: What ports are needed for site to site IPsec tunnels to work?

Can you help me understand what you're saying about the default security policy? It doesn't make sense to me. How can something be permitted already because of the inter-zone default policy when the default policy is to deny all inter-zone traffic? It seems like nothing is allowed out of the box except intra-zone traffic and the rule-1 allow any to untrust.
L7 Applicator

Re: What ports are needed for site to site IPsec tunnels to work?

Hi, I think I had a typo in my answer about interzone. If traffic stays in the same zone it is intrazone.

Basically, rules are evaluated top to bottom.

The first one that matches will take effect. It either allows or blocks, and based on the security profile will check for viruses or not (only allow rules).

If no rule matches, then one of the last 2 will match.

intrazone-default will match if the traffic source and destination are in the same zone. For example, if traffic from the VPN peer comes from the internet and you have configured the IPSec gateway on the WAN interface, then this rule will match.

If traffic (based on NAT and virtual router) is destined to some other zone, then "interzone-default" will match.

Those default rules do not log by default, so you don't see any traffic that matches them.

To gain this visibility you have to click on the rule and choose "Override".

Click on the rule name.

On the "Actions" tab check "Log at session end".

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE (3.0, 5.0, 6.0, 7.0), PCNSE (6, 7), PCNSI
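The top-to-bottom evaluation and the two built-in fallback rules described in the reply above, as an added worked example that is not part of the original thread and is not Palo Alto code: a small Python model of PAN-OS security-policy matching, run over the thread's scenario. It shows why IKE/ESP from an internet peer to a gateway on the untrust interface already hits intrazone-default (allow), why the same tunnel terminated on a loopback in another zone falls through to interzone-default (deny), and what a narrow peer-to-peer rule looks like in place of the OP's any/any/any/any rule. All zone names, addresses and rule names are made-up assumptions; the App-ID names ike, ipsec-esp and ipsec-esp-udp are the ones used on PAN-OS.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Set

# Constructed model of PAN-OS security-policy evaluation: rules are checked
# top to bottom, the first match wins, and if nothing matches one of the two
# built-in rules applies: intrazone-default (allow) when source and
# destination zone are the same, interzone-default (deny) otherwise.
# Neither built-in rule logs unless it is overridden ("Log at session end").


@dataclass
class Rule:
    name: str
    from_zones: Set[str]        # {"any"} or zone names
    to_zones: Set[str]
    sources: List[str]          # ["any"] or CIDR / host strings
    destinations: List[str]
    apps: Set[str]              # {"any"} or App-IDs such as "ike", "ipsec-esp"
    action: str                 # "allow" or "deny"
    log_end: bool = True        # "Log at session end" checkbox


@dataclass
class Session:
    from_zone: str
    to_zone: str
    src: str
    dst: str
    app: str


INTRAZONE_DEFAULT = Rule("intrazone-default", {"any"}, {"any"}, ["any"], ["any"], {"any"}, "allow", log_end=False)
INTERZONE_DEFAULT = Rule("interzone-default", {"any"}, {"any"}, ["any"], ["any"], {"any"}, "deny", log_end=False)


def _addr_match(cidrs: List[str], addr: str) -> bool:
    return "any" in cidrs or any(ip_address(addr) in ip_network(c, strict=False) for c in cidrs)


def _zone_match(zones: Set[str], zone: str) -> bool:
    return "any" in zones or zone in zones


def rule_matches(rule: Rule, s: Session) -> bool:
    return (_zone_match(rule.from_zones, s.from_zone)
            and _zone_match(rule.to_zones, s.to_zone)
            and _addr_match(rule.sources, s.src)
            and _addr_match(rule.destinations, s.dst)
            and ("any" in rule.apps or s.app in rule.apps))


def evaluate(rulebase: List[Rule], s: Session) -> Rule:
    """Return the first rule that matches, else the applicable built-in default."""
    for r in rulebase:
        if rule_matches(r, s):
            return r
    return INTRAZONE_DEFAULT if s.from_zone == s.to_zone else INTERZONE_DEFAULT


# Made-up sample addresses (RFC 5737 documentation ranges), not a real deployment.
PEER = "203.0.113.10"        # remote firewall's public IP
LOCAL_UNTRUST = "198.51.100.5"   # our untrust interface IP
LOCAL_LOOPBACK = "10.255.0.1"    # loopback in zone "vpn", if the gateway is bound there

# What the OP added: any/any/any/any at the top of the rulebase.
ANY_ANY = Rule("allow-any", {"any"}, {"any"}, ["any"], ["any"], {"any"}, "allow")


def vpn_peer_rule(peer: str, local: str, from_zone: str, to_zone: str) -> Rule:
    """Narrow replacement for the any/any rule: only this peer, only IKE/ESP/NAT-T.
    The equivalent PAN-OS CLI would be roughly (assumed, check against your release):
      set rulebase security rules allow-vpn-peer from <from_zone> to <to_zone>
        source <peer> destination <local> application [ ike ipsec-esp ipsec-esp-udp ]
        service application-default action allow
    """
    return Rule("allow-vpn-peer", {from_zone}, {to_zone}, [peer], [local],
                {"ike", "ipsec-esp", "ipsec-esp-udp"}, "allow")


if __name__ == "__main__":
    # Gateway on untrust: peer -> untrust IP stays inside the untrust zone.
    ike_untrust = Session("untrust", "untrust", PEER, LOCAL_UNTRUST, "ike")
    print("no rules, untrust gateway:", evaluate([], ike_untrust).name)          # intrazone-default
    # Gateway on a loopback in zone "vpn": the session crosses zones.
    ike_loop = Session("untrust", "vpn", PEER, LOCAL_LOOPBACK, "ike")
    print("no rules, loopback gateway:", evaluate([], ike_loop).name)            # interzone-default
    print("any/any rule, loopback gateway:", evaluate([ANY_ANY], ike_loop).name)  # allow-any
    narrow = [vpn_peer_rule(PEER, LOCAL_LOOPBACK, "untrust", "vpn")]
    print("narrow rule, loopback gateway:", evaluate(narrow, ike_loop).name)     # allow-vpn-peer
    stranger = Session("untrust", "vpn", "192.0.2.7", LOCAL_LOOPBACK, "ike")
    print("narrow rule, other source:", evaluate(narrow, stranger).action)       # deny
```

Because the built-in defaults have `log_end=False`, a session that is allowed by intrazone-default never appears in the traffic log, which is exactly why the tunnel "worked with no rule" on untrust looks like magic until the default rule is overridden to log at session end.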
L1 Bithead

Re: What ports are needed for site to site IPsec tunnels to work?

Hi! I suggest installing and setting up VeePN and servers.
This VPN differs from other VPN providers:
1) Besides the VPN you are provided with a fully working VPS
a) Personalized configurations for your VPN
b) Regulated logs
c) Generating your own services, such as HTTP
d) There are no 3rd silent persons; after setting up you are going to be the only owner
