IP Sec VPN Paloalto - Starlink


IP Sec VPN Paloalto - Starlink

L1 Bithead

I'm testing Starlink business and having issues passing traffic over my tunnel. This remote site connects to our data center via an IPsec tunnel. I can get the tunnel up and traceroute to the remote side of the tunnel, but I'm unable to pass traffic. I have "Enable NAT Traversal" selected on my IKE Gateway. The Starlink is set to IP passthrough.

 

Any help would be appreciated.

Cheers,
CS

13 replies

Cyber Elite

If you can traceroute to the other side over the tunnel, it means that some traffic does cross the tunnel successfully, right?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

L1 Bithead

Yes, I agree; however, I'm unable to ping the management interface of the PA-220. Also, from the remote side, I can't ping the gateway that is on the PA-220 for any of my VLANs, and my Cisco phones do not register.

 

Cheers,
CS

Cyber Elite

Both sides have Palo?

Do you have access to the firewalls on both sides?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Yes, both sides have Palo Altos. When I'm on-site I have access to both firewalls. I have to unplug the Starlink cable to keep my other tunnel running.

Cheers,
CS

Cyber Elite

Check the firewall policies on both sides to see if they permit traffic to/from the tunnel zone.

Can you share screenshots of working and non-working traffic logs from both sides, with at least these columns visible?

 

[screenshot: Raido_Rattameister_0-1680104836923.png]

 

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

L1 Bithead

Thank you for your response. Both sides have policies that permit traffic to/from the tunnel zone. I have another circuit that works with no issues at this site. However, when getting the screenshots you requested, I noticed that on Starlink most of the traffic goes to the Interzone-default policy and is denied.

 

Cheers,
CS
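The check the previous reply asked for, done programmatically rather than by eye: given a traffic-log export, list every session in the tunnel zone that matched a default rule instead of an explicit one and group the misses by zone pair, protocol and port, so each group maps to one missing policy. This is an added example, not code from the thread or from Palo Alto Networks; the CSV layout and column names (`from_zone`, `to_zone`, `rule`, `action`, ...) are a simplified, constructed stand-in for a real PAN-OS export, and the zone name `vpn` is an assumption.

```python
import csv
import io
from collections import Counter

# Constructed, simplified traffic-log export (a real PAN-OS CSV export has
# many more columns; these column names are assumptions for the example).
SAMPLE_LOG = """\
receive_time,from_zone,to_zone,src,dst,proto,dport,rule,action
2023/03/29 10:01:02,trust,vpn,10.20.0.15,10.10.0.5,udp,5060,allow-vpn,allow
2023/03/29 10:01:03,vpn,trust,10.10.0.5,10.20.0.1,icmp,0,interzone-default,deny
2023/03/29 10:01:04,trust,vpn,10.20.0.15,10.10.0.10,tcp,443,interzone-default,deny
2023/03/29 10:01:05,vpn,trust,10.10.0.9,10.20.0.15,tcp,5061,interzone-default,deny
2023/03/29 10:01:06,trust,untrust,10.20.0.15,198.51.100.7,tcp,443,allow-internet,allow
2023/03/29 10:01:07,trust,vpn,10.20.0.20,10.10.0.5,udp,5060,allow-vpn,allow
"""

# PAN-OS predefined rules that catch anything no explicit rule matched.
DEFAULT_RULES = {"interzone-default", "intrazone-default"}


def parse_log(text):
    """Parse a CSV traffic-log export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def default_rule_hits(rows, tunnel_zone):
    """Rows where traffic to or from the tunnel zone matched a default rule.

    Traffic that is meant to cross the tunnel should match an explicit rule;
    a session landing on interzone-default (deny) is a policy gap, not a
    tunnel or transport problem.
    """
    return [
        r for r in rows
        if tunnel_zone in (r["from_zone"], r["to_zone"])
        and r["rule"] in DEFAULT_RULES
    ]


def missing_policy_summary(rows, tunnel_zone):
    """Group the gap by (from_zone, to_zone, proto, dport).

    Each key is one candidate rule to add; the count shows how often it was hit.
    """
    counts = Counter()
    for r in default_rule_hits(rows, tunnel_zone):
        counts[(r["from_zone"], r["to_zone"], r["proto"], r["dport"])] += 1
    return counts


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for key, n in missing_policy_summary(rows, "vpn").most_common():
        src_zone, dst_zone, proto, dport = key
        print(f"{src_zone:>6} -> {dst_zone:<6} {proto}/{dport:<5} hit default rule {n}x")
```

Run it against a real export by replacing `SAMPLE_LOG` with the file contents and mapping the column names; anything the summary prints is traffic the firewall is denying before it ever reaches the tunnel.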

Cyber Elite

Hello,

Do you have policies in place to allow the traffic to flow via the tunnel? Also how is the 'default', 0.0.0.0/0 route getting advertised on the 'remote' side, or is it a static route?

Regards,

Cyber Elite

Hello,

Sorry, I didn't see the traffic screenshots before. But it looks like there are missing policies, so the traffic is hitting the 'default' policies.

Regards,

L1 Bithead

I'm having the same problem. It doesn't happen all the time. I think it has to do with ESP traffic being blocked.

L0 Member

Is there any solution?

Cyber Elite

Hello,

For the policy that handles the VPN traffic, do not perform any inspections or SSL decryption, etc. Basically, allow all traffic to/from the two IPs that are the VPN endpoints and see how that works out. My guess is that there is UDP traffic getting blocked/dropped.

Regards,

Sorry for not responding. I abandoned this project.

Yes, the routes are static, and looking back at my screenshots, I think you are correct that policies were missing.

 

I'm considering trying StarLink again, I was reviewing what went wrong. Thank you for your help.

Cheers,
CS

L0 Member

We had the same issue, and StarLink confirmed the following, so we are looking into a solution.

 

ESP packets are dropped.

VPNs that rely on protocols 47 (GRE), 50 (ESP), 51 (AH), 115 (L2TP) are dropped by CGNAT at this time.
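The statement above is the key to the whole thread: a CGNAT rewrites IP/port pairs, so an IPsec tunnel only survives it when ESP rides inside UDP (NAT-Traversal on UDP/4500, RFC 3948) rather than as raw IP protocol 50. The following is an added example, not code from the thread, Starlink or Palo Alto Networks: it builds a few constructed IPv4 packets (made-up addresses, zero checksums) and classifies each one as the CGNAT described above would see it, using the protocol numbers Starlink listed. Whether a given UDP flow is actually "NAT-able" in practice also depends on the CGNAT keeping its mapping alive, which a packet-level check cannot tell you.

```python
import socket
import struct

# IP protocol numbers named in the thread, plus the ones IPsec/IKE need.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 51: "AH", 115: "L2TP"}
# Protocols Starlink said their CGNAT drops (from the post above).
CGNAT_DROPPED = {47, 50, 51, 115}
IKE_PORT, NAT_T_PORT = 500, 4500


def build_ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (IHL=5, no options). Checksum left 0: classify() ignores it."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_udp(sport, dport, payload):
    """UDP header with correct length; checksum 0 (optional for IPv4)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def classify(packet):
    """Return (label, nat_able) for a raw IPv4 packet.

    nat_able is False for the protocols the CGNAT drops outright and True for
    anything carried over UDP/TCP, which a NAT can at least map.
    """
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    body = packet[ihl:]
    name = PROTO_NAMES.get(proto, f"proto-{proto}")
    if proto in CGNAT_DROPPED:
        return (name, False)
    if proto == 17:
        sport, dport = struct.unpack("!HH", body[:4])
        udp_payload = body[8:]
        if IKE_PORT in (sport, dport):
            return ("IKE", True)
        if NAT_T_PORT in (sport, dport):
            # RFC 3948: IKE on 4500 carries a 4-byte zero "non-ESP marker";
            # UDP-encapsulated ESP starts directly with its (non-zero) SPI.
            if udp_payload[:4] == b"\x00\x00\x00\x00":
                return ("IKE (NAT-T)", True)
            return ("ESP-in-UDP (NAT-T)", True)
        return ("UDP", True)
    return (name, True)


# Constructed sample packets between two made-up endpoints (100.64.0.0/10 is
# the shared CGNAT range, which is what a Starlink-side host typically gets).
A, B = "100.64.1.10", "203.0.113.5"
ESP_BODY = struct.pack("!II", 0x0000ABCD, 1) + b"\x00" * 16   # SPI, seq, padding
SAMPLES = {
    "raw_esp": build_ipv4(50, A, B, ESP_BODY),
    "esp_nat_t": build_ipv4(17, A, B, build_udp(4500, 4500, ESP_BODY)),
    "ike_nat_t": build_ipv4(17, A, B, build_udp(4500, 4500, b"\x00" * 4 + b"\x11" * 28)),
    "ike": build_ipv4(17, A, B, build_udp(500, 500, b"\x22" * 28)),
    "gre": build_ipv4(47, A, B, b"\x00\x00\x08\x00"),
}


def audit(samples=SAMPLES):
    """Classify every sample packet; returns {name: (label, nat_able)}."""
    return {name: classify(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, (label, ok) in audit().items():
        print(f"{name:10} {label:22} {'passes CGNAT' if ok else 'DROPPED by CGNAT'}")
```

The practical reading for the thread: with "Enable NAT Traversal" set on both IKE gateways, the data path should be the `esp_nat_t` case (UDP/4500) rather than `raw_esp`; if a capture on the Starlink side shows protocol 50 leaving the firewall, NAT-T was not negotiated and the tunnel will come up but carry nothing, which matches the symptoms described.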

  • 1 accepted solution
  • 6788 Views
  • 13 replies
  • 1 Likes