IP Sec VPN Paloalto - Starlink

L1 Bithead

I'm testing Starlink business and having issues passing traffic over my tunnel. This remote site connects to our data center via an IPsec tunnel. I can get the tunnel up and traceroute to the remote side of the tunnel, but I'm unable to pass traffic. I have "Enable NAT Traversal" selected on my IKE Gateway. The Starlink is set to IP passthrough.

Any help would be appreciated.

8 REPLIES 8

L7 Applicator

If you can traceroute to the other side over the tunnel, it means that some traffic does cross the tunnel successfully, right?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

L1 Bithead

Yes, I agree; however, I'm unable to ping the management interface of the PA-220. Also, from the remote side I can't ping the gateway that is on the PA-220 for any of my VLANs, and my Cisco phones do not register.

L7 Applicator

Both sides have Palo?

Do you have access to the firewalls on both sides?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Yes, both sides have Palo Altos. When I'm on-site I have access to both firewalls. I have to unplug the Starlink cable to keep my other tunnel running.

L7 Applicator

Check the firewall policies on both sides to confirm they permit traffic to/from the tunnel zone.

Can you share screenshots of the working and non-working traffic logs from both sides, with at least these columns visible?

[screenshot attached: Raido_Rattameister_0-1680104836923.png]

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

L1 Bithead

Thank you for your response. Both sides have policies that permit traffic to/from the tunnel zone. I have another circuit that works with no issues at this site. However, when getting the screenshots you requested, I noticed that on Starlink most of the traffic hits the interzone-default policy and is denied.
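The symptom described in this post (sessions landing on interzone-default and being denied) is something you can pull out of an exported traffic log instead of reading screenshots. The script below is an added example, not code from the thread or from Palo Alto Networks: it parses a constructed CSV export with assumed column names (receive_time, from_zone, to_zone, source, destination, application, rule, action; a real PAN-OS export carries many more fields), lists the sessions dropped by the implicit interzone-default rule, and compares the affected zone pairs against a constructed rulebase to show which direction has no explicit rule. The zone names "vpn" and "trust" and the rule names are assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample of an exported traffic log (assumed column names, not a real export).
SAMPLE_TRAFFIC_LOG = """receive_time,from_zone,to_zone,source,destination,application,rule,action
2023/03/29 10:01:02,vpn,trust,10.20.0.15,10.10.0.5,sip,interzone-default,deny
2023/03/29 10:01:05,trust,vpn,10.10.0.20,10.20.0.15,ping,allow-dc-to-branch,allow
2023/03/29 10:01:07,vpn,trust,10.20.0.15,10.10.0.1,ping,interzone-default,deny
2023/03/29 10:01:09,vpn,vpn,10.20.0.15,10.20.0.1,ping,intrazone-default,allow
2023/03/29 10:01:12,vpn,trust,10.20.0.30,10.10.0.5,sip,interzone-default,deny
"""

# Constructed view of the security rulebase: only the zone pair each rule covers.
# Note there is a rule from trust to vpn but none from vpn back to trust (assumed gap).
SAMPLE_RULES = [
    {"name": "allow-dc-to-branch", "from": "trust", "to": "vpn"},
]


def find_default_denies(log_text):
    """Return the log rows that were dropped by the implicit interzone-default rule."""
    reader = csv.DictReader(io.StringIO(log_text))
    return [
        row for row in reader
        if row["rule"] == "interzone-default" and row["action"] == "deny"
    ]


def summarize_zone_pairs(rows):
    """Count denied sessions per (from_zone, to_zone, application) so the
    missing rule can be written for exactly the traffic that needs it."""
    return Counter((r["from_zone"], r["to_zone"], r["application"]) for r in rows)


def missing_zone_pairs(denied_counts, rules):
    """Zone pairs that hit interzone-default and have no explicit rule in that direction.
    Security rules are direction-specific, so trust->vpn does not cover vpn->trust."""
    covered = {(r["from"], r["to"]) for r in rules}
    return sorted({(f, t) for (f, t, _app) in denied_counts if (f, t) not in covered})


if __name__ == "__main__":
    denied = find_default_denies(SAMPLE_TRAFFIC_LOG)
    counts = summarize_zone_pairs(denied)
    for (src_zone, dst_zone, app), n in counts.items():
        print(f"{src_zone} -> {dst_zone} app={app}: {n} session(s) hit interzone-default")
    for src_zone, dst_zone in missing_zone_pairs(counts, SAMPLE_RULES):
        print(f"no explicit rule covers {src_zone} -> {dst_zone}")
```

Run against a real export, the output tells you which zone pair and application the missing rule must cover; in the constructed data it is the vpn-to-trust direction for SIP and ping, which matches the phones-not-registering and unreachable-gateway symptoms described earlier in the thread.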

Cyber Elite

Hello,

Do you have policies in place to allow the traffic to flow via the tunnel? Also, how is the 'default' 0.0.0.0/0 route being advertised on the 'remote' side, or is it a static route?

Regards,

Cyber Elite

Hello,

Sorry, I didn't see the traffic screenshots before. But it looks like there are missing policies, so the traffic is hitting the 'default' policies.

Regards,
