This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

IP Sec VPN Paloalto - Starlink

cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 

IP Sec VPN Paloalto - Starlink

Go to solution
CraigSmith2
L1 Bithead

‎03-27-2023 09:16 AM

I'm testing Starlink business and having issues passing traffic over my tunnel. This remote site connects to our data center via an IPsec tunnel. I can get the tunnel up and traceroute to the remote side of the tunnel, but I'm unable to pass traffic. I have "Enable NAT Traversal" selected on my IKE Gateway. The Starlink is set to IP passthrough.

 

Any help would be appreciated.

Cheers,
CS
1 accepted solution

Accepted Solutions

Go to solution
OtakarKlier
Cyber Elite
Cyber Elite

‎04-04-2023 02:39 PM

Hello,

Sorry I didnt see the traffic screen shots before. But it looks like there are missing policies so the traffic is hitting the 'default' policies.

Regards,

View solution in original post

0 Likes Likes
14 REPLIES 14

Go to solution
Raido_Rattameister
Cyber Elite
Cyber Elite

‎03-27-2023 11:23 AM

If you can traceroute to other side over the tunnel it means that some traffic does cross the tunnel successfully right?

Principal Architect @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
0 Likes Likes

Go to solution
CraigSmith2
L1 Bithead

‎03-28-2023 01:33 PM

Yes, I agree, however, I'm unable to ping the management interface of the PA-220. Also from the remote side, I can't ping the gateway that is on the PA-220 for any of my vlans and my Cisco phones do not register. 

 

Cheers,
CS
0 Likes Likes

Go to solution
Raido_Rattameister
Cyber Elite
Cyber Elite

‎03-28-2023 05:59 PM

Both sides have Palo?

Do you have access to firewalls on both side?

Principal Architect @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
0 Likes Likes

Go to solution
CraigSmith2
L1 Bithead
In response to Raido_Rattameister

‎03-29-2023 08:31 AM

Yes, both sides have Palo Altos. When I'm on-site I have access to both firewalls. I have to unplug the Starlink cable to keep my other tunnel running.

Cheers,
CS
0 Likes Likes

Go to solution
Raido_Rattameister
Cyber Elite
Cyber Elite

‎03-29-2023 08:47 AM - edited ‎03-29-2023 08:48 AM

Check firewall policies on both sides if they permit traffic to/from tunnel zone.

Can you share screenshot of working and not working traffic log from both sides and have at least those columns visible.

 

Raido_Rattameister_0-1680104836923.png

 

Principal Architect @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
0 Likes Likes

Go to solution
CraigSmith2
L1 Bithead

‎04-04-2023 09:30 AM

Thank you for your response. Both sides have policies that permit traffic to/from the tunnel zone. I have another circuit that works with no issues at this site. However, when getting the screenshots you requested I noticed that on Starlink most of the traffic goes Interzone-default policy and is denied.

 

Cheers,
CS
notworking_traffic.png
Preview file
176 KB
working_traffic.png
Preview file
161 KB
0 Likes Likes

Go to solution
OtakarKlier
Cyber Elite
Cyber Elite

‎04-04-2023 02:37 PM

Hello,

Do you have policies in place to allow the traffic to flow via the tunnel? Also how is the 'default', 0.0.0.0/0 route getting advertised on the 'remote' side, or is it a static route?

Regards,

0 Likes Likes

Go to solution
OtakarKlier
Cyber Elite
Cyber Elite

‎04-04-2023 02:39 PM

Hello,

Sorry I didnt see the traffic screen shots before. But it looks like there are missing policies so the traffic is hitting the 'default' policies.

Regards,

0 Likes Likes

Go to solution
ChrisThornton
L1 Bithead

‎01-06-2024 03:35 PM

I'm having the same problem. It dosn't happen all the time. I think it has to do with esp traffic being blocked 

0 Likes Likes

Go to solution
Pollack32
L0 Member

‎01-08-2024 03:07 AM - edited ‎01-08-2024 11:05 PM

Is there any solution.?

0 Likes Likes

Go to solution
OtakarKlier
Cyber Elite
Cyber Elite

‎01-08-2024 07:36 AM

Hello,

For the policy that handles the VPN traffic, do not perform and inspections or ssl decryption, etc. Basically allow all traffic to/from the two IP's that are the VPN endpoints and see how that works out. My guess is that there is UDP traffic getting blocked/dropped.

Regards,

0 Likes Likes

Go to solution
CraigSmith2
L1 Bithead
In response to OtakarKlier

‎08-23-2024 10:50 AM

Sorry for not responding. I abandoned this project.

Yes the routes are static and looking back at my screenshots I think you are correct that policies were missing. 

 

I'm considering trying StarLink again, I was reviewing what went wrong. Thank you for your help.

Cheers,
CS
0 Likes Likes

Go to solution
dkaliel
L0 Member

‎10-18-2024 08:24 AM

We had the same issue and StarLink confirmed the following so we are looking into a solution

 

ESP packets are dropped.

VPNs that rely on protocols 47 (GRE), 50 (ESP), 51 (AH), 115 (L2TP) are dropped by CGNAT at this time.

0 Likes Likes

Go to solution
PktBlocker
L2 Linker

‎03-28-2025 06:47 PM - edited ‎03-28-2025 06:50 PM

Just going to chime in for folks like myself who have limited choices. I found a good article on a competitor site that helped me and i managed to get a site to site up thru starlink residential.

my setup is PA-->FTG-->Starlink--->ISP--->PA Corp. 

PA on Corp side is in passive mode since it has the static ip

Both PAs are running ikev1 in aggressive mode with NAT-T

The FTG in my case is just acting like a service provider

 

https://community.fortinet.com/t5/Support-Forum/IPSEC-tunnels-behind-CGNAT-Starlink/m-p/226976

https://www.starlink.com/support/article/aa5aecf3-e97c-e84e-3f87-8d2ecdfde857

 

I am a bit curious if anyone has run any testing to see if any of the ports are blocked per the article from starlink below? I would think the traffic thru the vpn would be immune to this.

https://www.starlink.com/support/article/c3caacdf-1c1f-98db-b821-bbb36ca9d89b

0 Likes Likes
  • 1 accepted solution
  • 9674 Views
  • 14 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks