IPSec site-to-site tunnel not allowing all traffic both ways

Reply
Highlighted
L0 Member

IPSec site-to-site tunnel not allowing all traffic both ways

I followed the guides to set up an IPSec site to site VPN tunnel between our main office and satellite office using static routing, but I can't access our servers through the tunnel. From the main office, I can access everything on the satellite office's subnet, but from the satellite office, the only thing I'm able to access through the tunnel is the management interface of the firewall itself.

Both offices have GlobalProtect gateways set up so I can log in and access everything that way, but not through the IPSec tunnel.

 

The firewalls are set up as close to identical as possible. Every relevant config setting I could find is the same. They're on distinct subnets, all the checks on the tunnel show that the connection is working, the security policies are is set to allow all traffic through the tunnel in both directions, and I added a route on each firewall's virtual router to direct traffic bound for the other subnet to the tunnel interface. On both firewalls, the management interface is at a static address on the subnet.

 

Can anyone shed some light on what might be happening?

Highlighted
Cyber Elite

@Jordan.Dick,

When you connect to the satellite office gateway, are you seeing associated traffic logs on the satellite firewall? I'd double check the traffic logs on the satellite and see if it's getting the traffic and properly forwarding the traffic through the tunnel to your main office. Then do the same on the main office; are you actually seeing the traffic coming through from the satellite office? 

Highlighted
L0 Member

Looking at the traffic logs, the traffic is passing through in both directions.

 

I spent some time on the phone with the support team and discovered the source of the problem.

The tunnel was working correctly the whole time, but the devices I was trying to connect to are all connected to two separate networks at the main office, and their default gateways are all pointing at the router on the other subnet, so whenever I tried to open a session with any of them, their reply packets would all be sent out to the other router instead of back through the tunnel.

To get around this, I set up a NAT for all traffic coming through the tunnel, so the devices' reply packets are directed to the Palo Alto firewall on the subnet they have routing table entries for.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!