IPsec Tunnel with IBM Cloud

L1 Bithead

Hi,

 

I have set up a tunnel with IBM Cloud and the tunnel is UP. However, I am unable to ping from either side.

Routing and security policies are configured correctly; in the firewall logs I can see that bytes sent are non-zero but bytes received is zero.

There is no traffic arriving from the IBM Cloud device at the Palo Alto firewall, so I suspect an issue on the IBM Cloud side.

 

I am not sure whether Palo Alto supports IBM Cloud IPsec, and I am also not sure whether the IBM Cloud VPN is route-based or policy-based.

 

Thanks

Dhananjay Bhakte

Cyber Elite

Good Day.

 

So far, excellent troubleshooting and details.

 

If you can confirm that you see traffic egress out the correct tunnel interface, and you do not see the traffic coming back in, then I would agree that it is a routing issue on the remote side.

 

You would also want to confirm that you allow traffic from the remote side inbound.

So on a PANW, there would be 2 rules.

 

Outside to Outside, using applications ipsec/ike on app-default (for creating the tunnel)

Inside to VPN zone (presuming you used this zone name)

VPN to Inside (again, presuming you used this zone name)

 

You should ask to see if traffic can be initiated from IBM; if you do not see traffic sourced from the IBM side, then you know... well, it is on the IBM side.

 

Let me know how else we can assist you.

 

 

Cyber Elite

@DhananjayBhakte 

 

We have IPSEC tunnel to IBM cloud.

How does the traffic flow? Is it initiated from your side or from the IBM side?

 

If it is only initiated from your side, then you do not need a security rule to allow the traffic from the IBM side?

Whichever side initiates traffic, you need a security rule to allow the traffic in that direction.

 

How are you doing NAT for tunnel traffic?

Are you doing source NAT or destination NAT for tunnel traffic?

 

You need to check with IBM on the interesting traffic, that is, the local and remote subnets, and agree on the correct NATting.

Hope this helps.

 

Regards

MP
L1 Bithead

Hi Steve,

 

Thanks for replying!

 

I am initiating traffic from the Palo Alto side and I can see it is taking the proper tunnel route.

I have created two security policies, trust to vpn and vpn to trust, as I always create only 2 policies for an IPsec tunnel. I am not sure the outside-to-outside policy is needed, because the tunnel is UP; the only problem is with accessing/pinging IBM from the on-premises network.

 

I also pinged from the IBM Cloud system; however, I am not getting logs on the Palo Alto firewall.

 

Thanks

Dhananjay Bhakte

L4 Transporter

Hi @DhananjayBhakte ,

 

As @SteveCantwell already explained, there is a default intrazone rule that allows the IPsec traffic. So you need an explicit allow rule only if you have overridden this rule and are blocking any intrazone traffic that is not explicitly allowed.

 

One important note: do you really need the two policies for the IPsec tunnel? @MP18 asked an excellent question: from where do you expect the traffic to be initiated in normal operation of the tunnel? The question is not from where you are pinging during troubleshooting; the question is, do you expect both sides of the tunnel to initiate traffic? You know the PAN firewall is a stateful firewall, so it will automatically allow the reply to a given request. I have seen countless tunnels with rules allowing traffic in both directions when only one side will be the initiator.

 

When you say "tunnel is up", do you mean both phase 1 and phase 2 are up?

If phase 2 is up, do you see encrypted/decrypted traffic? Which one, or both?

 

I also agree it is time to engage the remote site to double-check their config.

 

L1 Bithead

Hi Alexander,

 

Thank you for replying!

 

I agree that there is no need to create two policies when only one side is the initiator, but in my case both sides are initiators. Hence I created two policies.

 

I checked: both phases are UP, and I can see encrypted traffic in the tunnel only from the Palo side; there is no return traffic from the IBM end.

 

As I mentioned in my first comment, I suspect an issue on the IBM end; I will check it again.

 

@MP18 

 

Could you please help with how to set up routing and NATting on the IBM VPN? The IBM VPN is not letting me add a custom route towards the VPN gateway.

 

Thanks

Dhananjay Bhakte 

Cyber Elite

@DhananjayBhakte 

 

For routing between IPsec peers we need to know the remote and local subnets.

Depending on that you can apply the NAT.

For example, if you want to reach subnet 10.7.8.9.0/24 on the IBM side and you do not have this subnet on your network, then you only need routing, no NAT.

 

If you have overlapping subnets, then you need source or destination NAT, and both you and IBM have to agree on that.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSGCA0

 

Below is a link to configuring routing between IPsec peers:

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGkCAK

 

Regards

MP
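The overlap-versus-routing decision above, and the proxy-ID question the thread raises later (a policy-based peer needs one traffic selector per local/remote pair), can both be checked mechanically. The following is an added example written for this thread, not code from Palo Alto Networks or IBM; the subnets, the `proxyid-N` names and the peer's selector list are constructed assumptions.

```python
"""Subnet-overlap and proxy-ID planning for a route-based firewall talking to a policy-based peer.

Added example for this thread; subnets and names are constructed, not taken from any real deployment.
"""
import ipaddress
from itertools import product


def overlapping_pairs(local_subnets, remote_subnets):
    """Return every (local, remote) pair that overlaps.

    Any overlap means plain routing cannot tell the two sides apart, so
    source or destination NAT is required and both peers must agree on it.
    """
    locals_ = [ipaddress.ip_network(n, strict=True) for n in local_subnets]
    remotes = [ipaddress.ip_network(n, strict=True) for n in remote_subnets]
    return [(str(l), str(r)) for l, r in product(locals_, remotes) if l.overlaps(r)]


def nat_required(local_subnets, remote_subnets):
    """True when at least one local/remote pair overlaps."""
    return bool(overlapping_pairs(local_subnets, remote_subnets))


def proxy_ids(local_subnets, remote_subnets, protocol="any"):
    """One proxy ID per (local, remote) pair.

    A policy-based peer negotiates a separate phase-2 SA for each traffic
    selector, so the route-based side must offer a matching proxy ID for
    each pair. The 'proxyid-N' names are hypothetical.
    """
    return [
        {"name": f"proxyid-{i}", "local": l, "remote": r, "protocol": protocol}
        for i, (l, r) in enumerate(product(local_subnets, remote_subnets), start=1)
    ]


def select_proxy_id(pids, src_ip, dst_ip):
    """Return the proxy ID whose selectors cover src -> dst, or None.

    None means the packet can be routed into the tunnel interface yet match
    no phase-2 SA; it is then encrypted into nothing and never reaches the peer.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for pid in pids:
        if src in ipaddress.ip_network(pid["local"]) and dst in ipaddress.ip_network(pid["remote"]):
            return pid
    return None


def selector_mismatches(our_pids, peer_pairs):
    """Compare our proxy IDs with the peer's (local, remote) pairs as the peer states them.

    The peer's local is our remote, so the peer list is flipped before comparing.
    A pair present on one side only will never negotiate a phase-2 SA.
    """
    ours = {(ipaddress.ip_network(p["local"]), ipaddress.ip_network(p["remote"])) for p in our_pids}
    theirs = {(ipaddress.ip_network(r), ipaddress.ip_network(l)) for l, r in peer_pairs}
    return {
        "only_ours": sorted(f"{l} -> {r}" for l, r in ours - theirs),
        "only_peer": sorted(f"{l} -> {r}" for l, r in theirs - ours),
    }


if __name__ == "__main__":
    # Constructed sample: two on-prem subnets, one VPC subnet, peer only configured one pair.
    local = ["10.10.0.0/24", "10.20.0.0/24"]
    remote = ["10.240.0.0/24"]
    print("NAT required:", nat_required(local, remote))
    pids = proxy_ids(local, remote)
    for pid in pids:
        print(pid)
    print("10.20.0.5 -> 10.240.0.9 uses:", select_proxy_id(pids, "10.20.0.5", "10.240.0.9")["name"])
    print(selector_mismatches(pids, [("10.240.0.0/24", "10.10.0.0/24")]))
```

Run it with the peer's selector list as they state it (their local first, their remote second); anything under `only_ours` is a pair the peer will reject, anything under `only_peer` is a pair for which the firewall will never build an SA.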
L1 Bithead

Hi MP,

 

I do not need to configure NAT because I have the IBM local subnet available for routing.

 

I have checked the following so far on the Palo Alto:

 

1) Tunnel is UP

2) Traffic egresses from the proper tunnel interface.

3) Bytes are sent but not received.

4) Proxy ID is configured, since IBM Cloud is policy-based.

5) Security policies are in place and traffic passes through the correct policy, but there is no return traffic.

 

I suspect an issue on the IBM Cloud side.

I did the following on the IBM side:

 

1) Created VPC

2) Created VPN gateway

3) Allowed all traffic in the security group and ACL

 

However, I am not getting an option for adding a route.

As you mentioned that you configured an IPsec tunnel on IBM Cloud, can you provide a KB article link for configuring the IPsec tunnel?

 

Thanks

Dhananjay Bhakte
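The checklist above (traffic egresses the tunnel interface, bytes sent but none received) together with the earlier question about encrypted versus decrypted counters amounts to a small decision tree. The script below is an added example for this thread, not a Palo Alto Networks tool: it reads session records in a simplified, constructed layout (not the real PAN-OS traffic-log CSV field order) and combines them with assumed tunnel encap/decap byte counters to name the stage where traffic is lost.

```python
"""Triage one-way traffic over an IPsec tunnel interface.

Added example for this thread. The log layout and the encap/decap counters are
constructed inputs; the verdict names are this script's own labels.
"""
import csv
import io

# Constructed sample: three on-prem -> VPC sessions via tunnel.1 with no reply,
# and one ordinary Internet session that is healthy.
SAMPLE_LOG = """\
src,dst,from_zone,to_zone,egress_if,bytes_sent,bytes_received
10.10.0.5,10.240.0.9,trust,vpn,tunnel.1,420,0
10.10.0.6,10.240.0.9,trust,vpn,tunnel.1,840,0
10.10.0.5,10.240.0.20,trust,vpn,tunnel.1,1260,0
10.10.0.7,198.51.100.40,trust,untrust,ethernet1/1,3000,12000
"""


def parse_sessions(text):
    """Parse the simplified CSV into dicts with integer byte counters."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["bytes_sent"] = int(row["bytes_sent"])
        row["bytes_received"] = int(row["bytes_received"])
    return rows


def one_way_sessions(sessions, egress_if):
    """Sessions that left through egress_if and never saw a reply byte."""
    return [
        s for s in sessions
        if s["egress_if"] == egress_if and s["bytes_sent"] > 0 and s["bytes_received"] == 0
    ]


def tunnel_verdict(sessions, egress_if, encap_bytes, decap_bytes):
    """Locate the failing stage from session logs plus tunnel counters.

    encap_bytes / decap_bytes are the bytes the tunnel has encrypted and
    decrypted (assumed to be read from the tunnel's own statistics).
    """
    via_tunnel = [s for s in sessions if s["egress_if"] == egress_if]
    if not via_tunnel:
        # Nothing is even choosing the tunnel: route or PBF problem on this side.
        return "not-routed-into-tunnel"
    if encap_bytes == 0:
        # Routed into the interface but never encrypted: no phase-2 SA matches,
        # typically a proxy-ID / traffic-selector mismatch with a policy-based peer.
        return "routed-but-not-encrypted"
    stuck = one_way_sessions(sessions, egress_if)
    if decap_bytes == 0 and stuck:
        # We encrypt and send; nothing ever comes back to decrypt: remote routing,
        # remote selectors, or ESP not surviving the path (NAT without NAT-T).
        return "encrypted-no-return"
    if decap_bytes > 0 and stuck:
        # Replies are decrypted but not attributed to these sessions: look at
        # the return route and the vpn -> trust policy on this side.
        return "decrypted-but-dropped"
    return "bidirectional"


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    for s in one_way_sessions(sessions, "tunnel.1"):
        print(f"one-way: {s['src']} -> {s['dst']} sent={s['bytes_sent']}")
    # Assumed counters: 2520 bytes encrypted, 0 decrypted.
    print("verdict:", tunnel_verdict(sessions, "tunnel.1", 2520, 0))
```

Feed it the real session rows and the tunnel's encrypt/decrypt counters; the verdict tells you whether the next conversation belongs with your own routing, your proxy IDs, or the remote side.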

L1 Bithead

Thank You All for your help!

 

After enabling NAT traversal on the PA firewall, the issue got resolved.

Now I am able to ping IBM VPC machines from an on-prem machine.

 

Thanks 

Dhananjay Bhakte
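NAT traversal changes what goes on the wire: with it, ESP is wrapped in UDP/4500 (with IKE on 4500 carrying a four-zero-byte non-ESP marker and a one-byte 0xFF keepalive), whereas without it ESP rides as raw IP protocol 50, which has no ports for a NAT device to track. A quick way to see which form each side is actually sending is to classify the packets from a capture. The following is an added example for this thread, not code from Palo Alto Networks or IBM; the packets are constructed in memory with the IP checksum left at zero, and the addresses are placeholders.

```python
"""Classify IKE / NAT-T / ESP packets to see which encapsulation each peer is sending.

Added example for this thread. Packets are constructed here (no checksums, not for
transmission); addresses are documentation placeholders.
"""
import ipaddress
import struct

UDP_PROTO = 17
ESP_PROTO = 50
IKE_PORT = 500
NATT_PORT = 4500


def _ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header: version 4, IHL 5, TTL 64, checksum left zero (constructed frame)."""
    return struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )


def build_udp(src, dst, sport, dport, payload):
    """IPv4 + UDP frame with an arbitrary payload."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return _ipv4_header(src, dst, UDP_PROTO, len(udp)) + udp


def build_esp(src, dst, spi, seq, payload):
    """IPv4 + raw ESP (protocol 50): SPI, sequence number, then encrypted payload."""
    esp = struct.pack("!II", spi, seq) + payload
    return _ipv4_header(src, dst, ESP_PROTO, len(esp)) + esp


def classify(pkt):
    """Return one of: ike, ike-natt, natt-keepalive, esp-udp, esp, other, not-ipv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    body = pkt[ihl:]
    if proto == ESP_PROTO:
        return "esp"  # raw ESP: no ports, so a NAT in the path cannot map it reliably
    if proto != UDP_PROTO or len(body) < 8:
        return "other"
    sport, dport = struct.unpack("!HH", body[:4])
    data = body[8:]
    if IKE_PORT in (sport, dport):
        return "ike"
    if NATT_PORT in (sport, dport):
        if data == b"\xff":
            return "natt-keepalive"  # RFC 3948 keepalive, keeps the NAT mapping alive
        if len(data) >= 4 and data[:4] == b"\x00\x00\x00\x00":
            return "ike-natt"  # four-zero-byte non-ESP marker, IKE follows
        if len(data) >= 8:
            return "esp-udp"  # UDP-encapsulated ESP: SPI (never zero) comes first
    return "other"


def direction_summary(packets):
    """Count packet kinds per (src, dst) so one-way encapsulation stands out."""
    summary = {}
    for pkt in packets:
        src = str(ipaddress.IPv4Address(pkt[12:16]))
        dst = str(ipaddress.IPv4Address(pkt[16:20]))
        kinds = summary.setdefault((src, dst), {})
        kind = classify(pkt)
        kinds[kind] = kinds.get(kind, 0) + 1
    return summary


if __name__ == "__main__":
    fw, peer = "198.51.100.10", "203.0.113.20"  # placeholder firewall and cloud peer
    capture = [
        build_udp(fw, peer, 500, 500, b"\x00" * 28),
        build_udp(fw, peer, 4500, 4500, b"\x00" * 4 + b"\x01" * 28),
        build_udp(fw, peer, 4500, 4500, b"\x00\xc0\xff\xee\x00\x00\x00\x01" + b"\xaa" * 16),
        build_esp(peer, fw, 0x1234, 1, b"\xbb" * 16),  # peer still sending raw ESP
    ]
    for (src, dst), kinds in direction_summary(capture).items():
        print(f"{src} -> {dst}: {kinds}")
```

A capture where one direction shows `esp-udp` and the other `esp` (as in the constructed sample) means the two sides disagree about NAT-T; the `direction_summary` call over a real packet list makes that asymmetry visible at a glance.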
