I have setup a tunnel with IBM cloud and tunnel is UP. However I am unable to ping from both side.
Routing and security policies are configured correctly, I can see on firewall logs byte sent is there but byte received is zero.
There is no traffic arriving from IBM cloud device to palo alto firewal, I suspect issue from IBM cloud side.
I am not sure if palo alto support IBM cloud Ipsec , and I also not sure if IBM cloud VPN is route base or policy based.
So far, excellent troubleshooting and details.
If you can confirm that you see traffic egress out the correct tunnel interface, and you do not see the traffic coming back in, then I would agree with a routing issue on the remote side.
You would also want to confirm you allow traffic from the remote side inbound.
So on a PANW, there would be 2 rules.
Outside to Outside, using applications ipsec/ike on app-default (for creating the tunnel)
Inside to VPN zone (presuming you used this zone name)
VPN to Inside (again, presuming you used this zone name)
You should ask to see if traffic can be initiated from the IBM, if you do not see traffic sourcing from IBM side, then you know.. well, it is on the IBM side.
Let me know how else we can assist you.
We have IPSEC tunnel to IBM cloud.
How is the traffic flow is it initiated from your side or IBM side?
If it is only initiated from your side then you do not need a security rule to allow the traffic from IBM side?
Which ever side initiates traffic you need security rule to allow the traffic in that direction.
How are you doing NAT for tunnel traffic?
Are you doing Source NAT or destination NAT for tunnel traffic ?
You need to check with IBM on interesting traffic that is local and subnet and agree on correct Natting?
Hope this helps.
Thanks for replying!
I am initiating traffic from Palo alto side and I can see it is taking Proper tunnel route.
I have created two security policy from trust to vpn and vpn to trust as I always create only 2 policies for IPsec tunnel. I am not sure outside to outside policy is need because tunnel is UP only problem is with accessing/pinging IBM from on premises network.
I also pinged from IBM cloud system however I am not getting logs on Palo alto firewall.
Hi @DhananjayBhakte ,
As @SteveCantwell already explain it there is default intrazone rule that is allowing the IPsec traffic. So you need explicit allow rule only if you have override this rule and blocking any intrazone traffic that is not explicitly allowed.
One important note - Do you really need the two policy for the IPsec tunnel? @MP18 asked excellent question - from where did you expect the traffic to be initiated in normal operation of the tunnel? The question is not from where are you pinging during the troubleshoot, the question is - do you expect both sides of the tunnel to initiate traffic? You know PAN firewall is statefull firewall so it will automatically allow the reply for given request. I have seen countless time tunnel with rules allow traffic in both direction when only one will be the initiator.
When you say "tunnel is up", do you mean both phase1 and phase2 are up?
If phase2 is up do you see encrypted/decrypted traffic? Which one or both?
I also agree it is time to engage the remote site to doublecheck their config
Thank you for replying!
I agree that there is no need of created two policies for one side initiator but In my case both side are initiator. Hence I created two policies.
I checked both phases are UP and can see encrypted traffic in tunnel only from palo side there is no return traffic from IBM end.
As I mentioned on my first comment, I suspect issue from IBM end I will check it again.
Could you please help how to setup routing and natting on IBM vpn , In IBM VPN its not letting me to add custom route towards vpn gateway.
For Routing between IPSEC we need to know remote and local subnets.
Depending on that you can apply the NAT.
For example if you want to reach subnet 10.7.8.9.0/24 on IBM side and you do not have this subnet on your network then you only
need Routing no NAT.
If you have overlapping subnets then you need Source or Destination NAT and both you and IBM has to agree on that.
Below is link to config Routing between IPSEC
I do not need to configure NAT because I have IBM local subnet available for routing.
I have checked so far on Palo alto =>>
1) Tunnel is UP
2)Traffic egress from proper tunnel interface
3)Bytes are sent but not received.
4)Proxy ID is configured since IBM cloud is policy based.
5)Security policies are in placed and traffic passing from correct policy but no return traffic.
I suspect issue from IBM cloud side.
I did following on IBM side
1) Created VPC
2) Created VPN gateway
3) Allowed all traffic in security group and ACL
however I am non getting option for adding route.
As you mentioned you, configured ipsec tunnel on IBM cloud , can you provide KB article link to configure ipsec tunnel.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!