I set up an IPsec tunnel between Palo Alto and MikroTik.
I found an example here.
I did everything step by step, 1-13 (see below).
I have Palo Alto version 9.1.3-h and RouterOS version 6.43.13.
Phase 2 doesn't work. How can I get these devices to work together? Help me.
Palo Alto config
1. Create a new interface and add an address (default gateway for the tunnel in the Virtual Router).
2. New security zone.
3. Set up Phase 1 (IKE Crypto & IKE Gateway).
4. Phase 2 (encryption profile).
5. Set up IPsec Tunnels.
6. In the virtual gateway we need to add the network.
7. Security rules: the first allows the connection and the second allows traffic through the tunnel.
8. Access to the network through the tunnel (without NAT).
9. Allow ports 500 and 4500.
Nobody will guess where the problem is without debugs.
If the config is correct in general, then the issue is probably a Phase 2 mismatch.
Everything you need to find the problem is here:
There is a problem with the local networks behind the IPsec tunnel.
The tunnel came up.
I allowed on Palo Alto:
in the IPsec tunnel properties: Proxy ID remote and local address
in the Virtual Router: a static route to the network behind the MikroTik through the tunnel interface with next hop (tunnel.80 address)
I allowed in rules:
all traffic from the local LAN to the IPsec tunnel
from the Palo Alto address to the MikroTik (and back), added applications gre, ike, ipsec
The MikroTik has brought the tunnel up; in the logs all is good.
In the IPsec policy settings I specified the local networks (behind the MikroTik and Palo Alto).
Added NAT rules allowing traffic from the MikroTik network to the Palo Alto LAN.
Added firewall rules for protocols 17, 51, 50, 47.
The local networks are not reachable from each other.
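The step list in the first post and the follow-up above both describe the MikroTik side only in words (Phase 1, Phase 2 proposal, policy with the two local networks, NAT bypass, firewall rules, logging). The RouterOS 6.43-style configuration below is an added example, not the poster's configuration and not taken from the thread; all addresses, the pre-shared key and the crypto parameters are constructed placeholders, and it assumes the PAN-OS side is a route-based tunnel with a Proxy ID whose Local network is 10.10.0.0/24 and Remote network is 192.168.88.0/24. The comments mark which RouterOS values have to be identical to the corresponding PAN-OS IKE Crypto / IPsec Crypto profile, which is where a "Phase 1 up, Phase 2 fails" symptom is usually found. Note that from RouterOS 6.45 the Phase 1 parameters moved from the peer to /ip ipsec profile and /ip ipsec identity; on 6.43 they are on the peer as shown.

```routeros
# Constructed placeholder values (not from the thread):
#   203.0.113.10    Palo Alto public address
#   198.51.100.20   MikroTik public address
#   10.10.0.0/24    LAN behind Palo Alto
#   192.168.88.0/24 LAN behind MikroTik

# Phase 1. On RouterOS 6.43 these live on the peer object.
# hash-algorithm / enc-algorithm / dh-group / lifetime must match the
# PAN-OS IKE Crypto profile attached to the IKE Gateway.
/ip ipsec peer
add address=203.0.113.10/32 auth-method=pre-shared-key secret="CHANGE-ME-PLACEHOLDER" \
    exchange-mode=main hash-algorithm=sha256 enc-algorithm=aes-256 \
    dh-group=modp2048 lifetime=8h send-initial-contact=yes \
    dpd-interval=10s dpd-maximum-failures=3

# Phase 2 proposal. auth-algorithms / enc-algorithms / pfs-group / lifetime
# must match the PAN-OS IPsec Crypto profile attached to the IPsec Tunnel.
# A PFS (DH group) or lifetime difference here is the classic cause of a
# Phase 2 mismatch while Phase 1 is already established.
/ip ipsec proposal
add name=to-paloalto auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048 lifetime=1h

# Policy (traffic selectors). src/dst are the mirror image of the PAN-OS
# Proxy ID: PAN-OS Local = 10.10.0.0/24, Remote = 192.168.88.0/24.
# If the selectors differ on either side, Phase 2 is rejected.
/ip ipsec policy
add src-address=192.168.88.0/24 dst-address=10.10.0.0/24 protocol=all \
    tunnel=yes action=encrypt level=require ipsec-protocols=esp \
    sa-src-address=198.51.100.20 sa-dst-address=203.0.113.10 \
    proposal=to-paloalto

# NAT bypass. The accept rule has to sit ABOVE any masquerade rule;
# otherwise LAN traffic leaves with the WAN source address, never matches
# the policy selectors above and is sent in clear text (or dropped).
/ip firewall nat
add chain=srcnat action=accept src-address=192.168.88.0/24 \
    dst-address=10.10.0.0/24 place-before=0

# Input filter: IKE (UDP 500, 4500 for NAT-T) and ESP, restricted to the peer.
/ip firewall filter
add chain=input protocol=udp dst-port=500,4500 src-address=203.0.113.10 action=accept
add chain=input protocol=ipsec-esp src-address=203.0.113.10 action=accept

# Diagnostics for a Phase 2 problem: log IKE negotiation, then check
# that both an inbound and an outbound SA exist and the policy shows
# "established" in its ph2-state column.
/system logging
add topics=ipsec,!packet action=memory
/ip ipsec remote-peers print
/ip ipsec installed-sa print
/ip ipsec policy print detail
```

To use it, apply the same four values (encryption, authentication, DH/PFS group, lifetime) on the PAN-OS side, set the Proxy ID on the IPsec Tunnel to Local 10.10.0.0/24 / Remote 192.168.88.0/24, and keep the static route for 192.168.88.0/24 pointing at the tunnel interface. If /ip ipsec installed-sa print stays empty while /ip ipsec remote-peers print shows the peer as established, the mismatch is in the proposal or the policy selectors, and the ipsec log topic will name the rejected attribute.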