Problem with IPSec and GRE

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Problem with IPSec and GRE

Not applicable

Hello

I have a bg problem

The need is to create such a configuration: external IPSec tunnel and next GRE tunnel inside the previous one. IPSec tunnel must be created between my PA device and external gateway. GRE tunnel mus be created between my cisco router inside my network and other cisco router behind external gateway. Then there must be allowed traffic from another network to this tunnels and also to my internal LAN network.

So I created IPSec tunnel between my PA and external gateway (it's not PaloAlto device - probably Cisco). To be sure that it works I configured also local and remote proxy ID.

Next I added routing to my virtual router which is:

name_of_routing DESTINATION (network_behind_peer_gateway) INTERFACE (tunnel.id) NEXT HOP TYPE (none) METRIC (1)

commited everything

At this moment I must add that PA firewall is the second in row, looking from the internet side. On the first firewall is static NAT for external IP of PaloAlto device.

I think tunnel is working properly, both phases are ok. Checked system log and statuses of tunnel - both are green.

Now I need to allow traffic between hosts behind gateways (those gre traffic)

I created two rules. At the beggining simple because I wanted to be sure that it works without filtering protocols or applications

Source

zone

Destination

Zone

Source

Address

Destination

Address

ApplicationService
ActionOptions
internal_LAN zonetunnel zoneanyanyanyanyacceptlogged
tunnel zoneinternal_LAN zoneanyanyanyanyacceptlogged

And something is wrong beacause I can't see any traffice between those hosts behind gateways.

I have confirmed proper configuration of both endpoints of gre tunnel

At this moment I can't see any traffic in PalAlto logs besides ipsec logs in system log and traffic from gre tunnel is not working.

I also don't have nay logs with gre protocol.

Can you help me how to solve this problem

I'd be very grateful

Thanks a lot and waiting for any response.

Pawel

2 REPLIES 2

L4 Transporter

Hi Pawel,

1) When you are adding a route on PAN you are using the destination address of the GRE peer gateway behind the Cisco IPSec Gw ,correct ?

2) If you are not seeing the traffic in the traffic logs, can you please go to the CLI and do a "show session all filter source-ip destination-ip" and see if the session is there? Please send us the output. Alternatively you can check the same info in the session browser as well inte monitor tab.

3) Can you also try to add a app override policy under the policy tab which would include the source and destination IP address of the routers terminating the GRE tunnel.

4) You can also check the statistics for the VPN flow using the command "show vpn flow tunnel-id <id-num>" to check if there is traffic being send and received on this IPSec VPN tunnel.

Hope this helps, do please let me know if you have any further questions and have any other output which we can check from above.

Thanks

Hello

Thanks for response

Today morning we did strange thing. At the end of gre tunnel on our side we change IP address of port to something different and changed again to proper one.

Everything started work immediately.

Strange situation but it appeared that problem wasn't on Palo Alto side :smileylaugh:

So once againg thanks for response

By

Regards

Pawel

  • 2577 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!