08-12-2010 12:44 PM
We want to use our PA-500 (3.1.3) at our site to create a tunnel to a remote site which will have a McAfee/Secure Computing Sidewinder.
I've never used IPsec VPN before, so I guess I want to be clear on how I do this.
Our PA-500 is set up in a simple L3 deployment, so:
ethernet1/1 is "trust", private IP 10.6.1.1/16
ethernet1/2 is "untrust", public IP 193.35.x.x/24
and a single virtual router.
The remote site's LAN IP range will be 10.7.x.x/16, and their public IP for testing will also be in 193.35.x.x/24, as I'll be connecting the Sidewinder to the same switch/subnet as the PA-500's ethernet1/2 interface.
So at our main site everyone's default gateway is our main router, which routes 0.0.0.0 to 10.6.1.1.
What we want is for all traffic in the remote site to be tunnelled back here, and to go out through our PA-500 so their traffic is subject to the same policies as ours.
I appreciate the Sidewinder is outside the scope here so I'll have to work that out, but with regards to the PA-500 any pointers on a quick and simple config to achieve what I want?
Thanks in advance.
08-13-2010 11:38 AM
Here is a good document that provides step-by-step instructions on setting up an IPsec VPN.
08-16-2010 06:16 AM
OK, I got this working, all by the book apart from having to manually specify the local/remote proxy addresses.
I've configured a tunnel and it works; however, I've noticed that if I run iperf I get higher throughput from a client behind the Sidewinder pushing to a server behind the Palo Alto, and lower throughput with the server behind the Sidewinder and the client behind the Palo Alto.
I'm assuming this isn't normal and VPN throughput should be symmetrical, given that for testing both firewalls' external interfaces are connected to the same switch?
08-18-2010 07:40 PM
I would begin by checking the policy and inspection order within the security policy on the PAN. Can you provide a latency number in both directions?
08-19-2010 12:49 PM
I haven't defined anything in my security policy, this is just a simple deployment as per the PDFs linked to above.
Latency? Well, both units are plugged into the same 100 Mbps switch for testing, so I'd hope it's not that.