I'm hoping that somebody may be able to answer a few questions I have about the configuration of Palo Alto firewalls please?
I want to set up two differents VPN, one ssl-vpn and one IPsec, i do this because i want to conect to my firewall from wherever place (ssl-vpn) and the second one to conect to another firewall from other networks (IPsec). I configure the ssl-vpn succesfully and i have access to my firewall.
Later I have set up a IPsec tunnel with a Check Point firewall and a Palo Alto firewall each with an inside and outside interface.
In order to get this working I have:
1) Confired IKE and IPSec Cryptos in PA to match CP
2) Created tunnel interface and selected virtual router and the vpn zone (the one that i conect when i use Global Protect)
3) Created IKE gateway specifying local interface, local IP, remote IP, pre-shared key and selected IKE crypto profile
4) Created IPSec tunnel specifying tunnel interface, IKE gateway (pulling in some values) and selecting IPSec crypto profile
4a) Added a proxy ID with the local internal network and the remote internal network
5) Add a static route to virtual router with destination of the remote internal network and tunnel created above as interface
I think that the IPsec was created correctly because the leds turn "green" on and i saw the system logs and i realice that the authentication in phase 1 and 2 was succesfull. But i'm having problem to get to the other side. I tried to do traceroute but i don't see that the package it's trying to get the other side using the tunnel.
In the other side they have an IPS before the firewall, i was wondering if that's can generate me a problem.
I think that the problem could be related with some static route that its missing or with using the ssl-vpn zone.
Please i'll be really greatefull with any help that you could give me.
To check the tunnel status, run the command from cli: show vpn flow
Also, do you have a security rule that allows traffic from your internal zone (the one where your test machine is) to vpn zone in which the tunnel is located? Make sure you also have a route configured on CP for the networks behind PAN.
Thanks for the answer.
Yes i have created a security rule that allows the traffic.
When i don't use the "vpn" zone, the IPsec works fine, but i need to use the same zone for the ssl-vpn and the IPsec, that's because i want to use the tunnel when i connect remotely.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!