ssl-vpn and IPsec tunnel Palo Alto with Check Point

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

ssl-vpn and IPsec tunnel Palo Alto with Check Point

L0 Member

Hello all,

I'm hoping that somebody may be able to answer a few questions I have about the configuration of Palo Alto firewalls please?

I want to set up two differents VPN, one ssl-vpn and one IPsec, i do this because i want to conect to my firewall from wherever place (ssl-vpn) and the second one to conect to another firewall from other networks (IPsec). I configure the ssl-vpn succesfully and i have access to my firewall.

Later I have set up a IPsec tunnel with a Check Point firewall and a Palo Alto firewall each with an inside and outside interface.

In order to get this working I have:

     1) Confired IKE and IPSec Cryptos in PA to match CP
     2) Created tunnel interface and selected virtual router and the vpn zone (the one that i conect when i use Global Protect)
     3) Created IKE gateway specifying local interface, local IP, remote IP, pre-shared key and selected IKE crypto profile
     4) Created IPSec tunnel specifying tunnel interface, IKE gateway (pulling in some values) and selecting IPSec crypto profile
     4a) Added a proxy ID with the local internal network and the remote internal network
     5) Add a static route to virtual router with destination of the remote internal network and tunnel created above as interface

I think that the IPsec was created correctly because the leds turn "green" on and i saw the system logs and i realice that the authentication in phase 1 and 2 was succesfull. But i'm having problem to get to the other side. I tried to do traceroute but i don't see that the package it's trying to get the other side using the tunnel.

In the other side they have an IPS before the firewall, i was wondering if that's can generate me a problem.

I think that the problem could be related with some static route that its missing or with using the ssl-vpn zone.

Please i'll be really greatefull with any help that you could give me.

Thanks.

2 REPLIES 2

L5 Sessionator

Pablo,

To check the tunnel status, run the command from cli: show vpn flow

Also, do you have a security rule that allows traffic from your internal zone (the one where your test machine is) to vpn zone in which the tunnel is located? Make sure you also have a route configured on CP for the networks behind PAN.

Thanks,

Sri Darapuneni

Hi.

Thanks for the answer.

Yes i have created a security rule that allows the traffic.

When i don't use the "vpn" zone, the IPsec works fine, but i need to use the same zone for the ssl-vpn and the IPsec, that's because i want to use the tunnel when i connect remotely.

Thanks.

  • 3420 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!