VPN Site to site IPSec Tunnel not working

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

VPN Site to site IPSec Tunnel not working

L1 Bithead

Hello,

I've configured a VPN Tunnel from a PA220 to a PA200. They are able to ping each other but I don't see any ESP Packets in Wireshark. What should I do to get the packets to be encapsulated?

Many thanks in advanced.

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

Thank you for reply @smshafek

 

The ipsec tunnel between two PA Firewalls does not provide host to host end to end encryption. You will only see ESP traffic on interfaces that are used to build ipsec tunnel. This is typically WAN interface of the Firewall. You can refer to this in ike gateway configuration.

 

If you want to do further verification of the tunnel configuration, I would recommend to take a look into this KB: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTbCAK Please refer to the section: "Tunnel is up but the traffic is not passing". In the output from: "show vpn flow tunnel-id <tunnel id>" the inner interface is where naked traffic comes in and outer interface is where you will only see ESP traffic.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

View solution in original post

4 REPLIES 4

Cyber Elite
Cyber Elite

Thank you for the post @smshafek

 

if you see the ipsec tunnel up with packets being encapsulated/decapsulated and routing is set correctly to go through tunnel, there is no other extra step to do for traffic to be encapsulated. Could you please confirm how did you take packet capture? What interface did you use to capture traffic?

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

Hi Pavel,

I'm capturing traffic on the two hosts. One connected to the LAN of PA220 and the other to the LAN of PA200.

Best regards

Cyber Elite
Cyber Elite

Thank you for reply @smshafek

 

The ipsec tunnel between two PA Firewalls does not provide host to host end to end encryption. You will only see ESP traffic on interfaces that are used to build ipsec tunnel. This is typically WAN interface of the Firewall. You can refer to this in ike gateway configuration.

 

If you want to do further verification of the tunnel configuration, I would recommend to take a look into this KB: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTbCAK Please refer to the section: "Tunnel is up but the traffic is not passing". In the output from: "show vpn flow tunnel-id <tunnel id>" the inner interface is where naked traffic comes in and outer interface is where you will only see ESP traffic.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

Hi Pavel,

I'm able to capture the traffic now. Many thanks again!

  • 1 accepted solution
  • 3943 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!