I am working on a PA-220 lab, in preparation for a PA-820 rollout. I have set up and configured my GlobalProtect VPN. When it comes to DHCP, I know I can't use my DHCP servers but have to rely on DHCP from the firewall. That is OK. My question is this:
For my VPN users, if I create a DHCP scope in Network > Gateways > MyGateway > Agent > Client Settings > Configs > IP Pools > IP Pool, and the DHCP addresses are not a subset of an existing Ethernet interface/sub-interface, will I have to create a Layer 3 sub-interface so the VPN traffic is routed correctly? I.e., all interfaces/sub-interfaces are 10.0.x.x and I want VPN addresses to be 192.168.x.x. Will I need to create a Layer 3 interface for the 192.168.x.x so traffic flows correctly?
I am sure this is simple, but I want to make sure I do it correctly in the building/testing stage.
OK, I added the L3 interface, added the VLAN to my switches, and committed all changes. I can connect to the VPN by computer but not by the app on my iPhone (I do have the correct licensing for the GP app). The error I get is "The network connection is unreachable or the gateway is unresponsive."
Also, when I have a laptop successfully connected to the VPN, I can't seem to get to any VLANs on my network. I do have the VLANs identified in the split tunnel. I tried adding the VLANs individually as well as specifying 0.0.0.0/0, to no avail.
Any thoughts or suggestions?
Absolutely, as @MickBall says, you need to treat the GlobalProtect environment as you would any other so
Using the 0.0.0.0/0 route will tunnel everything back to the gateway, so you may want to just use the subnets that you require.
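A pre-commit sanity check for the two points raised in this thread (a VPN IP pool that is not part of any interface subnet, and a split-tunnel include list versus 0.0.0.0/0), as an added example that is not part of the original thread. The subnets and pool below are constructed to resemble the poster's description, not their real configuration.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample values modelled on the thread: L3 interfaces on 10.0.x.x,
# a GlobalProtect IP pool on 192.168.x.x, and the internal VLANs VPN users need.
INTERFACE_SUBNETS = ["10.0.10.0/24", "10.0.20.0/24", "10.0.30.0/24"]
GP_IP_POOL = "192.168.50.0/24"
INTERNAL_VLANS = ["10.0.10.0/24", "10.0.20.0/24", "10.0.30.0/24"]


def pool_overlaps(pool: str, subnets: Iterable[str]) -> List[str]:
    """Return the interface subnets the VPN pool overlaps with.

    A pool that overlaps a connected interface subnet lets the connected route
    win over the tunnel for return traffic. A disjoint pool (as in the thread)
    needs no extra L3 sub-interface: the tunnel interface in its own zone plus a
    security policy is enough, and the firewall routes it via the tunnel.
    """
    p = ipaddress.ip_network(pool)
    return [s for s in subnets if p.overlaps(ipaddress.ip_network(s))]


def split_tunnel_report(includes: Iterable[str], vlans: Iterable[str]) -> Dict:
    """Check which internal VLANs the split-tunnel include list covers, and flag
    0.0.0.0/0, which tunnels all client traffic back to the gateway."""
    nets = [ipaddress.ip_network(i) for i in includes]
    full_tunnel = any(n.prefixlen == 0 for n in nets)
    missing = [v for v in vlans
               if not any(ipaddress.ip_network(v).subnet_of(n) for n in nets)]
    return {"full_tunnel": full_tunnel, "unreachable_vlans": missing}


if __name__ == "__main__":
    print("pool overlaps:", pool_overlaps(GP_IP_POOL, INTERFACE_SUBNETS))
    print("split tunnel:", split_tunnel_report(INTERNAL_VLANS, INTERNAL_VLANS))
    print("full tunnel:", split_tunnel_report(["0.0.0.0/0"], INTERNAL_VLANS))
```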
OK, I have the VPN client working now on the client PCs and Macs. I forwent adding the tunnel to my untrusted (Internet) zone and went with Mick's suggestion. I created a new zone, configured the tunnel, and added a security policy, and access to the VLANs works just fine. The only issue I have is that our iPhones will not connect to the VPN. I still get the following error:
Gateway <My Gateway>: The network connection is unreachable or the gateway is unresponsive. Check the network connection and reconnect.
Could this be caused by the self-signed certificate I am using for testing (I will have a real, valid cert in production)? If this is the case, I guess I am looking for validation, since I ran out of time until this weekend to do more testing. I found this article:
Thoughts on whether it will resolve the issue?