We have been using GlobalProtect for awhile but I just became aware that none of our clients are connected using IPSec even though the option is checked.
I can't see anything being blocked so I am wondering if it is a configuration issue of some kind.
Note: we are using loopback interfaces and both the gateway and portal use the same loopback
Start on the client, check the \Program Files\Palo Alto Networks\GlobalProtect\PANgps.log - you should see if the client is (or not) trying to connect via IPsec, or falling back to SSL.
You can also check if the client does not have anything blocking outgoing IPSEC from his location/s.
On the firewall - kind reminder that this traffic usually is source=internet zone; destination=internet zone and that the default rule here is Intrazone default (2nd from last rule). Also these rules by default do NOT have log at session end enabled so this could be why you do not see logs. You have not written the loopback assigned zone name - this will impact which rule is being hit.
You can also try a packet capture on the firewall - filter by a single test client source IP and see what ports exactly are being received.
If you are using a loopback because you want GP to listen on a different IP than the Interface default, for example the Interface is 203.0.113.20/24 and you want GP to listen on 203.0.113.55 - just add this IP in the IPv4 tab of the ethernet1/x (which will now show 203.0.113.20/24 and 203.0.113.55). This way you will be able to select this IP and Ethernet in the GP configuration pages and not use a loopback at all.
Hope this help,
Thanks for the feedback
I looked at the logs on one of the clients and it can see it trying to connect using ipsec but failing.
- Trying to do ipsec connection to IP_Address 
- Network is reachable
- Connected to: IP_Address , Sending keep alive to ipsec socket
- failed to receive keep alive
- IPSec anti-replay statistics: outside window count 0, replay count 0
- Disconnect udp socket
This happens with every client (all Windows 10 clients with standard configurations, including mine), so I am leaning toward it being a firewall issue. Pan-OS is 9.1.8 and GP Client is 5.2.5-c84.
I was thinking of trying to add a 2nd external ip address and bypassing loopback set up as well as creating a test environment separate from what's being used in production but I wasn't sure how. Sounds like if my external interface was an ip address of 18.104.22.168/29, I can add 22.214.171.124 as a 2nd ip address, create a new tunnel and VPN security zone, use the same authentication, certificate profiles and test the set up.
I will update this post if I see anything else in the logs
well...I added a 2nd ip to external interface, created new tunnel, security zone, gateway, portal, added new security policy and altered the local host file on my laptop and was able to connect using IPSec.
at least I know it is a firewall issue and not a client side issue.
now to see if I can get it to work using loopback interface.
Talked to PAN tech support and they weren't able to get ipsec to work with the loopback set up. still looking into it.
in the meantime, I have looked at various documents on setting up GP but none of them had info on any policies needed to allow traffic.
What traffic needs to be allowed? I don't want to anything that could lead to security issues if it is on the external interface.
Keep in mind, I created a security zone for VPN. not sure if that changes things.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!