08-23-2023 05:06 PM
I have set up a valid VPN connection to Oracle Cloud Infrastructure leveraging two IPsec tunnels, and we can route traffic like ICMP with no problem. When trying to access public cloud services via the VPN with private transit routing through the tunnel into the Oracle Virtual Cloud Network, we simply get no response and see no traffic going over the tunnel.
Effectively, we have created static routing rules for the two public CIDR routes for the cloud service and specified the next hop as the Oracle side of the IPsec tunnels. We've also tried with the next hop set to None, but the result is the same.
Anyone have any insight into sending public traffic across a VPN tunnel successfully?
08-25-2023 03:07 AM
Hello @coltsfanatic07
Palo Alto firewalls provide route-based VPN, compared to the legacy ASA firewalls, which provide policy-based VPN (e.g., an access list to match the traffic).
The routing in the Palo Alto firewall for the affected CIDR traffic should be as below:
destination = CIDR
interface = IPSec tunnel interface
next hop = None
The above routing is sufficient to route the traffic to the IPSec tunnel, given that necessary security policies are in place to allow the traffic.
If the remote side is a policy-based VPN, then you may need to add the required proxy-IDs in the IPSec tunnel configuration.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUFCA0
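As an added example (not part of the original reply and not Palo Alto documentation), here is the route-based configuration described above written out as PAN-OS CLI set commands. Interface names, zone names, tunnel object names and all CIDRs are placeholders assumed for illustration; in particular 203.0.113.0/24 stands in for the OCI public service CIDR, which the thread does not name.

```text
# PAN-OS CLI, configure mode. Everything below is a placeholder assumed for
# illustration, not taken from the thread:
#   tunnel.1 / tunnel.2        the two IPsec tunnel interfaces (no IP needed)
#   VPN-OCI                    zone holding both tunnel interfaces
#   Trust                      on-prem zone that originates the traffic
#   10.10.0.0/16               on-prem source network
#   203.0.113.0/24             stands in for the OCI public service CIDR
#   IPSEC-OCI-1 / IPSEC-OCI-2  the two IPsec tunnel objects

configure

# 1. Tunnel interfaces need no IP address for this to work; they only need a
#    zone and a virtual router so that routing and policy can reference them.
set network interface tunnel units tunnel.1 comment "OCI tunnel A"
set network interface tunnel units tunnel.2 comment "OCI tunnel B"
set zone VPN-OCI network layer3 [ tunnel.1 tunnel.2 ]
set network virtual-router default interface [ tunnel.1 tunnel.2 ]
set network tunnel ipsec IPSEC-OCI-1 tunnel-interface tunnel.1
set network tunnel ipsec IPSEC-OCI-2 tunnel-interface tunnel.2

# 2. Static route for the public CIDR: interface is the tunnel, next hop is
#    left unset (the "None" choice in the web UI). A higher metric on the
#    second route makes the tunnels active/standby for this prefix.
set network virtual-router default routing-table ip static-route OCI-SVC-1 destination 203.0.113.0/24 interface tunnel.1 metric 10
set network virtual-router default routing-table ip static-route OCI-SVC-2 destination 203.0.113.0/24 interface tunnel.2 metric 20

# 3. Only if the peer is policy-based: the proxy-ID must cover the public
#    CIDR, otherwise no SA selector matches and the packets are dropped
#    before encryption even though the route points at the tunnel.
set network tunnel ipsec IPSEC-OCI-1 auto-key proxy-id OCI-SVC local 10.10.0.0/16 remote 203.0.113.0/24 protocol any
set network tunnel ipsec IPSEC-OCI-2 auto-key proxy-id OCI-SVC local 10.10.0.0/16 remote 203.0.113.0/24 protocol any

# 4. Security policy Trust -> VPN-OCI for the service CIDR. Return traffic
#    is matched by the existing session, so no reverse rule is needed.
set rulebase security rules Allow-OCI-Service from Trust to VPN-OCI source 10.10.0.0/16 destination 203.0.113.0/24 application any service application-default action allow

commit
```

Step 3 only matters when the peer is policy-based; with a route-based peer the default proxy-ID (0.0.0.0/0 on both sides) is correct, and a narrower one would break any traffic that falls outside it. Before committing, `test routing fib-lookup virtual-router default ip 203.0.113.10` should already report the tunnel interface rather than the egress of the default route; if it reports the default route, the static route is the problem, not policy.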
08-23-2023 08:34 PM
Hello @coltsfanatic07
An IPsec tunnel can carry any IP traffic, irrespective of whether the payload contains public IPs or private IPs.
You may want to check how the routing is configured on both sides and also whether the necessary security policies are in place to allow the required traffic.
08-24-2023 04:26 AM
Thank you @akuzhuppilly for your reply. I appreciate your patience, as I have no familiarity with or access to the Palo Alto equipment in use, since it's a customer's environment.
We have two active tunnels configured. Our tunnel interfaces do not have explicit IP addresses associated with them. So, we have tried two different static routes. The first uses the CIDR as the destination, leveraging the tunnel interfaces, and then sets the next hop to "none". We also attempted to do the same, but set the next hop to the explicit IP address of the peer's tunnel IP address. Do either of those approaches seem correct?
I've analyzed the OCI rules and they suggest they are configured appropriately for security and routing for on-prem traffic to leverage the gateway appliance to access the appropriate CIDR. The only other caveat that comes to mind is that OCI Site-to-Site VPN uses asymmetric routing by default. As previously mentioned, we see no problem with ICMP traffic, so I don't think that is an issue. The source traffic is also not being NAT'ed, so that was another one of my concerns from a security perspective on the remote side.
08-25-2023 04:12 AM
This is great @akuzhuppilly. It confirms what I thought I researched. So we do have static routing on the remote peer to allow all of the network CIDRs through. It's possible there are some additional security rules that are somehow not allowing it, but confirming the static routes on the Palo Alto side is great.
I'll accept your answer. Can you tell me if PAN > 8 has any issues with asymmetric routing at all? Also, given that we configure the static route, are there any other security settings on the Palo Alto side that would still block the traffic potentially?
08-27-2023 06:25 PM
Hello @coltsfanatic07
Asymmetric routing can occasionally lead to dropped traffic due to firewall settings. To determine if packet drops are occurring, consider performing a packet capture. You can refer to the following link for assistance:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSHCA0
If you suspect that the Palo Alto Firewall might be dropping valid traffic, the recommended approach is to conduct a packet capture and review the global counters. This will provide a clearer understanding of the situation. For guidance, you can visit:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloNCAS
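As an added example of the packet-capture and global-counter workflow the reply recommends (constructed here, not taken from the knowledge base articles), these are the PAN-OS operational commands in the order a practitioner would run them. The two addresses are placeholders assumed for illustration: 10.10.1.25 is an on-prem host and 203.0.113.10 an address inside the OCI public service CIDR.

```text
# PAN-OS CLI, operational mode. Addresses are placeholders assumed for
# illustration: 10.10.1.25 = on-prem host, 203.0.113.10 = OCI service IP.

# 1. Does the route lookup select the tunnel interface at all?
test routing fib-lookup virtual-router default ip 203.0.113.10

# 2. Is a session created, and which zones/interfaces did it resolve to?
show session all filter source 10.10.1.25 destination 203.0.113.10
show session id <id>            # egress interface should be tunnel.1 or tunnel.2

# 3. Limit the global counters to this flow and read only the deltas while
#    a test connection is attempted from the on-prem host.
debug dataplane packet-diag clear all
debug dataplane packet-diag set filter match source 10.10.1.25 destination 203.0.113.10
debug dataplane packet-diag set filter on
show counter global filter packet-filter yes delta yes severity drop

# 4. Capture at all four stages to see where the packet disappears.
debug dataplane packet-diag set capture stage receive  file oci-rx.pcap
debug dataplane packet-diag set capture stage firewall file oci-fw.pcap
debug dataplane packet-diag set capture stage transmit file oci-tx.pcap
debug dataplane packet-diag set capture stage drop     file oci-drop.pcap
debug dataplane packet-diag set capture on
# ... generate traffic from 10.10.1.25 to 203.0.113.10 ...
debug dataplane packet-diag set capture off
debug dataplane packet-diag set filter off
view-pcap filter-pcap oci-drop.pcap

# 5. If the drop stage fills and the counters show flow_tcp_non_syn_drop,
#    the return path is not the tunnel the forward path used (asymmetric
#    routing). The global relaxations are below (configure mode); the
#    per-zone equivalent lives in a zone protection profile on the VPN zone.
set deviceconfig setting session tcp-reject-non-syn no
set deviceconfig setting tcp asymmetric-path bypass
```

Only TCP is subject to the non-SYN and asymmetric-path checks, so working ICMP says nothing about whether a TCP flow survives an asymmetric return path; the drop-stage capture and the `flow_tcp_non_syn_drop` counter are what settle it. Both settings in step 5 weaken TCP state validation for every zone on the box; if a capture confirms asymmetry, prefer scoping the relaxation to the VPN zone with a zone protection profile, or better, fix the return path so a single flow does not use both tunnels.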
08-28-2023 04:04 AM
Awesome. Thanks again for all of your help.