IPsec Site-to-Site VPN trouble (decap bytes 0)


Hi all.

I am trying to set up an IPsec s2s tunnel with non-Palo Alto peers. So far I have tried 3 different peers (Strongswan 5.3.2, Cisco router, Cisco SOHO router) and every time I have problems seeing incoming decrypted traffic to the PA.

"Local site" being the PA one, here's the info I have so far:

- IPsec tunnel is up

- "show session all filter protocol 50" shows one active tunnel session (for the ipsec tunnel)

- "show vpn flow tunnel-id name <tunnel name>" shows encap packets, but no decap packets

- Proxy-ID is set to the local NAT address range after translation has been done, and to the native address range for the remote site (no NAT is being done there)

- Remote site end hosts receive packets from the local site, via the tunnel (e.g. echo requests from the post-NAT IPs. NAT range is specific to the PA tunnel interface)

- Local site end hosts never receive replies (e.g. echo replies)

- I have tried putting the (internal) tunnel interface in both the "internal" zone, as well as the "vpn" zone, no luck

- I am using a loopback as the external interface, set in the vpn zone

- Policies from vpn to internal zone and vice versa allow all traffic

UPDATE (some additional notes):

- IPsec tunnel is terminated in a logical loopback interface on the PA, which is configured in the VPN zone.

- Although all policies have logging enabled at session end, I never see logs of tunneled packets incoming from the other peer

- I have thought of configuring the IPsec tunnel to terminate on a logical interface in case it's the loopback interface causing the problem, but all external physical interfaces are set on the untrust zone and I would like to keep VPN and untrust zones/policies separate.

- The PA is directly connected via a VLAN to our two edge routers. The edge routers have an ingress L3 ACL permitting esp/ahp packets towards the PA loopback address. Removing the L3 ACL entirely also did not help.

Any advice/insight would be greatly appreciated!

Message was edited by: Aris Lamprianidis
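One way to mechanise the checks this post walks through (encap counters climbing while decap stays at 0, proxy-IDs mirroring the peer's traffic selectors, and the local proxy-ID covering the post-NAT pool), as an added Python example that is not from the poster or from Palo Alto Networks; the counter line format, the tunnel name and every address below are constructed assumptions, not real output:

```python
import ipaddress


def parse_flow_counters(output):
    """Pull encap/decap packet counters out of constructed CLI output.
    The 'encap packets: N' / 'decap packets: N' line format is an assumption,
    not copied from real PAN-OS 'show vpn flow' output."""
    counters = {}
    for line in output.splitlines():
        line = line.strip().lower()
        for key in ("encap", "decap"):
            if line.startswith(f"{key} packets:"):
                counters[key] = int(line.split(":", 1)[1])
    return counters


def classify_direction(counters):
    """Encap without decap is the symptom in the post: our side encrypts, nothing comes back."""
    encap, decap = counters.get("encap", 0), counters.get("decap", 0)
    if encap and not decap:
        return "encap-only"
    if decap and not encap:
        return "decap-only"
    return "bidirectional" if encap else "idle"


def proxy_ids_mirror(pa_local, pa_remote, peer_local, peer_remote):
    """IKEv1 proxy-IDs (strongSwan leftsubnet/rightsubnet) must be exact mirror images,
    not merely overlapping, or the child SA will not match the traffic."""
    def net(s):
        return ipaddress.ip_network(s, strict=False)
    return net(pa_local) == net(peer_remote) and net(pa_remote) == net(peer_local)


def diagnose(output, pa_local, pa_remote, peer_local, peer_remote, nat_pool):
    findings = []
    state = classify_direction(parse_flow_counters(output))
    if state == "encap-only":
        findings.append("encap-only: peer packets never decrypted, or dropped after decryption")
    if not proxy_ids_mirror(pa_local, pa_remote, peer_local, peer_remote):
        findings.append("proxy-ID pair does not mirror the peer's traffic selectors")
    # Replies are addressed to the translated source, so the local proxy-ID must cover the NAT pool.
    pool = ipaddress.ip_network(nat_pool, strict=False)
    if not pool.subnet_of(ipaddress.ip_network(pa_local, strict=False)):
        findings.append("local proxy-ID does not cover the post-NAT pool; replies will not match the SA")
    return state, findings


# Constructed sample: traffic leaves (encap 42) but nothing is decapsulated (decap 0).
SAMPLE_OUTPUT = """\
tunnel  site-a-to-site-b
encap packets:  42
decap packets:  0
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE_OUTPUT, "198.51.100.0/24", "192.168.50.0/24",
                   "192.168.50.0/24", "198.51.100.0/24", "198.51.100.0/24"))
```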
