About cmateam

Hi there, Here is our scenario that I am trying to figure out. We have two sites (main office and a rack in a data center) that are connected via PAN-2020's on both sides through a IPsec Tunnel. I am trying to route Client VPN traffic that connects at our main office to go over the site-to-site tunnel to access some web servers there. It seems the traffic goes over the tunnel, but all is marked as incomplete. Below is my config..is it a route metric issue or a routing issue in the Client VPN traffic config? Our VPN clients are obtaining DNS from internal domain controllers. Our web server are defined with internal zones on those domain controllers, that is why I am having this issue. Any help would be appreciated.  Can provide additional details as needed. Main Office: Zones: Trust Zone - (192.168.x.x/16) SSL-VPN Zone - (172.x.x.x/24) - no split brained routing (0.0.0.0/0) Site-to-Site Tunnel Routes: Default Route: 0.0.0.0/0 - metric 10 Trust Zone - metric 5 SSL-VPN Zone - next hop 0.0.0.0 - metric 8 All traffic over tunnel to remote zones - metric 5 Security Policies: Trust Zone & SSL-VPN zone to Tunnel - allow all traffic Data Center Rack: Zones: Trust Zone - (10.20.x.x/16) Untrust Zone - (10.30.x.x/16) - were web servers are Site-to-Site Tunnel Routes: Default Route: 0.0.0.0/0 - metric 10 Trust Zone - metric 1 Untrust Zone - metric 1 All traffic over tunnel to remote zones - metric 1 Security Policies: Trust Zone & Untrust Zone to Tunnel - allow all traffic ... View more

All, First, please forgive me if this has been asked before, I wasn't able to find anything conclusive with any good explanation. Recently I renewed a couple of web server certificates and in doing so the CA recommended that I use SHA2 with a 256-bit message digest as SHA1 was known to have been cracked and was weak. This lead to some further digging on some of the crypto stuff for the PAN firewalls and noticed that a site-to-site IPsec tunnel I had setup nearly a year ago is using SHA1 (both are PAN firewalls). My current config is: IKE Crypto is using: Encryption - aes128, 3des Authentication - sha1 DH Group - group2 Lifetime - 8 hours IPsec Crypto is using: ESP/AH - ESP Encryption - aes128, 3des Authentication - sha1 DH Group - group2 Lifetime - 1 hours I kinda followed the 'book' based on PAN's documentation from a couple years ago, and some of the details are coming back to me, but what I am wondering if implementing some of the higher encryption/authentication standards can be done by stacking.  I believe I can do this on both sides with no problem, but what I am little fuzzy on is the DH group setting and does that need to be adjusted. I found this site that explained the details a little bit more: Help - IBM z/OS Management Facility. Additionally what has been your experience with using AES256 over AES128 for encryption - any performance issues? (IPsec crypto also supports AES128 CCM16). And for Authentication SHA512 over SHA256? Thanks for any help. ... View more