Talked to PAN tech support and they weren't able to get ipsec to work with the loopback set up. still looking into it.   in the meantime, I have looked at various documents on setting up GP but none of them had info on any policies needed to allow traffic.   What traffic needs to be allowed? I don't want to anything that could lead to security issues if it is on the external interface.   Keep in mind, I created a security zone for VPN. not sure if that changes things. ... View more

well...I added a 2nd ip to external interface, created new tunnel, security zone, gateway, portal, added new security policy and altered the local host file on my laptop and was able to connect using IPSec.   at least I know it is a firewall issue and not a client side issue.   now to see if I can get it to work using loopback interface. ... View more

is there supposed to be a specific policy or NAT rule that allows UDP 4501? ... View more

I have a Deny All rule for all source and destination zones with the log at end of session enabled so I believe the firewall should log all blocked traffic, hopefully. ... View more

Thanks for the feedback   I looked at the logs on one of the clients and it can see it trying to connect using ipsec but failing.    Logs: - Trying to do ipsec connection to IP_Address [4501] - Network is reachable - Connected to: IP_Address [4501], Sending keep alive to ipsec socket - failed to receive keep alive - IPSec anti-replay statistics: outside window count 0, replay count 0 - Disconnect udp socket   This happens with every client (all Windows 10 clients with standard configurations, including mine), so I am leaning toward it being a firewall issue. Pan-OS is 9.1.8 and GP Client is 5.2.5-c84.   I was thinking of trying to add a 2nd external ip address and bypassing loopback set up as well as creating a test environment separate from what's being used in production but I wasn't sure how. Sounds like if my external interface was an ip address of 1.1.1.1/29, I can add 1.1.1.2 as a 2nd ip address, create a new tunnel and VPN security zone, use the same authentication, certificate profiles and test the set up.   I will update this post if I see anything else in the logs ... View more

we have a  PA-3020.   I am mainly concerned about web-based emails   mail.google.com doesn't decrypt   eas.outlook.com doesn't decrypt ... View more