Palo Alto Networks Knowledgebase: Configuring the Palo Alto Networks Device as an IPSec Passthrough

Created On 11/19/19 04:52 AM - Last Updated 11/19/19 05:19 AM
IPSec VPNs 8.1 7.1 PAN-OS
Environment
Exception: PA-7000, PA-5200 and PA-3200 series (see Additional Information below)

Resolution

Overview

This document describes how to configure the Palo Alto Networks firewall to behave as an IPSec passthrough between VPN-terminating devices, that is, to forward IKE and ESP/AH traffic between two VPN peers without terminating the tunnel itself.

Details

Configure a security policy that allows the "ipsec" application between the tunnel endpoints. This enables the Palo Alto Networks firewall to act as a VPN passthrough for traffic between the VPN peers. Because the firewall only forwards the encrypted traffic, it cannot inspect the contents of the tunnel; the policy should therefore be scoped to the specific peer addresses rather than "any".

For example

The screenshot below shows devices 198.51.100.1 and 203.0.113.1 (10.0.0.1 internally, behind destination NAT) as the VPN peers. The application "ipsec" is specified under the Application column.

[Screenshot: ipsec passthrough.png, the security policy rule with "ipsec" as the allowed application]

The ipsec application contains the following sub-apps:

  • ike
  • ipsec-ah
  • ipsec-esp
  • ipsec-esp-udp (NAT-T)

The sub-apps above are allowed implicitly when a security policy allows the parent "ipsec" application; they do not need to be listed individually.

owner: saryan



Additional Information
On PA-7000, PA-5200 and PA-3200 series, due to an architectural difference, a different technique is used for session creation of IPSec pass-through traffic.
On these platforms, security policies must be configured to allow pass-through ESP traffic in both directions; a single rule in the initiating direction is not sufficient.
For details, refer to this article:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClpXCAS
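The following is an added example, not part of the original article: the rule from the screenshot in the Details section expressed in PAN-OS configuration-mode CLI, a reverse-direction rule as required on the PA-7000, PA-5200 and PA-3200 series described above, and the operational commands used to confirm the policy match and the resulting sessions. The zone names (untrust, trust), the address-object and rule names, and the assumption that 203.0.113.1 is destination-NATed to 10.0.0.1 are mine; lines beginning with # are annotations, not CLI input.

```text
# --- configuration mode (enter with "configure"); names are illustrative ---
set address vpn-peer-a ip-netmask 198.51.100.1/32
set address vpn-peer-b ip-netmask 203.0.113.1/32
set address vpn-peer-b-internal ip-netmask 10.0.0.1/32

# Rule 1: remote peer -> local peer. Security policy is evaluated on the
# pre-NAT destination address (203.0.113.1) but the post-NAT zone (trust).
# Allowing "ipsec" implicitly allows ike, ipsec-ah, ipsec-esp and ipsec-esp-udp.
set rulebase security rules allow-ipsec-passthrough from untrust to trust source vpn-peer-a destination vpn-peer-b application ipsec service application-default action allow

# Rule 2: local peer -> remote peer, matched on the pre-NAT inside address.
# Required on PA-7000, PA-5200 and PA-3200 series for pass-through ESP; on
# other platforms include it at least when the inside peer initiates IKE.
set rulebase security rules allow-ipsec-passthrough-return from trust to untrust source vpn-peer-b-internal destination vpn-peer-a application ipsec service application-default action allow

commit

# --- operational mode: confirm the policy lookup for ESP (IP protocol 50)
# and IKE (UDP/500), then look at the live pass-through sessions ---
test security-policy-match from untrust to trust source 198.51.100.1 destination 203.0.113.1 protocol 50
test security-policy-match from untrust to trust source 198.51.100.1 destination 203.0.113.1 protocol 17 destination-port 500
test security-policy-match from trust to untrust source 10.0.0.1 destination 198.51.100.1 protocol 50
show session all filter application ike
show session all filter application ipsec-esp
```

The test commands should each report one of the two rules above; if the ESP test from trust to untrust returns no match on a PA-7000, PA-5200 or PA-3200 series firewall, the return-direction rule is missing and ESP packets from the inside peer will be dropped even though IKE completes. Keep the source and destination objects specific: an "ipsec" rule with "any" on both sides lets any host tunnel encrypted traffic through the firewall without inspection.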

