Palo Alto Networks Knowledgebase: Configuring the Palo Alto Networks Device as an IPSec Passthrough

Configuring the Palo Alto Networks Device as an IPSec Passthrough

(1987 Views)
Created On 09/25/18 17:27 PM - Last Updated 09/25/18 23:10 PM
Categories:  VPNs

Issue:


Solution:


Overview

This document describes how to configure the Palo Alto Networks firewall to behave as an IPSec passthrough between VPN terminating devices.

 

Details

Configure a security policy to allow the "ipsec" application traffic between the tunnel endpoints. This will enable the Palo Alto Networks firewall to act as vpn passthrough for traffic between vpn peers.

 

For example

The screenshot below shows devices 198.51.100.1 and 203.0.113.1 (10.0.0.1 internally)  as the vpn peers. The application, "ipsec", is specified under the Application column.

 

ipsec passthrough.png

 

The ipsec application contains the following sub-apps:

  • ike
  • ipsec-ah
  • ipsec-esp
  • ipsec-esp-udp(NAT-T)

The sub-apps above are allowed implicitly when the ipsec application is configured as allowed.

 

owner: saryan

Attachments:

Actions:
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFRCA0&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Change Language: