Configure Captive Portal for Users Over Site to Site IPSec VPN
This document describes how to correctly configure Captive Portal for users over a site-to-site IPSec VPN.
See the following example scenario:
172.16.16.x --> PANFW1 ==> VPN ==> PANFW2 ==> Captive Portal ==> Internet
Note: There are two Palo Alto Networks firewalls (PANFW1 and PANFW2) used in this scenario.
Common issue with the example scenario:
A common issue when configuring Captive Portal (CP) for this sample scenario is that CP does not work for VPN users behind PANFW1 who come over the site-to-site IPSec VPN to PANFW2 in order to access the Internet. Common symptoms are:
- Site-to-site VPN is up and working
- Captive Portal works for local users behind PANFW2
- Users located behind PANFW1 are not prompted for the Captive Portal login, so access to the Internet fails.
Configuration steps:
- Set up the site-to-site IPSec VPN.
Refer to the following document for more details: https://live.paloaltonetworks.com/docs/DOC-1163
- Set up the Captive Portal configuration.
Refer to the following document for more details: https://live.paloaltonetworks.com/docs/DOC-1159
- Most importantly, for Captive Portal to work for users over the site-to-site IPSec VPN:
Enable the Response Page option in the management profile and add the management profile to the tunnel interface in question. This is the interface associated with the IPSec VPN on the firewall configured with Captive Portal (PANFW2 in the above scenario).
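
An added example, not part of the original document or Palo Alto Networks code: a Python check that reads an exported firewall configuration and reports, for each tunnel interface, whether the attached management profile has Response Pages enabled. The XML element paths and the sample configuration (profile and tunnel names) are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of an exported PAN-OS running config
# (element paths are an assumption; all names are made up).
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain"><network>
  <profiles><interface-management-profile>
    <entry name="cp-response"><response-pages>yes</response-pages></entry>
    <entry name="ping-only"><ping>yes</ping></entry>
  </interface-management-profile></profiles>
  <interface><tunnel><units>
    <entry name="tunnel.1">
      <interface-management-profile>cp-response</interface-management-profile>
    </entry>
    <entry name="tunnel.2">
      <interface-management-profile>ping-only</interface-management-profile>
    </entry>
    <entry name="tunnel.3"/>
  </units></tunnel></interface>
</network></entry></devices></config>
"""

def audit_tunnel_response_pages(config_xml):
    """Map each tunnel unit to 'ok' or the reason Captive Portal pages fail."""
    network = ET.fromstring(config_xml).find("./devices/entry/network")
    if network is None:
        raise ValueError("no <network> section found in config")
    # Names of management profiles that have Response Pages enabled.
    enabled = {
        p.get("name")
        for p in network.findall("./profiles/interface-management-profile/entry")
        if (p.findtext("response-pages") or "").strip() == "yes"
    }
    results = {}
    for unit in network.findall("./interface/tunnel/units/entry"):
        profile = (unit.findtext("interface-management-profile") or "").strip()
        if not profile:
            results[unit.get("name")] = "no management profile attached"
        elif profile not in enabled:
            results[unit.get("name")] = f"profile '{profile}' lacks response-pages"
        else:
            results[unit.get("name")] = "ok"
    return results

if __name__ == "__main__":
    for name, status in audit_tunnel_response_pages(SAMPLE_CONFIG).items():
        print(f"{name}: {status}")
```

Run it against the configuration exported from the firewall that hosts Captive Portal (PANFW2 in the scenario above).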