The IPSEC Tunnel Comes Up But Hosts Behind Peer Are Not Reachable
Occasionally, on a site-to-site IPSec VPN between a Palo Alto Networks device and another device, Phase 1 and Phase 2 will both be up. However, the hosts behind the peer are not reachable.
Determine which zone the tunnel interface is in. If the tunnel interface is in the untrust zone, the default NAT rule on the Palo Alto Networks device translates the source address of the traffic to the public IP as it leaves through the tunnel, so the peer receives packets sourced from the public IP rather than from the inside hosts.
There are two options to resolve this issue:
- Move the tunnel interface to one of the inside zones, so that the traffic is not NATed while leaving the tunnel.
- Create a No-NAT rule (a NAT rule with no source translation) for traffic from the inside zones to the destination addresses behind the peer, placed above the default NAT rule, since NAT rules are matched top-down.
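The following is an added example, not PAN-OS code or anything from the original article: a small first-match model of the NAT rulebase that reproduces the symptom (tunnel interface in untrust, default outbound rule matching) and checks both fixes. The topology, zone names, subnets and rule names are constructed for the example; the No-NAT case also shows why rule order matters.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class NatRule:
    name: str
    from_zone: str
    to_zone: str
    destination: str   # CIDR, or "any"
    translate: bool    # False models a No-NAT rule (no source translation configured)

    def matches(self, from_zone: str, to_zone: str, dst_ip: str) -> bool:
        if (self.from_zone, self.to_zone) != (from_zone, to_zone):
            return False
        return self.destination == "any" or ip_address(dst_ip) in ip_network(self.destination)

def first_match(rules, from_zone, to_zone, dst_ip) -> Optional[NatRule]:
    """The NAT rulebase is evaluated top-down; the first matching rule wins."""
    return next((r for r in rules if r.matches(from_zone, to_zone, dst_ip)), None)

def source_translated(interface_zones, rules, dst_ip, egress_if, from_zone="trust") -> bool:
    """True if the flow leaves the firewall with a translated source address."""
    rule = first_match(rules, from_zone, interface_zones[egress_if], dst_ip)
    return rule is not None and rule.translate

# Constructed topology: inside hosts sit in 'trust', tunnel.1 carries the VPN,
# and the peer's LAN is 192.168.50.0/24 (all values are made up for this example).
ZONES = {"ethernet1/1": "untrust", "ethernet1/2": "trust", "tunnel.1": "untrust"}
PEER_LAN = "192.168.50.0/24"
DEFAULT_NAT = NatRule("outbound-pat", "trust", "untrust", "any", translate=True)
NO_NAT = NatRule("no-nat-to-peer", "trust", "untrust", PEER_LAN, translate=False)

def symptom() -> bool:
    # tunnel.1 in untrust: the default rule matches, so the peer sees our public IP
    return source_translated(ZONES, [DEFAULT_NAT], "192.168.50.10", "tunnel.1")

def fix_move_tunnel_zone() -> bool:
    # Option 1: put tunnel.1 in an inside zone; a trust->trust flow never hits the rule
    zones = {**ZONES, "tunnel.1": "trust"}
    return source_translated(zones, [DEFAULT_NAT], "192.168.50.10", "tunnel.1")

def fix_no_nat_rule(no_nat_first: bool = True) -> bool:
    # Option 2: exempt the peer's subnet; it only works if it sits above the default rule
    rules = [NO_NAT, DEFAULT_NAT] if no_nat_first else [DEFAULT_NAT, NO_NAT]
    return source_translated(ZONES, rules, "192.168.50.10", "tunnel.1")

def internet_still_natted() -> bool:
    # The No-NAT rule must not break ordinary outbound traffic via ethernet1/1
    return source_translated(ZONES, [NO_NAT, DEFAULT_NAT], "203.0.113.5", "ethernet1/1")
```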