Palo Alto Networks Knowledgebase: IPSec VPN Tunnel with NAT Traversal

Created On 02/07/19 23:45 PM - Last Updated 02/07/19 23:45 PM
Resolution

Details

How to configure an IPSec VPN tunnel between two Palo Alto Networks firewalls when a NAT device sits between them.

Topology:

PA1 ----- PA_NAT ----- PA2

Public IP of PA1 - 172.16.9.163

Public IP of PA2 - 172.16.9.160

Public IP of PA_NAT - 172.16.9.171

PA2's public IP 172.16.9.160 is NATed to PA_NAT's public IP 172.16.9.171.

Configuration on PA1:

Note:

  • Use default values for the IKE Crypto and IPSec Crypto Profiles.
  • The NAT Traversal option is mandatory.

For details on NAT-Traversal in an IPSec Gateway, see:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClMkCAK

IKE Gateway:

IPSec Tunnel:

Configuration on PA2:

IKE Gateway:

IPSec Tunnel:

Bi-Directional NAT Configuration on PA_NAT Device:

NAT is configured for traffic from Untrust to Untrust because the PA_NAT device receives the UDP traffic from PA2 on its Untrust interface and routes it back out to PA1 after applying the NAT policy.

Shown below is the bi-directional NAT rule for both UDP ports 500 and 4500:

> show running nat-policy
NAT_T_IPSEC {
from Untrust;
source 172.16.9.160;
to Untrust;
to-interface  ;
destination 172.16.9.163;
service [ udp/any/500 udp/any/4500 ];
translate-to "src: 172.16.9.171 (static-ip) (pool idx: 2)";
terminal no;
}

NAT_T_IPSEC {
from any;
source any;
to Untrust;
to-interface  ;
destination 172.16.9.171;
service [ udp/any/500 udp/any/4500 ];
translate-to "dst: 172.16.9.160";
terminal no;
}
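Both rules list udp/500 and udp/4500 for a reason: ESP (IP protocol 50) carries no port numbers, so a port-translating NAT cannot forward it; NAT-T detects the NAT during IKE and wraps ESP in UDP/4500 instead. A working deployment therefore needs the forward source-NAT rule and the reverse destination-NAT rule to mirror each other and to cover both ports. The following Python script is an added example, not part of the article and not a Palo Alto Networks tool: it parses the `show running nat-policy` output above (the sample text is the article's own rules, embedded inline) and reports any way in which the two rules fail to form a consistent NAT-T pair. The argument names `peer_ip`, `nat_public_ip` and `remote_ip` are this example's own.

```python
import re

# Sample input: the two rules PA_NAT prints for `show running nat-policy`
# (copied in shape and addresses from the article; nothing else is assumed).
NAT_POLICY_OUTPUT = """\
NAT_T_IPSEC {
from Untrust;
source 172.16.9.160;
to Untrust;
to-interface  ;
destination 172.16.9.163;
service [ udp/any/500 udp/any/4500 ];
translate-to "src: 172.16.9.171 (static-ip) (pool idx: 2)";
terminal no;
}

NAT_T_IPSEC {
from any;
source any;
to Untrust;
to-interface  ;
destination 172.16.9.171;
service [ udp/any/500 udp/any/4500 ];
translate-to "dst: 172.16.9.160";
terminal no;
}
"""

# UDP/500 carries IKE; UDP/4500 carries IKE plus UDP-encapsulated ESP once
# NAT-T is negotiated. A NAT-T tunnel needs both ports in both directions.
REQUIRED_SERVICES = {"udp/any/500", "udp/any/4500"}


def parse_nat_policy(text):
    """Parse `show running nat-policy` output into a list of rule dicts."""
    rules = []
    for name, body in re.findall(r"(\S+)\s*\{(.*?)\}", text, re.S):
        rule = {"name": name}
        for raw in body.strip().splitlines():
            line = raw.strip().rstrip(";").strip()
            if not line:
                continue
            key, _, value = line.partition(" ")
            value = value.strip()
            if key == "service":
                # "[ udp/any/500 udp/any/4500 ]" -> {"udp/any/500", "udp/any/4500"}
                value = set(value.strip("[] ").split())
            elif key == "translate-to":
                # "src: 172.16.9.171 (static-ip) (pool idx: 2)" -> ("src", "172.16.9.171")
                m = re.match(r"(src|dst):\s*(\S+)", value.strip('"'))
                value = (m.group(1), m.group(2)) if m else (None, value)
            rule[key] = value
        rules.append(rule)
    return rules


def _translation(rule):
    """(direction, address) of the rule's translate-to clause, or (None, None)."""
    return rule.get("translate-to", (None, None))


def check_nat_t_pair(rules, peer_ip, nat_public_ip, remote_ip):
    """Return a list of problems with the bidirectional NAT-T rule pair.

    peer_ip       -- the firewall behind the NAT (PA2 in the article)
    nat_public_ip -- the address it is translated to (PA_NAT's Untrust IP)
    remote_ip     -- the far-end gateway (PA1)
    An empty list means the forward source-NAT rule and the reverse
    destination-NAT rule exist, mirror each other, and cover UDP 500 and 4500.
    """
    problems = []

    forward = [r for r in rules
               if r.get("source") == peer_ip and _translation(r)[0] == "src"]
    if not forward:
        problems.append(f"no source-NAT rule for {peer_ip}")
    else:
        r = forward[0]
        if r.get("destination") != remote_ip:
            problems.append(f"forward rule destination is {r.get('destination')}, expected {remote_ip}")
        if _translation(r)[1] != nat_public_ip:
            problems.append(f"forward rule translates source to {_translation(r)[1]}, expected {nat_public_ip}")
        if not REQUIRED_SERVICES <= r.get("service", set()):
            problems.append("forward rule does not cover both udp/500 and udp/4500")

    reverse = [r for r in rules
               if r.get("destination") == nat_public_ip and _translation(r)[0] == "dst"]
    if not reverse:
        problems.append(f"no destination-NAT rule for {nat_public_ip}")
    else:
        r = reverse[0]
        if _translation(r)[1] != peer_ip:
            problems.append(f"reverse rule translates destination to {_translation(r)[1]}, expected {peer_ip}")
        if not REQUIRED_SERVICES <= r.get("service", set()):
            problems.append("reverse rule does not cover both udp/500 and udp/4500")

    return problems


if __name__ == "__main__":
    rules = parse_nat_policy(NAT_POLICY_OUTPUT)
    print(check_nat_t_pair(rules, "172.16.9.160", "172.16.9.171", "172.16.9.163")
          or "NAT-T rule pair is consistent")
```

The check is deliberately one-directional per rule: the forward rule must translate the source to PA_NAT's address, and the reverse rule must translate PA_NAT's address back to the peer. Dropping udp/4500 from either rule, or pointing the reverse translation at a different host, is reported rather than silently accepted.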

 

Initiate the IPSec VPN tunnel from PA2 (172.16.9.160):

> test vpn ike-sa
Initiate IKE SA: Total 1 gateways found. 1 ike sa found.

> test vpn ipsec-sa
Initiate IPSec SA: Total 1 tunnels found. 1 ipsec sa found.

On the PA_NAT device, the following sessions are seen:

> show session all filter application ike
--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
14211        ike            ACTIVE  FLOW  NS   172.16.9.160[500]/Untrust/17  (172.16.9.171[500])
vsys1                                          172.16.9.163[500]/Untrust  (172.16.9.163[500])

 

> show session all filter destination-port 4500
--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
14210        ipsec-esp-udp  ACTIVE  FLOW  NS   172.16.9.160[4500]/Untrust/17  (172.16.9.171[4500])
vsys1                                          172.16.9.163[4500]/Untrust  (172.16.9.163[4500])
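The two session entries above are the evidence that NAT-T is actually in effect on the NAT device: one `ike` session on UDP/500 and one `ipsec-esp-udp` session on UDP/4500, both from PA2's real address, both source-translated to PA_NAT's address (the `NS` flag marks source NAT in PAN-OS session output; `ND` is destination NAT and `NB` both). The script below is an added example, not part of the article and not a Palo Alto Networks tool: it pairs the two output lines of each session, then reports what is missing for a NAT-T tunnel between the given peers. The sample text is the article's own two filtered outputs joined together; treating the Flag column as optional for un-NATed sessions is this example's assumption about the column layout.

```python
import re

# Sample input: the session table PA_NAT prints for `show session all`
# (the article's two filtered outputs, joined; header lines kept so the
# parser has to skip them).
SESSION_OUTPUT = """\
--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
14211        ike            ACTIVE  FLOW  NS   172.16.9.160[500]/Untrust/17  (172.16.9.171[500])
vsys1                                          172.16.9.163[500]/Untrust  (172.16.9.163[500])
14210        ipsec-esp-udp  ACTIVE  FLOW  NS   172.16.9.160[4500]/Untrust/17  (172.16.9.171[4500])
vsys1                                          172.16.9.163[4500]/Untrust  (172.16.9.163[4500])
"""

# First line of a session. The Flag column is assumed to be empty for sessions
# that are not NATed, so it is optional here.
SRC_LINE = re.compile(
    r"^(?P<id>\d+)\s+(?P<app>\S+)\s+(?P<state>\S+)\s+(?P<type>\S+)\s+"
    r"(?:(?P<flag>[A-Z]+)\s+)?"
    r"(?P<src>[\d.]+)\[(?P<sport>\d+)\]/(?P<szone>[^/\s]+)/(?P<proto>\d+)\s+"
    r"\((?P<xsrc>[\d.]+)\[(?P<xsport>\d+)\]\)"
)
# Second line of a session: vsys, destination and translated destination.
DST_LINE = re.compile(
    r"^(?P<vsys>vsys\d+)\s+(?P<dst>[\d.]+)\[(?P<dport>\d+)\]/(?P<dzone>\S+)\s+"
    r"\((?P<xdst>[\d.]+)\[(?P<xdport>\d+)\]\)"
)


def parse_sessions(text):
    """Pair each session's two output lines into one dict; skip headers."""
    lines = text.splitlines()
    sessions = []
    i = 0
    while i < len(lines):
        m = SRC_LINE.match(lines[i])
        d = DST_LINE.match(lines[i + 1]) if m and i + 1 < len(lines) else None
        if m and d:
            s = {**m.groupdict(), **d.groupdict()}
            for k in ("id", "sport", "proto", "xsport", "dport", "xdport"):
                s[k] = int(s[k])
            sessions.append(s)
            i += 2
        else:
            i += 1
    return sessions


def verify_nat_t(sessions, peer_ip, nat_public_ip, remote_ip):
    """Return what is still missing for NAT-T between peer_ip and remote_ip.

    An empty list means both the IKE (UDP/500) and the UDP-encapsulated ESP
    (UDP/4500) sessions exist, are ACTIVE, and have their source translated to
    nat_public_ip with a source-NAT flag (NS, or NB when both ends are NATed).
    """
    expected = {500: "ike", 4500: "ipsec-esp-udp"}
    missing = []
    for port, app in expected.items():
        hits = [s for s in sessions
                if s["proto"] == 17 and s["dport"] == port
                and s["src"] == peer_ip and s["dst"] == remote_ip]
        if not hits:
            missing.append(f"no UDP/{port} session from {peer_ip} to {remote_ip}")
            continue
        s = hits[0]
        if s["app"] != app:
            missing.append(f"UDP/{port} session classified as {s['app']}, expected {app}")
        if s["state"] != "ACTIVE":
            missing.append(f"UDP/{port} session is {s['state']}, not ACTIVE")
        if s["xsrc"] != nat_public_ip or s["flag"] not in ("NS", "NB"):
            missing.append(f"UDP/{port} source not translated to {nat_public_ip}")
    return missing


if __name__ == "__main__":
    found = parse_sessions(SESSION_OUTPUT)
    print(verify_nat_t(found, "172.16.9.160", "172.16.9.171", "172.16.9.163")
          or "NAT-T sessions present and source-NATed")
```

If only the UDP/500 session shows up, IKE reached the far end but the encapsulated ESP flow never did, which usually points at a NAT rule or security policy that allows 500 but not 4500; the check reports exactly that gap instead of a generic failure.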

 

Tunnels are UP on both PA1 and PA2:

PA1:

PA2:



Article link: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClopCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail