Error:
An unexpected error occurred. Please click Reload to try again.
Error:
An unexpected error occurred. Please click Reload to try again.
How to Configure IPSec VPN Tunnel with NAT Traversal - Knowledge Base - Palo Alto Networks

How to Configure IPSec VPN Tunnel with NAT Traversal

227318
Created On 09/26/18 13:47 PM - Last Modified 11/09/23 01:15 AM


Environment


  • Next-Gen Firewall
  • IPSec VPN Tunnel with NAT Traversal
  • Example Topology used
    • PA1 ----- PA_NAT ----- PA2
    • Public IP of PA1 - 172.16.9.163
    • Public IP of PA2 - 172.16.9.160
    • Public IP of PA_NAT - 172.16.9.171
    • PA2 Public IP 172.16.9.160 will get NATTED to PA_NAT Public IP 172.16.9.171


Procedure


Note:

  1. Configure IKE Gateway on PA1
    1. Network> Network Profiles> IKE Gateway> click Add

  1. Configure IPSec Tunnel on PA1
    1. Network> IPSec Tunnel> Click Add
IPSec Tunnel PA1
  1. Configure IKE Gateway on PA2
    1. Network> Network Profiles> IKE Gateway> click Add

  1. Configure IPSec Tunnel on PA2
    1. Network> IPSec Tunnel> Click Add

  1. Configure Bi-Directional NAT Configuration on PA_NAT Device from POLICIES> NAT> Click Add
    1. Shown below NAT is configured for traffic from Untrust to Untrust as PA_NAT device is receiving UDP traffic from PA2 on its Untrust interface and it is being routed back to PA1 after applying NAT Policy.

Shown below is the bi-directional NAT rule for both UDP Ports 500 and 4500:

> show running nat-policy
NAT_T_IPSEC {
from Untrust;
source 172.16.9.160;
to Untrust;
to-interface  ;
destination 172.16.9.163;
service [ udp/any/500 udp/any/4500 ];
translate-to "src: 172.16.9.171 (static-ip) (pool idx: 2)";
terminal no;
}

NAT_T_IPSEC {
from any;
source any;
to Untrust;
to-interface  ;
destination 172.16.9.171;
service [ udp/any/500 udp/any/4500 ];
translate-to "dst: 172.16.9.160";
terminal no;
}
  1.  Initiate IPSec VPN tunnel from PA2 (172.16.9.160) from CLI

    > test vpn ike-sa
    Initiate IKE SA: Total 1 gateways found. 1 ike sa found.
    
    
    > test vpn ipsec-sa
    Initiate IPSec SA: Total 1 tunnels found. 1 ipsec sa found.

     

On PA_NAT Device, see the following sessions:

> show session all filter application ike
--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
14211        ike            ACTIVE  FLOW  NS   172.16.9.160[500]/Untrust/17  (172.16.9.171[500])
vsys1                                          172.16.9.163[500]/Untrust  (172.16.9.163[500])


 > show session all filter destination-port 4500
--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
14210        ipsec-esp-udp  ACTIVE  FLOW  NS   172.16.9.160[4500]/Untrust/17  (172.16.9.171[4500])
vsys1                                          172.16.9.163[4500]/Untrust  (172.16.9.163[4500])

 

  1. Verify Tunnels are UP on both PA1 and PA2 on GUI from NETWORK> IPSec Tunnels

PA1:

PA2:

 



Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClopCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language