Is "Nested" IPSec (IPSec-over-IPSec) terminating on the same PA firewall supported?

Created On 04/27/19 19:12 PM - Last Modified 03/26/26 00:39 AM


Question


Is "Nested" IPSec (IPSec-over-IPSec) terminating on the same PA firewall supported?

Environment


  • Next-Gen Firewalls
  • Supported PAN-OS
  • IPSec VPN tunnels.


Answer


  1. Currently, "Nested" IPSec (IPSec-over-IPSec) terminating on the same firewall is NOT supported.
  2. A "Nested" tunnel, as the term is used here, is created by terminating two tunnels on two of the firewall's interfaces and then configuring routing so that the inner tunnel's traffic is carried through the outer tunnel.
  3. Packets for such a "Nested" tunnel are dropped by design.


Additional Information


Note:

The behavior of dropping nested-tunnel traffic was incorporated via the following issue to avoid forwarding loops (which would be a misconfiguration), although it also ends up denying a legitimate design.

The following setup illustrates the behavior and the implementation/design:

Inner tunnel (t.2) terminates on lo.0 interface:
lo.0 on local firewall : 192.168.21.10
lo.0 on remote firewall : 192.168.22.10

Outer tunnel (t.1) terminates on e1/1 interface:

e1/1 on local firewall : 192.168.15.135
e1/1 on remote firewall : 192.168.15.136

t.1 on local firewall : 172.16.128.11
t.1 on remote firewall : 172.16.128.12

Tested traffic:

src : t.2 IP on PA1 : 172.16.129.11 
dst : t.2 IP on PA2 : 172.16.129.12
Protocol : ICMP
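To make the forwarding behavior concrete, the following added example (not Palo Alto Networks code) models the lookups described above: a route lookup picks an egress interface, and if that interface is a tunnel the packet is encapsulated and a second lookup is done for the tunnel's remote endpoint. Walking that chain for the tested destination shows why the design is nested. The addresses are the ones from this article; the prefix lengths and the route-table layout are assumptions made for the illustration.

```python
"""Walk the tunnel encapsulation chain a packet would take on egress.

Added example, not PAN-OS code. It reproduces the sequence the packet_diag
trace shows: route lookup -> tunnel encap -> route lookup for the tunnel
peer -> tunnel encap again. Two consecutive encapsulations is the "nested"
case that the firewall drops by design.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Routes as (destination prefix, egress interface). The addresses come from
# the article; the /24 prefix lengths are an assumption for this example.
ROUTES: List[Tuple[str, str]] = [
    ("172.16.129.0/24", "tunnel.2"),     # inner tunnel (t.2) transport network
    ("192.168.22.0/24", "tunnel.1"),     # remote lo.0 is only reachable via t.1
    ("192.168.15.0/24", "ethernet1/1"),  # directly connected, outer IKE peer
]

# Tunnel interface -> remote tunnel endpoint (the IKE gateway peer address).
TUNNEL_PEERS: Dict[str, str] = {
    "tunnel.2": "192.168.22.10",   # inner tunnel terminates on remote lo.0
    "tunnel.1": "192.168.15.136",  # outer tunnel terminates on remote e1/1
}


def route_lookup(dst: str) -> Optional[str]:
    """Longest-prefix match over ROUTES; returns the egress interface or None."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[int, str]] = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None


def encap_chain(dst: str, max_depth: int = 8) -> Tuple[List[str], str]:
    """Return (tunnel interfaces the packet is encapsulated into, in order,
    physical egress interface). Raises on a missing route or a tunnel loop."""
    chain: List[str] = []
    current = dst
    for _ in range(max_depth):
        iface = route_lookup(current)
        if iface is None:
            raise LookupError(f"no route to {current}")
        if not iface.startswith("tunnel."):
            return chain, iface
        chain.append(iface)
        # Next lookup is for the tunnel's remote endpoint, as in the trace.
        current = TUNNEL_PEERS[iface]
    raise RuntimeError("tunnel loop or excessive nesting")


def is_nested(dst: str) -> bool:
    """True when the packet would be encapsulated into more than one tunnel."""
    chain, _ = encap_chain(dst)
    return len(chain) > 1


if __name__ == "__main__":
    for dst in ("172.16.129.12", "192.168.22.10"):
        chain, egress = encap_chain(dst)
        print(dst, "->", " -> ".join(chain) or "(no tunnel)", "->", egress,
              "NESTED (would be dropped)" if len(chain) > 1 else "ok")
```

Run against the article's tested traffic, the destination 172.16.129.12 resolves to tunnel.2, whose peer 192.168.22.10 resolves to tunnel.1, whose peer resolves to ethernet1/1: two encapsulations, which is exactly the point at which the trace reports the nested-tunnel drop. Traffic sent directly to the remote lo.0 address goes through tunnel.1 only and is fine.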

Errors seen in global counters:

flow_tunnel_encap_err    2 0   drop flow  tunnel  Packet dropped: tunnel encapsulation error
flow_tunnel_encap_nested 2 0   drop flow  tunnel  Packet dropped: nested tunnel decapsulation


Detailed packet_diag debug output:

== 20xx-04-10 22:21:49.331 -0700 ==
Packet received at fastpath stage
Packet info: len 98 port 4 interface 259 vsys 1
wqe index 11267 packet 0x0x7f0014c79dca
Packet decoded dump:
L2: 58:49:3b:e4:95:04->00:70:76:69:66:00, type 0x0800
IP: 172.16.129.11->172.16.129.12, protocol 1
version 4, ihl 5, tos 0x00, len 84,
id 0, frag_off 0x4000, ttl 64, checksum 28896
ICMP: type 8, code 0, checksum 14159, id 23837, seq 1
Flow fastpath, session 1177
IP checksum valid
2017-04-10 22:21:49.331 -0700 pan_flow_process_fastpath(src/pan_flow_proc.c:1572): SESSION-DSCP: set session DSCP: 0x00
Forwarding lookup, ingress interface 259
L3 mode, virtual-router 1
Route lookup in virtual-router 1, IP 172.16.129.12
Route found, interface tunnel.2, zone 5
Packet enters tunnel encap stage, tunnel interface tunnel.2
Resolving tunnel 4
Tunnel outbound msg
Forwarding lookup, ingress interface 260
L3 mode, virtual-router 1
Route lookup in virtual-router 1, IP 192.168.22.10
Route found, interface tunnel.1, zone 4, nexthop 172.16.128.12
Packet enters tunnel encap stage, tunnel interface tunnel.1
Packet dropped, nested tunnel encap , previous tunnel 3763828867, current interface 258
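When triaging this drop on a firewall, the two signatures worth keying on are the flow_tunnel_encap_nested counter and the pair of "tunnel encap stage" lines followed by the "nested tunnel encap" drop in the packet_diag trace. The following added example (not Palo Alto Networks code) parses both from the sample output shown above; the counter column layout it assumes (name, value, rate, severity, category, aspect, description) is taken from those two lines, and the embedded sample text is copied from this article.

```python
"""Parse global-counter and packet_diag output for the nested-tunnel drop.

Added example, not PAN-OS code. The counter field order assumed here is
name value rate severity category aspect description, matching the two
lines shown in the article.
"""
import re
from typing import Dict, List

# Sample input copied from the article (global counters).
COUNTERS = """\
flow_tunnel_encap_err    2 0   drop flow  tunnel  Packet dropped: tunnel encapsulation error
flow_tunnel_encap_nested 2 0   drop flow  tunnel  Packet dropped: nested tunnel decapsulation
"""

# Sample input copied from the article (relevant part of the packet_diag trace).
TRACE = """\
Route found, interface tunnel.2, zone 5
Packet enters tunnel encap stage, tunnel interface tunnel.2
Resolving tunnel 4
Tunnel outbound msg
Forwarding lookup, ingress interface 260
Route lookup in virtual-router 1, IP 192.168.22.10
Route found, interface tunnel.1, zone 4, nexthop 172.16.128.12
Packet enters tunnel encap stage, tunnel interface tunnel.1
Packet dropped, nested tunnel encap , previous tunnel 3763828867, current interface 258
"""

COUNTER_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\w+)\s+(\w+)\s+(\w+)\s+(.*)$")
ENCAP_RE = re.compile(r"Packet enters tunnel encap stage, tunnel interface (\S+)")
NESTED_DROP_RE = re.compile(r"Packet dropped, nested tunnel encap")


def parse_counters(text: str) -> Dict[str, Dict[str, object]]:
    """Return {counter name: fields} for every line matching the layout."""
    out: Dict[str, Dict[str, object]] = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line.strip())
        if not m:
            continue
        name, value, rate, severity, category, aspect, description = m.groups()
        out[name] = {
            "value": int(value), "rate": int(rate), "severity": severity,
            "category": category, "aspect": aspect, "description": description,
        }
    return out


def nested_drop_count(counters: Dict[str, Dict[str, object]]) -> int:
    """Packets dropped by the nested-tunnel check, 0 if the counter is absent."""
    entry = counters.get("flow_tunnel_encap_nested")
    return int(entry["value"]) if entry else 0


def encap_sequence(trace: str) -> List[str]:
    """Tunnel interfaces the packet entered the encap stage for, in order."""
    return ENCAP_RE.findall(trace)


def trace_shows_nested_drop(trace: str) -> bool:
    """True when the trace has more than one encap stage and the nested drop."""
    return len(encap_sequence(trace)) > 1 and NESTED_DROP_RE.search(trace) is not None


if __name__ == "__main__":
    counters = parse_counters(COUNTERS)
    print("nested drops:", nested_drop_count(counters))
    print("encap sequence:", " -> ".join(encap_sequence(TRACE)))
    print("nested drop in trace:", trace_shows_nested_drop(TRACE))
```

A non-zero flow_tunnel_encap_nested together with an encap sequence of two tunnel interfaces in the trace is the fingerprint of this unsupported design; the fix is to change routing so the inner tunnel's peer is not reached through the outer tunnel on the same firewall.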


