Is "Nested" IPSec (IPSec-over-IPSec) terminating on the same PA firewall supported?
15065
Created On 04/27/19 19:12 PM - Last Modified 05/06/19 08:42 AM
Question
Is "Nested" IPSec (IPSec-over-IPSec) terminating on the same PA firewall supported?
Answer
Currently, "Nested" IPSec (IPSec-over-IPSec) terminating on the same firewall is NOT supported.
A "Nested" tunnel, as the term is used here, is created by terminating two tunnels on two of the firewall's interfaces and then setting up a routing configuration that sends the inner tunnel's traffic through the outer tunnel. Packets for such a "Nested" tunnel are dropped by design.
The drop of nested-tunnel traffic was introduced to address the following issue: it prevents forwarding loops (which would be a misconfiguration), but it also denies this otherwise legitimate design.
The following setup illustrates the behavior and the implementation/design:
Inner tunnel (t.2) terminates on the lo.0 interface:
  lo.0 on local firewall: 192.168.21.10
  lo.0 on remote firewall: 192.168.22.10
Outer tunnel (t.1) terminates on the e1/1 interface:
  e1/1 on local firewall: 192.168.15.135
  e1/1 on remote firewall: 192.168.15.136
  t.1 on local firewall: 172.16.128.11
  t.1 on remote firewall: 172.16.128.12
Tested traffic:
  src: t.2 IP on PA1: 172.16.129.11
  dst: t.2 IP on PA2: 172.16.129.12
  Protocol: ICMP
Errors seen in global counters:
flow_tunnel_encap_err 2 0 drop flow tunnel Packet dropped: tunnel encapsulation error
flow_tunnel_encap_nested 2 0 drop flow tunnel Packet dropped: nested tunnel decapsulation
Detailed packet_diag debugs:
== 2017-04-10 22:21:49.331 -0700 ==
Packet received at fastpath stage
Packet info: len 98 port 4 interface 259 vsys 1
wqe index 11267 packet 0x0x7f0014c79dca
Packet decoded dump:
L2: 58:49:3b:e4:95:04->00:70:76:69:66:00, type 0x0800
IP: 172.16.129.11->172.16.129.12, protocol 1
version 4, ihl 5, tos 0x00, len 84,
id 0, frag_off 0x4000, ttl 64, checksum 28896
ICMP: type 8, code 0, checksum 14159, id 23837, seq 1
Flow fastpath, session 1177
IP checksum valid
2017-04-10 22:21:49.331 -0700 pan_flow_process_fastpath(src/pan_flow_proc.c:1572): SESSION-DSCP: set session DSCP: 0x00
Forwarding lookup, ingress interface 259
L3 mode, virtual-router 1
Route lookup in virtual-router 1, IP 172.16.129.12
Route found, interface tunnel.2, zone 5
Packet enters tunnel encap stage, tunnel interface tunnel.2
Resolving tunnel 4
Tunnel outbound msg
Forwarding lookup, ingress interface 260
L3 mode, virtual-router 1
Route lookup in virtual-router 1, IP 192.168.22.10
Route found, interface tunnel.1, zone 4, nexthop 172.16.128.12
Packet enters tunnel encap stage, tunnel interface tunnel.1
Packet dropped, nested tunnel encap, previous tunnel 3763828867, current interface 258
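The two artifacts above, the global counters and the packet_diag trace, are what a practitioner has to recognise when a nested-tunnel design silently stops forwarding. The following Python script is an added example (not part of the article or of PAN-OS) that parses both: it reads counter lines in the column order shown in the article (name, value, rate, severity, category, aspect, description), flags non-zero drop counters related to nested tunnels, and walks a packet_diag trace to reconstruct the encapsulation chain (tunnel.2 then tunnel.1) that triggers the nested-encap drop. The sample inputs are constructed from the lines quoted above; the column layout is an assumption based on those lines.

```python
import re

# Constructed sample input: the two global-counter lines quoted in the article,
# in the column order they appear there (name, value, rate, severity, category,
# aspect, description). Assumed layout, not an official format description.
SAMPLE_COUNTERS = """\
flow_tunnel_encap_err      2  0 drop  flow  tunnel  Packet dropped: tunnel encapsulation error
flow_tunnel_encap_nested   2  0 drop  flow  tunnel  Packet dropped: nested tunnel decapsulation
"""

# Constructed sample input: the forwarding-relevant lines of the packet_diag trace above.
SAMPLE_TRACE = """\
Packet received at fastpath stage
IP: 172.16.129.11->172.16.129.12, protocol 1
Route found, interface tunnel.2, zone 5
Packet enters tunnel encap stage, tunnel interface tunnel.2
Route lookup in virtual-router 1, IP 192.168.22.10
Route found, interface tunnel.1, zone 4, nexthop 172.16.128.12
Packet enters tunnel encap stage, tunnel interface tunnel.1
Packet dropped, nested tunnel encap, previous tunnel 3763828867, current interface 258
"""

COUNTER_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+(?P<severity>\S+)\s+"
    r"(?P<category>\S+)\s+(?P<aspect>\S+)\s+(?P<description>.+?)\s*$"
)
ENCAP_RE = re.compile(r"Packet enters tunnel encap stage, tunnel interface (\S+)")
NESTED_DROP_RE = re.compile(r"Packet dropped, nested tunnel encap")


def parse_global_counters(text):
    """Parse counter lines into {name: {field: value}}; non-matching lines are skipped."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if not m:
            continue  # header, blank line or unrelated output
        rec = m.groupdict()
        rec["value"] = int(rec["value"])
        rec["rate"] = int(rec["rate"])
        counters[rec["name"]] = rec
    return counters


def nested_drop_counters(counters):
    """Names of non-zero drop counters whose name or description mentions nesting."""
    return sorted(
        name for name, rec in counters.items()
        if rec["severity"] == "drop" and rec["value"] > 0
        and "nested" in (rec["name"] + rec["description"])
    )


def encap_chain(trace):
    """Return (tunnel interfaces the packet was encapsulated into, in order,
    whether a nested-encap drop was logged)."""
    chain, dropped = [], False
    for line in trace.splitlines():
        m = ENCAP_RE.search(line)
        if m:
            chain.append(m.group(1))
        elif NESTED_DROP_RE.search(line):
            dropped = True
    return chain, dropped


def diagnose(trace):
    """Summarise the trace: a second encap stage means the inner tunnel was routed
    into the outer one, which the firewall drops by design."""
    chain, dropped = encap_chain(trace)
    if len(chain) >= 2:
        verdict = "nested encapsulation " + " -> ".join(chain)
        return verdict + (" (dropped by design)" if dropped else " (no drop logged)")
    return "single encapsulation" if chain else "no tunnel encapsulation"


if __name__ == "__main__":
    print(nested_drop_counters(parse_global_counters(SAMPLE_COUNTERS)))
    print(diagnose(SAMPLE_TRACE))
```

The encapsulation chain is the decisive signal: a single "Packet enters tunnel encap stage" line is normal IPSec forwarding, while two such lines for one packet (tunnel.2 followed by tunnel.1, as in the trace) show the routing configuration sending the inner tunnel through the outer one, which is exactly the condition the firewall rejects.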