IPSec between Palo Alto and strongSwan – traffic between tunnel endpoint IPs (used for ESP transport) should pass through tunnel

ipsec palo-alto-networks routing

There is a Palo Alto firewall (which I have to configure) and an industrial controller (they call it CP) which I don't control.

Say Palo Alto has external IP 1.1.1.1 and CP has 2.2.2.2. These are the IPs they use to communicate with each other, and these IPs can be seen on a sniffer attached to PA's external interface.

IPSec tunnel gets established, and if the CP has a second interface, everything works as expected. But some of these CPs have only one interface, only one IP, and this IP should be reachable through the tunnel, but it is not.

Pinging 2.2.2.2 from PA and watching the sniffer shows why: PA sends an unencrypted ICMP echo request, which is not answered.
When instead the CP admin pings 1.1.1.1, the sniffer shows an ESP packet coming from 2.2.2.2 to 1.1.1.1, then PA answers with an unencrypted ICMP echo reply.

How can I make my PA send all traffic through the tunnel, except IPSec traffic?

  • I've tried to set up a route to 2.2.2.2 through the tunnel – of course the tunnel doesn't come up, because no network packets get sent through the unestablished tunnel.

  • I've tried to "explain" to the PA that it should send IPSec traffic a different way than other traffic – the routing table doesn't allow specifying a traffic type.

  • I've tried to set a policy based forwarding, which requires an IP for the tunnel. The tunnel only has 2 IPs; I tried to attach 1.1.1.1 to it, which PA didn't like.

  • I found similar questions, even here on Server Fault, and yes, it's the same struggle of how to route some packets straight through the internet and other packets through the tunnel, but it was about OpenVPN on Linux, not Palo Alto.

Some log output the CP admin talked about gave me the idea that the CPs use strongSwan, and I have been able to replicate the above behaviour using my PA and strongSwan on a Linux box.

Now I can test faster, but I still have no idea how to make the PA differentiate between encrypted and unencrypted packets for routing purposes.

Any better ideas anyone?

Thank you! TomTomTom

Best Answer

I regret to inform you that you are now able to share in my frustration:

PANs do not do IPsec transport mode

Why? I haven't the faintest idea. It's broken beyond belief. I'm hoping someone corrects me.

gateway charon: 11[IKE] <con3|14> establishing CHILD_SA con3{15}
gateway charon: 11[ENC] <con3|14> generating CREATE_CHILD_SA request 205 [ N(USE_TRANSP) N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
gateway charon: 11[ENC] <con3|14> parsed CREATE_CHILD_SA response 205 [ N(TS_UNACCEPT) ]
gateway charon: 11[IKE] <con3|14> received TS_UNACCEPTABLE notify, no CHILD_SA built

The solution I'm trying to deploy is, of course, junking these over-priced pieces of crap.
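As an added example (not part of the original question or answer), the strongSwan ipsec.conf below reproduces the two ways the Linux side can protect traffic between the endpoint addresses themselves: variant A is transport mode, which is what the charon log above shows being requested and rejected with TS_UNACCEPTABLE; variant B is the standard substitute, a tunnel-mode SA whose traffic selectors are the two host addresses (/32). Assumptions: IKEv2 with a pre-shared key, the strongSwan box plays the CP role at 2.2.2.2, the Palo Alto is 1.1.1.1, and the PSK is stored in ipsec.secrets. Whether the PA accepts variant B and how it routes 2.2.2.2/32 towards the tunnel is exactly the open question on this page and is not settled here.

```ini
# strongSwan ipsec.conf (added example, not from the original post).
# Assumed topology: this host = 2.2.2.2 (CP role), Palo Alto = 1.1.1.1.
# Assumed ipsec.secrets entry:  1.1.1.1 2.2.2.2 : PSK "replace-me"
config setup
    charondebug="ike 1, enc 1, cfg 1"

conn %default
    keyexchange=ikev2
    authby=secret
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256-modp2048!
    left=2.2.2.2
    leftid=2.2.2.2
    right=1.1.1.1
    rightid=1.1.1.1
    auto=add

# Variant A: transport mode between the two endpoint addresses.
# This is what the charon log in the answer shows: the CREATE_CHILD_SA
# request carries N(USE_TRANSPORT_MODE) and the peer replies TS_UNACCEPTABLE,
# so no CHILD_SA is built.
conn pa-transport
    type=transport

# Variant B: tunnel mode with host (/32) traffic selectors.
# Protects the same endpoint-to-endpoint traffic, but as ordinary tunnel-mode
# ESP. strongSwan would default both selectors to the host addresses if the
# subnet lines were omitted; they are spelled out here for clarity. The peer
# must offer matching selectors (on PAN-OS: proxy IDs 1.1.1.1/32 <-> 2.2.2.2/32).
conn pa-host-tunnel
    type=tunnel
    leftsubnet=2.2.2.2/32
    rightsubnet=1.1.1.1/32
```

Bring up one connection at a time with `ipsec up pa-transport` or `ipsec up pa-host-tunnel` and compare the charon output with the log lines in the answer. After a successful `pa-host-tunnel`, `ip xfrm policy` should show policies for the 2.2.2.2/32 and 1.1.1.1/32 pair, and a sniffer on the PA side should then see only ESP between the two addresses, including the ICMP that was previously sent in the clear.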
