IPsec VTI with Palo Alto



  • Hello,

    I'm testing the IPsec VTI feature with pfSense 2.4.5 dev and a Palo Alto firewall.

    An existing tunnel with a Vyatta router is working. The tunnel with pfSense is not.

    The difference is in the requested phase 2 SA. The pfSense tries to create a phase 2 with the public IPs.

    Sep 27 09:51:13	charon		05[KNL] received an SADB_ACQUIRE with policy id 8 but no matching policy found
    Sep 27 09:51:13	charon		05[KNL] creating acquire job for policy x.y.z.251/32|/0 === x.y.z.250/32|/0 with reqid {0}
    Sep 27 09:51:13	charon		05[CFG] trap not found, unable to acquire reqid 0
    

    The Vyatta creates a tunnel with 0.0.0.0/0:

    src 0.0.0.0/0 dst 0.0.0.0/0
            dir out priority 2051 ptype main
            mark 9437185/0xffffffff
            tmpl src x.y.z.68 dst x.y.z.234
                    proto esp reqid 16408 mode tunnel
    src 0.0.0.0/0 dst 0.0.0.0/0
            dir fwd priority 2051 ptype main
            mark 9437185/0xffffffff
            tmpl src x.y.z.234 dst x.y.z.68
                    proto esp reqid 16408 mode tunnel
    src 0.0.0.0/0 dst 0.0.0.0/0
            dir in priority 2051 ptype main
            mark 9437185/0xffffffff
            tmpl src x.y.z.234 dst x.y.z.68
                    proto esp reqid 16408 mode tunnel
    
    

    Has anyone an idea?

    Thanks, Martin
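The working Vyatta dump above shows what a VTI needs in the kernel policy: 0.0.0.0/0 selectors in all three directions, a mark binding the policy to the tunnel interface, and ESP templates between the two WAN addresses, whereas the pfSense acquire log asks for a /32-to-/32 selector. The following check is an added example, not code from the thread or from pfSense: it parses a dump in that layout and reports policies that deviate from the VTI shape. The addresses are constructed stand-ins for the anonymised x.y.z ones.

```python
import re

LOCAL_WAN, REMOTE_WAN = "198.51.100.68", "203.0.113.234"   # constructed stand-ins for x.y.z.*


def policy_text(direction, src_sel, dst_sel, tmpl_src, tmpl_dst):
    """Render one policy in the `ip xfrm policy` layout quoted in the thread."""
    return (f"src {src_sel} dst {dst_sel}\n        dir {direction} priority 2051 ptype main\n"
            f"        mark 9437185/0xffffffff\n        tmpl src {tmpl_src} dst {tmpl_dst}\n"
            f"                proto esp reqid 16408 mode tunnel\n")


# Constructed sample matching the working Vyatta dump: all-zero selectors in every direction.
GOOD_DUMP = (policy_text("out", "0.0.0.0/0", "0.0.0.0/0", LOCAL_WAN, REMOTE_WAN)
             + policy_text("fwd", "0.0.0.0/0", "0.0.0.0/0", REMOTE_WAN, LOCAL_WAN)
             + policy_text("in", "0.0.0.0/0", "0.0.0.0/0", REMOTE_WAN, LOCAL_WAN))


def parse_policies(dump):
    """One dict per policy: selector, direction, mark and ESP template endpoints."""
    out = []
    for block in filter(str.strip, re.split(r"^(?=src )", dump, flags=re.M)):
        sel = re.match(r"src (\S+) dst (\S+)", block)      # first line is the selector
        mark = re.search(r"mark (\S+)", block)
        tmpl = re.search(r"tmpl src (\S+) dst (\S+)", block)
        out.append({"src": sel[1], "dst": sel[2],
                    "dir": re.search(r"\bdir (\w+)", block)[1],
                    "mark": mark[1] if mark else None,
                    "tmpl": tmpl.groups() if tmpl else None})
    return out


def check_vti(dump, local_wan, remote_wan):
    """Return the problems found; an empty list means the policies fit a VTI tunnel."""
    problems, by_dir = [], {p["dir"]: p for p in parse_policies(dump)}
    for direction in ("out", "fwd", "in"):
        p = by_dir.get(direction)
        if p is None:
            problems.append(f"{direction}: policy missing")
            continue
        if (p["src"], p["dst"]) != ("0.0.0.0/0", "0.0.0.0/0"):
            problems.append(f"{direction}: selector {p['src']} -> {p['dst']} is not 0.0.0.0/0")
        if p["mark"] is None:
            problems.append(f"{direction}: no mark, so the policy is not bound to a VTI")
        # ESP leaves local -> remote; the fwd and in templates are the reverse pair.
        want = (local_wan, remote_wan) if direction == "out" else (remote_wan, local_wan)
        if p["tmpl"] != want:
            problems.append(f"{direction}: ESP endpoints {p['tmpl']} differ from {want}")
    return problems
```

Feed it the output of `ip xfrm policy` (or the equivalent dump from the box that owns the VTI) together with both WAN addresses; a narrow selector on a marked policy is the same symptom as the acquire job in the pfSense log.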


  • Rebel Alliance Developer Netgate

    Normally it would not request a P2 with the public IP addresses. P1, sure, but not P2. Not unless you accidentally put the public addresses in the VTI P2 settings where the internal tunnel endpoints should be.



  • Hello,

    I already tried to add the WAN IPs to Palo Alto's phase 2 - no success.

    Regards
    Martin



  • @msnetworks you should NOT add the WAN IPs to the phase 2 configuration. For phase 2 configuration you should choose an unused /30 network and configure your tunnel interfaces with two IPs out of this network.



  • Hello,

    I have not configured an explicit phase 2. The proxy id section is empty.

    The tunnel interfaces on PA and pfSense both have an IP address from a /30 network:
    pfSense net + 1 and PA net + 2.

    I also checked the whole phase 2 settings.

    Phase 1 comes up - but phase 2 does not.


    Regards,
    Martin



  • Hello,

    pfSense should send a phase 2 proxy id with 0.0.0.0/0-0.0.0.0/0 to PA, but doesn't do it.

    I think this is a bug?

    Regards,
    Martin


  • Rebel Alliance Developer Netgate

    Try the attached patch and see if it helps. I could not get the VTI to come up and pass traffic with only 0.0.0.0/0 in the rightsubnet and leftsubnet, but it did seem to connect and work with the attached patch that has both the VTI endpoints and all zeroes. I haven't tested to see if it interferes with anything else yet, though, just VTI itself (BGP connects and exchanges routes, traffic passes).

    0_1538745996158_ipsec-vti-0.0.0.0.diff

    Use the System Patches package to apply the diff, or make the changes by hand. After applying the patch, stop IPsec, then edit/save/apply the IPsec VTI P1 or P2 and it should restart with the new policy in place.



  • Hello,

    A first test was successful. I will test it this weekend.

    Thank you!