[Swan] Fwd: Connecting to Palo Alto FW

Tony Phillips tony at tonysown.net
Fri Mar 22 20:25:21 UTC 2019

Hey, folks!

I was wondering if anyone has any guidance on how to configure Libreswan to connect to a Palo Alto firewall which would terminate an IPsec VPN.

This is not a Road-warrior connection type use-case -- this will be an "Always On" case in which the VPN would be invoked as part of the bootup of a Linux (RHEL) VM.

I have successfully configured it when both endpoints were Libreswan, but now want to move it onto a hardware-based VPN endpoint due to the number of concurrent connections from different systems.  There is no need for L2TP -- just a basic routed IPsec tunnel.

The configuration on the Palo right now expects simple User ID and password to connect. 

No need (or want) for split-tunneling -- I expect to modify the route table of the VPN client to shove every packet into the VPN tunnel.

All of the VPN clients share a dedicated IP subnet which is routed by the Palo Alto.  Since these clients are NOT road warriors, their real ("eth0") IP address is always static.

There is no NATing anywhere in the path.

I've searched through the mailing list archives and Google and have found several examples using Cisco VPN (which uses PSK), but nothing on Palo Alto.

Any suggestions would be appreciated!
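As an added starting point (not from the original post or the Libreswan project), here is a Libreswan configuration that encodes the constraints described above: an always-on tunnel started at boot, static addresses on both ends, no NAT, and no split tunnel. It assumes the Palo Alto side is configured as a standard LAN-to-LAN IPsec tunnel authenticated with a pre-shared key, since a Palo Alto IKE gateway authenticates peers with a PSK or certificate; the user ID/password model belongs to its client-VPN mode and is not covered here. The addresses and the secret are placeholders.

```ini
# /etc/ipsec.conf  (added example; all addresses are constructed placeholders)
config setup
    protostack=netkey
    logfile=/var/log/pluto.log

conn palo-alto-always-on
    ikev2=insist               # IKEv2 only; refuse IKEv1 fallback
    authby=secret              # PSK, matched by the two IPs in ipsec.secrets
    left=192.0.2.10            # this RHEL VM's static eth0 address (assumed)
    leftsubnet=192.0.2.10/32   # only this host's traffic enters the tunnel
    right=198.51.100.1         # Palo Alto external interface (assumed)
    rightsubnet=0.0.0.0/0      # no split tunnel: every destination via the tunnel
    ike=aes256-sha2_256;modp2048
    esp=aes256-sha2_256        # must match the Palo IKE crypto / IPsec crypto profiles
    ikelifetime=8h
    salifetime=1h
    dpddelay=30                # dead-peer detection keeps an always-on tunnel honest
    dpdtimeout=120
    dpdaction=restart          # re-establish rather than silently drop to cleartext
    auto=start                 # bring the tunnel up when the ipsec service starts

# /etc/ipsec.secrets  (mode 0600, root only; replace the placeholder secret)
# 192.0.2.10 198.51.100.1 : PSK "replace-with-a-long-random-secret"
```

Enable the service so the tunnel is part of boot (`systemctl enable ipsec`) and confirm the SA is established with `ipsec status`; if the Palo Alto logs a proposal mismatch, the `ike=`/`esp=` lines are the first thing to compare against its crypto profiles.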
