[Swan] Fwd: Connecting to Palo Alto FW

Paul Wouters paul at nohats.ca
Sun Mar 24 14:13:14 UTC 2019


If you want to do 0/0 to 0/0 IPsec SAs, you must use the vti options to create devices, use vti-routing=no, and manually route things. Look at the libreswan vti page for more examples.

Sent from mobile device

> On Mar 22, 2019, at 21:25, Tony Phillips <tony at tonysown.net> wrote:
> 
> 
> Hey, folks!
> 
> I was wondering if anyone has any guidance on how to configure LibreSWAN to connect to a Palo Alto firewall which would terminate an IPSec VPN.
> 
> This is not a Road-warrior connection type use-case -- this will be an "Always On" case in which the VPN would be invoked as part of the bootup of a Linux (RHEL) VM.
> 
> I have successfully configured it when both endpoints were LibreSWAN, but now want to move it onto hardware-based VPN endpoint due to the number of concurrent connections from different systems.  There is no need for L2TP -- just a basic routed IPSec tunnel.
> 
> The configuration on the Palo right now expects simple User ID and password to connect. 
> 
> No need (or want) split-tunneling -- I expect to modify the route table of the VPN client to shove every packet into the VPN tunnel.
> 
> All of the VPN clients share a dedicated IP subnet which is routed by the Palo Alto.  Since these clients are NOT road warriors, their real ("eth0") IP address is always static.
> 
> There is no NATing anywhere in the path.
> 
> I've searched through the mail list archives and google and have found several examples using Cisco VPN (which uses PSK), but nothing on Palo Alto.
> 
> Any suggestions would be appreciated!
> 
> 
> 
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
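A concrete shape for the setup Paul describes (0/0 to 0/0 selectors on a VTI device with vti-routing=no and hand-installed routes), as an added example that is neither the thread's nor libreswan's own code; the conn name, addresses, gateway and VTI device name are constructed placeholders.

```shell
# Added example, not from the thread or the libreswan project. Renders a
# libreswan conn bound to a VTI device plus the routes that vti-routing=no
# leaves to the administrator. All addresses are constructed placeholders;
# the option keywords are standard libreswan ipsec.conf options.

PEER="203.0.113.1"        # constructed: Palo Alto WAN address
LOCAL="198.51.100.10"     # constructed: static eth0 address of the RHEL VM
GW="198.51.100.1"         # constructed: existing default gateway on eth0
VTI_DEV="vti01"           # constructed: VTI device libreswan will create
VTI_ADDR="10.99.0.2/30"   # constructed: address assigned to the VTI device

# Emit the conn section. Both traffic selectors are 0.0.0.0/0, which is
# why the VTI approach is needed: with vti-routing=no libreswan installs
# no routes itself, so eth0 traffic is not silently swallowed by the SA.
render_conn() {
  cat <<EOF
conn palo-vti
    left=$LOCAL
    leftsubnet=0.0.0.0/0
    leftvti=$VTI_ADDR
    right=$PEER
    rightsubnet=0.0.0.0/0
    ikev2=insist
    authby=secret
    mark=5/0xffffffff
    vti-interface=$VTI_DEV
    vti-routing=no
    auto=start
EOF
}

# Emit the manual routes in an order that keeps IKE/ESP reachable: the
# host route to the peer must exist before the default route moves onto
# the VTI, otherwise the tunnel's own packets would be routed into it.
render_routes() {
  printf 'ip route add %s/32 via %s\n' "$PEER" "$GW"
  printf 'ip route replace default dev %s\n' "$VTI_DEV"
}

# Usage (as root, after reviewing the output):
#   render_conn > /etc/ipsec.d/palo-vti.conf
#   render_routes | sh
```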


