[Swan] Fwd: Connecting to Palo Alto FW
Paul Wouters
paul at nohats.ca
Sun Mar 24 14:13:14 UTC 2019
If you want to do 0/0 to 0/0 IPsec SAs, you must use the vti options to create devices, use vti-routing=no, and manually route things. Look at the libreswan vti page for more examples.
Sent from mobile device
> On Mar 22, 2019, at 21:25, Tony Phillips <tony at tonysown.net> wrote:
>
>
> Hey, folks!
>
> I was wondering if anyone has any guidance on how to configure LibreSWAN to connect to a Palo Alto firewall which would terminate an IPSec VPN.
>
> This is not a Road-warrior connection type use-case -- this will be an "Always On" case in which the VPN would be invoked as part of the bootup of a Linux (RHEL) VM.
>
> I have successfully configured it when both endpoints were LibreSWAN, but now want to move it onto hardware-based VPN endpoint due to the number of concurrent connections from different systems. There is no need for L2TP -- just a basic routed IPSec tunnel.
>
> The configuration on the Palo right now expects simple User ID and password to connect.
>
> No need (or want) split-tunneling -- I expect to modify the route table of the VPN client to shove every packet into the VPN tunnel.
>
> All of the VPN clients share a dedicated IP subnet which is routed by the Palo Alto. Since these clients are NOT road warriors, their real ("eth0") IP address is always static.
>
> There is no NATing anywhere in the path.
>
> I've searched through the mail list archives and google and have found several examples using Cisco VPN (which uses PSK), but nothing on Palo Alto.
>
> Any suggestions would be appreciated!
>
>
>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
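The following is an added illustration of the approach Paul describes (a VTI-based 0/0-to-0/0 tunnel with vti-routing=no and manual routing); it is not configuration from the thread, from the libreswan project, or from a Palo Alto. All addresses, the interface name vti01, the mark value and the use of a pre-shared key (authby=secret) are assumptions chosen for the example; the thread does not settle how the Palo's user-ID/password requirement maps onto libreswan. The route commands are printed rather than executed so the script can be run anywhere; pipe gen_routes to sh as root to apply them.

```shell
#!/bin/sh
# Added example: libreswan "conn" for an always-on, route-everything VTI tunnel
# plus the manual routing that vti-routing=no leaves to the administrator.
# Every value below is an assumed placeholder, not something from the thread.
PEER_IP="${PEER_IP:-203.0.113.1}"        # assumed: Palo Alto tunnel endpoint
LOCAL_IP="${LOCAL_IP:-198.51.100.10}"    # assumed: this VM's static eth0 address
LOCAL_GW="${LOCAL_GW:-198.51.100.1}"     # assumed: eth0's default gateway
VTI_DEV="${VTI_DEV:-vti01}"              # assumed: VTI device libreswan will create
VTI_ADDR="${VTI_ADDR:-10.99.0.2/30}"     # assumed: address put on the VTI device
MARK="${MARK:-5}"                        # assumed: packet mark binding traffic to this SA

# Emit the ipsec.conf "conn" block. leftsubnet/rightsubnet of 0.0.0.0/0 cover all
# traffic, which is exactly why vti-routing=no is required: libreswan must not try
# to install a 0/0 route itself, or the IKE/ESP packets to the peer would be pulled
# into the tunnel as well.
gen_ipsec_conf() {
  cat <<EOF
conn paloalto-vti
    left=$LOCAL_IP
    right=$PEER_IP
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    mark=$MARK/0xffffffff
    vti-interface=$VTI_DEV
    vti-routing=no
    leftvti=$VTI_ADDR
    authby=secret
    ikev2=insist
    auto=start
EOF
}

# Emit the manual routing steps, in the order they must be applied:
#  1. pin the peer's own address to the real gateway so IKE and ESP never enter the VTI;
#  2. relax reverse-path filtering on the VTI, since replies arrive on it but the
#     kernel's lookup for their source would point at eth0;
#  3. only then move the default route onto the VTI so every other packet is encrypted.
gen_routes() {
  cat <<EOF
ip route add $PEER_IP/32 via $LOCAL_GW dev eth0
sysctl -w net.ipv4.conf.$VTI_DEV.rp_filter=0
ip route replace default dev $VTI_DEV
EOF
}

# Quick sanity check a practitioner would run before committing the config:
# a 0/0 tunnel without a pinned peer route is a self-inflicted outage.
check_peer_route_first() {
  gen_routes | head -n 1 | grep -q "^ip route add $PEER_IP/32 via "
}

# Stand-alone run: print the conn block and the routing commands.
gen_ipsec_conf
echo "# routing commands (run as root after 'ipsec auto --add paloalto-vti'):"
gen_routes
```

If the Palo Alto is configured for a different IKE version or authentication method, only the authby and ikev2 lines change; the VTI and routing parts are what make the 0/0-to-0/0 selector usable.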