[Openswan Users] IPSec connection and dynamic routing against a PaloAlto Networks device
Tuomo Soini
tis at foobar.fi
Thu Aug 18 13:42:51 EDT 2011
On Thu, 18 Aug 2011 18:58:33 +0200
Roberto Suarez Soto <roberto.suarez.soto at gmail.com> wrote:
> Hi,
>
> I'm trying to establish an IPSec VPN between a PaloAlto
> Networks device (don't know which exactly, it's out of our control)
> and openswan (v2.4.12, Debian "Lenny"). This is my configuration (IP
> addresses obfuscated by customer's request):
>
> conn myconnection
>     left=XXX.XXX.XXX.XXX
>     leftnexthop=XXX.XXX.XXX.XXY
>     right=ZZZ.ZZZ.ZZZ.ZZZ
>     auto=start
>     type=transport
>     authby=secret
>     ike=aes256-sha1
>     esp=aes256-sha1
>     leftsubnet=AA.AA.AA.AA/BB
>     rightsubnet=CC.CC.CC.CC/DD
>
> As you can see, it's a transport mode connection, but I've
> defined leftsubnet and rightsubnet anyway. The result is that I can
> route packets without problems between AA.AA.AA.AA/BB and
> CC.CC.CC.CC/BB, but I also accept traffic from the other side not in
> these networks. These networks are defined in the PaloAlto
> configuration as "proxy IDs".
This is a configuration error. This must be tunnel mode to carry IP
networks. Proxy IDs are actually tunneled subnets.
Only host-to-host can be transport mode.
--
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
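As an added illustration of the point made in the reply (not code from the thread or from the Openswan project), the small checker below parses ipsec.conf-style conn blocks and flags any conn that sets type=transport while its leftsubnet or rightsubnet names a whole network rather than a single host. The sample configuration is constructed here and uses RFC 5737 documentation addresses in place of the poster's obfuscated values.

```python
import ipaddress
import re

# Constructed sample modelled on the conn quoted in the thread; the second conn
# shows the one shape in which type=transport is legitimate (host-to-host).
SAMPLE_CONF = """
conn myconnection
    left=192.0.2.10
    leftnexthop=192.0.2.1
    right=198.51.100.20
    auto=start
    type=transport
    authby=secret
    ike=aes256-sha1
    esp=aes256-sha1
    leftsubnet=10.10.0.0/16
    rightsubnet=10.20.0.0/16

conn hosttohost
    left=192.0.2.10
    right=198.51.100.20
    type=transport
    authby=secret
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return conns

def is_single_host(subnet):
    """True if a leftsubnet/rightsubnet value selects exactly one address."""
    return ipaddress.ip_network(subnet, strict=False).num_addresses == 1

def lint_transport_mode(conns):
    """Flag conns using type=transport with network (not host) selectors.
    Transport mode only protects host-to-host traffic; whole subnets
    (the PaloAlto 'proxy IDs') need type=tunnel. Openswan defaults to tunnel."""
    findings = []
    for name, opts in conns.items():
        if opts.get("type", "tunnel") != "transport":
            continue
        for side in ("leftsubnet", "rightsubnet"):
            value = opts.get(side)
            if value and not is_single_host(value):
                findings.append(f"{name}: type=transport but {side}={value} "
                                f"is a network; use type=tunnel")
    return findings
```

Running `lint_transport_mode(parse_conns(SAMPLE_CONF))` reports both subnet selectors of `myconnection` and nothing for `hosttohost`.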