[Openswan Users] IPSec connection and dynamic routing against a PaloAlto Networks device

Tuomo Soini tis at foobar.fi
Thu Aug 18 13:42:51 EDT 2011

On Thu, 18 Aug 2011 18:58:33 +0200
Roberto Suarez Soto <roberto.suarez.soto at gmail.com> wrote:

> Hi,
> 	I'm trying to establish a IPSec VPN between a PaloAlto
> Networks device (don't know which exactly, it's out of our control)
> and openswan (v2.4.12, Debian "Lenny"). This is my configuration (IP
> addresses obfuscated by customer's request):
> conn myconnection
> 	leftnexthop=XXX.XXX.XXX.XXY
> 	right=ZZZ.ZZZ.ZZZ.ZZZ
> 	auto=start
> 	type=transport
> 	authby=secret
> 	ike=aes256-sha1
> 	esp=aes256-sha1
>          leftsubnet=AA.AA.AA.AA/BB
> 	rightsubnet=CC.CC.CC.CC/DD
> 	As you can see, it's a transport mode connection, but I've
> defined leftsubnet and rightsubnet anyway. The result is that I can
> route packets without problems between AA.AA.AA.AA/BB and
> CC.CC.CC.CC/BB, but I also accept traffic from the other side not in
> this networks. These networks are defined in the PaloAlto
> configuration as "proxy IDs".

This is configuration error. This must be tunnel mode to carry ip
networks. proxy IDs are actually tunneled subnets.

Only host-host can be transport mode.

Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>

More information about the Users mailing list