[Openswan Users] IPSec connection and dynamic routing against a PaloAlto Networks device
Paul Wouters
paul at xelerance.com
Fri Aug 19 09:56:21 EDT 2011
On Thu, 18 Aug 2011, Roberto Suarez Soto wrote:
> I'm trying to establish a IPSec VPN between a PaloAlto Networks device (don't
> know which exactly, it's out of our control) and openswan (v2.4.12, Debian
> "Lenny"). This is my configuration (IP addresses obfuscated by customer's
> request):
>
> conn myconnection
>         left=XXX.XXX.XXX.XXX
>         leftnexthop=XXX.XXX.XXX.XXY
>         right=ZZZ.ZZZ.ZZZ.ZZZ
>         auto=start
>         type=transport
>         authby=secret
>         ike=aes256-sha1
>         esp=aes256-sha1
>         leftsubnet=AA.AA.AA.AA/BB
>         rightsubnet=CC.CC.CC.CC/DD
>
> As you can see, it's a transport mode connection, but I've defined leftsubnet
> and rightsubnet anyway. The result is that I can route packets without
> problems between AA.AA.AA.AA/BB and CC.CC.CC.CC/BB, but I also accept traffic
> from the other side not in these networks. These networks are defined in the
> PaloAlto configuration as "proxy IDs".
I doubt that works. For hacks with "proxy ID" or "NATed IP"s inside invalid ipsec
policies, you might want to look at:
https://gsoc.xelerance.com/projects/openswan/wiki/Juniper_NAT-IPsec_hack_workaround
Paul
> Part of the intended setup is dynamic routing, so we can route several
> networks through this IPSec link. After discarding OSPF, we're going with RIP.
> It seems that the PaloAlto devices can't use GRE tunnels, so this has to be
> made directly through the IPSec connection.
>
> And here comes the problem. The RIP traffic that comes from the PaloAlto
> device uses the local IP of its "IPSec tunnel" (no idea what it means),
> which is, of course, from a network that I can't route anywhere (let's say
> "EE.EE.EE.EE"). So I can see packets from that IP through the IPSec link, but
> can't reply to them because I don't know where to send them.
>
> If I used KLIPS, I guess I could just route EE.EE.EE.EE/32 through some
> ipsec* device; but alas, I'm using NETKEY. So I'm stuck because I can't
> communicate with the PaloAlto device in any way to send it RIP information.
>
> Any idea of how I could achieve this?
>
> Thanks in advance.
>
>
> --
> Roberto Suarez Soto Hurt me plenty
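Whether the declared leftsubnet/rightsubnet actually constrain what NETKEY accepts is visible in the kernel SPD (`ip xfrm policy`) rather than in ipsec.conf. The following is an added example, not code from the thread or from Openswan: it compares a conn's declared subnets with parsed policy selectors and reports any selector the conn never declared. The conn values and the `ip xfrm policy` output are constructed samples.

```python
"""Compare an Openswan conn's declared subnets with the selectors installed in
the xfrm SPD.  Added example; the conn values and policy dump are constructed."""
import ipaddress
import re

# Constructed stand-ins for the thread's obfuscated leftsubnet/rightsubnet.
CONN = {"leftsubnet": "10.1.0.0/24", "rightsubnet": "10.2.0.0/24"}

# Constructed `ip xfrm policy` output: two policies that match the conn, plus a
# third whose source selector is wider than anything the conn declared.
XFRM_POLICY = """\
src 10.1.0.0/24 dst 10.2.0.0/24
    dir out priority 2344 ptype main
    tmpl src 203.0.113.10 dst 198.51.100.20
        proto esp reqid 16385 mode tunnel
src 10.2.0.0/24 dst 10.1.0.0/24
    dir in priority 2344 ptype main
    tmpl src 198.51.100.20 dst 203.0.113.10
        proto esp reqid 16385 mode tunnel
src 0.0.0.0/0 dst 10.1.0.0/24
    dir in priority 2344 ptype main
    tmpl src 198.51.100.20 dst 203.0.113.10
        proto esp reqid 16386 mode transport
"""

POLICY_RE = re.compile(r"src (\S+) dst (\S+)\n\s+dir (\w+).*?mode (\w+)", re.S)


def parse_policies(text):
    """Return (src, dst, direction, mode) for every policy block in the dump."""
    return [(ipaddress.ip_network(m.group(1)), ipaddress.ip_network(m.group(2)),
             m.group(3), m.group(4)) for m in POLICY_RE.finditer(text)]


def undeclared_policies(conn, policies):
    """Return policies whose selector pair is not contained in the declared
    leftsubnet/rightsubnet pair in either direction (out: left->right,
    in: right->left)."""
    left = ipaddress.ip_network(conn["leftsubnet"])
    right = ipaddress.ip_network(conn["rightsubnet"])
    bad = []
    for src, dst, direction, mode in policies:
        declared_out = src.subnet_of(left) and dst.subnet_of(right)
        declared_in = src.subnet_of(right) and dst.subnet_of(left)
        if not (declared_out or declared_in):
            bad.append((str(src), str(dst), direction, mode))
    return bad


if __name__ == "__main__":
    for pol in undeclared_policies(CONN, parse_policies(XFRM_POLICY)):
        print("selector not declared by conn:", pol)
```

On a live host, feed the real dump in with `ip xfrm policy` and the conn values read from ipsec.conf; any reported selector is traffic the kernel will accept on the SA that the conn never asked for.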