We need to connect with a remote site (new temporary business partner) via IPSec. We already have 3 tunnels (with other partners) which were easy to configure, but that new remote VPN gateway might use different naming for some options, which is hard to translate to UTM9 (since it could be just a missing feature).
They sent us list with their recommended settings for the tunnel but it's difficult to match them with the available IPSec Policy options in the UTM9.
I suppose they use a Palo Alto VPN solution and some settings may just have a different naming.
Not explicitly selectable (does the UTM9 have IKEv2?)
Available on UTM9:
- AES 128 CTR (128 bit)
- AES 192 CTR (192 bit)
- AES 256 CTR (256 bit)
- AES 128 GCM (96 bit)
- AES 192 GCM (96 bit)
- AES 256 GCM (96 bit)
- AES 128 GCM (128 bit)
- AES 192 GCM (128 bit)
- AES 256 GCM (128 bit)
...does any of them match aes-256-cbc?
Our main subnet with workstations is actually 192.168.91.0/24. They say they already have that subnet occupied and want us to use the 172... subnet.
Do we have to create that subnet and move all affected workstations (currently just 2) into this subnet (open FW between our 192.168.91.0 subnet, etc.), or is there a method to do a 1:1 NAT traversal between the IPSec tunnel and our existing 192... subnet? Every hint is highly appreciated!
You didn't say what hardware your UTM is running on.
They should make some changes.
Cheers - Bob
Assuming they give us some kind of 18.104.22.168/24 class (that could be mapped to our /24 class) and we would only need to connect to hosts on their side... I would create the tunnel like:

Tunnel:
- Create the tunnel in IPSec -> "New IPSec Connection"
- In that "Local Network" list create that Network 22.214.171.124/24
- Automatic firewall rules: off

NAT Mapping:
- In Network Protection -> NAT -> Create rule "1:1 NAT" with...
  - For traffic from: 192.168.91.0/24 (our real physical network)
  - Using service: Any
  - Going to: 10.159.0.0/16 (their real physical network)
  - Action: 1:1 NAT mode: Map source ???
  - Map to: 126.96.36.199/24
  - Automatic firewall rules: off

Firewall (since I didn't select automatic firewall rules):
- In Firewall ... create a rule like:
  - Sources: 192.168.91.0/24 (our physical network)
  - Services: Any
  - Destinations: 10.159.0.0/16 (their physical network)
  - Automatic firewall rules: off

...or would I need 2 firewall entries, like one from 192.xxx to 172.xxx and then the second from 172.xxx to 10.159.0.0/16?

Anything else?

Thank you in advance for your help!
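As an added illustration (not part of the thread and not Sophos UTM code), the following Python model shows what the proposed "1:1 NAT, map source" rule actually does to addresses: the host part of each 192.168.91.0/24 address is kept and only the network part is swapped, outbound towards 10.159.0.0/16 and back again for the replies. It also runs the sanity checks a practitioner would want before committing the rule (equal prefix lengths, no overlap with the partner's networks). The real subnets 192.168.91.0/24 and 10.159.0.0/16 are from the post; 172.31.91.0/24 is an assumed placeholder for the "172..." network the partner asked for, because the actual value is not legible in the thread.

```python
import ipaddress

# Values from the thread, plus one assumed placeholder (172.31.91.0/24) standing
# in for the "172..." subnet the partner wants to see on their side.
LOCAL_REAL = ipaddress.ip_network("192.168.91.0/24")     # our workstations
LOCAL_MAPPED = ipaddress.ip_network("172.31.91.0/24")    # assumed: what they see
PARTNER_NET = ipaddress.ip_network("10.159.0.0/16")      # their hosts
PARTNER_OCCUPIED = ipaddress.ip_network("192.168.91.0/24")  # why NAT is needed


def preflight(real, mapped, partner, partner_occupied):
    """Return a list of problems with a 1:1 NAT plan (empty list means OK).

    1:1 (network-to-network) NAT preserves the host bits and swaps only the
    network bits, so both networks must be the same size, and the mapped
    range must not collide with anything reachable through the tunnel.
    """
    real, mapped = ipaddress.ip_network(real), ipaddress.ip_network(mapped)
    partner = ipaddress.ip_network(partner)
    partner_occupied = ipaddress.ip_network(partner_occupied)
    problems = []
    if real.prefixlen != mapped.prefixlen:
        problems.append("real and mapped networks must have the same prefix length")
    if mapped.overlaps(partner):
        problems.append("mapped network overlaps the partner network")
    if mapped.overlaps(partner_occupied):
        problems.append("mapped network is already in use on the partner side")
    return problems


def map_address(addr, from_net, to_net):
    """Translate one address the way 1:1 NAT does: keep host bits, swap network."""
    addr = ipaddress.ip_address(addr)
    if addr not in from_net:
        raise ValueError(f"{addr} is not inside {from_net}")
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("networks differ in size; 1:1 mapping is impossible")
    host_bits = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + host_bits)


def outbound(src, dst):
    """Packet leaving towards the tunnel: the source address is rewritten."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in LOCAL_REAL and dst in PARTNER_NET:
        return str(map_address(src, LOCAL_REAL, LOCAL_MAPPED)), str(dst)
    return str(src), str(dst)  # not a tunnel flow: left untouched


def inbound(src, dst):
    """Reply arriving from the tunnel: the destination is rewritten back."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in PARTNER_NET and dst in LOCAL_MAPPED:
        return str(src), str(map_address(dst, LOCAL_MAPPED, LOCAL_REAL))
    return str(src), str(dst)


if __name__ == "__main__":
    print("preflight:", preflight(LOCAL_REAL, LOCAL_MAPPED, PARTNER_NET, PARTNER_OCCUPIED))
    print("outbound :", outbound("192.168.91.10", "10.159.1.1"))
    print("inbound  :", inbound("10.159.1.1", "172.31.91.10"))
```

Because the mapping is bijective, a reply addressed to 172.31.91.10 lands on 192.168.91.10 without any extra state; that is also why the firewall only has to allow the flow in the direction it is initiated, while the connection tracker handles the replies.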
If all traffic is originated on your side, then the connection tracker will pass the response traffic without another firewall rule. I would just select Automatic rules in the NAT, though.
Cheers - Bob