If you want to do 0/0 to 0/0 IPsec SAs, you must use the vti options to create devices, use vti-routing=no, and manually route things. Look at the libreswan vti page for more examples.
Sent from mobile device

> On Mar 22, 2019, at 21:25, Tony Phillips <[email protected]> wrote:
>
> Hey, folks!
>
> I was wondering if anyone has any guidance on how to configure LibreSWAN to
> connect to a Palo Alto firewall which would terminate an IPSec VPN.
>
> This is not a Road-warrior connection type use-case -- this will be an
> "Always On" case in which the VPN would be invoked as part of the bootup of a
> Linux (RHEL) VM.
>
> I have successfully configured it when both endpoints were LibreSWAN, but now
> want to move it onto hardware-based VPN endpoint due to the number of
> concurrent connections from different systems. There is no need for L2TP --
> just a basic routed IPSec tunnel.
>
> The configuration on the Palo right now expects simple User ID and password
> to connect.
>
> No need (or want) split-tunneling -- I expect to modify the route table of
> the VPN client to shove every packet into the VPN tunnel.
>
> All of the VPN clients share a dedicated IP subnet which is routed by the
> Palo Alto. Since these clients are NOT road warriors, their real ("eth0") IP
> address is always static.
>
> There is no NATing anywhere in the path.
>
> I've searched through the mail list archives and google and have found
> several examples using Cisco VPN (which uses PSK), but nothing on Palo Alto.
>
> Any suggestions would be appreciated!
>
> _______________________________________________
> Swan mailing list
> [email protected]
> https://lists.libreswan.org/mailman/listinfo/swan
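The 0/0-to-0/0 VTI setup the reply describes, as an added example that is not from the list post or the libreswan project: it renders a conn that uses vti-interface with vti-routing=no and a mark, then installs the routes by hand, keeping a host route for the peer outside the tunnel so the ESP packets themselves are not pulled into it. The interface name, the peer, local and gateway addresses (RFC 5737 documentation ranges) and the leftvti address are assumed placeholders.

```bash
#!/bin/bash
# Added example, not libreswan's own code or the poster's configuration.
# Assumed placeholders: replace with the real peer, local eth0 and gateway addresses.
VTI_IF=vti01
PEER=203.0.113.1        # Palo Alto peer (constructed, RFC 5737 address)
LOCAL_IP=198.51.100.10  # static eth0 address of this RHEL VM (constructed)
GW=198.51.100.1         # eth0 default gateway (constructed)
CONF=/etc/ipsec.d/palo-vti.conf

# Render the conn: 0.0.0.0/0 on both sides selects all traffic, mark= plus
# vti-interface= make libreswan create the VTI device, and vti-routing=no
# stops it from installing routes so that we control routing ourselves.
render_conn() {
cat <<EOF
conn palo-vti
    left=$LOCAL_IP
    leftsubnet=0.0.0.0/0
    right=$PEER
    rightsubnet=0.0.0.0/0
    mark=5/0xffffffff
    vti-interface=$VTI_IF
    vti-routing=no
    vti-shared=no
    leftvti=10.250.0.2/30
    authby=secret
    auto=start
EOF
}

# Emit the manual routing commands in the order they must run: first a /32 for
# the peer via the real gateway (otherwise the tunnel's own ESP packets would be
# routed into the tunnel and the SA could never come up), then the default
# route over the VTI device, which sends everything else through the tunnel.
route_cmds() {
    printf '%s\n' \
        "ip route add $PEER/32 via $GW dev eth0" \
        "ip route replace default dev $VTI_IF"
}

# Only touch the system when explicitly asked; restart ipsec afterwards.
if [ "${1:-}" = "--apply" ]; then
    render_conn > "$CONF"
    route_cmds | while read -r cmd; do $cmd; done
fi
```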
