There is a Palo Alto firewall (which I have to configure) and an industrial controller (they call it CP) which I don't control.
Say the Palo Alto has external IP 1.1.1.1 and the CP has 2.2.2.2. These are the IPs they use to communicate with each other, and these IPs can be seen on a sniffer attached to the PA's external interface.
The IPsec tunnel gets established, and if the CP has a second interface, everything works as expected. But some of these CPs have only one interface, only one IP, and this IP should be reachable through the tunnel, but it is not.
Pinging 2.2.2.2 from the PA and watching the sniffer shows why: the PA sends an unencrypted ICMP echo request, which is not answered. When instead the CP admin pings 1.1.1.1, the sniffer shows an ESP packet coming from 2.2.2.2 to 1.1.1.1, then the PA answers with an unencrypted ICMP echo reply.
How can I make my PA send all traffic through the tunnel, except IPsec traffic?
I've tried to set up a route to 2.2.2.2 through the tunnel - of course the tunnel doesn't come up, because no network packets get sent through the unestablished tunnel.
I've tried to "explain" to the PA that it should send IPsec traffic a different way than other traffic - the routing table doesn't allow specifying a traffic type.
I've tried to set up policy-based forwarding, which requires an IP for the tunnel. The tunnel only has 2 IPs; I tried to attach 1.1.1.1 to it, which the PA didn't like.
I found similar questions, even here on Server Fault, and yes, it's the same struggle of how to route some packets straight through the internet and other packets through the tunnel, but it was about OpenVPN on Linux, not Palo Alto.
Some log output the CP admin talked about gave me the idea that the CPs use strongSwan, and I have been able to replicate the above behaviour using my PA and strongSwan on a Linux box.
Now I can test faster, but I still have no idea how to make the PA differentiate between encrypted and unencrypted packets when it comes to routing.
Any better ideas anyone?
Thank you! TomTomTom
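For readers who want to reproduce the lab the poster describes, here is an added example (not the poster's own configuration, and not the CP vendor's) of a strongSwan `swanctl.conf` for a Linux box standing in for a single-interface CP. The address 2.2.2.2 is used both as the IKE endpoint and as the only address inside the child traffic selector, which is exactly the situation of a controller with one interface and one IP. The connection name, PSK, proposals and peer identities are assumed placeholders; the two addresses are the ones from the question.

```conf
# Added example, not the poster's config: strongSwan swanctl.conf for a Linux
# box playing the single-interface CP. Its own address 2.2.2.2 is the IKE
# endpoint AND the whole local traffic selector, so a ping to 1.1.1.1 matches
# the trap policy, IKE is started, and the echo request leaves as ESP, which
# is what the sniffer on the PA side showed.
# Connection name, PSK and proposals are assumed placeholders.
connections {
    to-pa {
        version = 2
        local_addrs  = 2.2.2.2
        remote_addrs = 1.1.1.1
        local {
            auth = psk
            id = 2.2.2.2
        }
        remote {
            auth = psk
            id = 1.1.1.1
        }
        proposals = aes256-sha256-modp2048
        children {
            host-to-host {
                # Protected traffic is the endpoint pair itself; a one-interface
                # controller has no separate inside network to put here.
                local_ts  = 2.2.2.2/32
                remote_ts = 1.1.1.1/32
                esp_proposals = aes256-sha256-modp2048
                # trap: install the kernel policy now, negotiate the SA on the
                # first packet that matches it
                start_action = trap
            }
        }
    }
}

secrets {
    ike-pa {
        id-1 = 1.1.1.1
        id-2 = 2.2.2.2
        # placeholder, replace with the real shared secret
        secret = "REPLACE-WITH-SHARED-SECRET"
    }
}
```

Load it with `swanctl --load-all`, then `ping 1.1.1.1` from the box while running `tcpdump -ni <external-interface> esp or icmp` on the PA side; the request should appear as ESP and, in the setup described above, the reply as cleartext ICMP. On the Linux side the decision "encrypt or not" is made by the kernel IPsec policy derived from `local_ts`/`remote_ts`, not by the routing table, which is the distinction the question is trying to get the PA to make.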