Palo Alto Site-to-Site VPNs

Route-Based Site-to-Site VPN

We must understand network topology and be able to determine the required number of tunnels. For example:

  • A single VPN tunnel may be sufficient for connecting a single central site to a single remote site.
  • Connections between a central site and multiple remote sites require a VPN tunnel for each central-remote site pair.
  • Each tunnel is bound to a tunnel interface.
  • The tunnel interface appears to the system as a normal interface, so the existing routing infrastructure can be applied to it.
  • Each tunnel interface can have a maximum of 10 IPsec tunnels.

VPN Tunnel Component Interaction

The diagram shows the various components that must be created to successfully configure an IPsec VPN tunnel. The arrows indicate the dependencies among components.

The three basic requirements for creating a VPN in PAN-OS® software are as follows:

  1. Create the tunnel interface or Phase 1 objects:
    • Interface configuration can be performed in the web interface by selecting Network > Interfaces > Tunnel.
    • The new logical interface must be added to a Layer 3 zone and to a virtual router, just as any other logical Layer 3 interface would be handled.
  2. Configure the IPsec tunnel or Phase 2 objects:
    • You can use the basic interface when you create a tunnel between PAN-OS devices with known IP addresses.
    • The only values needed are the tunnel interface to use, the local peer ID, the remote peer ID, and the pre-shared key (PSK).
    • If the configuration is site-to-site with another Palo Alto Networks firewall, use the default Crypto Profiles.
    • If the configuration is site-to-site with a different vendor's firewall, configure the advanced settings in the Crypto Profiles to match the peer.
  3. Add a static route to the virtual router or enable an applicable routing protocol such as BGP, OSPF, or RIP:
    • Add a route table entry for the remote network that points to the tunnel interface used in Steps 1 and 2.
    • Create a route for the remote network using the tunnel interface.
    • No next-hop IP address is required when tunnel interfaces are used.
    • Be sure to create a security rule to allow tunneled traffic.
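As a worked example added here (not part of the original post), the three steps above expressed as PAN-OS configuration-mode CLI for one route-based tunnel between two Palo Alto Networks firewalls. The addresses, zone and object names are constructed for illustration; the `set` command paths follow the PAN-OS CLI as I know it and should be checked against the CLI reference for your release.

```text
# Constructed topology for this example:
#   local site  : ethernet1/1 = 198.51.100.2 (zone untrust), LAN 192.168.10.0/24 (zone trust)
#   remote site : peer public IP 203.0.113.2, LAN 192.168.20.0/24
#   tunnel.1 is placed in its own Layer 3 zone "vpn" so tunneled traffic gets its own policy
configure

# Step 1: tunnel interface (Phase 1 object), added to a Layer 3 zone and a virtual router
set network interface tunnel units tunnel.1 comment "to remote site"
set zone vpn network layer3 tunnel.1
set network virtual-router default interface tunnel.1

# IKE gateway: local/peer addresses, peer IDs and the pre-shared key (use a long random PSK, IKEv2)
set network ike gateway remote-gw local-address interface ethernet1/1
set network ike gateway remote-gw peer-address ip 203.0.113.2
set network ike gateway remote-gw local-id type ipaddr id 198.51.100.2
set network ike gateway remote-gw peer-id type ipaddr id 203.0.113.2
set network ike gateway remote-gw protocol version ikev2
set network ike gateway remote-gw protocol ikev2 ike-crypto-profile default
set network ike gateway remote-gw authentication pre-shared-key key "REPLACE_WITH_LONG_RANDOM_PSK"

# Step 2: IPsec tunnel (Phase 2 object) bound to tunnel.1; default crypto profile is fine between PAN-OS peers
set network tunnel ipsec remote-tunnel tunnel-interface tunnel.1
set network tunnel ipsec remote-tunnel auto-key ike-gateway remote-gw
set network tunnel ipsec remote-tunnel auto-key ipsec-crypto-profile default

# Step 3: static route for the remote LAN via the tunnel interface; no next-hop IP is needed
set network virtual-router default routing-table ip static-route to-remote-lan destination 192.168.20.0/24 interface tunnel.1

# Security policy: permit only the two LANs across the tunnel, one rule per direction
set rulebase security rules lan-to-remote from trust to vpn source 192.168.10.0/24 destination 192.168.20.0/24 application any service application-default action allow
set rulebase security rules remote-to-lan from vpn to trust source 192.168.20.0/24 destination 192.168.10.0/24 application any service application-default action allow

commit

# Verification after commit (operational mode): both SAs should be up before traffic flows
# show vpn ike-sa gateway remote-gw
# show vpn ipsec-sa tunnel remote-tunnel
# show vpn flow
```

The same object names are reused on the remote firewall with the local and peer values swapped; keeping the tunnel in a dedicated zone means the allow rules can stay scoped to the two LANs instead of any/any.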
