topic Re: Hub and Spoke VPN in VM-Series in the Public Cloud

Hub and Spoke VPN

jhussain1 — Fri, 02 Feb 2024 12:25:03 GMT

Hello,

We have one PA firewall in azure cloud and rest we have Sophos on Mutiple sites with Dynamic IP's

We want to configure Hub and spoke VPN. with all sophos means PA site is Hub and rest of the site Spoke we dont want mutiple tunnel of each and every site.

Request will come from the peer site with dynamic IP's is this configuration is possible in PALO ALTO. If yes, how i can achieve this can any one help me.

Re: Hub and Spoke VPN

reaper — Fri, 02 Feb 2024 13:10:28 GMT

yes, this is possible and not very difficult:

VPN in palo alto relies on zones and routing, so all you really need is to establish all your tunnels, assign a zone to each tunnel interface, and set up routing for the remote subnets pointed towards the right tunnel (e.g. 192.168.0.0/24 to tunnel.1, 192.168.1.0/24 to tunnel.2 etc.)

then on the remote sites you also need to add the 'other' remote subnets to their respective tunnel routing, e.g site 1 192.168.0.0/24 needs to have a route for site2 (192.168.1.0/24) into the tunnel towards azure

site 2 192.168.1.0/24 needs to have a route for site 1 192.168.0.0/24 into the tunnel towards azure

once that's done all you need is security rules that allow vpn1 to go to vpn2, vpn2 to go to vpn1 and so on

P.S. if in need to have PROXY IDs for your tunnels, you'll need to mix and match all the allowed pairs there as well

proxyID1: local: 192.168.1.0/24 (for site 2) remote 192.168.0.0/24 (for site 1) <- used on site 1 tunnel

proxyID2: local: 192.168.0.0/24 (for site 1) remote 192.168.1.0/24 (for site 2) <- used on site 2 tunnel

Re: Hub and Spoke VPN

jhussain1 — Fri, 02 Feb 2024 13:21:26 GMT

@reaper is this possible by LSVPN.

Large Scale VPN (LSVPN) (paloaltonetworks.com)

Re: Hub and Spoke VPN

jhussain1 — Fri, 02 Feb 2024 13:39:23 GMT

@reaper I have one query only we will configure dynamic ip for peer site how this PA understand from where the traffic is coming.

Means Site A is having different dynamic IP address and Site B having different dynamic IP address. How the PA Hub site work on phase-1 and phase-2

Re: Hub and Spoke VPN

reaper — Fri, 02 Feb 2024 14:43:02 GMT

honestly i would not recommend LSVPN unless you have a lot of devices that move around. if they're sitting in an office and there's only 3, it makes more sense to configure a proper IPSec tunnel

Re: Hub and Spoke VPN

reaper — Fri, 02 Feb 2024 14:46:00 GMT

in the ike gateway object, configure a local and remote ID, that will ensure all endpoints can use a dynamic IP