https://live.paloaltonetworks.com/t5/next-generation-firewall/site-to-site-vpn-with-static-and-dynamic-routing/m-p/569545#M2264 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27580">@OtakarKlier</a>&nbsp; I agree, the scenario is not a good example to explain the route Redistribution concept.</P> Tue, 12 Dec 2023 20:58:03 GMT rmeddane 2023-12-12T20:58:03Z https://live.paloaltonetworks.com/t5/next-generation-firewall/site-to-site-vpn-with-static-and-dynamic-routing/m-p/569513#M2261 <P>&nbsp;</P> <P>I read the following article about Site to Site VPN With Static and Dynamic Routing.</P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/network-security/ipsec-vpn/administration/site-to-site-vpn-quick-configs/site-to-site-vpn-with-static-and-dynamic-routing" target="_self">https://docs.paloaltonetworks.com/network-security/ipsec-vpn/administration/site-to-site-vpn-quick-configs/site-to-site-vpn-with-static-and-dynamic-routing</A>&nbsp;</P> <P>&nbsp;</P> <P>The article says that the Satellite Site uses static Routing so the VPN Peer A has a static routes toward the Office LAN subnets let's say 172.16.101.0/24 as shown in the topology. And the Regional office Sie uses OSPF Routing Protocol.</P> <P>The VPN Site to Site is configured between VPN Peer A and VPN Peer B.</P> <P>A tunnel interface is configured on both palo alto firewalls.</P> <P>Then OSPF Routing Protocol is implemented between VPN Peer A and VPN Peer B through the Tunnel VPN in area 1.</P> <P>Finally the VPN Peer B was configured to redistribute the static route to 172.16.101.0/24 into OSPF domain to ensure end to end connectivity.</P> <P>&nbsp;</P> <P>From the scenario explained in the article, we conclude that both VPN Peer A and VPN Peer B are running different routing mechanisms, STATIC Routing and Dynamic Routing.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="VPN Redi Profile 2.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/55852iF954AC24E59D6009/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="VPN Redi Profile 2.png" alt="VPN Redi Profile 2.png" /></span></P> <P>&nbsp;</P> <P>Do you think that it should be better to do this once on VPN Peer A firewall only, since it has already static routes to the Satellite Subnets, so we can simply configure the VPN Peer A to redistribute these static routes into OSPF Domain as shown below without the need of adding static routes on VPN Peer B, especially in large deployment.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="VPN Redi Profile 1.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/55853i8642F3C6A44D160F/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="VPN Redi Profile 1.png" alt="VPN Redi Profile 1.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 12 Dec 2023 17:49:24 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/site-to-site-vpn-with-static-and-dynamic-routing/m-p/569513#M2261 rmeddane 2023-12-12T17:49:24Z https://live.paloaltonetworks.com/t5/next-generation-firewall/site-to-site-vpn-with-static-and-dynamic-routing/m-p/569542#M2263 <P>Hello,</P> <P>Yeah they made it very complicated in the article on purpose. I prefer OSPF where applicable and static if I have to or need to.&nbsp;</P> <P>&nbsp;</P> <P>Cheers.</P> Tue, 12 Dec 2023 20:29:12 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/site-to-site-vpn-with-static-and-dynamic-routing/m-p/569542#M2263 OtakarKlier 2023-12-12T20:29:12Z https://live.paloaltonetworks.com/t5/next-generation-firewall/site-to-site-vpn-with-static-and-dynamic-routing/m-p/569545#M2264 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27580">@OtakarKlier</a>&nbsp; I agree, the scenario is not a good example to explain the route Redistribution concept.</P> Tue, 12 Dec 2023 20:58:03 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/site-to-site-vpn-with-static-and-dynamic-routing/m-p/569545#M2264 rmeddane 2023-12-12T20:58:03Z