https://live.paloaltonetworks.com/t5/general-topics/route-to-ipsec-tunnel/m-p/549555#M112125 <P>Hi All,</P> <P>I need to add a route pointing to a Tunnel interface. As the peer has dynamic IP have created the IPsec tunnel with Dynamic IP Peer Identification as its Hostname.</P> <P>&nbsp;</P> <P>To Add route in the VR as we do not have IP address if i just point it to the tunnel interface and select IP address as none would be enough?</P> <P>&nbsp;</P> <P>Or is there any other way to configure it?</P> <P>Regards,</P> <P>Sanjay S</P> <P>&nbsp;</P> Mon, 17 Jul 2023 10:57:34 GMT Sanjay_Ramaiah 2023-07-17T10:57:34Z https://live.paloaltonetworks.com/t5/general-topics/route-to-ipsec-tunnel/m-p/549555#M112125 <P>Hi All,</P> <P>I need to add a route pointing to a Tunnel interface. As the peer has dynamic IP have created the IPsec tunnel with Dynamic IP Peer Identification as its Hostname.</P> <P>&nbsp;</P> <P>To Add route in the VR as we do not have IP address if i just point it to the tunnel interface and select IP address as none would be enough?</P> <P>&nbsp;</P> <P>Or is there any other way to configure it?</P> <P>Regards,</P> <P>Sanjay S</P> <P>&nbsp;</P> Mon, 17 Jul 2023 10:57:34 GMT https://live.paloaltonetworks.com/t5/general-topics/route-to-ipsec-tunnel/m-p/549555#M112125 Sanjay_Ramaiah 2023-07-17T10:57:34Z https://live.paloaltonetworks.com/t5/general-topics/route-to-ipsec-tunnel/m-p/549593#M112128 <P>Hi there,</P> <P>To add a static route you would specify the tunnel next-hop along with the destination prefix. For the purpose of routing via the tunnel you do not worry about the remote end having a dynamic address, it is the encapsulated address that you are interested in and this will be static.</P> <P>&nbsp;</P> <P>IP address, next-vr and FQDN are valid values for the mandatory next-hop field. Specifying the outbound interface is optional. It is worth noting that creating a static route without a next-hop address comes with the addtional baggage of increasing the ARP table. At least that is the case on other routing platforms, thankfully Palo Alto doesn't let you! I wrote a blog post about it if you are interested:</P> <P><A href="https://cs7networks.co.uk/2022/01/10/static-route-next-hop/" target="_blank">Static route next-hop – CS7 Networks</A></P> <P>&nbsp;</P> <P>cheers,</P> <P>Seb.</P> Mon, 17 Jul 2023 15:24:43 GMT https://live.paloaltonetworks.com/t5/general-topics/route-to-ipsec-tunnel/m-p/549593#M112128 seb_rupik 2023-07-17T15:24:43Z https://live.paloaltonetworks.com/t5/general-topics/route-to-ipsec-tunnel/m-p/549633#M112129 <P>Hello,</P> <P>When entering the static route, Enter the following:</P> <P>Name: &lt;whatever name you choose&gt;</P> <P>Destination: &lt;Your ip/subnet in CIDR&gt;</P> <P>Interface: &lt;Your tunnel interface&gt;</P> <P>Next Hope: NONE</P> <P>&nbsp;</P> <P>Hopefully there is a corresponding route on the other side to get traffic back.&nbsp;</P> <P>Regards,</P> Mon, 17 Jul 2023 21:41:46 GMT https://live.paloaltonetworks.com/t5/general-topics/route-to-ipsec-tunnel/m-p/549633#M112129 OtakarKlier 2023-07-17T21:41:46Z