https://live.paloaltonetworks.com/t5/general-topics/questions-while-creating-first-ipsec-tunnel/m-p/599988#M119267 <P>We have our egress on Eth1/1 with a public IP assigned by our provider. <BR />We also own a separate public subnet. <BR />We have the internet working and want to add an IPsec tunnel from our PAN to a partner also running PAN. <BR />I'm told to continue using the Eth1/1 interface.</P> <P>&nbsp;</P> <P>Do you see problems with this solution? Diagram attached.</P> <P>Eth1/1 is untrust. It has IP 4.4.4.4. <BR />We add a second public IP to Eth1/1 from the subnet we own (5.5.5.5)<BR />Create a new zone for IPSec. <BR />Create a tunnel.1 interface. Assign it to the IPSec zone. <BR />Create an IKE Gateway Profile that uses our 5.5.5.5 and the public Peer IP 6.6.6.6. <BR />Then we define the IPSec Tunnel to be Tunnel.1 and the IKE Gateway Profile. <BR />Lastly, we configure static route to forward destination traffic to Tunnel.1.</P> <P>&nbsp;</P> <P>Would this work? Are there better ways to set this up?</P> <P>&nbsp;</P> <P>Phase 2 plan would be to add additional tunnel interfaces for other partners.</P> <P>tunnel.2, etc. with 5.5.5.5 being our source IP. 7.7.7.7 being the peer. <BR />But what happens if two partners use the same internal subnets in their respective tunnels? How do you route LAN traffic to the correct tunnel?</P> <P>&nbsp;</P> Wed, 09 Oct 2024 21:34:41 GMT 1treelanedrv 2024-10-09T21:34:41Z https://live.paloaltonetworks.com/t5/general-topics/questions-while-creating-first-ipsec-tunnel/m-p/599988#M119267 <P>We have our egress on Eth1/1 with a public IP assigned by our provider. <BR />We also own a separate public subnet. <BR />We have the internet working and want to add an IPsec tunnel from our PAN to a partner also running PAN. <BR />I'm told to continue using the Eth1/1 interface.</P> <P>&nbsp;</P> <P>Do you see problems with this solution? Diagram attached.</P> <P>Eth1/1 is untrust. It has IP 4.4.4.4. <BR />We add a second public IP to Eth1/1 from the subnet we own (5.5.5.5)<BR />Create a new zone for IPSec. <BR />Create a tunnel.1 interface. Assign it to the IPSec zone. <BR />Create an IKE Gateway Profile that uses our 5.5.5.5 and the public Peer IP 6.6.6.6. <BR />Then we define the IPSec Tunnel to be Tunnel.1 and the IKE Gateway Profile. <BR />Lastly, we configure static route to forward destination traffic to Tunnel.1.</P> <P>&nbsp;</P> <P>Would this work? Are there better ways to set this up?</P> <P>&nbsp;</P> <P>Phase 2 plan would be to add additional tunnel interfaces for other partners.</P> <P>tunnel.2, etc. with 5.5.5.5 being our source IP. 7.7.7.7 being the peer. <BR />But what happens if two partners use the same internal subnets in their respective tunnels? How do you route LAN traffic to the correct tunnel?</P> <P>&nbsp;</P> Wed, 09 Oct 2024 21:34:41 GMT https://live.paloaltonetworks.com/t5/general-topics/questions-while-creating-first-ipsec-tunnel/m-p/599988#M119267 1treelanedrv 2024-10-09T21:34:41Z https://live.paloaltonetworks.com/t5/general-topics/questions-while-creating-first-ipsec-tunnel/m-p/600913#M119358 <P>Hello,</P> <P>This looks correct. I didnt review all of your policies in the pictures, but the steps are correct. If the partners have the same IP's on their internal networks, you'll need to read the following:</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUFCA0" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUFCA0</A></P> <P>&nbsp;</P> <P>Regards,</P> Tue, 15 Oct 2024 20:55:15 GMT https://live.paloaltonetworks.com/t5/general-topics/questions-while-creating-first-ipsec-tunnel/m-p/600913#M119358 OtakarKlier 2024-10-15T20:55:15Z