topic Re: VPN over MetroE in General Topics

VPN over MetroE

Paul_Lupini — Wed, 02 May 2018 15:37:58 GMT

I've been given an L2 handoff from Comcast from our data center to our co-location. I can move switched traffic over the link between the Palos at both sites with no issues. My problem comes when I try to add L3 and a a tunnel to the link. I've set up many site-to-site vpns before, but this is my first time trying to add it to an L2 interface.

My first attempt I told the Palo the the L2 interface was an L3, and applied my normal configurations for setting up the tunnel. It does attempt to negotiate, but times out.

My second attempt I used an older KB by Palo from around 2010 where it used a VLAN interface. However, the guide was setting it up to work from a single Palo versus between two separate. I can't even see them attempt to negotiate in the logs, so fairly sure I totally messed that configuration up.

Does any one have any advice, or can point me to a more solid resource for setting this up?

Thank you!

Re: VPN over MetroE

JoeAndreini — Wed, 02 May 2018 16:38:17 GMT

Let's take this one step at a time.

You say you can move switched traffic over the link. What happens if you add IP addresses to the interfaces connected to comcast (configure them as L3) and add a ping management profile during troubleshooting - can you ping across teh link (you should be able to)

Now configure your IPSEC tunnel using those IP addresses as the targets for the tunnel - does the tunnel come up?

Are you able to share any configuration details? We may need more detail to determine exactly what you have configured and make better recommendations.

If they deliver you a "Layer 2" tunnel, it just means they don't have a gateway you need to reach out to, layer 3 and above are up to you.

Re: VPN over MetroE

Paul_Lupini — Wed, 02 May 2018 16:39:54 GMT

Thanks for the advice. I'll give that a go after lunch and report back.

Re: VPN over MetroE

OtakarKlier — Wed, 02 May 2018 18:24:06 GMT

Hello,

I agree with @JoeAndreini. I also have L2 connections and that is how i do it. Just give each interface the WAN link connect to a RFC 1918 /30 and do the same on the other side with the corresponding /30 address. I also add static routes for the /30's in each direction along with the associated Polcies to secure the traffic.

Cheers!

Re: VPN over MetroE

JoeAndreini — Wed, 02 May 2018 18:33:33 GMT

At that point you can configure your IPSEC tunnel as if it was over any other network.