topic Re: Bind multiple VPNs to a single tunnel interface? in General Topics

Bind multiple VPNs to a single tunnel interface?

wmclendon — Thu, 10 Feb 2011 15:48:50 GMT

greetings all,

I come from a ScreenOS background, and in their world, you can terminate multiple route-based VPNs onto a single logical tunnel interface.

We have 30-40 remote sites with VPN tunnels back to HQ, which will soon be a new PAN firewall. In our lab I have tried to configure multiple IPSec VPNs terminating onto the same tunnel interface and I get the following error:

Tunnel interface tunnel.1 multiple binding with different IKE gateways.

This leads me to believe I will have to create a tunnel interface per each remote site -- is this the case? or is there a configuration setting I am missing that will allow this configuration?

If it is the case, i'm a little worried about having to run a routing protocol on each and every one of those interfaces (we need to dynamically learn routes from the remote sites in our scenario)

Thanks,

Will

Re: Bind multiple VPNs to a single tunnel interface?

odaos — Thu, 17 Feb 2011 23:07:06 GMT

Hello,

Yes, you can bind multiple VPNs to an interface. It would be best to have a zone specified to a tunnel interface so to be able to create separate VPN policies. Heres a doc for configuring IPSEC VPN: https://live.paloaltonetworks.com/docs/DOC-1163

Re: Bind multiple VPNs to a single tunnel interface?

ncampagna — Wed, 23 Feb 2011 06:35:22 GMT

Hi Will,

We do support adding multiple phase 2's to a single tunnel interface. However your question is specific to phase 1's or IKE gateway configurations. For this you will need an additional tunnel interface for each site to which you want to connect.

Thanks,

Nick

Re: Bind multiple VPNs to a single tunnel interface?

johng — Wed, 20 Jun 2012 16:47:43 GMT

Hi Nick,

I have the same issue where I can't bind phase 2 to the same tunnel interface and I got this error message.

Operation

Commit

Result

Failed

Details:
· Tunnel interface tunnel.1 multiple binding with different IKE gateways. IPSec tunnel: johng-fw-01. IKE gateway: johng-fw-01.

· Tunnel interface tunnel.1 multiple binding with different IKE gateways. IPSec tunnel: VPN-Z-Test-PA200. IKE gateway: VPN-Z-Test-PA200.

· Configuration is invalid

Can you please tell me how do you achive that?

Thanks,

Johnson

Re: Bind multiple VPNs to a single tunnel interface?

ncampagna — Wed, 20 Jun 2012 17:13:00 GMT

Hi Johnson,

You cannot attach an IPSec tunnel to multiple IKE gateways. You can attach multiple IPSec tunnels to a common IKE gateway. This is commonly done to support >10 proxy IDs on a connection to a single VPN (IKE) peer. Can you please share a bit more information on what you're trying to do? That way we can recommend the correct configuration.

Thanks,

Nick

Re: Bind multiple VPNs to a single tunnel interface?

alexander_conn — Tue, 16 Jul 2013 03:03:54 GMT

So for example, I could have 3 remote sites. Say site A, B and C. Then on the firewall I have 1 IKE Gateway configured. Site A, B and C could establish a VPN tunnel via the 1 IKE gateway I've configured on the firewall? In other words, each VPN tunnel configured on the firewall, would have the same IKE gateway set for it?

Re: Bind multiple VPNs to a single tunnel interface?

ncampagna — Tue, 16 Jul 2013 17:48:04 GMT

Hi Alexander,

If you have three separate sites, you'll need a separate IKE gateway for each. The IKE gateway specifies the local and remote IP addresses that will be the termination points for each tunnel. In your case, you would configure three IKE gateways, and associate unique tunnel to each one.

Thanks,

Nick

Re: Bind multiple VPNs to a single tunnel interface?

rparamati — Mon, 29 Jul 2013 10:49:36 GMT

Hi Nick,

I have worked with juniper SRX earlier, In order to configure site to multisite VPN's I use to configure "multipoint" option for the tunnel interface.

What is the additional option to used in PA , in order to configure Site-Multi Site VPN ?

Thanks

Re: Bind multiple VPNs to a single tunnel interface?

Retired Member — Mon, 29 Jul 2013 20:52:13 GMT

I believe that the feature that Juniper ScreenOS/SRX uses to support binding multiple VPNs to single tunnel interface is called next-hop tunnel binding (NHTB). This is not part of the RFC standard for IPsec and should be considered proprietary for Juniper. For the most part this allows to save on the number of tunnel interfaces that would need to be configured and is meant for hub-and-spoke configurations. The configuration though is not that simple in that despite sharing single tunnel interface as you still need to populate the NHTB table with either static NHTB entries or via routing protocol such as OSPF p2mp.

For PAN-OS there are two options to do similar scenario.

1. With 5.0 you can deploy large-scale VPN with Global Protect Satellite configuration. This is closest to Juniper NHTB. It is actually similar in that you can use a single tunnel interface and then can either specify routes to advertise to GP gateway or use OSPF to learn routes from all spoke sites. But also can do much more in that the configs on each satellite site is rather easy since you point each satellite site to the GP portal to automatically get all configs about each GP gateway to connect to.

2. Configure separate tunnel interface for each spoke site. There should not be an issue with limit on number of tunnel interfaces that can be configured (actually the limit is higher than the max number if SAs that can be configured). Then you can add each of the interfaces into OSPF p2p to learn each spoke site routes.

For reference, here is a good doc on the Large-Scale VPN feature in 5.0.

https://live.paloaltonetworks.com/docs/DOC-4139

Hope this helps.

-Richard