topic Re: Site to site VPN terminating in DMZ possible? in General Topics

Site to site VPN terminating in DMZ possible?

ajezierski — Tue, 19 Jun 2012 18:49:52 GMT

Is it possible to setup a site to site VPN and have it terminate on the DMZ interface rather than the WAN interface? We have numerous remote locations that are running small sonicwall firewalls and connecting back to our corporate site. They currently terminate on a Sonicwall, but we are migrating over to a Palo Alto unit. The reason for terminating in the DMZ is that we'd like to be able to use redundant WAN connections with BGP routing. This way if one of the ISPs goes down, the VPN will still be accessible through the other ISP.

Any docs on how to do this? I couldn't locate any.

Thanks

Andy

Re: Site to site VPN terminating in DMZ possible?

santonic — Mon, 15 Oct 2012 13:26:14 GMT

I would like some info on this issue as well. I've tried terminating VPN on the DMZ interface with public IP address and it didn't work. VPN tunnel was established quickly and without any problems. But I couldn't get any traffic through it. What was even more confusing I couldn't find any log entries about encrypted traffic at all! I have a default drop rule in the end which logs everything, yet I still didn't get any log entries. I used the packet capturing feature and I could see packets logged in received stage, but not at firewall or transmitted stage.

When I gave up debugging the mentioned situation I've terminated VPN tunnel on WAN interface (with same settings) and everything worked imeediatelly.

Any official info about this?

Re: Site to site VPN terminating in DMZ possible?

mikand — Tue, 16 Oct 2012 03:01:18 GMT

Shouldnt it work if you setup a loopback interface out of your PI range (or whatever you use for BGP announcement) and configure your VPN to use this loopback interface?

Re: Site to site VPN terminating in DMZ possible?

santonic — Tue, 16 Oct 2012 06:30:55 GMT

In my current situation i don't have PI and BGP. But it is something customer is looking into for the near future so any input on this would be welcome too.

I just wanted to terminate VPN in public DMZ but failed to get any actual traffic through VPN despite VPN going up without any problems.

Re: Site to site VPN terminating in DMZ possible?

mikand — Tue, 16 Oct 2012 07:37:18 GMT

This should work before you get BGP aswell, just use an ip out of your public range as loopback.

Then when you configure the tunnel you set it to zone DMZ - this way you wont need any security rules for traffic going to the DMZ servers (because the tunnel and the server will be on the same zone).