https://live.paloaltonetworks.com/t5/general-topics/vpn-s2s-and-description-ssl-in-wires-mode/m-p/296515#M77980 <P>Hello there</P><P>&nbsp;</P><P>In both situations, you can do SSL and S2S VPNs with VWire...&nbsp; but... you will also need to configure a L3 interface/address that is private on your network.&nbsp; I have configured this on my PA220, when my ISP had its DHCP public IP (residential cable modem/router/all in one) and I wanted to setup a VPN.&nbsp;&nbsp;</P><P>&nbsp;</P><P>For S2S VPN, you need to ensure that L3 interface is connected to your downstream switch (so that the Vwire AND this L3 interface are on the same broadcast domain).</P><P>&nbsp;</P><P>Configure the IKE Gateway using the L3 interface and traffic will be able to pass through the VWire.</P><P>&nbsp;</P><P>Now, SSL Inbound Inspection (where you take the public/private keys from your servers and put onto the FW, should allow you do decrypt traffic as it passes through the FW downstream to your DMZ, or vice versa.</P><P>&nbsp;</P><P>For SSL Forward Proxy, you may want to test it out, but you can try to leverage the ability to do SNAT or DNAT on traffic.</P><P>Example:&nbsp; When VWire-trusted goes to VWire-Untrusted, then SNAT the traffic using a Translated Address object (vs an Interface Address).&nbsp; If I created an Address Object called VWire-Translate with an IP of 9.9.9.9, then it would be this Translated Address object (of 9.9.9.9) that your traffic would be using.</P><P>&nbsp;</P><P>If this does not work, then you would need to create a L3 interface to use for SSL Forward Proxy.</P><P>&nbsp;</P><P>Read SSL Decryption documentation and substitute your L3 interface for CN field and you should be fine.&nbsp;</P> Tue, 05 Nov 2019 23:54:44 GMT S.Cantwell 2019-11-05T23:54:44Z https://live.paloaltonetworks.com/t5/general-topics/vpn-s2s-and-description-ssl-in-wires-mode/m-p/296396#M77975 <PRE><SPAN>Hello, I have a couple of doubts and I would like you to help me about it. 1.- Is it possible to perform an Ipsec VPN when the firewall is in V-Wires mode? Only having an IP in the administration interface? 2.- Is it possible to perform SSL decryption when the firewall is in V-Wires mode? If so, what parameters should the digital certificate have? Thank you very much for your help in this regard.</SPAN></PRE> Tue, 05 Nov 2019 19:05:27 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-s2s-and-description-ssl-in-wires-mode/m-p/296396#M77975 Lcarocas 2019-11-05T19:05:27Z https://live.paloaltonetworks.com/t5/general-topics/vpn-s2s-and-description-ssl-in-wires-mode/m-p/296515#M77980 <P>Hello there</P><P>&nbsp;</P><P>In both situations, you can do SSL and S2S VPNs with VWire...&nbsp; but... you will also need to configure a L3 interface/address that is private on your network.&nbsp; I have configured this on my PA220, when my ISP had its DHCP public IP (residential cable modem/router/all in one) and I wanted to setup a VPN.&nbsp;&nbsp;</P><P>&nbsp;</P><P>For S2S VPN, you need to ensure that L3 interface is connected to your downstream switch (so that the Vwire AND this L3 interface are on the same broadcast domain).</P><P>&nbsp;</P><P>Configure the IKE Gateway using the L3 interface and traffic will be able to pass through the VWire.</P><P>&nbsp;</P><P>Now, SSL Inbound Inspection (where you take the public/private keys from your servers and put onto the FW, should allow you do decrypt traffic as it passes through the FW downstream to your DMZ, or vice versa.</P><P>&nbsp;</P><P>For SSL Forward Proxy, you may want to test it out, but you can try to leverage the ability to do SNAT or DNAT on traffic.</P><P>Example:&nbsp; When VWire-trusted goes to VWire-Untrusted, then SNAT the traffic using a Translated Address object (vs an Interface Address).&nbsp; If I created an Address Object called VWire-Translate with an IP of 9.9.9.9, then it would be this Translated Address object (of 9.9.9.9) that your traffic would be using.</P><P>&nbsp;</P><P>If this does not work, then you would need to create a L3 interface to use for SSL Forward Proxy.</P><P>&nbsp;</P><P>Read SSL Decryption documentation and substitute your L3 interface for CN field and you should be fine.&nbsp;</P> Tue, 05 Nov 2019 23:54:44 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-s2s-and-description-ssl-in-wires-mode/m-p/296515#M77980 S.Cantwell 2019-11-05T23:54:44Z https://live.paloaltonetworks.com/t5/general-topics/vpn-s2s-and-description-ssl-in-wires-mode/m-p/296669#M77986 <PRE><SPAN>Hi, Thank you very much for your response, I will do the indicated and I will tell you the results. Regards.</SPAN></PRE><P>&nbsp;</P> Wed, 06 Nov 2019 12:32:15 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-s2s-and-description-ssl-in-wires-mode/m-p/296669#M77986 Lcarocas 2019-11-06T12:32:15Z