<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Two Directly Connected PANs via IPSEC- Do I Need to Build Tunnel Interf in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/two-directly-connected-pans-via-ipsec-do-i-need-to-build-tunnel/m-p/326891#M83234</link>
    <description>&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/96206"&gt;@michaelmertens&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Tunnel interfaces are virtual and as such do not necessarily require an IP when connected to another route-based VPN device&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;You would apply the /30 to your physical interface&lt;/P&gt;&lt;P&gt;Then configure an 'IKE gateway' for the remote device's IP in the /30 and can then use 'unnumbered' tunnel interfaces&lt;/P&gt;&lt;P&gt;In your Virtual Router you can just set a destination interface as next hop, no need for an IP&lt;/P&gt;&lt;P&gt;For tunnel monitoring you could add IP addresses to the tunnel interfaces, but you could also use a loopback interface&lt;/P&gt;&lt;P&gt;In both cases these IP addresses do not need to be known outside of the 2 devices&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Fri, 08 May 2020 05:52:36 GMT</pubDate>
    <dc:creator>reaper</dc:creator>
    <dc:date>2020-05-08T05:52:36Z</dc:date>
    <item>
      <title>Two Directly Connected PANs via IPSEC- Do I Need to Build Tunnel Interfaces</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/two-directly-connected-pans-via-ipsec-do-i-need-to-build-tunnel/m-p/326749#M83225</link>
      <description>&lt;P&gt;We are having a 10 Gbps Light Wave service installed for a WAN connection and will have PANs on either side. (The PANs will be on the same /30 subnet, and the Wave service appears to be a raw fiber connection terminated on physical PAN L3 interfaces.) We want to authenticate the other end and encrypt using IPsec. Do I need to build a tunnel interface with another /30 in order to leverage IPsec in the Palo Alto platform, or is there some "short-cut"? Also, would I need to use a third /30 for a tunnel monitor? Thanks! (I'm pretty new to PANs.)&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Mike&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 07 May 2020 18:28:30 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/two-directly-connected-pans-via-ipsec-do-i-need-to-build-tunnel/m-p/326749#M83225</guid>
      <dc:creator>michaelmertens</dc:creator>
      <dc:date>2020-05-07T18:28:30Z</dc:date>
    </item>
    <item>
      <title>Re: Two Directly Connected PANs via IPSEC- Do I Need to Build Tunnel Interf</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/two-directly-connected-pans-via-ipsec-do-i-need-to-build-tunnel/m-p/326891#M83234</link>
      <description>&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/96206"&gt;@michaelmertens&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Tunnel interfaces are virtual and as such do not necessarily require an IP when connected to another route-based VPN device&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;You would apply the /30 to your physical interface&lt;/P&gt;&lt;P&gt;Then configure an 'IKE gateway' for the remote device's IP in the /30 and can then use 'unnumbered' tunnel interfaces&lt;/P&gt;&lt;P&gt;In your Virtual Router you can just set a destination interface as next hop, no need for an IP&lt;/P&gt;&lt;P&gt;For tunnel monitoring you could add IP addresses to the tunnel interfaces, but you could also use a loopback interface&lt;/P&gt;&lt;P&gt;In both cases these IP addresses do not need to be known outside of the 2 devices&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 08 May 2020 05:52:36 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/two-directly-connected-pans-via-ipsec-do-i-need-to-build-tunnel/m-p/326891#M83234</guid>
      <dc:creator>reaper</dc:creator>
      <dc:date>2020-05-08T05:52:36Z</dc:date>
    </item>
    <item>
      <title>Re: Two Directly Connected PANs via IPSEC- Do I Need to Build Tunnel Interf</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/two-directly-connected-pans-via-ipsec-do-i-need-to-build-tunnel/m-p/327335#M83305</link>
      <description>&lt;P&gt;Reaper,&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks for your input. I'm still troubleshooting getting the IKE handshake going. (I've got both FWs back-to-back prior to sending out the remote FW.) So when you said to have the tunnel "unnumbered", you just meant to not assign an IPv4 address in the Tunnel Interface config? And to your point, as I would like to have a tunnel monitor, I'm using 10.10.1.4/30 for the tunnel monitor and the physical interfaces are using 10.10.1.0/30. Also, I've created new Zone names for the physical interfaces on either end. I don't need to put in explicit rules to allow IPsec packets (UDP 500, UDP 4500, etc.) for IKE/IPsec SAs? I do have my default Intrazone rule which permits any any...&lt;BR /&gt;&lt;BR /&gt;Anyway, I'm new at the Palo Altos so appreciate your thoughts and input.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Mike&lt;/P&gt;</description>
      <pubDate>Mon, 11 May 2020 12:56:10 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/two-directly-connected-pans-via-ipsec-do-i-need-to-build-tunnel/m-p/327335#M83305</guid>
      <dc:creator>michaelmertens</dc:creator>
      <dc:date>2020-05-11T12:56:10Z</dc:date>
    </item>
    <item>
      <title>Re: Two Directly Connected PANs via IPSEC- Do I Need to Build Tunnel Interf</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/two-directly-connected-pans-via-ipsec-do-i-need-to-build-tunnel/m-p/327338#M83306</link>
      <description>&lt;P&gt;With physical interfaces you mean ethernet1/x? (Tunnel interfaces are virtual)&lt;/P&gt;&lt;P&gt;-yes, unnumbered means no IP assigned&lt;/P&gt;&lt;P&gt;-10.10.1.4/30 and 10.10.1.0/30 are unusable addresses (broadcast and network)&lt;/P&gt;&lt;P&gt;The usable IPs in that subnet are .1/30 and .2/30&lt;/P&gt;&lt;P&gt;So if the local interface has .1 then the remote should use .2 and monitor would go to .2&lt;/P&gt;&lt;P&gt;-the IPsec packets will happen between the physical ethernet1/x interfaces, typically untrust to untrust. Intrazone will take care of that (but I do recommend making explicit rules and blocking untrust to untrust at the end)&lt;/P&gt;&lt;P&gt;- the tunnel traffic will come from and will go to the virtual tunnel interfaces' zone&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Hope this helps&lt;/P&gt;</description>
      <pubDate>Mon, 11 May 2020 13:08:15 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/two-directly-connected-pans-via-ipsec-do-i-need-to-build-tunnel/m-p/327338#M83306</guid>
      <dc:creator>reaper</dc:creator>
      <dc:date>2020-05-11T13:08:15Z</dc:date>
    </item>
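The two replies above describe one procedure: put the /30 on the physical interface, build an IKE gateway to the peer's address in that /30, bind an IPsec tunnel to a tunnel interface that needs an IP only for tunnel monitoring, point the static route at the interface, and write explicit security policy instead of leaning on the default intrazone-allow. Below is that procedure as PAN-OS 'set' CLI for the local firewall. It is an added example written for this page, not configuration posted by reaper, michaelmertens or Palo Alto Networks. Everything not in the thread is an assumption: the interface name ethernet1/3, the zone names wan-underlay and vpn, the object names ikev2-p1, esp-p2, gw-remote-pan and vpn-remote-pan, IKEv2 with a pre-shared key, the cipher choices, and the remote LAN 192.168.20.0/24. Addresses follow the thread: 10.10.1.0/30 on the physical link (.1 local, .2 peer) and 10.10.1.4/30 for the tunnel monitor (.5 local, .6 peer).

```text
# Added example, not from the thread. Assumed names: ethernet1/3, zones
# wan-underlay and vpn, IKEv2 with a PSK, remote LAN 192.168.20.0/24.
# The remote firewall mirrors this with .2/.6 local and .1/.5 as the peer.

# 1. Physical interface carries the /30 and is the IKE/ESP endpoint.
set network interface ethernet ethernet1/3 layer3 ip 10.10.1.1/30
set zone wan-underlay network layer3 ethernet1/3
set network virtual-router default interface ethernet1/3

# 2. Crypto profiles (assumed choices; the thread names none).
set network ike crypto-profiles ike-crypto-profiles ikev2-p1 encryption aes-256-cbc
set network ike crypto-profiles ike-crypto-profiles ikev2-p1 hash sha256
set network ike crypto-profiles ike-crypto-profiles ikev2-p1 dh-group group14
set network ike crypto-profiles ike-crypto-profiles ikev2-p1 lifetime hours 8
set network ike crypto-profiles ipsec-crypto-profiles esp-p2 esp encryption aes-256-gcm
set network ike crypto-profiles ipsec-crypto-profiles esp-p2 esp authentication none
set network ike crypto-profiles ipsec-crypto-profiles esp-p2 dh-group group14
set network ike crypto-profiles ipsec-crypto-profiles esp-p2 lifetime hours 1

# 3. IKE gateway: the peer is the other usable address of the physical /30.
set network ike gateway gw-remote-pan local-address interface ethernet1/3 ip 10.10.1.1/30
set network ike gateway gw-remote-pan peer-address ip 10.10.1.2
set network ike gateway gw-remote-pan authentication pre-shared-key key REPLACE-WITH-STRONG-PSK
set network ike gateway gw-remote-pan protocol version ikev2
set network ike gateway gw-remote-pan protocol ikev2 ike-crypto-profile ikev2-p1
set network ike gateway gw-remote-pan protocol ikev2 dpd enable yes

# 4. Tunnel interface. Forwarding works unnumbered; the IP exists only so
#    tunnel monitor has a source (.5) and a target on the far side (.6).
#    Leave the 'ip' line out if you do not run tunnel monitor.
set network interface tunnel units tunnel.1 ip 10.10.1.5/30
set zone vpn network layer3 tunnel.1
set network virtual-router default interface tunnel.1

# 5. IPsec tunnel bound to tunnel.1. Two route-based PANs need no proxy-IDs.
set network tunnel ipsec vpn-remote-pan auto-key ike-gateway gw-remote-pan
set network tunnel ipsec vpn-remote-pan auto-key ipsec-crypto-profile esp-p2
set network tunnel ipsec vpn-remote-pan tunnel-interface tunnel.1
set network tunnel ipsec vpn-remote-pan anti-replay yes
set network tunnel ipsec vpn-remote-pan tunnel-monitor enable yes
set network tunnel ipsec vpn-remote-pan tunnel-monitor destination-ip 10.10.1.6
set network tunnel ipsec vpn-remote-pan tunnel-monitor tunnel-monitor-profile default

# 6. Static route with the interface as next hop; no next-hop IP needed.
set network virtual-router default routing-table ip static-route to-remote-lan destination 192.168.20.0/24
set network virtual-router default routing-table ip static-route to-remote-lan interface tunnel.1

# 7. Explicit policy rather than the default intrazone-allow: permit only
#    IKE and ESP from the known peer, then deny the rest of the underlay zone
#    to itself, as reaper recommends. Decrypted traffic is policed separately
#    in the vpn zone (e.g. vpn to trust), not here.
set rulebase security rules allow-ike-ipsec from wan-underlay to wan-underlay source 10.10.1.2 destination 10.10.1.1 application [ ike ipsec-esp ] service application-default action allow
set rulebase security rules deny-underlay from wan-underlay to wan-underlay source any destination any application any service any action deny log-end yes
```

After 'commit', the handshake can be forced with 'test vpn ike-sa gateway gw-remote-pan' and checked with 'show vpn ike-sa', 'show vpn ipsec-sa' and 'show vpn flow'. The IKE rule pins both source and destination to the single peer address because the link is point-to-point; ipsec-esp-udp (NAT-T on UDP 4500) is not listed since there is no NAT between two directly connected interfaces. Keep the tunnel monitor addresses out of any advertised routing, as reaper notes they only need to be known to the two firewalls.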
  </channel>
</rss>

