https://live.paloaltonetworks.com/t5/general-topics/ipsec-question/m-p/336587#M84788 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/62286">@Alex_Samad</a>&nbsp;</P> <P>&nbsp;</P> <P>In IPSEC if you need to reach &nbsp;remote network on other side say 192.168.10.0/24 then you need to put Static route saying</P> <P>to reach remote network 192.168.10.0/24 interface is tunnel .50</P> <P>&nbsp;</P> <P>There is no need to apply the IP 192.168.10.0/24 to any PA &nbsp;interface as any traffic for 192.168.10.0/24 will have tunnel interface as outgoing interface and tunnel interface is virtual and it knows it has to pass the traffic to interface with public IP address which in your</P> <P>case is ae1</P> <P>&nbsp;</P> <P>PA public IP ---------------ipsec tunnel --------------------------------------------Remote Device Public IP</P> <P>&nbsp;</P> <P>Regards</P> Sat, 04 Jul 2020 04:32:33 GMT MP18 2020-07-04T04:32:33Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-question/m-p/336586#M84787 <P>Hi</P><P>&nbsp;</P><P>So i have my public interface ae1.10</P><P>I attached a ikev2 interface to that and attach it to tunnel.50</P><P>&nbsp;</P><P>no the other side of the ipsec tunnel are providing 192.168.10.0/24 and I am providing 192.168.250.0/24</P><P>&nbsp;</P><P>do I have to place a static route in the v_router saying 192.168.10.0/24 via tunnel.50</P><P>how do i do that if I haven't applied a ip address to the tunnel interface, do I have to&nbsp;</P><P>do I have to add the static route ?</P> Sat, 04 Jul 2020 02:17:46 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-question/m-p/336586#M84787 Alex_Samad 2020-07-04T02:17:46Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-question/m-p/336587#M84788 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/62286">@Alex_Samad</a>&nbsp;</P> <P>&nbsp;</P> <P>In IPSEC if you need to reach &nbsp;remote network on other side say 192.168.10.0/24 then you need to put Static route saying</P> <P>to reach remote network 192.168.10.0/24 interface is tunnel .50</P> <P>&nbsp;</P> <P>There is no need to apply the IP 192.168.10.0/24 to any PA &nbsp;interface as any traffic for 192.168.10.0/24 will have tunnel interface as outgoing interface and tunnel interface is virtual and it knows it has to pass the traffic to interface with public IP address which in your</P> <P>case is ae1</P> <P>&nbsp;</P> <P>PA public IP ---------------ipsec tunnel --------------------------------------------Remote Device Public IP</P> <P>&nbsp;</P> <P>Regards</P> Sat, 04 Jul 2020 04:32:33 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-question/m-p/336587#M84788 MP18 2020-07-04T04:32:33Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-question/m-p/336592#M84793 <P>So because the destination address is part of the proxy, it will route it via the tunnel.</P><P>&nbsp;</P><P>Thought that might be the case.</P><P>&nbsp;</P><P>Thanks</P><P>&nbsp;</P><P>edit</P><P>did a quick check remove the static routes and tested the FIB for that destination it wasn't going via the tunnel !</P><P>&nbsp;</P><P>Did a quick test the packets are not going out the tunnel - they are going out the public ae.</P><P>&nbsp;</P><P>so my ae.7 is my internet and I have a few ip's on here. one of them is my end of the ipsec ike</P><P>&nbsp;</P><P>&nbsp;</P> Sat, 04 Jul 2020 08:05:45 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-question/m-p/336592#M84793 Alex_Samad 2020-07-04T08:05:45Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-question/m-p/336654#M84829 <P>This covers it</P><P>&nbsp;</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGkCAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGkCAK</A></P> Mon, 06 Jul 2020 09:46:43 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-question/m-p/336654#M84829 Alex_Samad 2020-07-06T09:46:43Z