This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

IPSec Tunnel from vsys1 to vsys2

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

IPSec Tunnel from vsys1 to vsys2

Solomonsands
L1 Bithead

‎03-05-2018 08:28 AM - edited ‎03-05-2018 08:30 AM

Hello All,

 

I have a design issue to mull over, and one of the options is to look at having ipsec tunnels between vsys isntances on the same box.

 

So, I have vsys1 as my default vr, what I may need to do is turn up vsys2 and have certain traffic in vsys1 'hop' over to vsys2.  Sounds problmeatic so my first instinct is to encap it between vsys instances.  Is there a built-in mechanism to allow virtual systems to securely pass traffic to one-another? I assume that they are all isolated from one another by design, which again makes me think that a tunnel of some type needs to be established for them to communicate.

 

This is a 5220 in active/passive.

 

Thoughts?

0 Likes Likes
3 REPLIES 3

BPry
Cyber Elite
Cyber Elite

‎03-05-2018 09:05 AM

@Solomonsands,

Honestly it seems unnecessary to include an IPSec tunnel in this situation. Palo Alto includes a number of ways to allow inter-vsys communication, and adding a tunnel into this would be rather messy. So options I would look at are the following

 

1) Utilizing an existing switch to simply loop 2 interfaces to bridge the gap. Easy and you get the same benefits with a little less complex of a situation. 

 

2) Utilize intervsys routing; which can be found in more detail in this LIVE article HERE. This is the 'best' answer in my mind, but it does get a little more complex. 

 

The Built-in option for this type of traffic would be #2 as listed above. 

0 Likes Likes

Solomonsands
L1 Bithead
In response to BPry

‎03-05-2018 09:43 AM

@BPry

 

Thanks for the reply.  From what I gathered, traffic between vsys have to egress to their respective external zone before traversing the firewall in to the destination external zone.  My concern is the encryption state of each hop.

 

I have the 5220 at edge with vsys1.  He takes an IPSec tunnel from a crappy remote router with less-than-optimal encryption.  Per our sec posture, only FIPS crypto can be used to get in to our environment.  Our solution thus far is to stand up an intermediate ipsec router that can speak non-FIPS, and then it routes the traffic to the 5220 with FIPS crypto in to a dmz. We believe the use of another vsys can take the place of the intermediate router, but need to be sure that the traffic passing from vsys to vsys is secure and observable.  Is this what inter-vsys routing does by default?

0 Likes Likes

OtakarKlier
Cyber Elite
Cyber Elite
In response to Solomonsands

‎03-05-2018 11:34 AM

Hello,

If its only one or a few machines that need to connect to you via VPN, what about giving them the GlobalProtect client? That way you can ensure your security posture.

 

Just a thought.

0 Likes Likes
  • 2016 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks