12-21-2015 11:00 AM
Hi All,
A somewhat interesting scenario pre-Christmas here. I'm tasked with setting up a site-to-site VPN between a PA3020 and PA-200. The PA-200 will be connecting with PPPoE, which I've never set up before. I have some concerns on this and was wondering if anyone with experience of a similar scenario can help with these questions:
1. Despite being PPPoE, the provider has given me a static IP to configure on the Outside interface of the PA. My guess is, the PA-200 will always receive this IP if I do it this way. However, when PPPoE is selected on the PA and a static IP is configured, the interface list doesn't show me the IP address I stated. It still reads as 'Dynamic-PPPoE' (below). This leads me to question 2.
2. When configuring my IKE-Gateway, I select the interface to terminate the VPN. Because the interface is seen as 'Dynamic-PPPoE', the IP address on that interface is not available to be selected. The only option I get is 'None'. Can the tunnel still form with the interface address set to 'NONE'?
3. For the other end of the tunnel (the PA3020), will I need to set the Peer type to dynamic since I've been unable to specify an IP address on the PA200 (as per question 2)? Or can the tunnel work if I set the Peer IP as the static address the Provider has 'assigned' to me?
4. Default route: I've asked the provider for a next hop/default route. Their response is that there is usually no requirement for a next hop. My only option at the moment is to choose the outside interface on the Palo and select the next hop as 'None' as well. I'm also ticking the checkbox 'automatically create default route pointing to peer'.
Could this cause problems?
Apologies for the long string of questions. I've not worked with PPPoE before and would really just like some clarification.
Your assistance is much appreciated.
12-22-2015 10:55 AM - edited 12-22-2015 10:58 AM
The tunnel actually came up with both peers set to static IP and using the IP address given by the ISP. I didn't need to use dynamic peer on any of them.
I did specify Local ID and Peer ID, just in case but I doubt this had an effect.
No default gateway/default route is required as long as the option to 'automatically create a route' is selected for PPPoE.
Thanks for your suggestions all.
12-21-2015 06:18 PM
1. You need to set up a /32 on the PPPoE interface.
2. Setting up the /32 should give you the IP in the drop-down list; otherwise you can leave it as none but select "ip address" in the local identification field, where you can set up your public IP address.
3. If you're sure the IP address won't change you can leave it as static.
4. With PPPoE I believe that the default route is set up during the negotiation, so there's no need to configure it manually. I don't recommend creating a static route and leaving the next hop as none.
Regards,
Gerardo.
12-22-2015 01:07 AM
Hi Gerardo,
Thanks for your suggestions. Setting a /32 address still doesn't give me the address in the drop-down. I guess I have to leave it as 'NONE'. I'll try configuring the Local ID as the IP address and test though. I'll let you know the results.
12-22-2015 02:42 AM
Let's say you have two PA boxes, A and B. A has a PPPoE link and B has a static IP address.
To configure the IPSec tunnel on A you have to select the peer as static. In Peer Identification you can type the static IP address of B. In Local Identification you can use any IP address, like 1.1.1.1; this IP address can be anything and need not be on the firewall. If your ISP is providing you a static IP you can use that in peer identification.
On B you have to select the peer type as dynamic and then in local identification use the static IP address that is on the interface. In peer identification use the IP address that you specified on A as local identification.
Make sure the local and peer identification are configured properly. A's local will become B's peer. B's local will become A's peer.
'automatically create default route pointing to peer' is okay, better than a static route.
Hope this helps!
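An added example, not from the thread or from PAN-OS itself: a small Python checker for the mirrored Local/Peer Identification relationship described in this reply (A's local ID is B's peer ID and vice versa), with the static/dynamic peer-type rules and the aggressive-mode advice given later in the thread. The `IkeGateway` fields and the addresses are constructed for illustration (RFC 5737 documentation ranges).

```python
from dataclasses import dataclass
from typing import List, Optional


# Constructed model of the IKE gateway fields discussed in the thread;
# the field names are assumptions, not PAN-OS's own API.
@dataclass
class IkeGateway:
    name: str
    peer_type: str               # "static" or "dynamic"
    peer_address: Optional[str]  # required when peer_type == "static"
    local_id: Optional[str]      # Local Identification (IP address form)
    peer_id: Optional[str]       # Peer Identification (IP address form)
    exchange_mode: str = "main"  # "main" or "aggressive"


def check_pair(a: IkeGateway, b: IkeGateway) -> List[str]:
    """Return the inconsistencies between the two tunnel ends; empty means OK."""
    problems: List[str] = []
    for g in (a, b):
        if g.peer_type == "static" and not g.peer_address:
            problems.append(f"{g.name}: peer type is static but no peer address is set")
        if g.peer_type == "dynamic":
            # Without a peer address, the remote end can only be matched on its ID.
            if not g.peer_id:
                problems.append(f"{g.name}: dynamic peer needs a Peer Identification")
            # Thread advice: dynamic peers use aggressive mode, not main mode.
            if g.exchange_mode != "aggressive":
                problems.append(f"{g.name}: dynamic peer should use aggressive mode")
    # A's Local ID must equal B's Peer ID, and vice versa, whenever either side sets one.
    for x, y in ((a, b), (b, a)):
        if (x.local_id or y.peer_id) and x.local_id != y.peer_id:
            problems.append(
                f"{x.name} local ID {x.local_id!r} != {y.name} peer ID {y.peer_id!r}"
            )
    return problems


# Constructed sample: A is the PPPoE box pointing at B's static address,
# B is the static box using a dynamic peer matched on A's local ID.
PA200 = IkeGateway("PA-200 (PPPoE)", "static", "198.51.100.2",
                   "203.0.113.10", "198.51.100.2", "main")
PA3020 = IkeGateway("PA-3020", "dynamic", None,
                    "198.51.100.2", "203.0.113.10", "aggressive")

if __name__ == "__main__":
    for line in check_pair(PA200, PA3020) or ["configuration is consistent"]:
        print(line)
```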
12-22-2015 09:01 AM - edited 12-22-2015 09:09 AM
Hi,
Can you provide the output of show vpn ike-sa detail gateway <NAME>?
https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-VPN/ta-p/68931
It sounds to me that you will need to configure your Dynamic VPN Local/Remote Identifier between your VPN peers in order to identify the VPN devices.
Thx
Victor
12-22-2015 11:06 AM
Local ID and peer ID are not required if the IP addresses are static. They are needed in the case of a dynamic VPN and when you are configuring IPSec with a different vendor.
12-24-2015 03:14 AM
One more thing I forgot: if you are configuring a dynamic VPN then you have to select aggressive mode, not main mode.