- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
07-05-2017 11:04 AM
Hi all,
I've currently got a site-to-site VPN tunnel already configured for one of our cloud services but we've got a request to add another service from another provider. Our current config has a single floating IP address with the associated tunnel configuration and assigned to a "Site-to-Site" security zone.
I'm wondering what best practices are concerning multiple site-to-site configurations. I've already started creating separate Crypto configs and, obviously, I'll need a separate actual IPSec Tunnel config. What I'm wondering is if it is best practicles to re-use the same public floating IP, loopback, tunnel interface, etc. or is best practices or common just to create a whole new setup?
07-05-2017 11:13 AM
I keep the public IP the same, other than that I modify everything else specific to that tunnel besides the zone as I have one IPSec zone that terminates all site-to-sites. I'm not sure if that is really the 'proper' way to do it but I find it easy enough to manage and it hasn't given me any issues so far.
07-05-2017 12:11 PM
@BPry so you keep the public IP and the associated virtual loopback interface the same but create a new virtual tunnel interface (configured with no IP... just used in the IPSec Tunnel config)?
07-05-2017 12:23 PM
I actually don't use the loopback interface and assign the tunnel interface a private IP address strictly for monitoring. The tunnels all have one shared local public IP address. I imagine that you could do the same thing without issue utilizing the loopback instead.
07-06-2017 12:46 PM
You can have a single public IP that represents your systems and then have this IP address as the "local-address" crossing into multiple VPN tunnels. Each site-to-site VPN tunnel should terminate into it's own interface and it's own zone.
tunnel.1 = zone VPN-PartnerName1
tunnel.2 = zone VPN-PartnerName2
This allows you to write specific security rules and NAT rules that match your traffic. This gives you full control over each tunnel and won't allow traffic to cross from tunnel to tunnel. Putting them into a single zone could allow the u-turn or hair-pin type traffic and could allow VPN to VPN flows (inadvertently).
Each VPN tunnel will have a Phase2 configuration (IPSec Tunnels in the PA). On the PROXY-ID's tab, this is where you create your interesting traffic list (think crypto map for vendor VPN's). Your Local entry will be the public "local-address" (from above) and the Remote will be the unique IP address that your VPN partner is using. This is what allows you to re-use your single IP into mutiple tunnels.
07-07-2017 06:27 AM
Thanks for the feedback guys. I have the loopback involved mainly because it is tied to a floating IP since we're running A/A.
I had originally thought to do all Site-to-Site as the same zone and do the policy rules all according to IP addresses but I can definitely see how having them in separate zones will make things a little clearer and provide an extra layer of functionality against accidental or unintended traffic flow.
07-07-2017 07:23 AM
I'm not sure of your platform but before you start assigning every single site-to-site a new security zone specific to that tunnel I would look at your max zone capability and how many tunnels you actually plan on forming during the expected lifetime of your firewalls. I've had to help a few people cut zone count retroactively because they haven't thought about it being a ceiling for them, it's not a very fun process.
07-07-2017 07:27 AM
We're on the PAN-5060 platform. It looks like it supports 900 security zones and we've only got 10 or so now I think.
07-07-2017 07:31 AM
Sweet that should be good to go then. Some of the smaller firewalls have insanely limited zone counts where you could easily hit the max if you start setting up site-to-sites like this. Once you get past the 3000 series it really becomes a non-issue 🙂
07-11-2017 08:37 AM
Hello,
Anothing thing to think about when using zones, is that you can have one VPN zone and still seperate the traffic by IP address's. This way you dont run low on zones or try to keep them all seperated.
i.e.
Source IP range x.x.x.x/x zone VPN
Source IP range y.y.y.y/y zone VPN
Let me know if you would like me to expand on that.
Cheers!
07-11-2017 10:41 AM
Thanks @OtakarKlier for the info.
That is actually how I was originally planning on doing it but I ended up liking the suggesting of creating security zones for the other site-to-site configs we add. They can all use the same public IP (and associated loopback that I use for the floating IP HA part) and then everything else is different. I feel like this gives me some extra control and options when designing security policy and with 900 maximum security zones on our platform I don't have to worry about running out any time soon.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!