IPSec S2S VPN Tunnel (PAN OS 8.1) using 2 virtual routers - setup working - but how possible ?


L0 Member

Hi,

I've been trying to get an explanation for the following (working) scenario:

I have a PA 220 with 2 virtual routers:

an "inside-VR" virtual router with a L3 interface (i.e. e1/1 - 192.168.1.0/24 - security zone "INSIDE") + a tunnel interface (also assigned to the "inside-VR" virtual router - security zone "TUNNEL");

the tunnel interface is able to establish an IPSec S2S VPN tunnel to another PA box.

The IPSec tunnel is terminating between a public IP (let's say 1.2.3.4 - assigned to the other PA box) and a public IP (6.7.8.9 - assigned to a L3 "Outside" interface belonging to the "OUTSIDE" security zone and assigned to a second virtual router "external-VR", on the same PA box as before). The Outside VR virtual router has a route to the remote IPSec peer public IP; the Inside VR virtual router has no route for this destination (not even a default route).

The IPSec tunnel works and crypto IDs (or local / remote protected networks) are properly reachable via the tunnel.

Please note that there is no inter-VR routing set up between the 2 virtual routers.

However, to me it is not 100% clear how the traffic (which is sourced in one virtual router) is logically "bridged" to the other virtual router without any routing configuration between the 2 VRs ... allowing the whole setup to work ...

Hope my description is detailed enough to grasp the scenario at hand.

I would be grateful for a technical explanation on how traffic is actually "flowing" between the 2 virtual routers ....

Thanks

4 REPLIES

Cyber Elite

@CarloInt,

Unless there are inter-vsys policies set up of some sort, this should not be working at all. I would verify that you actually don't have something hiding away in the configuration that allows this to function.

Hi - thank you for your feedback.

Actually I double checked and the appliances that we are using in this case are PA 220 units which don't support vsys.

I have updated the post under #1 with the correct info.

Nevertheless, the setup is working (PAN OS 8.0.8) - any ideas / explanation how this might be possible?

Might it be due to the fact that the tunnel is bound to an IPSec profile which is relying on routing information made available only on the VR Outside router? Just trying to guess here.

Thanks

Cyber Elite

@CarloInt,

In that case let me read your post a bit more ....

Ahh okay, reading is good. Once the tunnel is up the traffic processes through the tunnel interface, so the IPsec tunnel is essentially taken out of routing at that point. As far as the firewall is concerned the traffic is coming from the tunnel interface, which is assigned to the TUNNEL zone, and the L3 interface obviously is also in that same VR assigned to the INSIDE zone.

Since the traffic is coming from the tunnel interface, which is located in the inside-VR, it doesn't matter that the IPSec tunnel is terminating in the external-VR. Hopefully that makes sense?

Really I would kind of question why it was originally set up like this? There isn't a lot of reason to separate these into separate VRs in the situation given, so unless some other business process was driving the configuration I'm a little lost on why you wouldn't just use one VR.
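The reply above describes two independent lookups: the cleartext packet is routed by the VR that owns the tunnel interface (inside-VR), and the resulting ESP packet is routed by the VR that owns the interface the IKE gateway is bound to (external-VR). The following is an added toy model of that behaviour, written for this thread and not PAN-OS code or anything from the original posts. The interface name ethernet1/3 for the outside interface and the remote protected network 10.10.10.0/24 are assumptions; the peer addresses 1.2.3.4 / 6.7.8.9 and the 192.168.1.0/24 INSIDE network come from the question.

```python
"""Toy model of routing across two virtual routers for a route-based IPsec tunnel.

Constructed illustration (not PAN-OS code). Inner routing happens in the VR that
owns the tunnel interface; outer (ESP) routing happens in the VR that owns the
physical interface the IKE gateway is bound to. No inter-VR route is needed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class VirtualRouter:
    name: str
    # (prefix, egress interface) pairs; longest prefix wins, as on a real router
    routes: List[Tuple[str, str]] = field(default_factory=list)

    def lookup(self, dst: str) -> Optional[str]:
        addr = ip_address(dst)
        matches = [(net, iface) for net, iface in self.routes if addr in ip_network(net)]
        if not matches:
            return None
        return max(matches, key=lambda m: ip_network(m[0]).prefixlen)[1]


@dataclass
class TunnelInterface:
    name: str
    vr: VirtualRouter          # VR that owns the tunnel interface (inner routing)
    ike_vr: VirtualRouter      # VR that owns the IKE gateway's physical interface
    local_peer: str
    remote_peer: str
    proxy_ids: List[Tuple[str, str]]  # (local network, remote network) pairs


# interface -> security zone (constructed, matching the thread's naming)
ZONES: Dict[str, str] = {"ethernet1/1": "INSIDE", "tunnel.1": "TUNNEL", "ethernet1/3": "OUTSIDE"}


def forward(inside_vr: VirtualRouter, tunnels: Dict[str, TunnelInterface], src: str, dst: str) -> dict:
    """Trace a cleartext packet from the INSIDE zone out through the tunnel."""
    trace = {"inner_egress": None, "outer_egress": None, "delivered": False}
    egress = inside_vr.lookup(dst)            # stage 1: inner lookup in inside-VR
    trace["inner_egress"] = egress
    if egress not in tunnels:
        return trace
    tun = tunnels[egress]
    # proxy-ID check: only traffic matching a configured pair enters the SA
    if not any(ip_address(src) in ip_network(loc) and ip_address(dst) in ip_network(rem)
               for loc, rem in tun.proxy_ids):
        return trace
    # stage 2: the ESP packet is addressed to the remote peer and routed by the
    # VR of the IKE gateway's interface, never by inside-VR
    outer = tun.ike_vr.lookup(tun.remote_peer)
    trace["outer_egress"] = outer
    trace["delivered"] = outer is not None
    return trace


def decapsulate(tun: TunnelInterface, inner_dst: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Reverse direction: after decryption the packet ingresses on the tunnel
    interface (zone TUNNEL) and is routed by the tunnel's own VR."""
    egress = tun.vr.lookup(inner_dst)
    return ZONES[tun.name], ZONES.get(egress) if egress else None, egress


def build_thread_topology() -> Tuple[VirtualRouter, VirtualRouter, Dict[str, TunnelInterface]]:
    """The setup from the question, with assumed values where the post has none."""
    inside = VirtualRouter("inside-VR", [("192.168.1.0/24", "ethernet1/1"),
                                         ("10.10.10.0/24", "tunnel.1")])  # remote network assumed
    external = VirtualRouter("external-VR", [("0.0.0.0/0", "ethernet1/3")])  # route to the peer
    tun = TunnelInterface("tunnel.1", vr=inside, ike_vr=external,
                          local_peer="6.7.8.9", remote_peer="1.2.3.4",
                          proxy_ids=[("192.168.1.0/24", "10.10.10.0/24")])
    return inside, external, {tun.name: tun}


def missing_outer_route_demo() -> dict:
    """Same topology, but external-VR has no route to the peer: the tunnel fails."""
    inside, external, tunnels = build_thread_topology()
    external.routes.clear()
    return forward(inside, tunnels, "192.168.1.10", "10.10.10.5")


if __name__ == "__main__":
    inside, external, tunnels = build_thread_topology()
    print(forward(inside, tunnels, "192.168.1.10", "10.10.10.5"))
    print("inside-VR route to peer:", inside.lookup("1.2.3.4"))
    print(decapsulate(tunnels["tunnel.1"], "192.168.1.10"))
    print(missing_outer_route_demo())
```

Running it shows inside-VR returning no route at all for 1.2.3.4 while the packet is still delivered, because the only VR that ever needs to reach the peer is the one holding the IKE gateway's interface. The last call shows the failure mode a defender should recognise: if external-VR loses its route to the peer, the tunnel drops even though nothing in inside-VR changed.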

L7 Applicator

@BPry wrote:

There isn't a lot of reason to separate these into separate VRs in the situation given, so unless some other business process was driving the configuration I'm a little lost on why you wouldn't just use one VR.

  • Routing domain isolation
  • If you want to run a routing protocol over the tunnels -> better separation if you only need to enable it on the inside VR
  • With the separation you can have a default route rather than PBF if a remote location connects over VPN to HQ and there over another FW to the internet
  • Avoid configuration mistakes, so the VPN firewall can never be used as Internet firewall by admins that only have rights to change policies but not configs in the network tab, and the same for connections from the internet to internal