12-11-2018 08:58 AM - edited 12-11-2018 10:25 AM
Hi,
I've been trying to get an explanation of the following (working) scenario:
I have a PA 220 with 2 virtual routers:
- an "inside-VR" virtual router with a L3 interface (i.e. e1/1 - 192.168.1.0/24 - security zone "INSIDE") + a tunnel interface (also assigned to the "inside-VR" virtual router - security zone "TUNNEL");
- the tunnel interface is able to establish an IPSec S2S VPN tunnel to another PA box.
The IPSec tunnel is terminating between a public IP (let's say 1.2.3.4 - assigned to the other PA box) and a public IP (6.7.8.9 - assigned to a L3 "Outside" interface belonging to the "OUTSIDE" security zone and assigned to a second virtual router "external-VR", on the same PA box as before). The Outside VR virtual router has a route to the remote IPSec peer public IP; the Inside VR virtual router has no route for this destination (not even a default route).
The IPSec tunnel works and crypto IDs (or local / remote protected networks) are properly reachable via the tunnel.
Please note that there is no Inter-VR routing setup between the 2 Virtual Routers.
However, to me it is not 100% clear how logically the traffic (which is sourced in one virtual router) is "bridged" to the other virtual router without any routing configuration between the 2 VRs, allowing the whole setup to work.
Hope my description is detailed enough to grasp the scenario at hand.
I would be grateful for a technical explanation of how traffic is actually "flowing" between the 2 virtual routers.
Thanks
12-11-2018 10:20 AM
Unless there is an inter-vsys policy set up of some sort, this should not be working at all. I would verify that you actually don't have something hiding away in the configuration that allows this to function.
12-11-2018 10:29 AM
Hi - thank you for your feedback.
Actually I double checked and the appliances that we are using in this case are PA 220 units which don't support vsys.
I have updated the post under #1 with the correct info.
Nevertheless, the setup is working (PAN OS 8.0.8) - any ideas / explanation of how this might be possible?
Might it be due to the fact that the tunnel is bound to an IPSec profile which is relying on routing information made available only on the VR Outside router? Just trying to guess here.
Thanks
12-11-2018 10:48 AM - edited 12-11-2018 10:49 AM
In that case let me read your post a bit more...
Ahh okay, reading is good. Once the tunnel is up the traffic processes through the tunnel interface, so the IPsec tunnel is essentially taken out of routing at that point. As far as the firewall is concerned the traffic is coming from the tunnel interface, which is assigned to the TUNNEL zone, and the L3 interface obviously is also in that same VR, assigned to the INSIDE zone.
Since the traffic is coming from the tunnel interface, which is located in the inside-VR, it doesn't matter that the IPSec tunnel is terminating in the external-VR. Hopefully that makes sense?
Really I would kind of question why it was originally set up like this? There isn't a lot of reason to separate these into separate VRs in the situation given, so unless some other business process was driving the configuration I'm a little lost on why you wouldn't just use one VR.
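To make the two-stage lookup described above concrete, here is an added Python model (not from the thread and not PAN-OS code): the cleartext packet is routed in the VR that owns the ingress and tunnel interfaces, and the ESP packet is routed in the VR that owns the IKE gateway's local interface. The VR names and the IPs 1.2.3.4 / 6.7.8.9 / 192.168.1.0/24 are the thread's; the outside interface name ethernet1/2, the tunnel name tunnel.1 and the remote protected network 10.10.10.0/24 are assumptions.

```python
import ipaddress

# Constructed model of the thread's setup (illustrative only).
# Each VR holds (prefix, egress interface) routes; inside-VR has no
# route to the peer 1.2.3.4, exactly as the original poster describes.
VRS = {
    "inside-VR": [("192.168.1.0/24", "ethernet1/1"),
                  ("10.10.10.0/24", "tunnel.1")],     # remote protected net (assumed)
    "external-VR": [("6.7.8.0/24", "ethernet1/2"),
                    ("0.0.0.0/0", "ethernet1/2")],    # reaches the IPSec peer
}
IFACE_VR = {"ethernet1/1": "inside-VR", "tunnel.1": "inside-VR",
            "ethernet1/2": "external-VR"}
IFACE_ZONE = {"ethernet1/1": "INSIDE", "tunnel.1": "TUNNEL",
              "ethernet1/2": "OUTSIDE"}
# The IKE gateway binds the tunnel to a local interface living in external-VR.
TUNNEL_BINDING = {"tunnel.1": {"local_if": "ethernet1/2",
                               "local_ip": "6.7.8.9", "peer_ip": "1.2.3.4"}}


def lookup(vr, dst):
    """Longest-prefix match inside one VR only; None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in VRS[vr]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def forward(ingress_if, dst):
    """Return the (vr, egress_if, zone) decisions made for one packet.

    Stage 1: the cleartext packet is looked up in the ingress interface's VR.
    Stage 2: if egress is a tunnel, the encapsulated packet is looked up in the
    VR of the gateway's local interface, never in the tunnel interface's VR.
    """
    vr = IFACE_VR[ingress_if]
    egress = lookup(vr, dst)
    if egress is None:
        return [(vr, None, None)]          # dropped: no route in this VR
    steps = [(vr, egress, IFACE_ZONE[egress])]
    if egress in TUNNEL_BINDING:
        binding = TUNNEL_BINDING[egress]
        outer_vr = IFACE_VR[binding["local_if"]]
        outer_if = lookup(outer_vr, binding["peer_ip"])
        steps.append((outer_vr, outer_if, IFACE_ZONE.get(outer_if)))
    return steps
```

The zone pair in each stage (INSIDE to TUNNEL for the inner packet) is what the security policy evaluates, so a missing route to the peer in inside-VR never shows up in the policy check.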
12-12-2018 07:27 AM
@BPry wrote: There isn't a lot of reason to separate these into separate VRs in the situation given, so unless some other business process was driving the configuration I'm a little lost on why you wouldn't just use one VR.