10-09-2024 02:34 PM
We have our egress on Eth1/1 with a public IP assigned by our provider.
We also own a separate public subnet.
We have the internet working and want to add an IPsec tunnel from our PAN to a partner also running PAN.
I'm told to continue using the Eth1/1 interface.
Do you see problems with this solution? Diagram attached.
Eth1/1 is untrust. It has IP 4.4.4.4.
We add a second public IP to Eth1/1 from the subnet we own (5.5.5.5).
Create a new zone for IPSec.
Create a tunnel.1 interface. Assign it to the IPSec zone.
Create an IKE Gateway Profile that uses our 5.5.5.5 and the public Peer IP 6.6.6.6.
Then we define the IPsec tunnel to use tunnel.1 and the IKE Gateway Profile.
Lastly, we configure static route to forward destination traffic to Tunnel.1.
Would this work? Are there better ways to set this up?
The phase 2 plan would be to add additional tunnel interfaces for other partners:
tunnel.2, etc., with 5.5.5.5 as our source IP and 7.7.7.7 as the peer.
But what happens if two partners use the same internal subnets in their respective tunnels? How do you route LAN traffic to the correct tunnel?
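The design described above, written out as PAN-OS configure-mode `set` commands. This is an added example, not configuration from the original post or from Palo Alto Networks: the zone name `IPSec`, the virtual router `default`, the gateway and tunnel names, the pre-shared key placeholder, the default crypto profiles, the `/30` and `/32` masks, the partner subnets `10.10.0.0/16` and `192.168.1.0/24`, the internal "virtual" range `172.16.1.0/24` and the `trust` zone are all assumptions, and the command syntax is as I recall it for recent PAN-OS releases, so verify each line against your version before committing. The last part goes beyond the post and shows the usual NAT-based answer to the overlapping-subnet question: you can only route on what the LAN sees, so give each partner's overlapping range a distinct address space on your side, route that space to the right tunnel, and translate the destination on the way out.

```text
configure

# 1. Second public IP on the egress interface (5.5.5.5 from the subnet you own).
#    4.4.4.4/30 is the provider-assigned address that is already there.
set network interface ethernet ethernet1/1 layer3 ip 4.4.4.4/30
set network interface ethernet ethernet1/1 layer3 ip 5.5.5.5/32

# 2. Tunnel interface, placed in its own zone and in the virtual router.
set network interface tunnel units tunnel.1 comment "partner A"
set zone IPSec network layer3 tunnel.1
set network virtual-router default interface tunnel.1

# 3. IKE gateway: our local address is 5.5.5.5 on ethernet1/1, peer is 6.6.6.6.
#    IKEv2 with the built-in "default" crypto profile; replace the PSK.
set network ike gateway partnerA-gw local-address interface ethernet1/1
set network ike gateway partnerA-gw local-address ip 5.5.5.5/32
set network ike gateway partnerA-gw peer-address ip 6.6.6.6
set network ike gateway partnerA-gw protocol version ikev2
set network ike gateway partnerA-gw protocol ikev2 ike-crypto-profile default
set network ike gateway partnerA-gw authentication pre-shared-key key CHANGE-ME

# 4. IPsec tunnel bound to tunnel.1 and the gateway above.
set network tunnel ipsec partnerA-vpn tunnel-interface tunnel.1
set network tunnel ipsec partnerA-vpn auto-key ike-gateway partnerA-gw
set network tunnel ipsec partnerA-vpn auto-key ipsec-crypto-profile default

# 5. Static route sending partner A's LAN (assumed 10.10.0.0/16) into the tunnel.
set network virtual-router default routing-table ip static-route to-partnerA destination 10.10.0.0/16 interface tunnel.1

# 6. Security policy: the tunnel zone still needs rules like any other zone.
set rulebase security rules trust-to-partnerA from trust to IPSec source any destination 10.10.0.0/16 application any service application-default action allow

# 7. Second partner on tunnel.2 (peer 7.7.7.7, same local 5.5.5.5) is steps 2-6
#    again with new names. If partner B's LAN overlaps partner A's (say both use
#    192.168.1.0/24), expose partner B to your LAN as 172.16.1.0/24 instead:
set network interface tunnel units tunnel.2 comment "partner B"
set zone IPSec network layer3 tunnel.2
set network virtual-router default interface tunnel.2
set network virtual-router default routing-table ip static-route to-partnerB destination 172.16.1.0/24 interface tunnel.2
#    Destination NAT on the way out: LAN hosts talk to 172.16.1.x, the firewall
#    rewrites it to 192.168.1.x before encryption. Proxy IDs / policy on the
#    partner side must then match 192.168.1.0/24, not 172.16.1.0/24.
set rulebase nat rules partnerB-dnat from trust to IPSec source any destination 172.16.1.0/24 service any to-interface tunnel.2 destination-translation translated-address 192.168.1.0/24

commit
```

Two checks worth running after the commit: `show vpn ike-sa gateway partnerA-gw` and `show vpn ipsec-sa tunnel partnerA-vpn` confirm phase 1 and phase 2 are up, and `test routing fib-lookup virtual-router default ip 172.16.1.10` confirms the overlapping partner's traffic resolves to tunnel.2 rather than tunnel.1. Keep the tunnel zone separate from `untrust`, as the post does, so the partner networks never inherit the internet-facing rules.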
10-15-2024 01:55 PM
Hello,
This looks correct. I didn't review all of your policies in the pictures, but the steps are correct. If the partners have the same IPs on their internal networks, you'll need to read the following:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUFCA0
Regards,