Site to Site IPSEC Clarification

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

Site to Site IPSEC Clarification

L0 Member

I'm moving from a Cisco ASA to a Palo Alto firewall for the first time. I've imported the config to Expedition and am prepping it for import to the firewall, but I noticed only the first of my crypto peers for each tunnel was imported to an IKE gateway. After some research it seems I'm going to need a separate IKE gateway for each remote peer as well as for each local interface from which my tunnel needs to connect.

 

So, for instance, assuming I have two WAN interfaces on my local firewall and the remote end has two WAN IPs, and on each side we're connecting a single subnet to the tunnel, then I would need the following IKE gateways:

 

Local WAN1 -> Remote WAN1

Local WAN1 -> Remote WAN2

Local WAN2 -> Remote WAN1

Local WAN2 -> Remote WAN2

 

In Expedition I can't seem to add an IKE gateway to test, but on the firewall if I add each of the gateways mentioned above then I presume that adds tunnel interfaces for each, then I just add the tunnel to the corresponding trust zone?

 

Does that all sound right, or am I completely botching this? Is there a better way to create tunnels that can utilize either of my WAN interfaces and multiple peer IPs? 

 

Thanks for any help anybody can provide and I apologize if I'm missing something obvious here. 

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

you are right

 

an IKE Gateway needs to be created for each IP pair so if you have 2 ISPs and the remote has 2 isps and you want to full mesh all pairs, you would need 4 ike gateway objects and 4 ipsec tunnel objects

 

On the other hand: Does it make sense to full mesh all pairs, is it likely both sides will have a simultaneous outage on one of their ISPs ?

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

2 REPLIES 2

Cyber Elite
Cyber Elite

you are right

 

an IKE Gateway needs to be created for each IP pair so if you have 2 ISPs and the remote has 2 isps and you want to full mesh all pairs, you would need 4 ike gateway objects and 4 ipsec tunnel objects

 

On the other hand: Does it make sense to full mesh all pairs, is it likely both sides will have a simultaneous outage on one of their ISPs ?

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Yeah, that's a good point. I am going to be more largely affected by an outage here at my office than at the other end, simply because we don't access the remote end every day at every location, but we access "some" locations every day. Perhaps the more economical solution is to build gateways and tunnels from 2 of my IPs to one at the remote end, that way I don't lose access to every location when the one ISP goes down. It doesn't happen often, but when it does I don't want to lose access entirely.

  • 1 accepted solution
  • 1256 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!