Site to Site IPSEC Clarification

L0 Member

I'm moving from a Cisco ASA to a Palo Alto firewall for the first time. I've imported the config to Expedition and am prepping it for import to the firewall, but I noticed only the first of my crypto peers for each tunnel was imported to an IKE gateway. After some research it seems I'm going to need a separate IKE gateway for each remote peer as well as for each local interface from which my tunnel needs to connect.


So, for instance, assuming I have two WAN interfaces on my local firewall and the remote end has two WAN IPs, and on each side we're connecting a single subnet to the tunnel, then I would need the following IKE gateways:


Local WAN1 -> Remote WAN1

Local WAN1 -> Remote WAN2

Local WAN2 -> Remote WAN1

Local WAN2 -> Remote WAN2


In Expedition I can't seem to add an IKE gateway to test, but on the firewall, if I add each of the gateways mentioned above, then I presume that adds tunnel interfaces for each, and then I just add the tunnel to the corresponding trust zone?


Does that all sound right, or am I completely botching this? Is there a better way to create tunnels that can utilize either of my WAN interfaces and multiple peer IPs?


Thanks for any help anybody can provide, and I apologize if I'm missing something obvious here.

Accepted Solutions
You are right.

An IKE Gateway needs to be created for each IP pair, so if you have 2 ISPs and the remote has 2 ISPs and you want to full mesh all pairs, you would need 4 IKE gateway objects and 4 IPsec tunnel objects.

On the other hand: does it make sense to full mesh all pairs? Is it likely both sides will have a simultaneous outage on one of their ISPs?

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization


Yeah, that's a good point. I am going to be more largely affected by an outage here at my office than at the other end, simply because we don't access the remote end every day at every location, but we access "some" locations every day. Perhaps the more economical solution is to build gateways and tunnels from 2 of my IPs to one at the remote end, that way I don't lose access to every location when the one ISP goes down. It doesn't happen often, but when it does I don't want to lose access entirely.
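A small planner, added here as an example (it is not the poster's configuration and not a Palo Alto Networks tool), that enumerates the IKE gateway / IPsec tunnel pairs for both designs discussed in this thread: the 2x2 full mesh from the accepted answer and the two-local-to-one-remote variant settled on above, generalized to any number of local interfaces and remote peers. The interface names, IP addresses, object names and zone name are constructed placeholders; the plan also lists the tunnel interface and zone binding each IPsec tunnel needs, because adding an IKE gateway in PAN-OS does not create a tunnel interface for you.

```python
from itertools import product

# Constructed sample addressing (documentation ranges), not the poster's real IPs.
LOCAL_WAN = {"ethernet1/1": "198.51.100.1", "ethernet1/2": "198.51.100.2"}
REMOTE_WAN = ["203.0.113.1", "203.0.113.2"]


def plan_tunnels(local_wan, remote_wan, full_mesh=True, zone="vpn-remote"):
    """Return one record per IKE gateway / IPsec tunnel pair.

    local_wan:  local WAN interface name -> its public IP (the IKE local address)
    remote_wan: remote peer IPs in preference order
    full_mesh:  True pairs every local interface with every remote IP (the
                4-object case); False pairs each local interface with only the
                first remote IP (the 2-object design the poster settled on).
    Each record also names the tunnel interface and zone that the IPsec
    tunnel must be bound to, since PAN-OS does not create those implicitly.
    """
    if full_mesh:
        pairs = list(product(local_wan.items(), remote_wan))
    else:
        pairs = [(local, remote_wan[0]) for local in local_wan.items()]
    plan = []
    for n, ((iface, local_ip), peer_ip) in enumerate(pairs, start=1):
        plan.append({
            "ike_gateway": f"ike-gw-{n}",          # placeholder object names
            "local_interface": iface,
            "local_ip": local_ip,
            "peer_ip": peer_ip,
            "ipsec_tunnel": f"ipsec-{n}",
            "tunnel_interface": f"tunnel.{n}",
            "zone": zone,
        })
    return plan


def object_counts(plan):
    """How many of each object the plan requires; one IP pair needs one of each."""
    return {
        "ike_gateways": len({p["ike_gateway"] for p in plan}),
        "ipsec_tunnels": len({p["ipsec_tunnel"] for p in plan}),
        "tunnel_interfaces": len({p["tunnel_interface"] for p in plan}),
        "ip_pairs": len({(p["local_ip"], p["peer_ip"]) for p in plan}),
    }


if __name__ == "__main__":
    for design, mesh in (("full mesh", True), ("2 local -> 1 remote", False)):
        plan = plan_tunnels(LOCAL_WAN, REMOTE_WAN, full_mesh=mesh)
        print(design, object_counts(plan))
        for p in plan:
            print(f"  {p['ike_gateway']}: {p['local_interface']} ({p['local_ip']}) -> "
                  f"{p['peer_ip']}, {p['ipsec_tunnel']} on {p['tunnel_interface']} in {p['zone']}")
```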
