Site to Site IPSec VPN Configuration to extend Enterprise Network to a remote office


L0 Member

I have two PA800 NGFWs running in Active-Standby HA mode and they are connected to a perimeter switch. I need some insight about a VPN configuration on my PA that is about to connect to a remote office. I am new to this and I brought this here because there is a little bit more/less about this configuration for me. My office and the remote office are connected via a dedicated line purchased from a service provider; it is a 10M fiber link. The objective is to extend my Enterprise Network boundary to the remote office so the users in the remote office will be able to use the Cisco collaboration CUCM solution that is implemented in my Enterprise boundary: simply put an IP phone in the remote office and that IPT phone should be able to make use of the extension numbers and make calls as if it were inside my Enterprise boundary. The gateway device at the remote end is a Huawei Eudemon 1000E Firewall. My service provider has finished setting up the VPN link and provided me with two IP subnets, one for each end. So I wanted to seek opinion from this community before I get into the implementation work, in case I missed anything. Plus, a few things are making me wonder if I can do this successfully.

  1. Will the IPT phone on the remote end be able to use the DHCP service that is currently working in my boundary to acquire a dynamic IP address via the IPSec tunnel? If not, then what option do I have?

  2. If the SP is providing me with a VPN leased line, will I need to go further into configuring additional Auth-Encr parameters to get this as IPSec?

  3. I have started testing the configuration with one sub-interface under my L3 aggregate and I have put it in a new zone. Is this a wise move to start with?

  4. Following up on #3, how will my VR look, because I am currently using a single VR for all my routes including Internet connectivity?

  5. If anyone out here has done it before, would you suggest anything to look out for?

Looking forward to your responses. Thanks and regards.

No Pain, No Gain

Cyber Elite

Hi @iscofate,

  1. Will the IPT phone on the remote end be able to use the DHCP service that is currently working in my boundary to acquire a dynamic IP address via the IPSec tunnel? If not, then what option do I have?

- Yes, if there is reachability to the server over the tunnel, this will work.

  2. If the SP is providing me with a VPN leased line, will I need to go further into configuring additional Auth-Encr parameters to get this as IPSec?

- Yes, you need to create a site-to-site tunnel configuration on both ends. Both ends' public IPs will act as peers for each other. The article below may help you with the configuration steps on the Palo Alto side. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGkCAK

  3. I have started testing the configuration with one sub-interface under my L3 aggregate and I have put it in a new zone. Is this a wise move to start with?

- Where is the internet/leased line terminated? If it is on a dedicated interface then you don't need to add a sub-interface; just configure the interface with the proper IP address. If you're going to re-use this interface in future for any other connectivity, or you want to use an existing interface for this connectivity, you can go for a sub-interface.

  4. Following up on #3, how will my VR look, because I am currently using a single VR for all my routes including Internet connectivity?

- In the same VR, you need to add a route for the remote office network which is going to communicate via the tunnel and point that route to the desired tunnel interface. Refer to the article given above.

  5. If anyone out here has done it before, would you suggest anything to look out for?

- Yes, we have one site communicating over a tunnel. While configuring the tunnel, you need to take care of the encryption domain, tunnel parameters, required security policies and routing.

Hope it helps!

M
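The reply's checklist (matching tunnel parameters, a mirrored encryption domain, and a route into the tunnel on each end) can be verified on paper before anything is committed on either firewall. The following is an added example, not code from the original post or from Palo Alto Networks; the peer names, subnets and proposals are constructed sample values, and the Huawei side is modelled only as the local/remote networks and proposals it is configured with.

```python
"""Consistency check for a two-ended site-to-site IPsec design (added example).

Encodes the items the reply says to take care of: Phase 1 / Phase 2 proposals
must agree, each end's local network must equal the other end's remote network
(Palo Alto proxy-ID vs. the far end's encryption domain), and each end must
route the far subnet into its tunnel interface. All values are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Peer:
    name: str
    public_ip: str        # IKE peer address on the SP-assigned WAN subnet
    local_net: str        # this end's protected subnet
    remote_net: str       # the far end's protected subnet as configured here
    ike: tuple            # (version, encryption, hash, dh_group, lifetime_s)
    ipsec: tuple          # (encryption, auth, pfs_group, lifetime_s)
    routes: frozenset     # destination prefixes pointed at the tunnel interface


def check_design(a: Peer, b: Peer) -> list:
    """Return a list of problems; an empty list means both ends agree."""
    problems = []
    if a.ike != b.ike:                       # Phase 1 must match exactly
        problems.append(f"IKE proposal mismatch: {a.ike} vs {b.ike}")
    if a.ipsec != b.ipsec:                   # Phase 2 must match exactly
        problems.append(f"IPsec proposal mismatch: {a.ipsec} vs {b.ipsec}")
    for x, y in ((a, b), (b, a)):            # encryption domain must mirror
        if ip_network(x.local_net) != ip_network(y.remote_net):
            problems.append(f"proxy-ID mismatch: {x.name} local {x.local_net}"
                            f" != {y.name} remote {y.remote_net}")
    for x in (a, b):                         # far subnet must be routed to tunnel
        if ip_network(x.remote_net) not in {ip_network(r) for r in x.routes}:
            problems.append(f"{x.name}: no route for {x.remote_net} via tunnel")
    if a.public_ip == b.public_ip:
        problems.append("both peers configured with the same peer address")
    return problems


# Constructed sample: HQ PA-800 and the branch Eudemon, one correct, one not.
IKE = ("ikev2", "aes-256-cbc", "sha256", "group14", 28800)
IPSEC = ("aes-256-cbc", "sha256", "group14", 3600)
HQ = Peer("HQ-PA800", "203.0.113.1", "10.10.0.0/16", "10.20.0.0/24",
          IKE, IPSEC, frozenset({"10.20.0.0/24"}))
BRANCH_OK = Peer("Branch-Eudemon", "203.0.113.2", "10.20.0.0/24",
                 "10.10.0.0/16", IKE, IPSEC, frozenset({"10.10.0.0/16"}))
BRANCH_BAD = Peer("Branch-Eudemon", "203.0.113.2", "10.20.0.0/24",
                  "10.10.0.0/24", IKE[:3] + ("group2", 86400), IPSEC, frozenset())

if __name__ == "__main__":
    print(check_design(HQ, BRANCH_OK))       # []
    print("\n".join(check_design(HQ, BRANCH_BAD)))
```

The bad branch case reports three findings: a DH group/lifetime mismatch in Phase 1, a /24 versus /16 encryption-domain mismatch, and a missing route on the branch side.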