Site-to-Site VPN with PPPoE


L3 Networker

Hi All,
A somewhat interesting scenario pre-Christmas here. I'm tasked with setting up a site-to-site VPN between a PA3020 and PA-200. The PA-200 will be connecting with PPPoE, which I've never set up before. I have some concerns on this and was wondering if anyone with some experience with a similar scenario can help with these questions:


1. Despite being PPPoE, the provider has given me a static IP to configure on the Outside interface of the PA. My guess is, the PA-200 will always receive this IP if I do it this way. However, when PPPoE is selected on the PA, and a static IP is configured, the interface list doesn't show me the IP address I stated. It still reads as 'Dynamic-PPPoE' (below). This leads me to question 2.






2. When configuring my IKE-Gateway, I select the interface to terminate the VPN. Because the interface is seen as 'Dynamic-PPPoE', the IP address on that interface is not available to be selected. The only option I get is 'None'. Can the tunnel still form with the interface address set to 'NONE'?


3. For the other end of the tunnel (the PA3020), will I need to set the Peer type to dynamic since I've been unable to specify an IP address on the PA200 (as per question 2)? Or can the tunnel work if I set the Peer IP as the static address the Provider has 'assigned' to me?


4. Default route: I've asked the provider for a next hop/default route. Their response is that there is usually no requirement for a next hop. My only option at the moment is to choose the outside interface on the Palo and select the next hop as 'None' as well. I'm also ticking the checkbox 'automatically create default route pointing to peer'.

Could this cause problems?


Apologies for the long string of questions. I've not worked with PPPoE before and would really just like some clarification.


Your assistance is much appreciated.




Accepted Solutions

The tunnel actually came up with both peers set to static IP and using the IP address given by the ISP. I didn't need to use dynamic peer on any of them.

I did specify Local ID and Peer ID, just in case, but I doubt this had an effect.

No default gateway/default route is required as long as the option to 'automatically create a route' is selected for PPPoE.



Thanks for your suggestions, all.



L4 Transporter

1. You need to set up a /32 on the PPPoE interface.

2. Setting up the /32 should give you the IP in the drop-down list; otherwise you can leave it as none but select "ip address" in the local identification field, where you can set up your public IP address.

3. If you're sure the IP address won't change, you can leave it as static.

4. With PPPoE I believe that the default route is set up during the negotiation, so there's no need to configure it manually. I don't recommend creating a static and leaving the next hop as none.




Hi Gerardo,

Thanks for your suggestions. Setting a /32 address still doesn't give me the address in the drop-down. I guess I have to leave it as 'NONE'. I'll try configuring the Local ID as the IP address and test though. I'll let you know the results.



L5 Sessionator

Let's say you have two PA boxes, A and B. A has a PPPoE link and B has a static IP address.


To configure the IPSec tunnel on A, you have to select the peer as static. In peer identification you can type the static IP address of B. In local identification you can use any IP address; it can be anything and need not be on the firewall. If your ISP is providing you a static IP, you can use that in peer identification.


On B you have to select the peer type as dynamic and then in local identification use the static IP address that is on the interface. In peer identification use the IP address that you specified on A as local identification.


Make sure the local and peer identification are configured properly. A's local will become B's peer. B's local will become A's peer.


'automatically create default route pointing to peer' is okay, better than a static route.


Hope this helps!




Can you provide the output of show vpn ike-sa detail gateway <NAME>?


It sounds to me that you will need to configure your Dynamic VPN Local/Remote Identifier between your VPN peers in order to identify the VPN devices.





