Trouble with multiple IPsec VPN Tunnel

L1 Bithead

Hi all,

I'm new to Palo Alto devices and I'm facing a problem.

Site A has the subnet 192.168.100.0/24. Site B has 192.168.40.0/21. Both sites use PA-820s.

Site A has an IPsec tunnel to Site B. This tunnel is running well.

Now we have a new Site C, 192.168.52.0/24, using a non-Palo Alto firewall. I can set up a tunnel between B and C, and C can access B now.

The topology looks like below.

Site A =========site B ========= site C
For various reasons, I cannot set up a tunnel between A and C. But our business requires C to access A.

My question is, is there any solution that can use the PA-820 at site B to allow access from C to A?

L0 Member

To access SiteA from SiteC:

In the tunnel config between A and B: add the subnet of Site C to the remote Proxy ID at Site A and to the local Proxy ID at Site B.
In the tunnel config between B and C: add the subnet of Site A to the remote encryption domain at Site C and to the local Proxy ID at Site B.

Make sure that the subnets 192.168.52.0/24 and 192.168.100.0/24 are not used locally at sites A and C respectively (this causes routing issues).

Add required routing and security rules.

As you configured a tunnel between the Palo Alto at Site B and Site C, you should be able to configure one between Site A and Site C. Please verify the configuration.

L4 Transporter

Hi @mercurr ,
If I may summarize, as a high-level overview, the steps provided by @Lohith_Reddy:

- First, add the network in Site C to the VPN encryption domain/interesting traffic.

- Second, create routes for the network in Site C to point to the right tunnel.

- Create appropriate rules for allowing traffic from A to C. Depending on your setup (in which zone you have configured the VPN tunnels) the rule at Site B will most probably be an intrazone rule (e.g. if you put all VPN tunnels in a "vpn" zone, at Site B your rule will be from zone "vpn" to zone "vpn").

L1 Bithead

Thank you for your reply @Lohith_Reddy,

From my view, I need to add the proxy ID of site C to site A and add the proxy ID of site A to site C, is that right?
And here comes a problem, I don't have access to any settings at site A. I'm trying not to do changes at site A.

Is there any way to avoid changes at site A?

L1 Bithead

Hi @AlexanderAstardzhiev ,

Thanks for your summary.

L4 Transporter

Hey @mercurr ,

The proper way would be to make the change on all devices. The reason for that is simple: IPsec needs to know which networks are "allowed" to pass through the VPN tunnel. It doesn't have anything to do with Palo Alto, it's just how the protocol works. So there is no way to send traffic in the tunnel if it is not defined. In addition, how do you expect site A to know where to route the traffic for site C if you don't make any change there?
The only workaround for this would be to use NAT, but this will only work if you don't really use the full /24 network at site B. If at site B you are using a /24 (which is already in the remote proxy ID for site A), but in reality you have some free IP addresses, you can NAT those 30 addresses to 30 addresses at site C. Let's say:

- you have 192.168.20.0/24 at site B, and the IP range 192.168.20.200-250 is actually free (no hosts are using any of these IPs)

- you have 192.168.30.0/24 at site C

- at site B you can configure NAT: when the source is the site A network and the destination is in the range 192.168.20.200-250, translate the destination IP to 192.168.30.200-250.

- If you don't NAT the source IP, you still need to add the site A network to the VPN tunnel between site B and site C.
The above example uses an IP range, but you can use single-IP NAT rules.
The main problem with this workaround is that it doesn't scale well if you need lots of hosts to communicate between sites A and C. It can easily become quite a mess, so I would strongly recommend reconsidering making changes at site A. I guess you want to avoid contacting the team/person responsible for configuring this device, but I would prefer to have such a conversation and keep my environment nice and tidy.

L0 Member

As you don't want to make changes at Site A, you can use NAT to access Site A from C.

You need to create both source and destination NAT rules translating IPs in Subnets A and C to Subnet B at Site B.
Example:

Site A - 192.168.100.0/24
Site B - 192.168.40.0/21 
Site C - 192.168.52.0/24


As the traffic is initiated from C:

Packet at Site C (before NAT)                 Packet at Site B (after NAT, toward A)
Source:      192.168.52.1   (Subnet C)        Source:      192.168.41.1   (Subnet B)
Destination: 192.168.40.1   (Subnet B)        Destination: 192.168.100.1  (Subnet A)
It does not need any changes in the tunnel configuration. If you don't have enough free IPs at site B, use Dynamic IP and Port translation. 
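The two NAT replies above (AlexanderAstardzhiev's range example and the source-plus-destination translation in the last post) both rest on one idea: the B-A tunnel's proxy IDs only admit B-to-A traffic, so site B must rewrite a C-originated packet until it looks like B-to-A before the existing SA will carry it, and rewrite the reply back before the B-C SA will carry that. The script below is an added illustration and not code from the thread or from Palo Alto Networks; it models that proxy-ID and NAT decision, it does not configure a firewall. The site prefixes are those in the thread; the two alias pools inside site B's /21 (192.168.40.0/24 standing in for site A as seen from C, 192.168.41.0/24 standing in for site C as seen from A) are assumptions taken from the 192.168.40.1 / 192.168.41.1 figures in the last post, and the list of in-use site B hosts is constructed.

```python
"""Trace the 'double NAT at site B' workaround from this thread.

Added illustration only; not code from the thread or from Palo Alto Networks.
It models a proxy-ID / NAT decision, it does not configure anything.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

SITE_A = IPv4Network("192.168.100.0/24")
SITE_B = IPv4Network("192.168.40.0/21")
SITE_C = IPv4Network("192.168.52.0/24")
A_ALIAS = IPv4Network("192.168.40.0/24")  # assumed: C hosts dial these to reach A
C_ALIAS = IPv4Network("192.168.41.0/24")  # assumed: what A sees as the source

# Constructed: hosts really in use at site B (one sits inside C_ALIAS on purpose).
IN_USE_AT_B = [IPv4Address("192.168.42.10"), IPv4Address("192.168.41.7")]


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address

    @classmethod
    def parse(cls, src: str, dst: str) -> "Packet":
        return cls(IPv4Address(src), IPv4Address(dst))


@dataclass(frozen=True)
class Tunnel:
    """An IPsec SA described by its proxy IDs (traffic selectors), seen from site B."""
    name: str
    local: IPv4Network
    remote: IPv4Network

    def carries(self, pkt: Packet) -> bool:
        # Selectors are symmetric: local->remote outbound, remote->local inbound.
        # A packet matching neither is simply not eligible for this SA.
        return (pkt.src in self.local and pkt.dst in self.remote) or \
               (pkt.src in self.remote and pkt.dst in self.local)


# The existing tunnels; the workaround touches neither proxy ID.
TUN_B_A = Tunnel("B-A", local=SITE_B, remote=SITE_A)
TUN_B_C = Tunnel("B-C", local=SITE_B, remote=SITE_C)


def remap(addr: IPv4Address, src_net: IPv4Network, dst_net: IPv4Network) -> IPv4Address:
    """1:1 static NAT: keep the host part, swap the network part."""
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("static 1:1 NAT needs equal-sized pools")
    offset = int(addr) - int(src_net.network_address)
    return IPv4Address(int(dst_net.network_address) + offset)


def forward_from_c(pkt: Packet, with_nat: bool):
    """A packet from site C reaches B. Returns (egress SA toward A or None, packet as it leaves B)."""
    if not TUN_B_C.carries(pkt):
        return None, pkt  # C's firewall would not even select it into the B-C SA
    out = pkt
    if with_nat and pkt.src in SITE_C and pkt.dst in A_ALIAS:
        # Destination NAT alias -> real A host, source NAT C host -> B alias, so the
        # packet the B-A SA sees is B -> A, which its existing proxy IDs already allow.
        out = Packet(remap(pkt.src, SITE_C, C_ALIAS), remap(pkt.dst, A_ALIAS, SITE_A))
    return (TUN_B_A.name if TUN_B_A.carries(out) else None), out


def reply_from_a(pkt: Packet):
    """A reply from site A reaches B; undo both translations and pick the B-C SA."""
    if not TUN_B_A.carries(pkt):
        return None, pkt
    out = pkt
    if pkt.src in SITE_A and pkt.dst in C_ALIAS:
        out = Packet(remap(pkt.src, SITE_A, A_ALIAS), remap(pkt.dst, C_ALIAS, SITE_C))
    return (TUN_B_C.name if TUN_B_C.carries(out) else None), out


def pool_collisions(pool: IPv4Network, hosts_in_use):
    """The thread's caveat: an alias pool must contain no real site B hosts."""
    return sorted(h for h in hosts_in_use if h in pool)


if __name__ == "__main__":
    print(forward_from_c(Packet.parse("192.168.52.1", "192.168.100.1"), with_nat=True))
    print(forward_from_c(Packet.parse("192.168.52.1", "192.168.40.1"), with_nat=False))
    print(forward_from_c(Packet.parse("192.168.52.1", "192.168.40.1"), with_nat=True))
    print(reply_from_a(Packet.parse("192.168.100.1", "192.168.41.1")))
    print(pool_collisions(C_ALIAS, IN_USE_AT_B))
```

The first two calls show the failure modes the thread warns about: a C host that addresses 192.168.100.1 directly is outside the B-C selectors and never enters the tunnel, and a packet to the alias without the NAT rule simply stays at site B. Only the translated packet is eligible for the B-A SA, and the reply is eligible for the B-C SA once both translations are undone, which is why no proxy ID at A, B or C has to change. The collision check is the pre-flight test a practitioner should run before committing the NAT rule, since a real host inside the alias pool would be shadowed by the translation.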
