05-07-2020 11:28 AM
We are having installed a 10 Gbps Light Wave service for a WAN connection and will have PANs on either side. (The PANs will be on the same /30 subnet, and the Wave service appears to be a raw fiber connection terminated on physical PAN L3 interfaces). We want to authenticate the other end and encrypt using IPSEC. Do I need to build a tunnel interface with another /30 in order to leverage IPSEC in the Palo Alto platform, or is there some "short-cut"? Also, would I need to use a third /30 for a tunnel monitor? Thanks! (I'm pretty new to PANs).
Mike
05-11-2020 06:08 AM
With physical interfaces you mean ethernet1/x? (Tunnel interfaces are virtual)
-yes, unnumbered means no ip assigned
-10.10.1.4/30 and 10.10.1.0/30 are unusable addresses (broadcast and network)
The usable ips in that subnet are .1/30 and .2/30
So if the local interface has .1 then the remote should use .2 and monitor would go to .2
-the ipsec packets will happen between the physical ethernet1/x I terfaces, typically untrust to untrust. Intrazone will take care of that (but I do recommend making explicit rules and blocking untrust to untrust at the end)
- the tunnel traffic will come from and will go to the virtual tunnel interfaces' zone
Hope this helps
05-07-2020 10:52 PM
Tunnel interfaces are virtual and as such do not necessarily require an IP when connected to another route based vpn device
You would apply the /30 to your physical interface
Then configure an 'ike gateway'for the remote device's IP in the /30 and can then use 'unnumbered' tunnel interfaces
In your VirtualRouter you can just set a destination interface as next hop, no need for an IP
For tunnel monitoring you could add IP addresses to the tunnel interfaces, but you could also use a loopback interface
In both cases these up addresses do not need to be known outside of the 2 devices
05-11-2020 05:56 AM
Reaper,
Thanks for your input. I'm still troubleshooting getting the IKE handshake going. (I've got both FWs back-to-back prior to sending out the remote FW). So when you said having the tunnel "unnumbered" you just meant to not assign an IPv4 address in the Tunnel Interface config? And to your point, as I would like to have a tunnel monitor, I'm using a 10.10.1.4/30 for the tunnel monitor and the physical interfaces are using 10.10.1.0/30. Also, I've created new Zone names for the physical interfaces on either end. I don't need to put in explicit rules to allow IPSEC packets (UDP 500, UDP 4500, etc) for IKE/IPSEC SAs? I do have my default Intrazone rule which permits any any...
Anyway, I'm new at the Palo Alto's so appreciate your thoughts and input.
Mike
05-11-2020 06:08 AM
With physical interfaces you mean ethernet1/x? (Tunnel interfaces are virtual)
-yes, unnumbered means no ip assigned
-10.10.1.4/30 and 10.10.1.0/30 are unusable addresses (broadcast and network)
The usable ips in that subnet are .1/30 and .2/30
So if the local interface has .1 then the remote should use .2 and monitor would go to .2
-the ipsec packets will happen between the physical ethernet1/x I terfaces, typically untrust to untrust. Intrazone will take care of that (but I do recommend making explicit rules and blocking untrust to untrust at the end)
- the tunnel traffic will come from and will go to the virtual tunnel interfaces' zone
Hope this helps
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
