Two Directly Connected PANs via IPSEC- Do I Need to Build Tunnel Interfaces

L2 Linker

We are having a 10 Gbps Light Wave service installed for a WAN connection and will have PANs on either side. (The PANs will be on the same /30 subnet, and the Wave service appears to be a raw fiber connection terminated on physical PAN L3 interfaces.) We want to authenticate the other end and encrypt using IPSEC. Do I need to build a tunnel interface with another /30 in order to leverage IPSEC in the Palo Alto platform, or is there some "short-cut"? Also, would I need to use a third /30 for a tunnel monitor? Thanks! (I'm pretty new to PANs.)

Mike


All Replies
L7 Applicator

Hi @michaelmertens

Tunnel interfaces are virtual and as such do not necessarily require an IP when connected to another route-based VPN device.

You would apply the /30 to your physical interface.

Then configure an 'IKE gateway' for the remote device's IP in the /30 and you can then use 'unnumbered' tunnel interfaces.

In your Virtual Router you can just set a destination interface as next hop, no need for an IP.

For tunnel monitoring you could add IP addresses to the tunnel interfaces, but you could also use a loopback interface.

In both cases these IP addresses do not need to be known outside of the 2 devices.


Tom Piens - PANgurus.com
New to PAN-OS or getting ready to take the PCNSE? check out amazon.com/dp/1789956374
L2 Linker

Reaper,

Thanks for your input. I'm still troubleshooting getting the IKE handshake going. (I've got both FWs back-to-back prior to sending out the remote FW.) So when you said having the tunnel "unnumbered" you just meant to not assign an IPv4 address in the Tunnel Interface config? And to your point, as I would like to have a tunnel monitor, I'm using 10.10.1.4/30 for the tunnel monitor and the physical interfaces are using 10.10.1.0/30. Also, I've created new Zone names for the physical interfaces on either end. I don't need to put in explicit rules to allow IPSEC packets (UDP 500, UDP 4500, etc.) for IKE/IPSEC SAs? I do have my default Intrazone rule which permits any any...

Anyway, I'm new at the Palo Altos, so I appreciate your thoughts and input.


Mike

L7 Applicator (accepted solution)

With physical interfaces you mean ethernet1/x? (Tunnel interfaces are virtual.)

- Yes, unnumbered means no IP assigned.

- 10.10.1.4/30 and 10.10.1.0/30 are unusable addresses (broadcast and network).

The usable IPs in that subnet are .1/30 and .2/30.

So if the local interface has .1 then the remote should use .2 and the monitor would go to .2.

- The IPsec packets will happen between the physical ethernet1/x interfaces, typically untrust to untrust. Intrazone will take care of that (but I do recommend making explicit rules and blocking untrust to untrust at the end).

- The tunnel traffic will come from and will go to the virtual tunnel interfaces' zone.


Hope this helps

Tom Piens - PANgurus.com
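A worked configuration for what the accepted answer describes: the /30 on the physical interfaces, an IKE gateway aimed at the peer's usable host address, a tunnel interface in its own zone with a static route that uses the interface as next hop, a tunnel monitor aimed at the peer's tunnel address, and explicit IKE/ESP rules followed by a deny for the rest of the untrust-to-untrust traffic. This is an added example, not configuration from the thread; the interface, zone, gateway and tunnel names and the 172.16.0.0/30 and 192.168.2.0/24 ranges are assumptions, and the set syntax should be checked against the PAN-OS version in use.

```text
# Added example, constructed for this thread; not configuration from the original posts.
# PAN-OS "set" CLI for the local firewall; the remote side mirrors it with .1 and .2 swapped.
# Assumed names and values: ethernet1/1, tunnel.1, zones "wan" and "vpn", gateway "gw-wave",
# tunnel "vpn-wave", 10.10.1.0/30 on the wave link, 172.16.0.0/30 for tunnel monitoring,
# 192.168.2.0/24 as the remote LAN, and a placeholder pre-shared key.
# Check the exact syntax against your PAN-OS version before committing.

# Physical interface on the wave link: in 10.10.1.0/30 only .1 and .2 are host addresses
set network interface ethernet ethernet1/1 layer3 ip 10.10.1.1/30
set zone wan network layer3 ethernet1/1

# Tunnel interface in its own zone; the address exists only because tunnel monitoring
# sources its probes from it (leave it unnumbered if you do not monitor)
set network interface tunnel units tunnel.1 ip 172.16.0.1/30
set zone vpn network layer3 tunnel.1
set network virtual-router default interface [ ethernet1/1 tunnel.1 ]

# IKE gateway: local physical interface, peer is the other usable host on the /30
set network ike gateway gw-wave local-address interface ethernet1/1
set network ike gateway gw-wave peer-address ip 10.10.1.2
set network ike gateway gw-wave authentication pre-shared-key key PSK-PLACEHOLDER
set network ike gateway gw-wave protocol version ikev2
set network ike gateway gw-wave protocol ikev2 ike-crypto-profile default

# IPsec tunnel bound to tunnel.1; monitor the peer's tunnel address (.2), never .0 or .3
set network tunnel ipsec vpn-wave auto-key ike-gateway gw-wave
set network tunnel ipsec vpn-wave auto-key ipsec-crypto-profile default
set network tunnel ipsec vpn-wave tunnel-interface tunnel.1
set network tunnel ipsec vpn-wave tunnel-monitor enable yes
set network tunnel ipsec vpn-wave tunnel-monitor destination-ip 172.16.0.2

# Route the remote LAN through the tunnel with the interface as next hop (no next-hop IP)
set network virtual-router default routing-table ip static-route to-remote-lan destination 192.168.2.0/24 interface tunnel.1

# Inbound IKE/ESP from the peer arrives wan-to-wan; allow exactly that, then deny other
# wan-to-wan traffic so the default intrazone-allow no longer applies to that zone
set rulebase security rules allow-ike-esp from wan to wan source 10.10.1.2 destination 10.10.1.1 application [ ike ipsec-esp ] service application-default action allow
set rulebase security rules deny-wan-to-wan from wan to wan source any destination any application any service any action deny
```

Because the link is direct fiber with no NAT in the path, NAT-T (UDP 4500) is not needed and only the `ike` and `ipsec-esp` applications are allowed.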
