Two Directly Connected PANs via IPSEC- Do I Need to Build Tunnel Interfaces

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Two Directly Connected PANs via IPSEC- Do I Need to Build Tunnel Interfaces

L2 Linker

We are having installed a 10 Gbps Light Wave service for a WAN connection and will have PANs on either side. (The PANs will be on the same /30 subnet, and the Wave service appears to be a raw fiber connection terminated on physical PAN L3 interfaces). We want to authenticate the other end and encrypt using IPSEC. Do I need to build a tunnel interface with another /30 in order to leverage IPSEC in the Palo Alto platform, or is there some "short-cut"? Also, would I need to use a third /30 for a tunnel monitor? Thanks! (I'm pretty new to PANs).

 

Mike

 

 

1 accepted solution

Accepted Solutions

With physical interfaces you mean ethernet1/x? (Tunnel interfaces are virtual)

-yes, unnumbered means no ip assigned

-10.10.1.4/30 and 10.10.1.0/30 are unusable addresses (broadcast and network)

The usable ips in that subnet are .1/30 and .2/30

So if the local interface has .1 then the remote should use .2 and monitor would go to .2

-the ipsec packets will happen between the physical ethernet1/x I terfaces, typically untrust to untrust. Intrazone will take care of that (but I do recommend making explicit rules and blocking untrust to untrust at the end)

- the tunnel traffic will come from and will go to the virtual tunnel interfaces' zone

 

Hope this helps

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

3 REPLIES 3

Cyber Elite
Cyber Elite

Hi @michaelmertens 

 

Tunnel interfaces are virtual and as such do not necessarily require an IP when connected to another route based vpn device

 

You would apply the /30 to your physical interface

Then configure an 'ike  gateway'for the remote device's IP in the /30 and can then use 'unnumbered' tunnel interfaces

In your VirtualRouter you can just set a destination interface as next hop, no need for an IP

For tunnel monitoring you could add IP  addresses to the tunnel interfaces, but you could also use a loopback interface

In both cases these up addresses do not need to be known outside of the 2 devices

 

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Reaper, 

 

Thanks for your input. I'm still troubleshooting getting the IKE handshake going. (I've got both FWs back-to-back prior to sending out the remote FW). So when you said having the tunnel "unnumbered" you just meant to not assign an IPv4 address in the Tunnel Interface config? And to your point, as I would like to have a tunnel monitor, I'm using a 10.10.1.4/30 for the tunnel monitor and the physical interfaces are using 10.10.1.0/30. Also, I've created new Zone names for the physical interfaces on either end. I don't need to put in explicit rules to allow IPSEC packets (UDP 500, UDP 4500, etc) for IKE/IPSEC SAs? I do have my default Intrazone rule which permits any any...

Anyway, I'm new at the Palo Alto's so appreciate your thoughts and input.

 

Mike

With physical interfaces you mean ethernet1/x? (Tunnel interfaces are virtual)

-yes, unnumbered means no ip assigned

-10.10.1.4/30 and 10.10.1.0/30 are unusable addresses (broadcast and network)

The usable ips in that subnet are .1/30 and .2/30

So if the local interface has .1 then the remote should use .2 and monitor would go to .2

-the ipsec packets will happen between the physical ethernet1/x I terfaces, typically untrust to untrust. Intrazone will take care of that (but I do recommend making explicit rules and blocking untrust to untrust at the end)

- the tunnel traffic will come from and will go to the virtual tunnel interfaces' zone

 

Hope this helps

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
  • 1 accepted solution
  • 4174 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!