VPN over MetroE

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

VPN over MetroE

L1 Bithead

I've been given an L2 handoff from Comcast from our data center to our co-location. I can move switched traffic over the link between the Palos at both sites with no issues. My problem comes when I try to add L3 and a a tunnel to the link. I've set up many site-to-site vpns before, but this is  my first time trying to add it to an L2 interface. 

 

My first attempt I told the Palo the the L2 interface was an L3, and applied my normal configurations for setting up the tunnel. It does attempt to negotiate, but times out.

 

My second attempt I used an older KB by Palo from around 2010 where it used a VLAN interface. However, the guide was setting it up to work from a single Palo versus between two separate. I can't even see them attempt to negotiate in the logs, so fairly sure I totally messed that configuration up.

 

Does any one have any advice, or can point me to a more solid resource for setting this up?

 

Thank you!

1 accepted solution

Accepted Solutions

Hello,

I agree with @JoeAndreini. I also have L2 connections and that is how i do it. Just give each interface the WAN link connect to a RFC 1918 /30 and do the same on the other side with the corresponding /30 address. I also add static routes for the /30's in each direction along with the associated Polcies to secure the traffic.

 

Cheers!

View solution in original post

4 REPLIES 4

L4 Transporter

Let's take this one step at a time.

 

You say you can move switched traffic over the link.  What happens if you add IP addresses to the interfaces connected to comcast (configure them as L3) and add a ping management profile during troubleshooting - can you ping across teh link (you should be able to)

 

Now configure your IPSEC tunnel using those IP addresses as the targets for the tunnel - does the tunnel come up?

 

Are you able to share any configuration details?  We may need more detail to determine exactly what you have configured and make better recommendations.

 

If they deliver you a "Layer 2" tunnel, it just means they don't have a gateway you need to reach out to, layer 3 and above are up to you.

Thanks for the advice. I'll give that a go after lunch and report back. 

Hello,

I agree with @JoeAndreini. I also have L2 connections and that is how i do it. Just give each interface the WAN link connect to a RFC 1918 /30 and do the same on the other side with the corresponding /30 address. I also add static routes for the /30's in each direction along with the associated Polcies to secure the traffic.

 

Cheers!

At that point you can configure your IPSEC tunnel as if it was over any other network.

  • 1 accepted solution
  • 3083 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!