05-02-2018 08:37 AM
I've been given an L2 handoff from Comcast from our data center to our co-location. I can move switched traffic over the link between the Palos at both sites with no issues. My problem comes when I try to add L3 and a tunnel to the link. I've set up many site-to-site VPNs before, but this is my first time trying to add it to an L2 interface.
My first attempt I told the Palo the L2 interface was an L3, and applied my normal configurations for setting up the tunnel. It does attempt to negotiate, but times out.
My second attempt I used an older KB by Palo from around 2010 where it used a VLAN interface. However, the guide was setting it up to work from a single Palo versus between two separate. I can't even see them attempt to negotiate in the logs, so fairly sure I totally messed that configuration up.
Does anyone have any advice, or can point me to a more solid resource for setting this up?
Thank you!
05-02-2018 09:38 AM
Let's take this one step at a time.
You say you can move switched traffic over the link. What happens if you add IP addresses to the interfaces connected to Comcast (configure them as L3) and add a ping management profile during troubleshooting - can you ping across the link (you should be able to)?
Now configure your IPSEC tunnel using those IP addresses as the targets for the tunnel - does the tunnel come up?
Are you able to share any configuration details? We may need more detail to determine exactly what you have configured and make better recommendations.
If they deliver you a "Layer 2" tunnel, it just means they don't have a gateway you need to reach out to, layer 3 and above are up to you.
05-02-2018 09:39 AM
Thanks for the advice. I'll give that a go after lunch and report back.
05-02-2018 11:24 AM
Hello,
I agree with @JoeAndreini. I also have L2 connections and that is how I do it. Just give each interface the WAN link connects to an RFC 1918 /30 and do the same on the other side with the corresponding /30 address. I also add static routes for the /30's in each direction along with the associated Policies to secure the traffic.
Cheers!
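A small planning check for the /30 addressing and tunnel peers described in the replies above. This is an added example, not code from the thread or from Palo Alto Networks; the addresses, LAN prefixes and the `tunnel.1` interface name are constructed placeholders, and the static route for the remote LAN via the tunnel interface assumes a route-based tunnel.

```python
import ipaddress

# RFC 1918 private ranges; the reply above asks for a /30 drawn from one of these.
PRIVATE_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def check_p2p_link(local_cidr: str, remote_cidr: str) -> dict:
    """Validate that two interface addresses form a usable point-to-point /30.

    Returns a dict with 'ok', a list of 'problems', and the peer address each
    side should be able to ping once the L3 interfaces are up.
    """
    problems = []
    local = ipaddress.ip_interface(local_cidr)
    remote = ipaddress.ip_interface(remote_cidr)

    if local.network.prefixlen != 30 or remote.network.prefixlen != 30:
        problems.append("both ends must use a /30 mask")
    if local.network != remote.network:
        problems.append(f"ends are in different subnets: {local.network} vs {remote.network}")
    if local.ip == remote.ip:
        problems.append("both ends use the same address")

    for label, iface in (("local", local), ("remote", remote)):
        # In a /30 only two host addresses exist; .0 and .3 are not usable.
        if iface.ip in (iface.network.network_address, iface.network.broadcast_address):
            problems.append(f"{label} address {iface.ip} is the network or broadcast address")
        if not any(iface.ip in block for block in PRIVATE_BLOCKS):
            problems.append(f"{label} address {iface.ip} is not RFC 1918")

    return {
        "ok": not problems,
        "problems": problems,
        "network": str(local.network),
        "local_peer": str(remote.ip),   # what the local box should ping
        "remote_peer": str(local.ip),   # what the remote box should ping
    }


def plan_tunnel(local_cidr: str, remote_cidr: str, local_lan: str,
                remote_lan: str, tunnel_if: str = "tunnel.1") -> dict:
    """Derive the IKE peer addresses and the route the tunnel needs.

    Assumption: a route-based IPsec tunnel whose tunnel interface name is
    given by tunnel_if (hypothetical default 'tunnel.1').
    """
    link = check_p2p_link(local_cidr, remote_cidr)
    if not link["ok"]:
        raise ValueError("; ".join(link["problems"]))
    local = ipaddress.ip_interface(local_cidr)
    remote = ipaddress.ip_interface(remote_cidr)
    return {
        "ike_local_address": str(local.ip),
        "ike_peer_address": str(remote.ip),
        "static_routes": [
            {"destination": str(ipaddress.ip_network(remote_lan)), "interface": tunnel_if},
        ],
        "local_lan": str(ipaddress.ip_network(local_lan)),
    }


if __name__ == "__main__":
    # Constructed sample: data center side .1, co-location side .2
    print(check_p2p_link("10.255.255.1/30", "10.255.255.2/30"))
    print(plan_tunnel("10.255.255.1/30", "10.255.255.2/30",
                      "192.168.10.0/24", "192.168.20.0/24"))
```

Run the check before touching the firewalls: a mismatched mask or two addresses that fall in different /30s is exactly the kind of error that makes the first ping test in the thread fail, and the IKE peer address each side uses is simply the other end's /30 address.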
05-02-2018 11:33 AM
At that point you can configure your IPSEC tunnel as if it was over any other network.