VPN site-2-site configuration and OSPF


L2 Linker

Hello forum members,

 

I have been testing the VPN site-2-site configurations on my Palo Alto VM lab, prior to deploying on our production environment. I have successfully set up a VPN connection where both firewalls use static routing. The trouble I'm having now is setting up the VPN connection where the 3rd party site uses static routing and my corp LAN uses OSPF.

 

I can't get the tunnel up between the two sites. I followed the Site-2-Site VPN with Static and Dynamic Routing example in the PAN-OS Admin guide, but some of the steps seem vague (vague to me anyway). My R1 router has formed an OSPF neighbour relationship with the Palo Alto VM-PA-01 fine, and the PC host 172.19.9.10 can ping the E1/2 interface (10.216.7.1) of the Palo Alto fine.

 

The following is my lab topology and screenshots of the configs.

 

topology.PNG

 

VM-PA-01 config.

 

interfaces.PNG

tunnel.PNG

 

VR.PNG

 

static.PNG

 

ospf1.PNG

 

redist profile.PNG

 

IPSEC tunn.PNG

 

IKE gate1.PNG

 

*** I also tried this IKE Gateway config with the FQDNs, as in the PAN-OS guide ***

 

IKE gate2.PNG

 

Security.PNG

VM-PA-02 config.

 

interfaces.PNG

tunnel int.PNG

 

VR.PNG

static.PNG

 

IPSEC tun.PNG

 

ike 1.PNG

 

*** I also tried this IKE Gateway config with the FQDNs, as in the PAN-OS guide ***

 

ike 2.PNG

 

security.PNG

 

Any suggestions and advice will be much appreciated.

 

 


Cyber Elite

Hello,

I took a bit of a look, and I didn't see a route between the PAN's? Can the external interfaces of the two ping each other? You will have to add a monitoring profile to it so they can reply, as well as a security policy. What I do is always have a static route between the two for monitoring, but they need to be able to see each other.

 

Just a thought.

L7 Applicator

In the OSPF configuration, do you have the redistribution rule set up to pull in the static route pointed to the remote site VPN and distribute it down to your "corp" LAN for the return path?

 

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

@OtakarKlier

 

Thank you for your reply. I can't ping between the two Palo's on IPs 192.168.210.26 and 192.168.210.120, which are assigned to their e1/1 interfaces. I have set up static routes and a security policy as follows on both Palo's, as suggested.

 

ping.PNG

 

VM-PA-01 config.

 

Static 1.PNG

 

Policy 1.PNG

 

VM-PA-02 config.

 

Static.PNG

 

policy.PNG

 

Any further advice is appreciated.

@pulukas

 

Hi pulukas,

 

I have created this profile (underlined in red), is this what you mean?

 

ospf redis.PNG

 

 

Hello,

Make sure you have set an Interface Management Profile and at least allow ping on both PAN's. It looked like your security profile would already allow ping.

 

image.png

 

Keep an eye on the logs to see what is getting blocked if anything. 

 

Regards,

Hello,

I just noticed you didn't source your pings, so they would have come from the management interface. Try the following:

 

From VM-PA-01
Ping source 192.168.210.26 host 192.168.210.120

From VM-PA-02
Ping source 192.168.210.120 host 192.168.210.26

 

See if that returns any good replies. But the fact that the pings stated 'Destination Host unreachable' tells me that routing could be an issue from your management interface.

Have you assigned the underlined redistribution profile to an export rule in OSPF? 

As rmfalconer notes, you also need to assign the redistribution profile to OSPF for it to become active.  Without both steps the local static route will not be redistributed to the rest of the OSPF infrastructure for the return path.

 

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Hi pulukas, rmfalconer, Otakar.Klier,

 

Thank you for your responses and advice.

 

@OtakarKlier - Both the Palo's can ping each other if I source the IPs, even when I don't have a static rule set up.

 

I lab'd this up again following the Site-to-Site VPN with Static and Dynamic Routing config guide in the PAN-OS 8.1 Admin guide and got the tunnels up with the remote sites pinging each other.

 

top.PNG

 

However, it did take a bit of tweaking with trial and error until I got the config working. The config steps are not clear in the Admin guide if one is new to Palo Alto and VPNs.

 

These are the observations I made when I lab'd this up again.

 

1. On the IKE Gateway configuration, the Admin. guide said use the FQDN for the local and peer identification. This did not work for me in my lab.

 

FQDN.PNG

Instead, I used the following config on both Palo's, specifying the Peer IP address, and the local and peer IP addresses for the Local and Peer identification:

 

IKE gate.PNG

 

2. I was told that static routes pointing down tunnels should not have a next hop address defined. If they did not, how would the secure traffic travel across the tunnel? In order for my config to work, I had to specify the Next Hop IP address of the tunnel interface.

 

static.PNG

 

3. Both my Palo Alto's do not see each other as OSPF neighbours. Surely they would only see each other as OSPF neighbours if both Palo's had OSPF running on them? Not sure why the guide stated this; only one of the Palo's has OSPF configured. The peer VM-PA-02, which has OSPF configured, has formed a neighbour relationship with router R1 fine.

 

Anyone else had to tweak things to get their configs working?

 

Many thanks.
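As an added example, not taken from any post in this thread, the points above (IP-address IKE identification, a static route down the tunnel interface with a next hop, and OSPF redistribution), together with rmfalconer's interface management profile advice and pulukas's note that a redistribution profile only takes effect once an OSPF export rule references it, written out as PAN-OS CLI for the OSPF-side firewall. All names, addresses, prefixes and the placeholder pre-shared key are illustrative assumptions; the command syntax is recalled from the PAN-OS 8.1 CLI and should be confirmed with `?` completion on your own version before committing. Lines starting with `#` are annotations, not CLI input.

```text
# Assumed lab values: ethernet1/1 = 192.168.210.26 (VPN-facing), ethernet1/2 = OSPF side,
# peer firewall 192.168.210.120, remote LAN 10.30.0.0/24, tunnel /30 10.255.0.1 <-> 10.255.0.2
configure

# Management profile allowing ping on the data-plane interface (so sourced pings get replies)
set network profiles interface-management-profile allow-ping ping yes
set network interface ethernet ethernet1/1 layer3 interface-management-profile allow-ping

# 1. IKE gateway: peer address and both identities as IP addresses rather than FQDNs
set network ike gateway gw-remote-site local-address interface ethernet1/1
set network ike gateway gw-remote-site peer-address ip 192.168.210.120
set network ike gateway gw-remote-site local-id type ipaddr id 192.168.210.26
set network ike gateway gw-remote-site peer-id type ipaddr id 192.168.210.120
set network ike gateway gw-remote-site authentication pre-shared-key key <PSK-PLACEHOLDER>

# Tunnel interface, its zone, VR membership, and the IPsec tunnel bound to the gateway
set network interface tunnel units tunnel.1 ip 10.255.0.1/30
set zone vpn network layer3 tunnel.1
set network virtual-router default interface [ ethernet1/1 ethernet1/2 tunnel.1 ]
set network tunnel ipsec ipsec-remote-site tunnel-interface tunnel.1
set network tunnel ipsec ipsec-remote-site auto-key ike-gateway gw-remote-site

# 2. Static route for the remote LAN via tunnel.1, with the peer's tunnel address as next hop
#    (the observation above was that traffic did not flow until the next hop was set)
set network virtual-router default routing-table ip static-route to-remote-lan destination 10.30.0.0/24 interface tunnel.1 nexthop ip-address 10.255.0.2 metric 10

# 3. Redistribute that static route into OSPF for the return path.
#    The profile by itself is inert; the export-rules entry is what activates it.
set network virtual-router default protocol redist-profile redist-vpn-static priority 1 action redist
set network virtual-router default protocol redist-profile redist-vpn-static filter type static
set network virtual-router default protocol redist-profile redist-vpn-static filter destination 10.30.0.0/24
set network virtual-router default protocol ospf export-rules redist-vpn-static new-path-type ext-2
set network virtual-router default protocol ospf export-rules redist-vpn-static metric 10

commit
exit

# Verification in operational mode. Source the ping from the data-plane address;
# an unsourced ping leaves via the management interface, as noted earlier in the thread.
ping source 192.168.210.26 host 192.168.210.120
show vpn ike-sa gateway gw-remote-site
show vpn ipsec-sa tunnel ipsec-remote-site
show routing protocol ospf neighbor
show routing route type static
```

The peer (static-routing) firewall needs the mirror image of the IKE gateway, tunnel and static route sections but no OSPF or redistribution configuration; once the export rule is in place, R1 should learn 10.30.0.0/24 as an OSPF external route, which is the quickest sign that the return path is complete.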

 

Glad you got it working!
