Hello forum members,
I have been testing the VPN site-2-site configurations on my Palo Alto VM lab, prior to deploying on our production environment. I have successfully set up a VPN connection where both firewalls use static routing. Trouble I'm having now is setting up the VPN connection where the 3rd party site uses static routing and my corp LAN uses OSPF.
I can't get the tunnel up between the two sites. I followed the Site-2-Site VPN with Static and Dynamic Routing example in the PAN-OS Admin guide, but some of the steps seem vague (vague to me any way). My R1 router has formed an OSPF neighbour relation ship with the Palo Alto VM-PA-01 fine and the PC host 172.19.9.10 can ping the E1/2 interface (10.216.7.1) of the Palo Alto fine.
The following is my lab topology and screen shots of the configs.
VM-PA-01 config.
*** I also tried this IKE Gateway config with the FQDNs, as in the PAN-OS guide ***
VM-PA-02 config.
*** I also tried this IKE Gateway config with the FQDNs, as in the PAN-OS guide ***
Any suggestions and advice will be much appreciated.
Thank you for your reply. I can't ping between the two Palo's on IPs 192.168.210.26 and 192.168.210.120, which are assigned to their e1/1 interfaces. I have set up statics routes anda security policy as follows on both Palo's as suggested.
VM-PA-01 config.
VM-PA-02 config.
Any further advice is appreciated.
Hello,
Make sure you have set an Interface Management Profile and at least allow ping on both PAN's. It looked like your security profile would already allow ping.
Keep an eye on the logs to see what is getting blocked if anything.
Regards,
Hi pulukas, rmfalconer, Otakar.Klier,
Thank you for your responses and advice.
@OtakarKlier- Both the Palo's can ping each other if I source the IPs, even when I don't have static rule set up
I lab'd this up again following the Site-to-Site VPN with Static and Dynamic Routing config guide in the PAN-OS 8.1 Admin guide and got the tunnels up with the remote sites pinging each other.
However, it did take a bit of tweaking with trial and errors, until I got the config working. The config steps are not clear in the Admin guide, if one is new to Palo Alto and VPNs.
These are the observations I made when I lab'd this up again.
1. On the IKE Gateway configuration, the Admin. guide said use the FQDN for the local and peer identification. This did not work for me in my lab.
Instead, I used the following config on both Palo's, by specifying the Peer IP address and the local and the IP peer addresses for the Local and Peer identification:
2. I was told that static routes pointing down tunnels should not have a next hop address defined. If it did not, how would the secure traffic travel across the tunnel? in order for my config to work, i had to specify the Next Hop IP address of the tunnel interface.
3. Both my Palo Alto's do not see each other as OSPF neighbours. Surely they would only see each other as OSPF neighbours, if both Palo's had OSPF running on them? Not sure why the guide stated this, only one of the Palo's has OSPF configured. The peer VM-PA-02 which has OSPF configured. has formed a neighbour relationship with router R1 fine.
Anyone else had to tweak things to their configs working?
Many thanks.
