11-03-2018 02:26 PM
Hi,
I have a Palo-220 that moves every X days from one office to another office.
The Palo has LAN interfaces and a WAN interface.
The WAN interface (eth1/1) is configured with DHCP and the "automatically add a default route" checkbox.
I also have a full site-to-site tunnel: all traffic (0.0.0.0/0) needs to go into the tunnel.
I have two static routes in the routing table: one for the WAN interface and one for the tunnel.
I tried to configure a static route for the IPsec peer via eth1/1 with no next-hop IP, only a next-hop interface,
and it does not work. If I create a static route with a next-hop IP, everything works, but my default gateway changes at every office I move to.
Any ideas?
03-12-2019 03:13 PM - edited 03-12-2019 03:32 PM
Hello Igor,
If I understand correctly, you have two Palo Alto firewalls, each of which has WAN interfaces that obtain their IP addresses via DHCP. Is that correct?
Next, you require the ability to configure site-to-site VPN between these firewalls but do not want to have to make configuration changes each time the firewalls are moved, or if the DHCP-assigned IP address changes. Is that also correct?
If my understanding of both cases is correct, then you can accomplish this through two steps:
1. Dynamic DNS - you will need a DNS provider that supports Dynamic DNS registration - the site-to-site VPN connectivity can be configured such that the firewalls do not need to know the IP address of the remote gateway. Ensure that DDNS is enabled on the external/WAN interface:
Configure Dynamic DNS Registration for Firewall Interfaces
2. IPSec Site-to-Site VPN in Aggressive Mode via FQDN - when you go to configure the IKE Gateway objects define the remote gateway by FQDN as opposed to by IP address.
IKE Gateway General Tab (specifically the Local and Remote Identification settings)
The documentation specific to IKE Gateway settings for PAN-OS 8.1 is labeled differently on the Documentation portal:
FQDN Support for IKE Gateway Peer IP Address
Please come back if you have any additional questions. Thanks again for reaching out!
Jeff Hochberg | Sr. Systems Engineer - Technical Business Development
Palo Alto Networks | Atlanta, GA | USA
03-23-2019 05:33 PM
If I understand correctly, you have two Palo Alto firewalls, each of which has WAN interfaces that obtain their IP addresses via DHCP. Is that correct?
No, I have one Palo Alto. This Palo moves from the office to home and from home to the office every day.
Next, you require the ability to configure site-to-site VPN between these firewalls but do not want to have to make configuration changes each time the firewalls are moved, or if the DHCP-assigned IP address changes. Is that also correct?
No, I have one Palo Alto in my office that connects to the firewall in the DC via an IPsec tunnel, but when I go home I take the firewall with me to connect from home.
In my office and in my home I have DHCP from my ISP modem, and I need to connect via an IPsec full tunnel.
04-03-2019 03:12 PM
Hi Igor,
Apologies but I do not understand what you mean:
"No, I have one PaloAlto in my office that connect to FW on DC via IPsec Tunnel but when I go home I take with me the firewall to connect from home"
Let me try to break this down:
1. You have a firewall in your data center - what kind of firewall is in the data center? Is it another Palo Alto firewall? Or something else? Is it safe to assume that the firewall in the data center has a static IP address?
2. You have a Palo Alto firewall in your office - you then take that firewall home with you and you want it to be able to connect to the same firewall at the data center?
This is what you need to do...
The Palo Alto firewall that you bring to your office and back home - that firewall must initiate the connection to the data center firewall.
If the firewall in the data center has a static IP address, you can define the "Peer" by IP address in the Palo Alto firewall you move between locations.
If the firewall in the data center has a dynamic IP address, you should configure that firewall to perform a Dynamic DNS registration. That way, you can configure the "Peer" by the fully qualified domain name instead of by IP address.
In either case, the VPN must be configured for "aggressive" mode instead of "main" mode. You can only use "main" mode if the peer IP addresses are static on both ends of the VPN tunnel.
I created some sample configurations - take a look at the screenshots attached to this message.
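Added here as a constructed Python model (not from the thread and not PAN-OS code) of the point made in the post above: in aggressive mode the responder selects the pre-shared key by the initiator's FQDN identity, which arrives in message 1, so the initiator's address can change every day; in main mode with a PSK the identities arrive encrypted in messages 5/6, so the key can only be selected by source IP, which therefore has to be static. Hostnames, addresses and the key are made up, and Diffie-Hellman, cookies and the SA payload are omitted.

```python
import hmac, hashlib, secrets

# Constructed model of IKEv1 aggressive mode with a pre-shared key (RFC 2409),
# simplified: Diffie-Hellman, cookies and the SA payload are omitted, and the
# hashes cover only nonces and identities. Names, IPs and the PSK are made up.

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

class Responder:
    """Data-center firewall: PSKs are selected by the peer's FQDN identity."""
    def __init__(self, my_id: bytes, psk_by_peer_id: dict):
        self.my_id, self.psk_by_peer_id, self.sessions = my_id, psk_by_peer_id, {}

    def handle_msg1(self, src_ip: str, idii: bytes, ni: bytes):
        # Message 1 carries IDii in the clear, so the key can be chosen by
        # identity; src_ip may change every day and is deliberately unused.
        psk = self.psk_by_peer_id.get(idii)
        if psk is None:
            return None                      # unknown identity: no reply
        nr = secrets.token_bytes(16)
        skeyid = prf(psk, ni + nr)           # SKEYID = prf(PSK, Ni | Nr)
        self.sessions[idii] = (ni, nr, skeyid)
        return nr, prf(skeyid, nr + ni + self.my_id)   # message 2: Nr, IDir, HASH_R

    def handle_msg3(self, idii: bytes, hash_i: bytes) -> bool:
        ni, nr, skeyid = self.sessions.pop(idii)
        return hmac.compare_digest(hash_i, prf(skeyid, ni + nr + idii))

def aggressive_mode(resp: Responder, src_ip: str, my_id: bytes, psk: bytes) -> bool:
    """Run the three-message exchange from the mobile firewall's side."""
    ni = secrets.token_bytes(16)
    reply = resp.handle_msg1(src_ip, my_id, ni)        # message 1: Ni, IDii
    if reply is None:
        return False
    nr, hash_r = reply
    skeyid = prf(psk, ni + nr)
    if not hmac.compare_digest(hash_r, prf(skeyid, nr + ni + resp.my_id)):
        return False                         # responder failed to prove the PSK
    return resp.handle_msg3(my_id, prf(skeyid, ni + nr + my_id))  # message 3: HASH_I

def main_mode_key_lookup(psk_by_peer_ip: dict, src_ip: str):
    """Main mode with PSK: identities travel encrypted in messages 5/6, so the
    only selector available when SKEYID is derived is the source IP."""
    return psk_by_peer_ip.get(src_ip)

# Identities and HASH_R are visible on the path in aggressive mode, so the PSK
# must be long and random rather than a short phrase.
```

The same initiator authenticates from two different addresses, while the main-mode lookup only succeeds for the address that was pre-configured.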