12-27-2023 02:30 AM
I read the following example of Site-to-Site VPN IPsec with static routing:
In the figure, the example shows that both tunnel interfaces on the VPN peers, 10.10.10.10 and 10.10.10.11, are in the same subnet.
But in the configuration, they use the following IP addresses: 172.19.9.2/24 and 192.168.69.2/24, which are not in the same subnet.
12-27-2023 02:47 AM
Hi there,
The section of the diagram which you have highlighted is the Layer 3 tunnel interface. It is these interface addresses which would be used for routing within whichever VR the interface belongs to. These could also be used for routing protocol peering. These IPs need to both be within the same subnet. However, since it is a point-to-point link, a /30 is really preferable.
The section of text you have shown and highlighted contains the IP addresses of the IPsec endpoints. These are the addresses which the IPsec process will attempt to connect to. In this example the default VR must have a route installed which allows it to reach the remote address. In reality you would expect the peer to be several hops away and certainly not within the same subnet (although in some topologies it is feasible).
cheers,
Seb.
12-27-2023 03:06 AM - edited 12-27-2023 03:08 AM
@seb_rupik The example shows the configuration of the tunnel interface with virtual router, security zone and IPv4 address by instructing you to navigate to Interfaces > Tunnel. And the IP address configured does not match the IP address 10.10.10.10 displayed in the topology. NOT the IP addresses of the IPsec endpoints which the IPsec process will attempt to connect to.
12-27-2023 03:15 AM
@seb_rupik It's definitely a mistake in the article and should be corrected in the configuration section to match the IP addresses of the tunnel interfaces shown in the topology, 10.10.10.10 and 10.10.10.11.
Look at another example with OSPF: the configuration section shows the correct IP addresses 2.1.1.140 and 2.1.1.141, the same as in the topology, and this is correct.
12-27-2023 03:17 AM
Hmmmm.... having read the documentation, it is indeed conflicting and requires you to pick and choose between the text and the diagram.
Personally I would take the tunnel IP addresses from the diagram, using a /30 instead, and when defining the static route specify the next-hop IP address too. Certainly in Cisco IOS not doing this can result in poor ARP cache performance (...perhaps PA mitigates against this, although this is not mentioned in the text).
cheers,
Seb.
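An offline sanity check for the consistency question in this thread, added here as an example; it is not code from the article or from any poster. The addresses are the ones quoted above; the /30 and /31 prefixes on the diagram pair are assumptions, since the diagram does not state a mask. The check covers the points Seb raises: both tunnel addresses on one subnet, a point-to-point sized prefix, both addresses usable as hosts, and the static route's next hop being the remote tunnel address on that subnet. Running it also surfaces a detail worth knowing before copying the diagram's addresses with a /30: 10.10.10.11 is the broadcast address of 10.10.10.8/30, so that particular pair only gives two usable host addresses with a /31 (RFC 3021) or a wider prefix such as /29.

```python
import ipaddress
from typing import List, Optional

# Constructed inputs taken from the thread. Nothing here is read from a
# firewall; the check runs entirely offline.
DIAGRAM_PAIR_30 = ("10.10.10.10/30", "10.10.10.11/30")   # mask assumed: Seb's /30 suggestion
DIAGRAM_PAIR_31 = ("10.10.10.10/31", "10.10.10.11/31")   # mask assumed: RFC 3021 point-to-point
ARTICLE_PAIR = ("172.19.9.2/24", "192.168.69.2/24")      # addresses from the article's config section


def usable_host(iface: ipaddress.IPv4Interface) -> bool:
    """True if the address can be assigned to a host on its subnet.

    /31 and /32 networks reserve no network/broadcast address, so every
    address in them is usable; anything shorter excludes those two.
    """
    net = iface.network
    if net.prefixlen >= 31:
        return True
    return iface.ip not in (net.network_address, net.broadcast_address)


def check_tunnel_pair(local: str, remote: str, next_hop: Optional[str] = None) -> List[str]:
    """Return a list of findings; an empty list means the pair is consistent.

    local/remote are the two tunnel interface addresses in CIDR form.
    next_hop, if given, is the next-hop address of the static route that
    points out of the local tunnel interface.
    """
    a = ipaddress.ip_interface(local)
    b = ipaddress.ip_interface(remote)
    findings: List[str] = []

    # 1. Both ends of a Layer 3 tunnel must share one subnet.
    if a.network != b.network:
        findings.append(f"not in the same subnet: {a.network} vs {b.network}")
    # 2. A point-to-point link only needs two addresses; /30 or /31 is expected.
    elif a.network.prefixlen < 30:
        findings.append(f"prefix /{a.network.prefixlen} is wider than a point-to-point link needs; use /30 or /31")

    # 3. Neither address may be the network or broadcast address of its subnet.
    for iface in (a, b):
        if not usable_host(iface):
            findings.append(f"{iface.ip} is the network or broadcast address of {iface.network}")

    # 4. The static route's next hop should be the remote tunnel address, on the tunnel subnet.
    if next_hop is not None:
        nh = ipaddress.ip_address(next_hop)
        if nh != b.ip:
            findings.append(f"next hop {nh} is not the remote tunnel address {b.ip}")
        if nh not in a.network:
            findings.append(f"next hop {nh} is not on the tunnel subnet {a.network}")

    return findings


if __name__ == "__main__":
    cases = {
        "diagram /30": (*DIAGRAM_PAIR_30, "10.10.10.11"),
        "diagram /31": (*DIAGRAM_PAIR_31, "10.10.10.11"),
        "article":     (*ARTICLE_PAIR, None),
    }
    for name, (local, remote, nh) in cases.items():
        result = check_tunnel_pair(local, remote, nh)
        print(f"{name}: {'OK' if not result else '; '.join(result)}")
```

The article's pair fails the first check outright, which is the inconsistency the thread is about. The diagram's pair passes the same-subnet check with a /30 but fails the usable-host check for .11, and passes cleanly with a /31; a /30 that contains both .10 and .11 as hosts does not exist, so whoever applies Seb's advice with those exact addresses needs to pick the mask accordingly.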