IPSec VPN Tunnel Interface with IP Addresses

L2 Linker

I read the following example of Site-to-Site VPN IPsec with static routing:

 

https://docs.paloaltonetworks.com/network-security/ipsec-vpn/administration/site-to-site-vpn-quick-c...

 

In the figure, the example shows that both tunnel interfaces on the VPN peers are 10.10.10.10 and 10.10.10.11, in the same subnet.

Topo VPN.png

 

But in the configuration, they use the following IP addresses: 172.19.9.2/24 and 192.168.69.2/24, which are not in the same subnet.

 

Tunnel.png

 

 

 


L4 Transporter

Hi there,

The section of the diagram which you have highlighted is the Layer 3 tunnel interface. It is these interface addresses which would be used for routing within whichever VR the interface belongs to. These could also be used for routing protocol peering. These IPs need to both be within the same subnet. However, since it is a point-to-point link, a /30 is really preferable.

 

The section of text you have shown and highlighted is the IP addresses for the IPsec endpoints. These are the addresses which the IPsec process will attempt to connect to. In this example the default VR must have a route installed which allows it to reach the remote address. In reality you would expect the peer to be several hops away and certainly not within the same subnet (although in some topologies it is feasible).

 

cheers,

Seb.

L2 Linker

@seb_rupik The example shows the configuration of the tunnel interface with virtual router, security zone and IPv4 address by instructing you to navigate to Interfaces > Tunnel. And the IP address configured does not match the IP address 10.10.10.10 displayed in the topology. These are NOT the IP addresses for the IPsec endpoints which the IPsec process will attempt to connect to.

 

Tunnel1.png

 

 

 

L2 Linker

@seb_rupik It's definitely a mistake in the article and should be corrected in the configuration section to match the IP addresses of the tunnel interfaces shown in the topology, 10.10.10.10 and 10.10.10.11.

 

Look at another example with OSPF: the configuration section shows the correct IP addresses, 2.1.1.140 and 2.1.1.141, the same as in the topology, and this is correct.

 

OSPF TOPO VPN.png

 

OSPF TOPO1 VPN.png

 

L4 Transporter

hmmmm.... having read the documentation, it is indeed conflicting and requires you to pick and choose between the text and the diagram.

Personally I would take the tunnel IP addresses from the diagram, using a /30 instead, and when defining the static route specify the next-hop IP address too. Certainly in Cisco IOS, not doing this can result in poor ARP cache performance (...perhaps PA mitigates against this, although this is not mentioned in the text).

 

cheers,

Seb.
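As an added example (not part of this thread or of Palo Alto's documentation), the checks Seb describes above can be written down as a small validator: both tunnel ends must share one subnet, a /30 is preferred for a point-to-point tunnel, and the static route's next hop should be the far-end tunnel address. The subnet masks on the diagram addresses and the "recommended" pair are my own assumptions, since the article only shows the bare addresses.

```python
from ipaddress import ip_address, ip_interface
from typing import List, Optional


def check_tunnel_pair(local: str, remote: str, next_hop: Optional[str] = None) -> List[str]:
    """Return findings for a pair of Layer 3 tunnel interface addresses.

    local/remote are CIDR strings such as '10.10.10.10/30'; next_hop is the
    plain address used in the static route over the tunnel, if any.
    """
    findings: List[str] = []
    a, b = ip_interface(local), ip_interface(remote)

    if a.ip == b.ip:
        return [f"both tunnel ends use the same address {a.ip}"]

    # The two tunnel interfaces form one link, so they must share a subnet;
    # otherwise a route pointing at the far end has no reachable next hop.
    if a.network != b.network:
        return [f"{a} and {b} are in different subnets ({a.network} vs {b.network}); "
                "a static route over the tunnel would have an unreachable next hop"]

    # A point-to-point tunnel only needs two host addresses.
    if a.network.prefixlen != 30:
        findings.append(f"/{a.network.prefixlen} on a point-to-point tunnel; a /30 is preferable")
    else:
        # In a /30 only two addresses are usable; the first is the network
        # address and the last is the broadcast address.
        usable = set(a.network.hosts())
        for end in (a, b):
            if end.ip not in usable:
                findings.append(f"{end.ip} is the network or broadcast address of {a.network}")

    # The static route's next hop should be the remote tunnel interface.
    if next_hop is not None and ip_address(next_hop) != b.ip:
        findings.append(f"static route next hop {next_hop} is not the far-end tunnel address {b.ip}")
    return findings


# Constructed inputs mirroring the thread; the /24 and /30 masks are assumptions.
CASES = {
    "article text": ("172.19.9.2/24", "192.168.69.2/24", "192.168.69.2"),
    "article diagram": ("10.10.10.10/24", "10.10.10.11/24", "10.10.10.11"),
    "diagram with /30": ("10.10.10.10/30", "10.10.10.11/30", "10.10.10.11"),
    "recommended": ("10.10.10.9/30", "10.10.10.10/30", "10.10.10.10"),
}

if __name__ == "__main__":
    for name, args in CASES.items():
        print(f"{name}: {check_tunnel_pair(*args) or ['ok']}")
```

Note that keeping the diagram's .10/.11 pair while tightening the mask to /30 puts 10.10.10.11 on the broadcast address of 10.10.10.8/30, so the addresses have to be re-chosen, not just the mask.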

L2 Linker

The article can cause confusion for beginners.
