Hub and Spoke VPN

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

Hub and Spoke VPN

L1 Bithead

Hello,

 

We have one PA firewall in azure cloud and rest we have Sophos on Mutiple sites with Dynamic IP's

We want to configure Hub and spoke VPN. with all sophos means PA site is Hub and rest of the site Spoke we dont want mutiple tunnel of each and every site. 

Request will come from the peer site with dynamic IP's is this configuration is possible in PALO ALTO. If yes, how i can achieve this can any one help me.

 

jhussain1_0-1706876545946.png

 

 

 

 

 

5 REPLIES 5

Cyber Elite
Cyber Elite

yes, this is possible and not very difficult:

 

VPN in palo alto relies on zones and routing, so all you really need is to establish all your tunnels, assign a zone to each tunnel interface, and set up routing for the remote subnets pointed towards the right tunnel (e.g. 192.168.0.0/24 to tunnel.1, 192.168.1.0/24 to tunnel.2 etc.)

then on the remote sites you also need to add the 'other' remote subnets to their respective tunnel routing, e.g site 1 192.168.0.0/24 needs to have a route for site2 (192.168.1.0/24) into the tunnel towards azure

site 2 192.168.1.0/24 needs to have a route for site 1 192.168.0.0/24 into the tunnel towards azure

 

once that's done all you need is security rules that allow vpn1 to go to vpn2, vpn2 to go to vpn1 and so on

 

 

P.S. if in need to have PROXY IDs for your tunnels, you'll need to mix and match all the allowed pairs there as well

proxyID1: local: 192.168.1.0/24 (for site 2) remote 192.168.0.0/24 (for site 1)  <- used on site 1 tunnel

proxyID2: local: 192.168.0.0/24 (for site 1) remote 192.168.1.0/24 (for site 2)  <- used on site 2 tunnel

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

@reaper  is this possible by LSVPN.

 

Large Scale VPN (LSVPN) (paloaltonetworks.com)

 

@reaper I have one query only we will configure dynamic ip for peer site how this PA understand from where the traffic is coming.

Means Site A is having different dynamic IP address and Site B having different dynamic IP address. How the PA Hub site work on phase-1 and phase-2

honestly i would not recommend LSVPN unless you have a lot of devices that move around. if they're sitting in an office and there's only 3, it makes more sense to configure a proper IPSec tunnel

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

in the ike gateway object, configure a local and remote ID, that will ensure all endpoints can use a dynamic IP

 

reaper_0-1706885148011.png

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
  • 2534 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!