This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Hub and Spoke VPN

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

Hub and Spoke VPN

jhussain1
L1 Bithead

‎02-02-2024 04:25 AM

Hello,

 

We have one PA firewall in azure cloud and rest we have Sophos on Mutiple sites with Dynamic IP's

We want to configure Hub and spoke VPN. with all sophos means PA site is Hub and rest of the site Spoke we dont want mutiple tunnel of each and every site. 

Request will come from the peer site with dynamic IP's is this configuration is possible in PALO ALTO. If yes, how i can achieve this can any one help me.

 

jhussain1_0-1706876545946.png

 

 

 

 

 

0 Likes Likes
5 REPLIES 5

reaper
Cyber Elite
Cyber Elite

‎02-02-2024 05:09 AM - edited ‎02-02-2024 05:10 AM

yes, this is possible and not very difficult:

 

VPN in palo alto relies on zones and routing, so all you really need is to establish all your tunnels, assign a zone to each tunnel interface, and set up routing for the remote subnets pointed towards the right tunnel (e.g. 192.168.0.0/24 to tunnel.1, 192.168.1.0/24 to tunnel.2 etc.)

then on the remote sites you also need to add the 'other' remote subnets to their respective tunnel routing, e.g site 1 192.168.0.0/24 needs to have a route for site2 (192.168.1.0/24) into the tunnel towards azure

site 2 192.168.1.0/24 needs to have a route for site 1 192.168.0.0/24 into the tunnel towards azure

 

once that's done all you need is security rules that allow vpn1 to go to vpn2, vpn2 to go to vpn1 and so on

 

 

P.S. if in need to have PROXY IDs for your tunnels, you'll need to mix and match all the allowed pairs there as well

proxyID1: local: 192.168.1.0/24 (for site 2) remote 192.168.0.0/24 (for site 1)  <- used on site 1 tunnel

proxyID2: local: 192.168.0.0/24 (for site 1) remote 192.168.1.0/24 (for site 2)  <- used on site 2 tunnel

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes

jhussain1
L1 Bithead
In response to reaper

‎02-02-2024 05:21 AM

@reaper  is this possible by LSVPN.

 

Large Scale VPN (LSVPN) (paloaltonetworks.com)

 

0 Likes Likes

jhussain1
L1 Bithead
In response to jhussain1

‎02-02-2024 05:39 AM

@reaper I have one query only we will configure dynamic ip for peer site how this PA understand from where the traffic is coming.

Means Site A is having different dynamic IP address and Site B having different dynamic IP address. How the PA Hub site work on phase-1 and phase-2

0 Likes Likes

reaper
Cyber Elite
Cyber Elite
In response to jhussain1

‎02-02-2024 06:43 AM

honestly i would not recommend LSVPN unless you have a lot of devices that move around. if they're sitting in an office and there's only 3, it makes more sense to configure a proper IPSec tunnel

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes

reaper
Cyber Elite
Cyber Elite
In response to jhussain1

‎02-02-2024 06:46 AM

in the ike gateway object, configure a local and remote ID, that will ensure all endpoints can use a dynamic IP

 

reaper_0-1706885148011.png

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes
  • 918 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks