02-02-2024 04:25 AM
Hello,
We have one PA firewall in Azure cloud, and for the rest we have Sophos on multiple sites with dynamic IPs.
We want to configure a hub-and-spoke VPN with all the Sophos sites, meaning the PA site is the hub and the rest of the sites are spokes; we don't want multiple tunnels to each and every site.
Requests will come from the peer sites with dynamic IPs. Is this configuration possible in PALO ALTO? If yes, how can I achieve this? Can anyone help me?
02-02-2024 05:09 AM - edited 02-02-2024 05:10 AM
Yes, this is possible and not very difficult:
VPN in Palo Alto relies on zones and routing, so all you really need is to establish all your tunnels, assign a zone to each tunnel interface, and set up routing for the remote subnets pointed towards the right tunnel (e.g. 192.168.0.0/24 to tunnel.1, 192.168.1.0/24 to tunnel.2, etc.).
Then on the remote sites you also need to add the 'other' remote subnets to their respective tunnel routing, e.g. site 1 (192.168.0.0/24) needs to have a route for site 2 (192.168.1.0/24) into the tunnel towards Azure,
and site 2 (192.168.1.0/24) needs to have a route for site 1 (192.168.0.0/24) into the tunnel towards Azure.
Once that's done, all you need is security rules that allow vpn1 to go to vpn2, vpn2 to go to vpn1, and so on.
P.S. If you need to have proxy IDs for your tunnels, you'll need to mix and match all the allowed pairs there as well:
proxyID1: local: 192.168.1.0/24 (for site 2), remote: 192.168.0.0/24 (for site 1) <- used on the site 1 tunnel
proxyID2: local: 192.168.0.0/24 (for site 1), remote: 192.168.1.0/24 (for site 2) <- used on the site 2 tunnel
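The routing and proxy-ID matrix described in the reply above grows quickly once there are more than two spokes, so here is an added example (not code from the thread or from Palo Alto) that generalises it: it derives the hub's per-tunnel routes, each spoke's routes, and the hub-side proxy-ID pairs for any number of spokes, then checks a spoke-side proxy-ID set against the hub's for the mirrored pairs phase 2 needs, and flags overlapping LANs. The hub subnet, tunnel names and site 3 are constructed assumptions; the site 1/2 subnets are the ones from the reply.

```python
from ipaddress import ip_network

# Constructed sample topology (hub subnet, tunnel names and site 3 are
# assumptions; the site 1/2 subnets come from the reply above).
HUB_SUBNET = "10.0.0.0/24"
SPOKES = {  # site -> (hub-side tunnel interface, spoke LAN)
    "site1": ("tunnel.1", "192.168.0.0/24"),
    "site2": ("tunnel.2", "192.168.1.0/24"),
    "site3": ("tunnel.3", "192.168.2.0/24"),
}

def others(site, spokes):
    """Subnets of every spoke except `site`."""
    return [s for n, (_, s) in spokes.items() if n != site]

def hub_routes(spokes):
    """Static routes on the hub: each spoke LAN via its own tunnel."""
    return {subnet: tun for tun, subnet in spokes.values()}

def spoke_routes(site, spokes, hub_subnet=HUB_SUBNET):
    """On a spoke, the hub LAN and every other spoke LAN go into the one
    tunnel towards the hub (spoke-to-spoke traffic hairpins via the hub)."""
    return sorted([hub_subnet] + others(site, spokes))

def hub_proxy_ids(site, spokes, hub_subnet=HUB_SUBNET):
    """Proxy IDs on the hub's tunnel to `site`: local = hub LAN plus every
    other spoke LAN (the hub forwards their traffic), remote = this spoke."""
    _, remote = spokes[site]
    return {(local, remote) for local in [hub_subnet] + others(site, spokes)}

def proxy_id_mismatches(site, spoke_side, spokes, hub_subnet=HUB_SUBNET):
    """Phase 2 needs every hub-side (local, remote) pair to exist on the
    spoke as (remote, local). Return the pairs present on one side only."""
    mirrored = {(r, l) for l, r in spoke_side}
    return hub_proxy_ids(site, spokes, hub_subnet) ^ mirrored

def overlapping_subnets(spokes, hub_subnet=HUB_SUBNET):
    """Overlapping LANs make the static routes ambiguous; list any pairs."""
    nets = [ip_network(hub_subnet)] + [ip_network(s) for _, s in spokes.values()]
    return [(str(a), str(b)) for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]

if __name__ == "__main__":
    # Constructed spoke-side proxy IDs for site 3 that forgot the site 1 pair.
    site3_cfg = {("192.168.2.0/24", HUB_SUBNET), ("192.168.2.0/24", "192.168.1.0/24")}
    print(hub_routes(SPOKES))
    print(proxy_id_mismatches("site3", site3_cfg, SPOKES))
```

An empty set from proxy_id_mismatches means the selectors on both ends agree; any pair it returns is the one that will keep that spoke's phase 2 SA from coming up.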
02-02-2024 05:39 AM
@reaper I have only one query: we will configure dynamic IPs for the peer sites, so how does the PA understand where the traffic is coming from?
Meaning Site A has a different dynamic IP address and Site B has a different dynamic IP address. How does the PA hub site work on phase 1 and phase 2?
02-02-2024 06:43 AM
Honestly, I would not recommend LSVPN unless you have a lot of devices that move around. If they're sitting in an office and there's only 3, it makes more sense to configure a proper IPSec tunnel.
02-02-2024 06:46 AM
In the IKE gateway object, configure a local and remote ID; that will ensure all endpoints can use a dynamic IP.