Site-to-Site VPN with Static Routing
Updated on
Apr 4, 2024
Where Can I Use This? | What Do I Need?
---|---
 | No license required
The following example shows a VPN connection between two sites that use static routes. Without dynamic routing, the tunnel interfaces on VPN Peer A and VPN Peer B don’t require an IP address because the firewall automatically uses the tunnel interface as the next hop for routing traffic across the sites. However, to enable tunnel monitoring, a static IP address has been assigned to each tunnel interface.
Step 1. Configure a Layer 3 interface.
This interface is used for the IKE phase-1 tunnel.
  a. Select Network > Interfaces > Ethernet and then select the interface you want to configure for VPN.
  b. Select Layer3 from the Interface Type.
  c. On the Config tab, select the Security Zone to which the interface belongs. The interface must be accessible from a zone outside of your trust network. Consider creating a dedicated VPN zone for visibility and control over your VPN traffic.
     If you haven't yet created the zone, select New Zone from the Security Zone list, define a Name for the new zone, and then click OK.
  d. Select the Virtual Router to use.
  e. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 192.168.210.26/24.
  f. To save the interface configuration, click OK.
In this example, the configuration for VPN Peer A is:
  Interface: ethernet1/7
  Security Zone: untrust
  Virtual Router: default
  IPv4: 192.168.210.26/24
The configuration for VPN Peer B is:
  Interface: ethernet1/11
  Security Zone: untrust
  Virtual Router: default
  IPv4: 192.168.210.120/24
Step 2. Create a tunnel interface and attach it to a virtual router and security zone.
  a. Select Network > Interfaces > Tunnel and click Add.
  b. In the Interface Name field, specify a numeric suffix, such as .1.
  c. On the Config tab, expand the Security Zone to define the zone as follows:
     - To use your trust zone as the termination point for the tunnel, select the zone.
     - (Recommended) To create a separate zone for VPN tunnel termination, click New Zone. In the Zone dialog, define a Name for a new zone (for example vpn-tun), and then click OK.
  d. Select the Virtual Router.
  e. (Optional) To assign an IP address to the tunnel interface, select the IPv4 or IPv6 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface. With static routes, the tunnel interface doesn't require an IP address: for traffic destined to a specified subnet or IP address, the tunnel interface automatically becomes the next hop. Consider adding an IP address if you want to enable tunnel monitoring.
  f. To save the interface configuration, click OK.
In this example, the configuration for VPN Peer A is:
  Interface: tunnel.10
  Security Zone: vpn_tun
  Virtual Router: default
  IPv4: 172.19.9.2/24
The configuration for VPN Peer B is:
  Interface: tunnel.11
  Security Zone: vpn_tun
  Virtual Router: default
  IPv4: 192.168.69.2/24
Step 3. Configure a static route, on the virtual router, to the destination subnet.
  a. Select Network > Virtual Router and click the router you defined in the prior step.
  b. Select Static Route, click Add, and enter a new route to access the subnet that is at the other end of the tunnel.
In this example, the configuration for VPN Peer A is:
  Destination: 192.168.69.0/24
  Interface: tunnel.10
The configuration for VPN Peer B is:
  Destination: 172.19.9.0/24
  Interface: tunnel.11
Step 4. Set up the crypto profiles (IKE Crypto profile for phase 1 and IPSec Crypto profile for phase 2).
Complete this task on both peers and make sure to set identical values.
  a. Select Network > Network Profiles > IKE Crypto. In this example, we use the default profile.
  b. Select Network > Network Profiles > IPSec Crypto. In this example, we use the default profile.
Step 5. Set up the IKE Gateway.
  a. Select Network > Network Profiles > IKE Gateway.
  b. Click Add and configure the options in the General tab.
     In this example, the configuration for VPN Peer A is:
       Interface: ethernet1/7
       Local IP address: 192.168.210.26/24
       Peer IP type/address: static/192.168.210.120
       Preshared keys: enter a value
       Local identification: None; this means that the local IP address will be used as the local identification value.
     The configuration for VPN Peer B is:
       Interface: ethernet1/11
       Local IP address: 192.168.210.120/24
       Peer IP type/address: static/192.168.210.26
       Preshared keys: enter the same value as on Peer A
       Local identification: None
  c. Select Advanced Phase 1 Options and select the IKE Crypto profile you created earlier to use for IKE phase 1.
Step 6. Set up the IPSec Tunnel.
  a. Select Network > IPSec Tunnels.
  b. Click Add and configure the options in the General tab.
     In this example, the configuration for VPN Peer A is:
       Tunnel Interface: tunnel.10
       Type: Auto Key
       IKE Gateway: select the IKE Gateway defined above.
       IPSec Crypto Profile: select the IPSec Crypto profile defined in step 4.
     The configuration for VPN Peer B is:
       Tunnel Interface: tunnel.11
       Type: Auto Key
       IKE Gateway: select the IKE Gateway defined above.
       IPSec Crypto Profile: select the IPSec Crypto profile defined in step 4.
  c. (Optional) Select Show Advanced Options, select Tunnel Monitor, and specify a Destination IP address to ping for verifying connectivity. Typically, the tunnel interface IP address of the VPN peer is used.
  d. (Optional) To define the action on failure to establish connectivity, see Define a Tunnel Monitoring Profile.
Step 7. Create policy rules to allow traffic between the sites (subnets).
  a. Select Policies > Security.
  b. Create rules to allow traffic between the untrust and the vpn-tun zone and between the vpn-tun and the untrust zone for traffic originating from specified source and destination IP addresses.
Step 8. Commit any pending configuration changes.
  Click Commit.
To verify the connection, see Troubleshoot Your IPSec VPN Tunnel Connection. See also View the Status of the Tunnels.
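Most failures of a static-route tunnel are not crypto problems but mirror-image mistakes between the two peers: a transposed peer address, a pre-shared key that differs by one character, a static route that doesn't cover the far tunnel address, or a missing rule in one direction. The following Python script is an added example (not part of the Palo Alto Networks documentation and not a PAN-OS tool) that models the Peer A and Peer B values from the steps above and cross-checks them before commit. The dictionary keys are the script's own labels rather than PAN-OS configuration keys, and the pre-shared key value is a constructed placeholder. Keys are compared by digest so a mismatch report never contains the secret.

```python
"""Pre-commit consistency check for the two-peer static-route VPN above.

Added example, not a Palo Alto Networks tool. The dict keys are this script's
own labels, not PAN-OS configuration keys; the pre-shared key is a placeholder.
"""
import hashlib
import ipaddress

# Values from the page's Peer A / Peer B configuration, plus a constructed PSK.
PEER_A = {
    "name": "VPN Peer A",
    "ike_interface": "ethernet1/7", "ike_ip": "192.168.210.26/24", "ike_zone": "untrust",
    "tunnel_interface": "tunnel.10", "tunnel_ip": "172.19.9.2/24", "tunnel_zone": "vpn_tun",
    "peer_ip": "192.168.210.120", "psk": "EXAMPLE-PSK-REPLACE-ME",
    "ike_crypto": "default", "ipsec_crypto": "default",
    "static_routes": [("192.168.69.0/24", "tunnel.10")],
    "tunnel_monitor_dst": "192.168.69.2",
    "policies": [("untrust", "vpn_tun"), ("vpn_tun", "untrust")],
}
PEER_B = {
    "name": "VPN Peer B",
    "ike_interface": "ethernet1/11", "ike_ip": "192.168.210.120/24", "ike_zone": "untrust",
    "tunnel_interface": "tunnel.11", "tunnel_ip": "192.168.69.2/24", "tunnel_zone": "vpn_tun",
    "peer_ip": "192.168.210.26", "psk": "EXAMPLE-PSK-REPLACE-ME",
    "ike_crypto": "default", "ipsec_crypto": "default",
    "static_routes": [("172.19.9.0/24", "tunnel.11")],
    "tunnel_monitor_dst": "172.19.9.2",
    "policies": [("untrust", "vpn_tun"), ("vpn_tun", "untrust")],
}

def _host(cidr):
    """Host address of an 'a.b.c.d/n' interface assignment."""
    return ipaddress.ip_interface(cidr).ip

def _routed_via_tunnel(peer, dst):
    """True if a static route whose destination contains dst points at the tunnel interface."""
    return any(dst in ipaddress.ip_network(net) and iface == peer["tunnel_interface"]
               for net, iface in peer["static_routes"])

def _psk_fingerprint(peer):
    """Short digest so a mismatch report never contains the key itself."""
    return hashlib.sha256(peer["psk"].encode()).hexdigest()[:12]

def check_side(local, remote):
    """Findings for one peer, judged against the other peer's values."""
    n, out = local["name"], []
    # Phase 1: the configured peer address must be the remote IKE interface address.
    if ipaddress.ip_address(local["peer_ip"]) != _host(remote["ike_ip"]):
        out.append(f"{n}: peer IP {local['peer_ip']} is not {remote['name']}'s "
                   f"IKE interface address {_host(remote['ike_ip'])}")
    # Static routing: the remote tunnel address must be reachable via the local tunnel
    # interface, or neither site traffic nor tunnel-monitor pings enter the tunnel.
    remote_tun = _host(remote["tunnel_ip"])
    if not _routed_via_tunnel(local, remote_tun):
        out.append(f"{n}: no static route to {remote_tun} via {local['tunnel_interface']}")
    # Tunnel monitor pings the remote tunnel interface, so that is the address to configure.
    mon = local.get("tunnel_monitor_dst")
    if mon is not None and ipaddress.ip_address(mon) != remote_tun:
        out.append(f"{n}: tunnel monitor destination {mon} is not {remote['name']}'s tunnel IP {remote_tun}")
    # The page recommends a dedicated zone for tunnel termination.
    if local["tunnel_zone"] == local["ike_zone"]:
        out.append(f"{n}: tunnel terminates in IKE zone {local['ike_zone']}; a dedicated VPN zone is recommended")
    # Security policy in both directions between the zones named in the policy step.
    needed = {(local["ike_zone"], local["tunnel_zone"]), (local["tunnel_zone"], local["ike_zone"])}
    for src, dst in sorted(needed - set(local["policies"])):
        out.append(f"{n}: no security rule from zone {src} to zone {dst}")
    return out

def check_pair(a, b):
    """Cross-check both peers; returns an empty list when the pair is consistent."""
    out = check_side(a, b) + check_side(b, a)
    for key in ("ike_crypto", "ipsec_crypto"):   # step 4: identical values on both peers
        if a[key] != b[key]:
            out.append(f"{key} differs: {a[key]} vs {b[key]}")
    if _psk_fingerprint(a) != _psk_fingerprint(b):
        out.append(f"pre-shared keys differ (sha256 {_psk_fingerprint(a)} vs {_psk_fingerprint(b)})")
    return out

def with_change(peer, **overrides):
    """Copy of a peer with some fields replaced, to show what the checks catch."""
    return {**peer, **overrides}

if __name__ == "__main__":
    for f in check_pair(PEER_A, PEER_B) or ["no inconsistencies found"]:
        print(f)
    # A transposed peer address is caught here instead of as a phase-1 timeout after commit.
    for f in check_pair(PEER_A, with_change(PEER_B, peer_ip="192.168.210.62")):
        print("mistake demo:", f)
```

Run as-is it reports the page's pair as consistent and then shows the finding for a mistyped peer address. The same structure extends to more sites by calling check_pair once per tunnel pair; the checks deliberately stay on the relationships between the two sides, which is where a GUI-driven procedure done twice by hand most often drifts.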