Tunnel Interface
To set up a VPN tunnel, the Layer 3 interface at each end must have a logical tunnel interface that the firewall uses to connect to the peer and establish the VPN tunnel. A tunnel interface is a logical (virtual) interface used to deliver traffic between the two endpoints. Each proxy ID you configure on a tunnel interface counts toward the firewall's IPSec tunnel capacity.
The tunnel interface must belong to a security zone so that a policy rule can be applied to it, and it must be assigned to a virtual router in order to use the existing routing infrastructure. Ensure that the tunnel interface and the physical interface are assigned to the same virtual router so that the firewall can perform a route lookup and determine the appropriate tunnel to use.
Typically, the Layer 3 interface that the tunnel interface is attached to belongs to an external zone, for example the untrust zone. While the tunnel interface can be in the same security zone as the physical interface, for added security and better visibility you can create a separate zone for the tunnel interface. If you create a separate zone for the tunnel interface, say a VPN zone, you’ll need to create security policies to enable traffic to flow between the VPN zone and the trust zone.
To route traffic between the sites, a tunnel interface doesn’t require an IP address. An IP address is only required if you want to enable tunnel monitoring or if you’re using a dynamic routing protocol to route traffic across the tunnel. With dynamic routing, the tunnel IP address serves as the next-hop IP address for routing traffic to the VPN tunnel.
If you’re configuring the Palo Alto Networks firewall with a VPN peer that performs policy-based VPN, you must configure a local and remote proxy ID when setting up the IPSec tunnel. Each peer compares the proxy IDs configured on it with what is received in the packet; they must match for the IKE phase 2 negotiation to succeed. If multiple tunnels are required, configure unique proxy IDs for each tunnel interface; a tunnel interface can have a maximum of 250 proxy IDs. Each proxy ID counts toward the IPSec VPN tunnel capacity of the firewall, and the tunnel capacity varies by the firewall model.