Site-to-Site VPN with Static and Dynamic Routing
Applies to: PAN-OS (no license required)
In this example, one site uses static routes and the other site uses OSPF. Because the two sites don't run the same routing protocol, the tunnel interface on each firewall must be configured with a static IP address. To exchange routing information, the firewall that participates in both the static and the dynamic routing process (VPN Peer B) must also be configured with a Redistribution profile. The redistribution profile lets the virtual router redistribute and filter routes between protocols (static routes, connected routes, and host routes), carrying them from the static routing domain into the OSPF autonomous system. Without it, each protocol operates in isolation and exchanges no route information with the other protocols running on the same virtual router.
In this example, the satellite office (VPN Peer A) uses static routes, and all traffic destined for the 192.168.x.x network is routed to tunnel.41. The virtual router on VPN Peer B participates in both the static and the dynamic routing process and is configured with a redistribution profile to propagate (export) the static route toward the satellite office into the OSPF autonomous system.
  1. Configure the Layer 3 interfaces on each firewall.
    1. Select Network > Interfaces > Ethernet and then select the interface you want to configure for VPN.
    2. Select Layer3 from the Interface Type list.
    3. On the Config tab, select the Security Zone to which the interface belongs:
      • The interface must be accessible from a zone outside of your trust network. Consider creating a dedicated VPN zone for visibility and control over your VPN traffic.
      • If you haven't yet created the zone, select New Zone from the Security Zone list, define a Name for the new zone, and then click OK.
    4. Select the Virtual Router to use.
    5. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 192.168.210.26/24.
    6. To save the interface configuration, click OK.
      In this example, the configuration for VPN Peer A is:
      • Interface: ethernet1/7
      • Security Zone: untrust
      • Virtual Router: default
      • IPv4: 100.1.1.1/24
      The configuration for VPN Peer B is:
      • Interface: ethernet1/11
      • Security Zone: untrust
      • Virtual Router: default
      • IPv4: 200.1.1.1/24
  2. Set up the crypto profiles (IKE Crypto profile for IKE phase 1 and IPSec Crypto profile for IKE phase 2).
    Complete this task on both peers. The peers must offer at least one matching proposal (encryption, authentication and DH group) in each phase; the simplest way to guarantee that is to use identical profile settings on both sides.
    1. Select Network > Network Profiles > IKE Crypto. In this example, we use the default profile.
    2. Select Network > Network Profiles > IPSec Crypto. In this example, we use the default profile.
    The default profiles are a convenient starting point for a lab, but review their contents before using them on a production link: the default profiles, at least on older PAN-OS releases, still list legacy algorithms such as 3DES, SHA1 and DH group 2. For a new deployment, create profiles that use AES-256, SHA-256 or stronger, and DH group 14 or higher, enable Perfect Forward Secrecy (a DH group) in the IPSec Crypto profile, and then select those same profiles on both peers.
  3. Set up the IKE Gateway.
    With pre-shared keys, you can tighten IKE phase-1 authentication by also configuring Local Identification and Peer Identification attributes. Each firewall presents its local identifier during the IKE negotiation, and the other side compares it with its configured Peer Identification value; a mismatch fails the negotiation even when the pre-shared key is correct. The identifiers are not secret, so the strength of this authentication still rests on a long, random pre-shared key that is unique to this gateway pair.
    1. Select Network > Network Profiles > IKE Gateway.
    2. Click Add and configure the options in the General tab.
      In this example, the configuration for VPN Peer A is:
      • Interface: ethernet1/7
      • Local IP address: 100.1.1.1/24
      • Peer IP address type: dynamic
      • Preshared keys: enter a value
      • Local identification: select FQDN(hostname) and enter the value for VPN Peer A
      • Peer identification: select FQDN(hostname) and enter the value for VPN Peer B
      The configuration for VPN Peer B is:
      • Interface: ethernet1/11
      • Local IP address: 200.1.1.1/24
      • Peer IP address type: dynamic
      • Preshared keys: enter the same value as on Peer A
      • Local identification: select FQDN(hostname) and enter the value for VPN Peer B
      • Peer identification: select FQDN(hostname) and enter the value for VPN Peer A
      A gateway whose peer address type is dynamic does not know where to send the first IKE packet, so it can only respond to negotiations that the peer initiates. Because both peers in this example have fixed public addresses, you can instead set the peer address type to IP on at least one side (enter 200.1.1.1 on Peer A, 100.1.1.1 on Peer B) so that the firewall can initiate the tunnel itself.
    3. Select the IKE Crypto profile that you chose in step 2 (the default profile in this example) to use for IKE phase 1.
  4. Create a tunnel interface and attach it to a virtual router and security zone.
    1. Select Network > Interfaces > Tunnel and click Add.
    2. In the Interface Name field, specify a numeric suffix, say, .41.
    3. On the Config tab, expand the Security Zone list to define the zone as follows:
      • To use your trust zone as the termination point for the tunnel, select the zone.
      • (Recommended) To create a separate zone for VPN tunnel termination, click New Zone. In the Zone dialog, define a Name for the new zone (for example vpn-tun), and then click OK.
    4. Select the Virtual Router.
    5. To assign an IP address to the tunnel interface, select the IPv4 or IPv6 tab, click Add in the IP section, and enter the IP address and network mask/prefix to assign to the interface, for example 172.19.9.2/24.
      This IP address is used to route traffic into the tunnel and to monitor the status of the tunnel. Put the two tunnel interfaces in the same small subnet so that each firewall can use the other's tunnel address as a static next hop and as the tunnel monitor destination.
    6. To save the interface configuration, click OK.
      In this example, the configuration for VPN Peer A is:
      • Interface: tunnel.41
      • Security Zone: vpn-tun
      • Virtual Router: default
      • IPv4: 2.1.1.141/24
      The configuration for VPN Peer B is:
      • Interface: tunnel.42
      • Security Zone: vpn-tun
      • Virtual Router: default
      • IPv4: 2.1.1.140/24
  5. Specify the interface to route traffic to a destination on the 192.168.x.x network.
    1. On VPN Peer A, select Network > Virtual Routers and select the virtual router (default in this example).
    2. Select Static Routes and Add a route with a Destination in the 192.168.x.x network and tunnel.41 as the Interface (set Next Hop to None, or to the tunnel address of VPN Peer B, 2.1.1.140).
  6. Set up the static route and the OSPF configuration on the virtual router and attach the OSPF areas to the appropriate interfaces on the firewall.
    1. On VPN Peer B, select Network > Virtual Routers, and select the default router or add a new router.
    2. Select Static Routes and Add a route for the remote site's 172.168.x.x network with tunnel.42 as the Interface and the tunnel address of VPN Peer A (2.1.1.141) as the next hop.
      Assign the desired route metric; a lower value gives the route higher priority when the forwarding table is built.
    3. Select OSPF (for IPv4) or OSPFv3 (for IPv6) and select Enable.
    4. In this example, the OSPF configuration for VPN Peer B is:
      • Router ID: 192.168.100.140
      • Area ID 0.0.0.0, assigned to interface ethernet1/12, Link Type: Broadcast
      • Area ID 0.0.0.10, assigned to interface ethernet1/1, Link Type: Broadcast
      • Area ID 0.0.0.20, assigned to interface ethernet1/15, Link Type: Broadcast
      The tunnel interface is not placed in any OSPF area: OSPF runs only toward the LAN, and the remote site is reached through the static route, which step 7 exports into OSPF.
  7. Create a redistribution profile to inject the static routes into the OSPF autonomous system.
    1. Create a redistribution profile on VPN Peer B.
      1. Select Network > Virtual Routers, and select the router you used above.
      2. Select Redistribution Profiles, and click Add.
      3. Enter a Name for the profile, select Redist, and assign a Priority value. If you have configured multiple profiles, the profile with the lowest priority value is matched first.
      4. Set Source Type to static, and click OK. The static route you defined in step 6 will be used for the redistribution. If the virtual router carries other static routes that the OSPF domain should not learn, also set a Destination filter so that only the remote site's prefix is exported.
    2. Inject the static routes into the OSPF system.
      1. Select OSPF > Export Rules (for IPv4) or OSPFv3 > Export Rules (for IPv6).
      2. Click Add, and select the redistribution profile that you created.
      3. Select how the external routes are brought into the OSPF system. The default option, Ext2, calculates the total cost of the route using only the external metric. To have each OSPF router add its own internal cost to reach the firewall (the ASBR) to the external metric, use Ext1.
      4. Assign a Metric (cost value) for the routes injected into the OSPF system. This option lets you change the metric of the injected route as it enters the OSPF system.
      5. Click OK.
  8. Set up the IPSec Tunnel.
    1. Select Network > IPSec Tunnels.
    2. Click Add and configure the options in the General tab.
      In this example, the configuration for VPN Peer A is:
      • Tunnel Interface: tunnel.41
      • Type: Auto Key
      • IKE Gateway: select the IKE Gateway defined above
      • IPSec Crypto Profile: select the IPSec Crypto profile chosen in step 2
      The configuration for VPN Peer B is:
      • Tunnel Interface: tunnel.42
      • Type: Auto Key
      • IKE Gateway: select the IKE Gateway defined above
      • IPSec Crypto Profile: select the IPSec Crypto profile chosen in step 2
      The Tunnel Interface must be the interface you created in step 4 on that firewall (tunnel.42 on VPN Peer B). Binding the IPSec tunnel to a different tunnel interface leaves the zone, the address and the static routes attached to an interface that never carries traffic.
    3. Select Show Advanced Options, select Tunnel Monitor, and specify a Destination IP address to ping for verifying connectivity. Use the peer's tunnel interface address (2.1.1.140 from VPN Peer A, 2.1.1.141 from VPN Peer B); the probe is sourced from the local tunnel interface address, which is why the tunnel interfaces need addresses in a shared subnet.
    4. To define the action on failure to establish connectivity, see Define a Tunnel Monitoring Profile.
  9. Create policy rules to allow traffic between the sites (subnets).
    1. Select Policies > Security.
    2. Create rules that allow traffic from the internal (trust) zone to the vpn-tun zone and from the vpn-tun zone to the internal zone, restricted to the source and destination subnets of the two sites and to the applications the sites actually need. Traffic that enters on a LAN interface and leaves through tunnel.41 or tunnel.42 is evaluated against these rules. The IKE and ESP packets themselves terminate on the firewall's untrust interface and are handled as intrazone untrust traffic, so they need no rule unless you have changed the default intrazone rule for that zone.
  10. Verify the tunnel, the OSPF adjacencies and the routes from the CLI.
    In this example only VPN Peer B runs OSPF, so the two firewalls are not OSPF neighbors of each other. The adjacencies to check are those between VPN Peer B and the OSPF routers on its LAN interfaces (ethernet1/12, ethernet1/1 and ethernet1/15), which should show state Full. Then confirm that each firewall's route table contains the route to the remote site through its tunnel interface and the peer's tunnel address, and that the static route exported in step 7 appears on Peer B's OSPF neighbors as an external (E1 or E2) route. Use the following CLI commands on each VPN peer.
    • show vpn ike-sa (the IKE phase-1 SA to the peer)
    • show vpn ipsec-sa (the IPSec phase-2 SA)
    • show vpn flow (tunnel state and counters)
    • show routing protocol ospf neighbor (on VPN Peer B)
    • show routing route
    If no SA exists yet, initiate one with test vpn ike-sa gateway <gateway-name> followed by test vpn ipsec-sa tunnel <tunnel-name>; this only works from a firewall whose IKE gateway has a static peer address.
    The following is an example of the output on each VPN peer.
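Before committing, it is worth checking the two peers' settings against each other, since most of the ways this procedure fails (a mismatched pre-shared key or identifier, no common crypto proposal, an IPSec tunnel bound to the wrong tunnel interface, a dynamic peer address on both gateways so that nobody initiates) show up only as a tunnel that never comes up. The following is an added example, not Palo Alto Networks code: a small Python checker over the values steps 1 to 8 ask for, using the addresses and interface names from this page. The FQDN identifiers, the pre-shared key and the contents of the STRONG and LEGACY profiles are assumptions.

```python
"""Pre-commit consistency check for the two VPN peers in this procedure.

Added example, not Palo Alto Networks code. Addresses and interface names
are the ones on this page; identifiers, PSK and profile contents are assumed.
"""
import ipaddress

# Algorithms to reject in a new profile. LEGACY mirrors what older PAN-OS
# default profiles allowed (assumed content; check your own default profile).
WEAK = {"des", "3des", "md5", "sha1", "group1", "group2", "group5"}
STRONG = {"enc": {"aes-256-cbc"}, "auth": {"sha256"}, "dh": {"group14"}}
LEGACY = {"enc": {"aes-128-cbc", "3des"}, "auth": {"sha1"}, "dh": {"group2"}}


def build_peers(ipsec_tunnel_b="tunnel.42", peer_ip_a="200.1.1.1",
                peer_ip_b="100.1.1.1", crypto=STRONG):
    """Peer records built from the page's values; the defaults give a clean pair."""
    psk = "constructed-example-psk-change-me-0123456789"  # assumption
    a = {
        "tunnel": {"name": "tunnel.41", "ip": "2.1.1.141/24", "zone": "vpn-tun"},
        "ike": {"interface": "ethernet1/7", "local_ip": "100.1.1.1/24",
                "peer_ip": peer_ip_a, "psk": psk, "crypto": crypto,
                "local_id": "peer-a.example.net", "peer_id": "peer-b.example.net"},
        "ipsec": {"tunnel_interface": "tunnel.41", "crypto": crypto},
    }
    b = {
        "tunnel": {"name": "tunnel.42", "ip": "2.1.1.140/24", "zone": "vpn-tun"},
        "ike": {"interface": "ethernet1/11", "local_ip": "200.1.1.1/24",
                "peer_ip": peer_ip_b, "psk": psk, "crypto": crypto,
                "local_id": "peer-b.example.net", "peer_id": "peer-a.example.net"},
        "ipsec": {"tunnel_interface": ipsec_tunnel_b, "crypto": crypto},
    }
    return a, b


def local_ip(peer):
    """Address (without prefix length) of the interface the IKE gateway uses."""
    return str(ipaddress.ip_interface(peer["ike"]["local_ip"]).ip)


def check_peers(a, b):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    for side, me, other in (("A", a, b), ("B", b, a)):
        # Step 8 must bind the IPSec tunnel to the interface created in step 4.
        if me["ipsec"]["tunnel_interface"] != me["tunnel"]["name"]:
            findings.append(f"{side}: IPSec tunnel uses {me['ipsec']['tunnel_interface']}"
                            f" but {me['tunnel']['name']} was configured")
        for kind in ("ike", "ipsec"):
            used = set().union(*me[kind]["crypto"].values())
            if used & WEAK:
                findings.append(f"{side}: {kind} crypto profile allows {sorted(used & WEAK)}")
        # A static peer address must be the other side's IKE interface address.
        if me["ike"]["peer_ip"] != "dynamic" and me["ike"]["peer_ip"] != local_ip(other):
            findings.append(f"{side}: peer address {me['ike']['peer_ip']} is not "
                            f"the other side's local IP {local_ip(other)}")
    # Phase 1 needs the same PSK, mirrored identities and at least one initiator.
    if a["ike"]["psk"] != b["ike"]["psk"]:
        findings.append("pre-shared keys differ")
    elif len(a["ike"]["psk"]) < 32:
        findings.append("pre-shared key is short; use a long random value")
    if (a["ike"]["local_id"], a["ike"]["peer_id"]) != (b["ike"]["peer_id"], b["ike"]["local_id"]):
        findings.append("local/peer identification is not mirrored")
    if a["ike"]["peer_ip"] == "dynamic" and b["ike"]["peer_ip"] == "dynamic":
        findings.append("both gateways have a dynamic peer: neither can initiate IKE")
    # Each phase needs a proposal both sides accept.
    for kind in ("ike", "ipsec"):
        for cat in ("enc", "auth", "dh"):
            if not a[kind]["crypto"][cat] & b[kind]["crypto"][cat]:
                findings.append(f"{kind}: no common {cat} proposal")
    # The tunnel addresses must form one link, or the static next hop and the
    # tunnel monitor ping have nowhere to go.
    ia = ipaddress.ip_interface(a["tunnel"]["ip"])
    ib = ipaddress.ip_interface(b["tunnel"]["ip"])
    if ia.network != ib.network or ia.ip == ib.ip:
        findings.append(f"tunnel addresses {ia} and {ib} are not on one link")
    return findings


if __name__ == "__main__":
    # The values as published on this page: tunnel.40 in step 8, a dynamic peer
    # address on both gateways, and the legacy profile contents.
    for finding in check_peers(*build_peers("tunnel.40", "dynamic", "dynamic", LEGACY)):
        print("FINDING:", finding)
    print("corrected pair:", check_peers(*build_peers()))
```

Run as is, the first call reports six findings (the tunnel.40 binding, the two dynamic peer addresses, and a legacy profile on each phase of each peer), and the corrected pair reports none. The same checks apply to any pair of site-to-site gateways; only the peer records change.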
