Configure Data Center (DC-DC) Interconnectivity

Prisma SD-WAN ION data center devices can communicate with each other using standard VPN IPsec tunnels. Learn how to configure DC-DC tunnels in Prisma SD-WAN.

Prisma SD-WAN supports standard VPN for connection between two Data Center ION devices. Both the DC ION devices may try to initiate a tunnel, in which case, the tunnel will not be established. To overcome this issue, Prisma SD-WAN supports the responder-only mode for the DC ION devices, so that the ION device only responds to the IKE connection and does not initiate it. Prisma SD-WAN currently supports this feature only for IPsec VPNs and not for GRE VPNs. Prisma SD-WAN supports both IKEv1 and IKEv2.

  1. Select Manage > Workflows > Devices > Claimed Devices.
  2. From the ellipsis menu, select Configure the device.
  3. On the Configure Interface: New Standard VPN screen, set up the Main Configuration for the new interface.
    1. For Admin Up, select Yes.
    2. (Optional) Enter a Name, Description, and Tags.
    3. Select IPsec as the Standard VPN Type.
       The Interface Type must display as Standard VPN.
    4. Select a Parent Interface to establish the GRE tunnel.
       For a data center ION device, any of the following ports can be used as a parent interface:
       • Any Connect to Internet port
       • Any Connect to Peer Network port
    5. Toggle Scope to Local or Global.
    6. Enter an Inner Tunnel IP Address or Mask.
    7. For the Endpoint name, add the name of the connected Data Center site.
       Note that although configured, the Endpoint will not be pushed to the DC ION device, since the Endpoint applies only for a branch ION device. Hence, you have to enter a Peer IP for the tunnel to be established.
    8. Enter a Peer IP of the connected DC site.
       The Peer IP is mandatory for a DC-DC tunnel.
    9. Select an IPsec Profile.
       Select a created IPsec profile.
    10. Under Advanced Options, navigate to Passive Mode.
       By default, Passive Mode is No, which means that the device can act as a responder and an initiator.
       (Optional) Select Yes for Passive Mode to have the ION device in the responder-only mode. Set one end of the tunnel to Yes and the other end to No.
  4. Click Create Standard VPN.
    You can view the DC-DC tunnels on the Overlays Connection page for a DC site.
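
An added example, not Prisma SD-WAN code or API: a preflight check over both ends of a planned DC-DC tunnel that flags a missing Peer IP, a non-IPsec type, and a Passive Mode setting that is not Yes on one end and No on the other. The `TunnelEnd` record, its field names (including `reachable_ip`) and the sample addresses are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional


@dataclass
class TunnelEnd:
    # Hypothetical record; fields mirror the screen labels, not a Prisma SD-WAN API.
    site: str
    vpn_type: str            # Standard VPN Type: "IPsec" or "GRE"
    reachable_ip: str        # assumed: address the other DC uses to reach this ION
    peer_ip: Optional[str]   # Peer IP field
    passive_mode: bool       # Passive Mode: True = Yes (responder-only)


def check_dc_pair(a: TunnelEnd, b: TunnelEnd) -> List[str]:
    """Return findings for one DC-DC tunnel; an empty list means the pair is consistent."""
    findings = []
    for end, other in ((a, b), (b, a)):
        if end.vpn_type != "IPsec":
            findings.append(f"{end.site}: Standard VPN Type is {end.vpn_type}; "
                            "responder-only mode is supported only for IPsec")
        if not end.peer_ip:
            findings.append(f"{end.site}: Peer IP is mandatory for a DC-DC tunnel")
        elif ip_address(end.peer_ip) != ip_address(other.reachable_ip):
            findings.append(f"{end.site}: Peer IP {end.peer_ip} does not match "
                            f"{other.site} ({other.reachable_ip})")
    if not a.passive_mode and not b.passive_mode:
        findings.append("Passive Mode is No on both ends: both IONs may initiate "
                        "and the tunnel will not be established")
    elif a.passive_mode and b.passive_mode:
        findings.append("Passive Mode is Yes on both ends: both IONs are "
                        "responder-only, so neither initiates IKE")
    return findings


# Constructed sample data (documentation address ranges).
DC1 = TunnelEnd("DC1", "IPsec", "198.51.100.10", "203.0.113.20", passive_mode=True)
DC2 = TunnelEnd("DC2", "IPsec", "203.0.113.20", "198.51.100.10", passive_mode=False)

if __name__ == "__main__":
    for line in check_dc_pair(DC1, DC2) or ["DC1 <-> DC2: consistent"]:
        print(line)
```
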

Port Translation between Data Centers

If one of the ION devices is behind a NAT device, you need to configure an inbound DNAT rule for port translation for the receiving ION device, so that port 4500 is translated to port 4501 for a given IP address.
