Learn how to configure a site-to-site IPSec VPN tunnel.
Where Can I Use This?
What Do I Need?
No license required
To set up site-to-site VPN:
Make sure that your Ethernet interfaces, virtual routers, and zones are
configured properly. For more information, see
Configure Interfaces and
Create your tunnel interfaces. Ideally, put the tunnel interfaces in a separate
zone, so that tunneled traffic can use different policy rules.
Set up static routes or assign routing protocols to redirect traffic to the VPN
tunnels. To support dynamic routing (OSPF, BGP, RIP are supported), you must
assign an IP address to the tunnel interface.
Define IKE gateways for establishing communication between the peers across each
end of the VPN tunnel; also define the cryptographic profile that specifies the
protocols and algorithms for identification, authentication, and encryption to
be used for setting up VPN tunnels in IKEv1 Phase 1. See Set
Up an IKE Gateway and
Define IKE Crypto
Define Security policies to filter and inspect the traffic.
If there’s a deny rule at the end of the security rulebase, intrazone traffic
is blocked unless otherwise allowed. Rules to allow IKE and IPSec
applications must be explicitly included above the deny rule.
If your VPN traffic is passing through (not originating or terminating on) a
PA-7000 Series or PA-5200 Series firewall, configure a bidirectional
Security policy rule to allow the ESP or AH traffic in both directions.
When these tasks are complete, the tunnel is ready for use. Traffic destined for the
zones/addresses defined in a policy rule is automatically routed properly based on the
destination route in the routing table, and handled as VPN traffic. For a few examples
on site-to-site VPN, see Site-to-Site VPN