>
    Site-to-Site VPN with OSPF
    Focus
    Download PDF
    Focus
    1. Home
    2. Network Security
    3. Site-to-Site VPN Configuration Examples
    4. Site-to-Site VPN with OSPF
    Download PDF
    Network Security

    Site-to-Site VPN with OSPF

    Table of Contents

    Site-to-Site VPN with OSPF

    Where Can I Use This?What Do I Need?
    • PAN-OS
    		No license required
    In this example, each site uses OSPF for dynamic routing of traffic. The tunnel IP address on each VPN peer is statically assigned and serves as the next hop for routing traffic between the two sites.
    1. Configure the Layer 3 interfaces on each firewall.
      1. Select NetworkInterfacesEthernet and then select the interface you want to configure for VPN.
      2. Select Layer3 from the Interface Type list.
      3. On the Config tab, select the Security Zone to which the interface belongs:
        • The interface must be accessible from a zone outside of your trust network. Consider creating a dedicated VPN zone for visibility and control over your VPN traffic.
        • If you haven’t yet created the zone, select New Zone from the Security Zone list, define a Name for the new zone, and then click OK.
      4. Select the Virtual Router to use.
      5. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 192.168.210.26/24.
      6. To save the interface configuration, click OK.
        In this example, the configuration for VPN Peer A is:
        • Interface—ethernet1/7
        • Security Zone—untrust
        • Virtual Router—default
        • IPv4—100.1.1.1/24
        The configuration for VPN Peer B is:
        • Interface—ethernet1/11
        • Security Zone—untrust
        • Virtual Router—default
        • IPv4—200.1.1.1/24
    2. Create a tunnel interface and attach it to a virtual router and security zone.
      1. Select NetworkInterfacesTunnel and click Add.
      2. In the Interface Name field, specify a numeric suffix, such as, .11.
      3. On the Config tab, expand Security Zone to define the zone as follows:
        • To use your trust zone as the termination point for the tunnel, select the zone.
        • (Recommended) To create a separate zone for VPN tunnel termination, click New Zone. In the Zone dialog, define a Name for the new zone (for example, vpn-tun), and then click OK.
      4. Select the Virtual Router.
      5. Assign an IP address to the tunnel interface, select the IPv4 or IPv6 tab, click Add in the IP section, and enter the IP address and network mask/prefix to assign to the interface, for example, 172.19.9.2/24.
        This IP address will be used as the next hop IP address to route traffic to the tunnel and can also be used to monitor the status of the tunnel.
      6. To save the interface configuration, click OK.
        In this example, the configuration for VPN Peer A is:
        • Interface—tunnel.41
        • Security Zone—vpn_tun
        • Virtual Router—default
        • IPv4—2.1.1.141/24
        The configuration for VPN Peer B is:
        • Interface—tunnel.40
        • Security Zone—vpn_tun
        • Virtual Router—default
        • IPv4—2.1.1.140/24
    3. Set up the crypto profiles (IKE Crypto profile for phase 1 and IPSec Crypto profile for phase 2).
      Complete this task on both peers and make sure to set identical values.
      1. Select NetworkNetwork ProfilesIKE Crypto. In this example, we use the default profile.
      2. Select NetworkNetwork ProfilesIPSec Crypto. In this example, we use the default profile.
    4. Set up the OSPF configuration on the virtual router and attach the OSPF areas with the appropriate interfaces on the firewall.
      For more information on the OSPF options that are available on the firewall, see Configure OSPF.
      Use Broadcast as the link type when there are more than two OSPF routers that need to exchange routing information.
      1. Select NetworkVirtual Routers, and select the default router or add a new router.
      2. Select OSPF (for IPv4) or OSPFv3 (for IPv6) and select Enable.
      3. In this example, the OSPF configuration for VPN Peer A is:
        • Router ID: 192.168.100.141
        • Area ID: 0.0.0.0 that is assigned to the tunnel.1 interface with Link type: p2p
        • Area ID: 0.0.0.10 that is assigned to the interface Ethernet1/1 and Link Type: Broadcast
        The OSPF configuration for VPN Peer B is:
        • Router ID: 192.168.100.140
        • Area ID: 0.0.0.0 that is assigned to the tunnel.1 interface with Link type: p2p
        • Area ID: 0.0.0.20 that is assigned to the interface Ethernet1/15 and Link Type: Broadcast
    5. Set up the IKE Gateway.
      This example uses static IP addresses for both VPN peers. Typically, the corporate office uses a statically configured IP address, and the branch side can be a dynamic IP address; dynamic IP addresses aren’t best suited for configuring stable services such as VPN.
      1. Select NetworkNetwork ProfilesIKE Gateway.
      2. Click Add and configure the options in the General tab.
        In this example, the configuration for VPN Peer A is:
        • Interface—ethernet1/7
        • Local IP address—100.1.1.1/24
        • Peer IP address—200.1.1.1/24
        • Preshared keys—enter a value
        The configuration for VPN Peer B is:
        • Interface—ethernet1/11
        • Local IP address—200.1.1.1/24
        • Peer IP address—100.1.1.1/24
        • Preshared keys—enter same value as on Peer A
      3. Select the IKE Crypto profile that you created earlier to use for IKE phase 1.
    6. Set up the IPSec Tunnel.
      1. Select NetworkIPSec Tunnels.
      2. Click Add and configure the options in the General tab.
        In this example, the configuration for VPN Peer A is:
        • Tunnel Interface—tunnel.41
        • Type—Auto Key
        • IKE Gateway—Select the IKE Gateway defined above.
        • IPSec Crypto Profile—Select the IKE Gateway defined above.
        The configuration for VPN Peer B is:
        • Tunnel Interface—tunnel.40
        • Type—Auto Key
        • IKE Gateway—Select the IKE Gateway defined above.
        • IPSec Crypto Profile—Select the IKE Gateway defined above.
      3. Select Show Advanced Options, select Tunnel Monitor, and specify a Destination IP address to ping for verifying connectivity.
      4. To define the action on failure to establish connectivity, see Define a Tunnel Monitoring Profile.
    7. Create policy rules to allow traffic between the sites (subnets).
      1. Select PoliciesSecurity.
      2. Create rules to allow traffic between the untrust and the vpn-tun zone and the vpn-tun and the untrust zone for traffic originating from specified source and destination IP addresses.
    8. Verify OSPF adjacencies and routes from the CLI.
      Verify that both the firewalls can see each other as neighbors with full status. Also confirm that the IP address of the VPN peer’s tunnel interface and the OSPF Router ID. Use the following CLI commands on each VPN peer.
      • show routing protocol ospf neighbor
      • show routing route type ospf
    9. Troubleshoot Your IPSec VPN Tunnel Connection.
      See Set Up Tunnel Monitoring and View the Status of the Tunnels.

    © 2024 Palo Alto Networks, Inc. All rights reserved.