So I’m looking at this guide:
https://docs.paloaltonetworks.com/network-security/ipsec-vpn/administration/set-up-site-to-site-vpn
I understand that the peer addresses are the external addresses that the two firewalls will use to communicate over the Internet. But where in there do I designate the local subnet that’s going to traverse the tunnel? For instance, if locally I have subnet 10.1.1.0/24 and my peer partner has 10.2.1.0/24, where do those values get entered?
If you’re using unnumbered tunnels, then it is just a static route that points to the tunnel as the next hop instead of an IP address.
Route-based VPNs are the preferred way; however, if you do policy based, then every proxy ID that is configured will count towards the tunnel count for the hardware that you are on.
For example,
Tunnel A has 10 proxy IDs configured. That is 10 VPN tunnels that count toward the limit for the hardware that you are on.
Multiply that by 5 separate peers. That’s now 50 VPN tunnels.
Depends on whether it’s policy based or route based.
Palo is route based.
Set up a static route pointed at your tunnel.
If the other side is policy based, then set up a proxy ID as well.
Under: Network -> IPSec Tunnels -> YourTunnel -> Proxy IDs
Even if policy based, you still need routes.
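A PAN-OS CLI rendering of the setup the thread describes (a static route pointing at the tunnel interface, with proxy IDs added only when the peer is policy based). This is an added example, not configuration from any of the posts; it assumes virtual router `default`, tunnel interface `tunnel.1`, and a zone named `vpn`, using the 10.1.1.0/24 (local) and 10.2.1.0/24 (peer) subnets from the question.

```text
# Tunnel interface, unnumbered, placed in its own zone and in the virtual router
set network interface tunnel units tunnel.1
set zone vpn network layer3 tunnel.1
set network virtual-router default interface tunnel.1

# Bind the IPSec tunnel (name from the thread: YourTunnel) to the interface
set network tunnel ipsec YourTunnel tunnel-interface tunnel.1

# Route-based: the route is what sends 10.2.1.0/24 into the tunnel.
# Next hop is the interface itself, not an IP address.
set network virtual-router default routing-table ip static-route to-peer-lan destination 10.2.1.0/24 interface tunnel.1

# Only if the peer is policy based: one proxy ID per local/remote pair so the
# SA negotiation matches the peer's policy. Each proxy ID counts as a tunnel
# toward the platform limit, as noted above. Route-based peers need none.
set network tunnel ipsec YourTunnel auto-key proxy-id lan-to-lan local 10.1.1.0/24 remote 10.2.1.0/24 protocol any

commit

# Checks: confirm the FIB actually resolves the peer subnet to tunnel.1,
# and that the IPSec SA is up (with the expected proxy ID if one was set)
test routing fib-lookup virtual-router default ip 10.2.1.1
show vpn ipsec-sa tunnel YourTunnel
```

A security policy permitting traffic between the trust zone and `vpn` is still required; the route and proxy ID alone do not allow anything.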
That’s for traffic leaving the network. “Where in there do I designated [sic] the local subnet that’s going to traverse through the tunnel?” You don’t specify the local subnet if it’s route based. You only specify the local subnet if it’s policy based.
Palo Alto firewalls do not support policy based VPNs. You can specify proxy IDs only to allow a tunnel to establish and work with a device configured for a policy based VPN. When it comes to routing traffic across a tunnel, you always need a route or a PBF.
You’re halfway there. Proxy IDs are used to support policy-based VPNs by making multiple route-based VPNs. Please tell me where in the routing process a virtual router looks at the local address? It doesn’t. You don’t put the local source address in anywhere except in PBF, which wasn’t mentioned in the post, or Proxy IDs. Routing happens based on destination address. Proxy IDs require source and destination address. PBF isn’t even necessary. The only place you have to put the local address to support a policy-based VPN is as a Proxy ID.
You’re missing my point, and the OP’s. The only thing that matters is a route to the destination. Doing anything with proxy IDs only allows for compatibility with devices that only support policy-based VPNs; it has no impact on how traffic routes from the Palo side.
You’re missing my point, and the OP’s.
Nope.
The only thing that matters is a route to the destination. Doing anything with proxy IDs only allows for compatibility with devices that only support policy-based VPNs; it has no impact on how traffic routes from the Palo side.
That’s exactly what I’ve been saying. I said the local address only matters when it comes to Proxy IDs. Re-read everything I’ve said. You brought up PBF. You brought up routes. I said it depends on whether it’s a policy-based VPN. If the peer is policy based, then it matters on the Palo side. If it’s policy based, the local address matters. If it’s not, then it doesn’t.