Site-to-Site VPN Overview
A site-to-site VPN is a VPN connection that securely connects two Local Area Networks (LANs). A route-based VPN can be configured to connect Palo Alto Networks firewalls located at two sites, or to connect a Palo Alto Networks firewall with a third-party security device at another location. The Palo Alto Networks firewall can also interoperate with third-party policy-based VPN devices; in that case the Proxy IDs configured on the IPSec tunnel must match the traffic selectors in the peer's policy, or phase 2 negotiation fails. On the firewall itself the VPN is always route based: the tunnel is represented by a tunnel interface, and the routing table, not a policy match, decides which traffic is sent into the tunnel. Whatever the routing decision hands to the tunnel interface is encrypted and carried by the VPN.
The IP Security (IPSec) protocol suite is used to set up the secure tunnel for the VPN traffic, and the original IP packet is protected by ESP (Encapsulating Security Payload), which provides confidentiality and, when an authentication algorithm is configured, integrity protection. In tunnel mode the original IP packet (header and payload) is embedded in an ESP payload, a new IP header is prepended, and the result is sent through the IPSec tunnel. The source IP address in the new header is the local VPN peer and the destination IP address is the far-end peer, so the routers in between see only the two public peer addresses. When the packet reaches the far end, the peer verifies the ESP integrity check, decrypts the payload and strips the outer header, leaving only the original IP packet to be forwarded into the remote LAN.
The diagram above depicts a VPN tunnel between two sites. When a user protected by VPN Peer A needs data from a server located behind VPN Peer B, and the security policy permits the connection, VPN Peer A uses the IKE Crypto profile parameters (IKE phase 1) to establish a secure channel with VPN Peer B and authenticate it. The IPSec Crypto profile (IKE phase 2) is then used to negotiate the IPSec security associations that make up the VPN tunnel and allow the secure transfer of data between the two sites. The IKE and IPSec Crypto profile settings (encryption, authentication, DH group, lifetimes) must match on both peers, otherwise the corresponding phase of the negotiation fails and no tunnel comes up.
IPSec VPN Setup: Palo Alto Networks
Setting Up Site-to-Site VPN
Site-to-Site VPN with Static Routing
In this scenario, the VPN connection between the two sites is set up using static routes. The tunnel interfaces on VPN Peer A and VPN Peer B do not require an IP address, because the firewall uses the tunnel interface itself as the next hop for routing traffic between the sites. If tunnel monitoring is enabled, however, a static IP address is assigned to each tunnel interface, since the monitor probes sent through the tunnel need a source address.
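The following Python model ties together the two mechanisms this page describes: the route-based forwarding decision (a static route whose next hop is the tunnel interface, no tunnel IP required) and the ESP tunnel-mode encapsulation from the overview (outer IP header carrying the two peer addresses, ESP header, padded inner packet, integrity check, outer header stripped again at the far end). It is an added example written for this page, not Palo Alto Networks code or a PAN-OS feature. The addresses, interface names, SPI and keys are constructed for the example, and the keystream is an HMAC-SHA256 counter construction used only so the code runs on the Python standard library; a real ESP SA uses AES-CBC or AES-GCM negotiated by IKE phase 2. The integrity check value is a genuine HMAC-SHA256-128 and the ESP packet layout (SPI, sequence number, payload, padding, pad length, next header 4 for an inner IPv4 packet, ICV) follows RFC 4303.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed topology (an assumption for this example, not from the page): LAN A 192.168.1.0/24
# sits behind VPN Peer A (203.0.113.1), LAN B 192.168.2.0/24 behind VPN Peer B (198.51.100.1).
PEER_A, PEER_B = "203.0.113.1", "198.51.100.1"
TUNNEL_IF = "tunnel.1"
PROTO_IPV4, PROTO_ESP = 4, 50   # IANA protocol numbers: IP-in-IP, ESP
IPV4_FMT = "!BBHHHBBH4s4s"       # 20-byte IPv4 header, no options

# Route-based VPN: the remote LAN is reached by a static route whose next hop is the tunnel
# interface itself (no tunnel IP needed). Entries are (prefix, egress interface).
ROUTES_A = [
    (ipaddress.ip_network("192.168.1.0/24"), "ethernet1/2"),  # local LAN
    (ipaddress.ip_network("192.168.2.0/24"), TUNNEL_IF),      # remote LAN via the VPN
    (ipaddress.ip_network("0.0.0.0/0"), "ethernet1/1"),       # default route, untrust
]

def lookup_route(routes, dst):
    """Longest-prefix match; returns the egress interface name or None."""
    addr = ipaddress.ip_address(dst)
    hits = [(p, i) for p, i in routes if addr in p]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def ipv4_checksum(hdr):
    """Standard IPv4 header checksum; returns 0 for a header whose checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_packet(src, dst, proto, payload):
    """Minimal IPv4 header (version 4, IHL 5, TTL 64, real checksum) plus payload."""
    f = [0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed]
    f[7] = ipv4_checksum(struct.pack(IPV4_FMT, *f))
    return struct.pack(IPV4_FMT, *f) + payload

def parse_ipv4(pkt):
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    return {"src": str(ipaddress.ip_address(src)), "dst": str(ipaddress.ip_address(dst)),
            "proto": proto, "payload": pkt[(ver_ihl & 0x0F) * 4:total]}

class EspSa:
    """One direction of an IPSec SA. Keys are constructed here (IKE phase 2 would negotiate
    them). Keystream = HMAC-SHA256 in counter mode over (SPI, seq, block), an illustrative
    stand-in for the AES transform of a real ESP SA; the ICV is a real HMAC-SHA256-128."""
    def __init__(self, spi, enc_key, auth_key):
        self.spi, self.enc_key, self.auth_key = spi, enc_key, auth_key
        self.seq = 0            # sender: last sequence number used
        self.highest_seen = 0   # receiver: simple anti-replay state

    def _keystream(self, seq, n):
        blocks = [hmac.new(self.enc_key, struct.pack("!IIQ", self.spi, seq, c),
                           hashlib.sha256).digest() for c in range((n + 31) // 32)]
        return b"".join(blocks)[:n]

    def _icv(self, data):
        return hmac.new(self.auth_key, data, hashlib.sha256).digest()[:16]

    def encapsulate(self, inner, local, remote):
        """Tunnel mode: outer IPv4 | SPI | seq | enc(inner | pad | padlen | nh=4) | ICV."""
        self.seq += 1
        padlen = (-(len(inner) + 2)) % 4   # ESP trailer must end on a 4-byte boundary
        plain = inner + bytes(range(1, padlen + 1)) + bytes([padlen, PROTO_IPV4])
        cipher = bytes(a ^ b for a, b in zip(plain, self._keystream(self.seq, len(plain))))
        esp = struct.pack("!II", self.spi, self.seq) + cipher
        return ipv4_packet(local, remote, PROTO_ESP, esp + self._icv(esp))

    def decapsulate(self, outer):
        """Verify the ICV before anything else, then anti-replay, then decrypt and unpad."""
        ip = parse_ipv4(outer)
        esp, icv = ip["payload"][:-16], ip["payload"][-16:]
        if not hmac.compare_digest(icv, self._icv(esp)):
            raise ValueError("ICV mismatch: forged or corrupted")
        spi, seq = struct.unpack("!II", esp[:8])
        if spi != self.spi:
            raise ValueError("unknown SPI 0x%08x" % spi)
        if seq <= self.highest_seen:
            raise ValueError("replayed sequence number %d" % seq)
        self.highest_seen = seq
        plain = bytes(a ^ b for a, b in zip(esp[8:], self._keystream(seq, len(esp) - 8)))
        padlen, nh = plain[-2], plain[-1]
        if nh != PROTO_IPV4:
            raise ValueError("unexpected next header %d" % nh)
        return plain[:-(padlen + 2)]   # the original inner IP packet, outer header gone

def forward_from_lan_a(sa, pkt):
    """Peer A's decision: route lookup first; only traffic whose next hop is the tunnel
    interface is encapsulated toward Peer B. Returns (egress interface, wire packet)."""
    iface = lookup_route(ROUTES_A, parse_ipv4(pkt)["dst"])
    return (iface, sa.encapsulate(pkt, PEER_A, PEER_B)) if iface == TUNNEL_IF else (iface, pkt)

if __name__ == "__main__":
    tx, rx = EspSa(0xC0FFEE01, b"k" * 32, b"a" * 32), EspSa(0xC0FFEE01, b"k" * 32, b"a" * 32)
    inner = ipv4_packet("192.168.1.10", "192.168.2.20", 6, b"GET / HTTP/1.0\r\n")
    iface, wire = forward_from_lan_a(tx, inner)
    o = parse_ipv4(wire)
    print(iface, o["src"], "->", o["dst"], "proto", o["proto"], "restored:", rx.decapsulate(wire) == inner)
```

Running the block shows that a packet from 192.168.1.10 to 192.168.2.20 is routed to tunnel.1 and leaves Peer A as an ESP packet (protocol 50) from 203.0.113.1 to 198.51.100.1, and that Peer B recovers the exact original packet. Traffic for the local LAN or the default route is never encapsulated, which is the route-based behaviour the text describes. Delivering the same ESP packet twice fails the sequence-number check, and flipping any byte of the ciphertext fails the ICV check before decryption is attempted; a real ESP implementation uses a sliding replay window rather than this strict "greater than last seen" rule, but the order of the checks is the same.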
Site-to-Site VPN with OSPF
In this scenario, each site uses OSPF for dynamic routing. Each tunnel interface is assigned a static IP address, which serves as the next hop for traffic between the sites and lets OSPF form its adjacency across the tunnel.
Site-to-Site VPN with Static and Dynamic Routing
In this scenario, one site uses static routes and the other site uses OSPF. When the routing method is not the same at the two ends, the tunnel interface must be configured with a static IP address, and a redistribution profile must be configured on the firewall that participates in both the static and the dynamic routing process, so that the static routes (including the route across the tunnel) are redistributed into OSPF. Without a redistribution profile, a routing protocol does not exchange any route information with other protocols running on the same virtual router.
Virtual private networks (VPNs) create tunnels that allow user systems to connect securely over a public network and transfer data. To set up a VPN tunnel, the Palo Alto Networks firewalls at both ends need to authenticate each other and encrypt the data traffic between them.