configuring hub and spoke route based vpn.pdf

Hub and Spoke IPSec VPN Configuring route based Hub and spoke IPSec VPN using OSPF September 2010 Palo Alto Networks 232 E. Java Dr. Sunnyvale, CA 94089 408.738.7700 www.paloaltonetworks.com

http://www.paloaltonetworks.com/�

© 2010 Palo Alto Networks

Table of Contents

Overview ............................................................................................................................................ 3 Design Consideration ......................................................................................................................... 3 Topology ............................................................................................................................................. 3 VPN configuration .............................................................................................................................. 4

Configuration for site-A ............................................................................................................... 4 Configuration for site-B ............................................................................................................... 5

OSPF configuration ........................................................................................................................ 6 VPN configuration-Site A.................................................................................................................... 7

OSPF configuration ........................................................................................................................ 8 VPN configuration Site B ................................................................................................................ 9

IKE configuration ......................................................................................................................... 9 IPSec configuration ..................................................................................................................... 9

OSPF configuration ........................................................................................................................ 9 Verification ........................................................................................................................................ 10

HUB site ........................................................................................................................................ 10 Spoke sites ................................................................................................................................... 12

Additional references ........................................................................................................................ 13


Overview

This document explains the configuration steps required to setup hub and spoke VPN using PAN-OS. In this example OSPF is used to route traffic between the VPN sites and one of the spoke site is configured to be a dynamic end point

Design Consideration

The scenario is tested using PAN OS 3.1.3. PAN OS does not support the use of a single tunnel interface to route traffic to multiple VPN end points. The hub site requires a separate tunnel interface to connect to each one of the spoke site. Each of the tunnel interfaces is configured as point-to-point interface. As far as OSPF is concerned adjacencies are always formed over a point-to-point interface. With point-to-point interfaces each one of segment will belong to a different subnet.

Topology

In this example, the site B is dynamic end point. Two tunnel interfaces are configured on the HUB to connect to the spoke sites. Each one of the tunnel interfaces pairs must be in its own subnet. The table below summarizes the interface and OSPF configuration on each one of the sites


Hub Interface zone IP address Description OSPF area

ethernet 1/1 trust 172.16.101.1/24 0.0.0.141

ethernet 1/2 untrust 1.1.1.141/24 N/A

tunnel.1 VPN 2.1.1.1/30 Tunnel to Site B

0.0.0.0

tunnel.2 VPN 2.1.1.5/30 Tunnel to Site A

0.0.0.0

Site A Interface zone IP address Description OSPF area

ethernet 1/13 trust 192.168.2.1/24 0.0.0.122

ethernet 1/14 untrust 1.1.1.122/24 N/A

tunnel.122 VPN 2.1.1.6/30 Tunnel to HUB

0.0.0.0

Site B Interface zone IP address Description OSPF area

ethernet 1/15 trust 192.168.1.1/24 0.0.0.140

ethernet 1/16 untrust Dynamic IP N/A

tunnel.140 VPN 2.1.1.2/30 Tunnel to HUB

0.0.0.0

VPN configuration

Configuration for site-A

IKE gateway configuration Network>network profiles> IKE gateways


IPSec configuration Network>IPSec tunnels

Configuration for site-B

IKE gateway configuration


IPSec configuration

OSPF configuration

The tunnel interfaces are assigned to the backbone area 0.0.0.0 with link type of point-to-point. OSPF adjacencies are always formed on p2p interfaces. The ethernet interface connecting to the local network is the area 0.0.0.141. figure below shows the snap shot of OSPF configuration for the area 0.0.0.0


VPN configuration-Site A

IKE gateway

IPSec VPN


OSPF configuration



VPN configuration Site B

IKE configuration

IPSec configuration

OSPF configuration



Verification

HUB site

On the Hub site you will see two active tunnels- one for each spoke admin@FW-A> show vpn flow ------------------------------------------------------------------------------- total tunnels configured: 2 filter - type IPSec, state any total IPSec tunnel configured: 2 total IPSec tunnel shown: 2 name id state local-ip peer-ip tunnel-i/f ------------------------------------------------------------------------------- vpn-to-siteA 7 active 1.1.1.141 1.1.1.140 tunnel.1 vpn-to-siteB 6 active 1.1.1.141 1.1.1.122 tunnel.2


OSPF will form adjacencies with both the spoke sites as shown below admin@FW-A> show routing protocol ospf neighbor Options: 0x80:reserved, O:Opaq-LSA capability, DC:demand circuits, EA:Ext-Attr LSA capability, N/P:NSSA option, MC:multicase, E:AS external LSA capability, T:TOS capability ========== virtual router: vr1 neighbor address: 2.1.1.2 local address binding: 0.0.0.0 type: dynamic status: full neighbor router ID: 192.168.100.140 area id: 0.0.0.0 neighbor priority: 1 lifetime remain: 31 messages pending: 0 LSA request pending: 0 options: 0x42: O E hello suppressed: no ========== virtual router: vr1 neighbor address: 2.1.1.6 local address binding: 0.0.0.0 type: dynamic status: full neighbor router ID: 192.168.100.122 area id: 0.0.0.0 neighbor priority: 1 lifetime remain: 30 messages pending: 0 LSA request pending: 0 options: 0x42: O E hello suppressed: no The routes to LAN behind the spoke, 192.168.1.0/24 and 192.168.2.0/24 will be learned via OSPF with the corresponding tunnel interface as the next hop.


Spoke sites

The spoke site will have one active tunnel to the hub. VPN traffic to other spokes will be routed via the HUB. You will see that the routes to hub 172.16.101.0/24 and site B- 192.168.1.0/24 are learned via OSPF with tunnel interface as the next hop interface admin@siteA(active)> show vpn flow ------------------------------------------------------------------------------- total tunnels configured: 1 filter - type IPSec, state any total IPSec tunnel configured: 1 total IPSec tunnel shown: 1 name id state local-ip peer-ip tunnel-i/f ------------------------------------------------------------------------------- IPSec-to-Hub 5 active 1.1.1.122 1.1.1.141 tunnel.122 -------------------------------------------------------------------------------


Similarly on site B, routes to the other sites will be learned via OSPF

Additional references

How to Configure and Troubleshoot IPSec VPNs https://live.paloaltonetworks.com/docs/DOC-1163 Configuring route based IPSec with overlapping networks https://live.paloaltonetworks.com/docs/DOC-1594 Configuring route based IPSec using OSPF https://live.paloaltonetworks.com/docs/DOC-1586 Configuring IPSec VPN- Layer 2.pdf https://live.paloaltonetworks.com/docs/DOC-1575

https://live.paloaltonetworks.com/docs/DOC-1163�




configuring hub and spoke route based vpn.pdf

Documents