{"id":131,"date":"2022-04-25T07:33:20","date_gmt":"2022-04-25T11:33:20","guid":{"rendered":"https:\/\/pressbooks.bccampus.ca\/paloalto\/?post_type=chapter&p=131"},"modified":"2026-02-18T16:08:22","modified_gmt":"2026-02-18T21:08:22","slug":"site-to-site-vpn","status":"publish","type":"chapter","link":"https:\/\/pressbooks.bccampus.ca\/paloalto\/chapter\/site-to-site-vpn\/","title":{"raw":"3.3 Site-to-Site VPN","rendered":"3.3 Site-to-Site VPN"},"content":{"raw":"
\r\n

Learning Objectives<\/p>\r\n\r\n<\/header>\r\n

\r\n
    \r\n \t
  • Configure site-to-site VPN<\/li>\r\n \t
  • Configure static routing<\/li>\r\n<\/ul>\r\n<\/div>\r\n<\/div>\r\n
    \r\n\r\nPrerequisites<\/strong>:\r\n
      \r\n \t
    • Create Zones on both firewalls<\/li>\r\n \t
    • Create a tunnel interface on both firewalls<\/li>\r\n \t
    • Create a policy to allow VPN to Inside on both firewalls<\/li>\r\n \t
    • Create a policy to allow Inside to VPN on both firewalls<\/li>\r\n \t
    • Interface configuration<\/li>\r\n \t
    • Knowledge of previous labs<\/li>\r\n<\/ul>\r\n<\/div>\r\n
      \r\n\r\nScenario<\/strong>: This one is a bit tricky since you will be managing both devices. A site-to-site VPN is what your company would set up if you had offices in other locations without being directly connected to each other. But in this lab, we'll just take it easy and assume that they have a direct connection to each other. So, we are going to configure site-to-site VPN between two Palo Alto firewalls. Then, you should be able to ping from client-1 to client-2.\r\n\r\n<\/div>\r\n\r\n[caption id=\"attachment_307\" align=\"aligncenter\" width=\"600\"]\"Main Figure 3.54: Main scenario[\/caption]\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n
      Table 3.8: Addressing Table<\/caption>\r\n
      Device<\/th>\r\nConfiguration<\/th>\r\n<\/tr>\r\n
      Site-1<\/td>\r\nmanagement: 192.168.0.1\/24\r\nEthernet1\/1: 10.0.0.1\/24\r\nEthernet1\/2: 1.1.1.1\/24<\/td>\r\n<\/tr>\r\n
      Site-2<\/td>\r\nmanagement: 192.168.0.2\/24\r\nEthernet1\/1: 172.16.10.1\/24\r\nEthernet1\/2: 1.1.1.2\/24<\/td>\r\n<\/tr>\r\n
      Site1-Client<\/td>\r\neth0: 10.0.0.2\/24 GW: 10.0.0.1<\/td>\r\n<\/tr>\r\n
      Site2-Client<\/td>\r\neth0: 172.16.10.2\/24 GW: 172.16.10.1<\/td>\r\n<\/tr>\r\n
      Management1<\/td>\r\neth0: 192.168.0.3\/24<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n\r\n\r\n\r\n\r\n
      Table 3.9: Zone Configuration for Site1<\/caption>\r\n
      Zone<\/th>\r\nInterface<\/th>\r\n<\/tr>\r\n
      Inside<\/td>\r\nEthernet1\/1<\/td>\r\n<\/tr>\r\n
      VPN<\/td>\r\nEthernet1\/2, tunnel.1<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n\r\n\r\n\r\n\r\n
      Table 3.10: Zone Configuration for Site2<\/caption>\r\n
      Zone<\/th>\r\nInterface<\/th>\r\n<\/tr>\r\n
      Inside<\/td>\r\nEthernet1\/1<\/td>\r\n<\/tr>\r\n
      VPN<\/td>\r\nEthernet1\/2, tunnel.1<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n

      Create an IKE Gateway<\/h2>\r\nUnder Network > Network Profiles > IKE Gateways<\/strong>, click Add<\/b>.\r\n\r\n[caption id=\"attachment_447\" align=\"aligncenter\" width=\"1026\"]\"Add Figure 3.55: Add an IKE Gateway[\/caption]\r\n\r\nOn the Site1 firewall, configure these settings:\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n
      Table 3.11: Site1 IKE Gateway Configuration<\/caption>\r\n
      Parameter<\/th>\r\nValue<\/th>\r\n<\/tr>\r\n
      Interface<\/td>\r\nEthernet1\/2<\/td>\r\n<\/tr>\r\n
      Local IP Address<\/td>\r\n1.1.1.1\/24<\/td>\r\n<\/tr>\r\n
      Peer IP Address Type<\/td>\r\nIP<\/td>\r\n<\/tr>\r\n
      Peer Address<\/td>\r\n1.1.1.2<\/td>\r\n<\/tr>\r\n
      Pre-shared Key<\/td>\r\nPassword Here<\/em><\/td>\r\n<\/tr>\r\n
      Confirm Pre-shared key<\/td>\r\nConfirm Password Here<\/em><\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n[caption id=\"attachment_448\" align=\"aligncenter\" width=\"1026\"]\"Site1 Figure 3.56: Site1 Firewall: IKE Gateway Configuration[\/caption]\r\n\r\nThen press OK<\/strong>.\r\n\r\nOn the Site2 firewall, configure these settings:\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n
      Table 3.12: Site2 IKE Gateway Configuration<\/caption>\r\n
      Parameters<\/th>\r\nValue<\/th>\r\n<\/tr>\r\n
      Interface<\/td>\r\nEthernet1\/2<\/td>\r\n<\/tr>\r\n
      Local IP Address<\/td>\r\n1.1.1.2\/24<\/td>\r\n<\/tr>\r\n
      Peer IP Address Type<\/td>\r\nIP<\/td>\r\n<\/tr>\r\n
      Peer Address<\/td>\r\n1.1.1.1<\/td>\r\n<\/tr>\r\n
      Pre-shared Key<\/td>\r\nSame Password as before here<\/em><\/td>\r\n<\/tr>\r\n
      Confirm Pre-shared key<\/td>\r\nConfirm same password as before here<\/em><\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n[caption id=\"attachment_449\" align=\"aligncenter\" width=\"1026\"]\"Site2 Figure 3.57: Site2 Firewall: IKE Gateway Configuration[\/caption]\r\n\r\nThen press OK<\/strong>.\r\n

      Create an IPsec Tunnel<\/h2>\r\nUnder Network > IPsec Tunnel<\/strong>, click Add<\/b>.\r\n\r\n[caption id=\"attachment_450\" align=\"aligncenter\" width=\"1026\"]\"Site1 Figure 3.58: Site1 Firewall: Add an IPsec Tunnel[\/caption]\r\n\r\nOn both firewalls, configure these settings:\r\n\r\n\r\n\r\n\r\n
      Table 3.13: IPsec Tunnel Configuration<\/caption>\r\n
      Parameters<\/th>\r\nValue<\/th>\r\n<\/tr>\r\n
      Tunnel Interface<\/td>\r\ntunnel.1<\/td>\r\n<\/tr>\r\n
      IKE Gateway<\/td>\r\nThe one you created on the respective firewall<\/em><\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n[caption id=\"attachment_451\" align=\"aligncenter\" width=\"1026\"]\"Site1 Figure 3.59: Site1 and Site2 Firewall: IPsec Tunnel Configuration[\/caption]\r\n

      Create Static Routes<\/h2>\r\nUnder Network > Virtual Routers<\/strong>, click default.\r\n\r\n[caption id=\"attachment_452\" align=\"aligncenter\" width=\"1026\"]\"Virtual Figure 3.60: Virtual Routers Configuration[\/caption]\r\n\r\nUnder the static routes tab, click Add<\/b>.\r\n\r\n[caption id=\"attachment_453\" align=\"aligncenter\" width=\"1026\"]\"Add Figure 3.61: Add a Static Route in the Site1[\/caption]\r\n\r\nOn the Site1 firewall, configure these settings:\r\n\r\n\r\n\r\n\r\n\r\n
      Table 3.14: Site1 Static Route Configuration<\/caption>\r\n
      Parameters<\/th>\r\nValue<\/th>\r\n<\/tr>\r\n
      Destination<\/td>\r\n172.16.10.0\/24<\/td>\r\n<\/tr>\r\n
      Interface<\/td>\r\ntunnel.1<\/td>\r\n<\/tr>\r\n
      Next Hop<\/td>\r\nNone<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n[caption id=\"attachment_454\" align=\"aligncenter\" width=\"1026\"]\"Static Figure 3.62: Static Route Configuration in the Site1[\/caption]\r\n\r\nOn the Site2 firewall, configure these settings:\r\n\r\n\r\n\r\n\r\n\r\n
      Table 3.15: Site2 Static Route Configuration<\/caption>\r\n
      Parameters<\/th>\r\nValue<\/th>\r\n<\/tr>\r\n
      Destination<\/td>\r\n10.0.0.0\/24<\/td>\r\n<\/tr>\r\n
      Interface<\/td>\r\ntunnel.1<\/td>\r\n<\/tr>\r\n
      Next Hop<\/td>\r\nNone<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n[caption id=\"attachment_316\" align=\"aligncenter\" width=\"1026\"]\"Static Figure 3.63: Static Route Configuration in the Site 2[\/caption]\r\n\r\nThen press OK<\/strong>.\r\n

      Test the Site-to-Site<\/h2>\r\nOn any client device, try and ping the other client on the other site.\r\n\r\n[caption id=\"attachment_317\" align=\"aligncenter\" width=\"1026\"]\"Verify Figure 3.64: Verify your configuration[\/caption]\r\n\r\nIf you can ping the other client in the other site, everything worked! If you go to Network > IPSec<\/strong> Tunnels<\/strong>, the Tunnel status should be green<\/span>.","rendered":"
      \n
      \n

      Learning Objectives<\/p>\n<\/header>\n

      \n
        \n
      • Configure site-to-site VPN<\/li>\n
      • Configure static routing<\/li>\n<\/ul>\n<\/div>\n<\/div>\n
        \n

        Prerequisites<\/strong>:<\/p>\n

          \n
        • Create Zones on both firewalls<\/li>\n
        • Create a tunnel interface on both firewalls<\/li>\n
        • Create a policy to allow VPN to Inside on both firewalls<\/li>\n
        • Create a policy to allow Inside to VPN on both firewalls<\/li>\n
        • Interface configuration<\/li>\n
        • Knowledge of previous labs<\/li>\n<\/ul>\n<\/div>\n
          \n

          Scenario<\/strong>: This one is a bit tricky since you will be managing both devices. A site-to-site VPN is what your company would set up if you had offices in other locations without being directly connected to each other. But in this lab, we’ll just take it easy and assume that they have a direct connection to each other. So, we are going to configure site-to-site VPN between two Palo Alto firewalls. Then, you should be able to ping from client-1 to client-2.<\/p>\n<\/div>\n

          \"Main
          Figure 3.54: Main scenario<\/figcaption><\/figure>\n\n\n\n\n\n\n\n\n
          Table 3.8: Addressing Table<\/caption>\n
          Device<\/th>\nConfiguration<\/th>\n<\/tr>\n
          Site-1<\/td>\nmanagement: 192.168.0.1\/24
          \nEthernet1\/1: 10.0.0.1\/24
          \nEthernet1\/2: 1.1.1.1\/24<\/td>\n<\/tr>\n
          Site-2<\/td>\nmanagement: 192.168.0.2\/24
          \nEthernet1\/1: 172.16.10.1\/24
          \nEthernet1\/2: 1.1.1.2\/24<\/td>\n<\/tr>\n
          Site1-Client<\/td>\neth0: 10.0.0.2\/24 GW: 10.0.0.1<\/td>\n<\/tr>\n
          Site2-Client<\/td>\neth0: 172.16.10.2\/24 GW: 172.16.10.1<\/td>\n<\/tr>\n
          Management1<\/td>\neth0: 192.168.0.3\/24<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n\n\n\n\n\n
          Table 3.9: Zone Configuration for Site1<\/caption>\n
          Zone<\/th>\nInterface<\/th>\n<\/tr>\n
          Inside<\/td>\nEthernet1\/1<\/td>\n<\/tr>\n
          VPN<\/td>\nEthernet1\/2, tunnel.1<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n\n\n\n\n\n
          Table 3.10: Zone Configuration for Site2<\/caption>\n
          Zone<\/th>\nInterface<\/th>\n<\/tr>\n
          Inside<\/td>\nEthernet1\/1<\/td>\n<\/tr>\n
          VPN<\/td>\nEthernet1\/2, tunnel.1<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

          Create an IKE Gateway<\/h2>\n

          Under Network > Network Profiles > IKE Gateways<\/strong>, click Add<\/b>.<\/p>\n

          \"Add
          Figure 3.55: Add an IKE Gateway<\/figcaption><\/figure>\n

          On the Site1 firewall, configure these settings:<\/p>\n\n\n\n\n\n\n\n\n\n
          Table 3.11: Site1 IKE Gateway Configuration<\/caption>\n
          Parameter<\/th>\nValue<\/th>\n<\/tr>\n
          Interface<\/td>\nEthernet1\/2<\/td>\n<\/tr>\n
          Local IP Address<\/td>\n1.1.1.1\/24<\/td>\n<\/tr>\n
          Peer IP Address Type<\/td>\nIP<\/td>\n<\/tr>\n
          Peer Address<\/td>\n1.1.1.2<\/td>\n<\/tr>\n
          Pre-shared Key<\/td>\nPassword Here<\/em><\/td>\n<\/tr>\n
          Confirm Pre-shared key<\/td>\nConfirm Password Here<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
          \"Site1
          Figure 3.56: Site1 Firewall: IKE Gateway Configuration<\/figcaption><\/figure>\n

          Then press OK<\/strong>.<\/p>\n

          On the Site2 firewall, configure these settings:<\/p>\n\n\n\n\n\n\n\n\n\n
          Table 3.12: Site2 IKE Gateway Configuration<\/caption>\n
          Parameters<\/th>\nValue<\/th>\n<\/tr>\n
          Interface<\/td>\nEthernet1\/2<\/td>\n<\/tr>\n
          Local IP Address<\/td>\n1.1.1.2\/24<\/td>\n<\/tr>\n
          Peer IP Address Type<\/td>\nIP<\/td>\n<\/tr>\n
          Peer Address<\/td>\n1.1.1.1<\/td>\n<\/tr>\n
          Pre-shared Key<\/td>\nSame Password as before here<\/em><\/td>\n<\/tr>\n
          Confirm Pre-shared key<\/td>\nConfirm same password as before here<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
          \"Site2
          Figure 3.57: Site2 Firewall: IKE Gateway Configuration<\/figcaption><\/figure>\n

          Then press OK<\/strong>.<\/p>\n

          Create an IPsec Tunnel<\/h2>\n

          Under Network > IPsec Tunnel<\/strong>, click Add<\/b>.<\/p>\n

          \"Site1
          Figure 3.58: Site1 Firewall: Add an IPsec Tunnel<\/figcaption><\/figure>\n

          On both firewalls, configure these settings:<\/p>\n\n\n\n\n\n
          Table 3.13: IPsec Tunnel Configuration<\/caption>\n
          Parameters<\/th>\nValue<\/th>\n<\/tr>\n
          Tunnel Interface<\/td>\ntunnel.1<\/td>\n<\/tr>\n
          IKE Gateway<\/td>\nThe one you created on the respective firewall<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
          \"Site1
          Figure 3.59: Site1 and Site2 Firewall: IPsec Tunnel Configuration<\/figcaption><\/figure>\n

          Create Static Routes<\/h2>\n

          Under Network > Virtual Routers<\/strong>, click default.<\/p>\n

          \"Virtual
          Figure 3.60: Virtual Routers Configuration<\/figcaption><\/figure>\n

          Under the static routes tab, click Add<\/b>.<\/p>\n

          \"Add
          Figure 3.61: Add a Static Route in the Site1<\/figcaption><\/figure>\n

          On the Site1 firewall, configure these settings:<\/p>\n\n\n\n\n\n\n
          Table 3.14: Site1 Static Route Configuration<\/caption>\n
          Parameters<\/th>\nValue<\/th>\n<\/tr>\n
          Destination<\/td>\n172.16.10.0\/24<\/td>\n<\/tr>\n
          Interface<\/td>\ntunnel.1<\/td>\n<\/tr>\n
          Next Hop<\/td>\nNone<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
          \"Static
          Figure 3.62: Static Route Configuration in the Site1<\/figcaption><\/figure>\n

          On the Site2 firewall, configure these settings:<\/p>\n\n\n\n\n\n\n
          Table 3.15: Site2 Static Route Configuration<\/caption>\n
          Parameters<\/th>\nValue<\/th>\n<\/tr>\n
          Destination<\/td>\n10.0.0.0\/24<\/td>\n<\/tr>\n
          Interface<\/td>\ntunnel.1<\/td>\n<\/tr>\n
          Next Hop<\/td>\nNone<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
          \"Static
          Figure 3.63: Static Route Configuration in the Site 2<\/figcaption><\/figure>\n

          Then press OK<\/strong>.<\/p>\n

          Test the Site-to-Site<\/h2>\n

          On any client device, try and ping the other client on the other site.<\/p>\n

          \"Verify
          Figure 3.64: Verify your configuration<\/figcaption><\/figure>\n

          If you can ping the other client in the other site, everything worked! If you go to Network > IPSec<\/strong> Tunnels<\/strong>, the Tunnel status should be green<\/span>.<\/p>\n","protected":false},"author":1572,"menu_order":3,"template":"","meta":{"pb_show_title":"on","pb_short_title":"","pb_subtitle":"","pb_authors":[],"pb_section_license":""},"chapter-type":[],"contributor":[],"license":[],"class_list":["post-131","chapter","type-chapter","status-publish","hentry"],"part":123,"_links":{"self":[{"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters\/131","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters"}],"about":[{"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/wp\/v2\/types\/chapter"}],"author":[{"embeddable":true,"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/wp\/v2\/users\/1572"}],"version-history":[{"count":25,"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters\/131\/revisions"}],"predecessor-version":[{"id":1334,"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters\/131\/revisions\/1334"}],"part":[{"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/parts\/123"}],"metadata":[{"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters\/131\/metadata\/"}],"wp:attachment":[{"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/wp\/v2\/media?parent=131"}],"wp:term":[{"taxonomy":"chapter-type","embeddable":true,"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapter-type?post=131"},{"taxonomy":"contributor","embeddable":true,"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/wp\/v2\/contributor?post=131"},{"taxonomy":"license","embeddable":true,"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/wp\/v2\/license?post=131"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}