Hub and Spoke IPSec VPN

Configuring route based Hub and spoke IPSec VPN

using OSPF
September 2010

Palo Alto Networks

232 E. Java Dr.
Sunnyvale, CA 94089
408.738.7700
www.paloaltonetworks.com
Table of Contents
Overview ............................................................................................................................................ 3
Design Consideration ......................................................................................................................... 3
Topology ............................................................................................................................................. 3
VPN configuration .............................................................................................................................. 4
Configuration for site-A ............................................................................................................... 4
Configuration for site-B ............................................................................................................... 5
OSPF configuration ........................................................................................................................ 6
VPN configuration-Site A.................................................................................................................... 7
OSPF configuration ........................................................................................................................ 8
VPN configuration Site B ................................................................................................................ 9
IKE configuration ......................................................................................................................... 9
IPSec configuration ..................................................................................................................... 9
OSPF configuration ........................................................................................................................ 9
Verification ........................................................................................................................................ 10
HUB site ........................................................................................................................................ 10
Spoke sites ................................................................................................................................... 12
Additional references........................................................................................................................ 13

2010 Palo Alto Networks Page 2

Overview
This document explains the configuration steps required to setup hub and spoke VPN using
PAN-OS. In this example OSPF is used to route traffic between the VPN sites and one of the
spoke site is configured to be a dynamic end point

Design Consideration
The scenario is tested using PAN OS 3.1.3. PAN OS does not support the use of a single tunnel
interface to route traffic to multiple VPN end points. The hub site requires a separate tunnel
interface to connect to each one of the spoke site. Each of the tunnel interfaces is configured as
point-to-point interface. As far as OSPF is concerned adjacencies are always formed over a point-
to-point interface. With point-to-point interfaces each one of segment will belong to a different
subnet.

Topology

In this example, the site B is dynamic end point. Two tunnel interfaces are configured on the HUB
to connect to the spoke sites. Each one of the tunnel interfaces pairs must be in its own subnet.
The table below summarizes the interface and OSPF configuration on each one of the sites

2010 Palo Alto Networks Page 3

Hub
Interface zone IP address Description OSPF area
ethernet 1/1 trust 172.16.101.1/24 0.0.0.141
ethernet 1/2 untrust 1.1.1.141/24 N/A
tunnel.1 VPN 2.1.1.1/30 Tunnel to 0.0.0.0
Site B
tunnel.2 VPN 2.1.1.5/30 Tunnel to 0.0.0.0
Site A

Site A

Interface zone IP address Description OSPF area

ethernet 1/13 trust 192.168.2.1/24 0.0.0.122

ethernet 1/14 untrust 1.1.1.122/24 N/A

tunnel.122 VPN 2.1.1.6/30 Tunnel to 0.0.0.0

HUB

Site B

Interface zone IP address Description OSPF area

ethernet 1/15 trust 192.168.1.1/24 0.0.0.140
ethernet 1/16 untrust Dynamic IP N/A
tunnel.140 VPN 2.1.1.2/30 Tunnel to 0.0.0.0
HUB

VPN configuration
Configuration for site-A
IKE gateway configuration

Network>network profiles> IKE gateways

2010 Palo Alto Networks Page 4

IPSec configuration

Network>IPSec tunnels

Configuration for site-B

IKE gateway configuration

2010 Palo Alto Networks Page 5

IPSec configuration

OSPF configuration

The tunnel interfaces are assigned to the backbone area 0.0.0.0 with link type of point-to-point.
OSPF adjacencies are always formed on p2p interfaces. The ethernet interface connecting to the

local network is the area 0.0.0.141. figure below shows the snap shot of OSPF configuration for the
area 0.0.0.0

2010 Palo Alto Networks Page 6

VPN configuration-Site A

IKE gateway

IPSec VPN

2010 Palo Alto Networks Page 7

OSPF configuration
The tunnel interfaces are assigned to the backbone area 0.0.0.0 with link type of point-to-point.
OSPF adjacencies are always formed on p2p interfaces. The ethernet interface connecting to the
local network is the area 0.0.0.140. figure below shows the snap shot of OSPF configuration for the
area 0.0.0.0

2010 Palo Alto Networks Page 8

VPN configuration Site B

IKE configuration

IPSec configuration

OSPF configuration
The tunnel interfaces are assigned to the backbone area 0.0.0.0 with link type of point-to-point.
OSPF adjacencies are always formed on p2p interfaces. The ethernet interface connecting to the
local network is the area 0.0.0.122. figure below shows the snap shot of OSPF configuration for the
area 0.0.0.0

2010 Palo Alto Networks Page 9

Verification

HUB site
On the Hub site you will see two active tunnels- one for each spoke

admin@FW-A> show vpn flow

-------------------------------------------------------------------------------
total tunnels configured: 2
filter - type IPSec, state any

total IPSec tunnel configured: 2

total IPSec tunnel shown: 2

name id state local-ip peer-ip tunnel-i/f

-------------------------------------------------------------------------------
vpn-to-siteA 7 active 1.1.1.141 1.1.1.140 tunnel.1
vpn-to-siteB 6 active 1.1.1.141 1.1.1.122 tunnel.2

2010 Palo Alto Networks Page 10

OSPF will form adjacencies with both the spoke sites as shown below

admin@FW-A> show routing protocol ospf neighbor

Options: 0x80:reserved, O:Opaq-LSA capability, DC:demand circuits,

EA:Ext-Attr LSA capability,
N/P:NSSA option, MC:multicase, E:AS external LSA capability,
T:TOS capability
==========
virtual router: vr1
neighbor address: 2.1.1.2
local address binding: 0.0.0.0
type: dynamic
status: full
neighbor router ID: 192.168.100.140
area id: 0.0.0.0
neighbor priority: 1
lifetime remain: 31
messages pending: 0
LSA request pending: 0
options: 0x42: O E
hello suppressed: no
==========
virtual router: vr1
neighbor address: 2.1.1.6
local address binding: 0.0.0.0
type: dynamic
status: full
neighbor router ID: 192.168.100.122
area id: 0.0.0.0
neighbor priority: 1
lifetime remain: 30
messages pending: 0
LSA request pending: 0
options: 0x42: O E
hello suppressed: no

The routes to LAN behind the spoke, 192.168.1.0/24 and 192.168.2.0/24 will be learned via OSPF
with the corresponding tunnel interface as the next hop.

2010 Palo Alto Networks Page 11

Spoke sites
The spoke site will have one active tunnel to the hub. VPN traffic to other spokes will be routed via
the HUB. You will see that the routes to hub 172.16.101.0/24 and site B- 192.168.1.0/24 are
learned via OSPF with tunnel interface as the next hop interface

admin@siteA(active)> show vpn flow

-------------------------------------------------------------------------------
total tunnels configured: 1
filter - type IPSec, state any

total IPSec tunnel configured: 1

total IPSec tunnel shown: 1

name id state local-ip peer-ip tunnel-i/f

-------------------------------------------------------------------------------
IPSec-to-Hub 5 active 1.1.1.122 1.1.1.141 tunnel.122
-------------------------------------------------------------------------------

2010 Palo Alto Networks Page 12

Similarly on site B, routes to the other sites will be learned via OSPF

Additional references
How to Configure and Troubleshoot IPSec VPNs
https://live.paloaltonetworks.com/docs/DOC-1163

Configuring route based IPSec with overlapping networks

https://live.paloaltonetworks.com/docs/DOC-1594

Configuring route based IPSec using OSPF

https://live.paloaltonetworks.com/docs/DOC-1586

Configuring IPSec VPN- Layer 2.pdf

https://live.paloaltonetworks.com/docs/DOC-1575

2010 Palo Alto Networks Page 13