Best way to implement Site-to-Site VPN for 15 remote sites

Hey all, me again! I recently posted about which firewall to use for a multi-site S2S VPN project I have coming up. I’ve received approval and funding, so will soon be ready to replace some aging Cisco Meraki VPN appliances with new PA-440s at the remote sites.

I have 15 remote sites that all have a mix of Cable and Fiber ISPs. Each site will terminate to my primary PA-850 in the datacenter at the hub. Most, if not all, sites will forward all traffic over to the hub in order to utilize the filtering and policies we have in place at the main site (as opposed to buying a subscription for add-ons for each remote firewall; I am hoping it works that way).

I need to start the design phase for this project and I see there are two ways I can approach setting up the tunnels. It looks like I could do a standard VPN tunnel to each site, or deploy using LSVPN.

Is there a best practice on which way to use? Benefits of one over the other? From my research it looks like LSVPN is the way to go, but wanted some feedback on how others are accomplishing this.

Thanks!

Personally, I’d forget LSVPN. Just build IKE gateways/IPsec tunnels for each of your 15 sites and terminate them directly on your “hub” firewall. If you only have a few routes at each site, you could use static routes. Otherwise, for such a small number of sites, you could put IP addresses on your tunnel interfaces and use OSPF on them to advertise your connected routes at each site. You can use Policy Based Forwarding to force all your traffic from your internal zones down the IPsec tunnel to the hub instead of egressing the firewall at the spoke sites.
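To make the design in the reply above concrete, here is an added example (not code from the thread, from Palo Alto Networks, or from any of the posters): a small generator that turns a site table into the per-spoke objects described, namely a numbered tunnel interface carrying a /30, an IKEv2 gateway and IPsec tunnel bound to it with no proxy IDs, OSPF on that interface, and a PBF rule on the spoke that forces LAN traffic into the tunnel. It also hands each spoke its own pre-shared key rather than one key shared by all 15. The site table, interface names, zone names, hub addresses and the router IDs are constructed assumptions, and the PAN-OS `set` command syntax is itself an assumption that must be checked line by line against the target PAN-OS version before anything is pasted into a firewall.

```python
"""Hub-and-spoke route-based IPsec config generator (constructed example).

Renders per-spoke config: tunnel interface with a /30, IKEv2 gateway + IPsec
tunnel (route-based, no proxy ID), OSPF on the tunnel, PBF on the spoke.
PAN-OS 'set' syntax below is an assumption; verify against your PAN-OS version.
"""
import ipaddress
import secrets

# Constructed site table: (name, spoke public IP, spoke LAN). Not real sites.
SITES = [
    ("site01", "203.0.113.10", "10.1.0.0/24"),
    ("site02", "203.0.113.20", "10.2.0.0/24"),
    ("site03", "203.0.113.30", "10.3.0.0/24"),
]

TRANSIT = ipaddress.ip_network("10.255.0.0/24")  # carved into /30s, one per tunnel
HUB_PUBLIC_IP = "198.51.100.1"                   # assumed hub WAN address
WAN_IF, LAN_IF, LAN_ZONE = "ethernet1/1", "ethernet1/2", "trust"  # assumed names
HUB_ROUTER_ID = "10.255.255.1"                   # assumed hub OSPF router-id


def build_plan(sites, transit=TRANSIT, psk_fn=lambda: secrets.token_urlsafe(32)):
    """Give each site a tunnel unit number, a /30 transit subnet and its own PSK.

    One PSK per spoke keeps a compromised branch appliance from being able to
    impersonate the other spokes; a single shared PSK would not.
    """
    subnets = transit.subnets(new_prefix=30)
    plan = []
    for idx, (name, peer_ip, lan) in enumerate(sites, start=1):
        try:
            net = next(subnets)
        except StopIteration:
            raise ValueError(f"{transit} has no /30 left for {name}") from None
        hub_ip, spoke_ip = net.hosts()  # a /30 has exactly two usable addresses
        plan.append({"name": name, "peer_ip": peer_ip, "lan": lan, "tunnel_id": idx,
                     "hub_ip": f"{hub_ip}/30", "spoke_ip": f"{spoke_ip}/30",
                     "psk": psk_fn()})
    return plan


def _tunnel_side(label, tunnel_id, local_ip, peer_ip, psk):
    """Commands common to both ends: tunnel interface, IKEv2 gateway, IPsec, OSPF."""
    gw, tun, tif = f"{label}-gw", f"{label}-ipsec", f"tunnel.{tunnel_id}"
    return [
        f"set network interface tunnel units {tif} ip {local_ip}",
        f'set network interface tunnel units {tif} comment "{label}"',
        f"set zone vpn network layer3 {tif}",
        f"set network virtual-router default interface {tif}",
        f"set network ike gateway {gw} local-address interface {WAN_IF}",
        f"set network ike gateway {gw} peer-address ip {peer_ip}",
        f"set network ike gateway {gw} authentication pre-shared-key key {psk}",
        f"set network ike gateway {gw} protocol version ikev2",
        # Route-based: no proxy ID, so the SA covers 0.0.0.0/0 and the routing
        # table (fed by OSPF) decides what actually enters the tunnel.
        f"set network tunnel ipsec {tun} auto-key ike-gateway {gw}",
        f"set network tunnel ipsec {tun} tunnel-interface {tif}",
        f"set network virtual-router default protocol ospf area 0.0.0.0 interface {tif} enable yes",
        f"set network virtual-router default protocol ospf area 0.0.0.0 interface {tif} link-type p2p",
    ]


def _ospf_global(router_id):
    return ["set network virtual-router default protocol ospf enable yes",
            f"set network virtual-router default protocol ospf router-id {router_id}"]


def hub_config(plan):
    """Every spoke tunnel terminates on the one hub firewall."""
    lines = _ospf_global(HUB_ROUTER_ID)
    for e in plan:
        lines += _tunnel_side(e["name"], e["tunnel_id"], e["hub_ip"], e["peer_ip"], e["psk"])
    return lines


def spoke_config(e):
    """One spoke: tunnel to the hub, LAN advertised via OSPF, PBF everything to hub."""
    tif = f"tunnel.{e['tunnel_id']}"
    lines = _ospf_global(e["spoke_ip"].split("/")[0])
    lines += _tunnel_side("hub", e["tunnel_id"], e["spoke_ip"], HUB_PUBLIC_IP, e["psk"])
    lines += [
        # Advertise the connected LAN without forming adjacencies on it.
        f"set network virtual-router default protocol ospf area 0.0.0.0 interface {LAN_IF} enable yes",
        f"set network virtual-router default protocol ospf area 0.0.0.0 interface {LAN_IF} passive yes",
        # PBF is matched before the routing table, so this overrides the spoke's
        # ISP default route for transit traffic; the firewall's own IKE/ESP
        # packets are not subject to PBF and still leave via the WAN interface.
        f"set rulebase pbf rules lan-to-hub from zone {LAN_ZONE}",
        "set rulebase pbf rules lan-to-hub source any",
        "set rulebase pbf rules lan-to-hub destination any",
        f"set rulebase pbf rules lan-to-hub action forward egress-interface {tif}",
    ]
    return lines


if __name__ == "__main__":
    plan = build_plan(SITES)
    print("\n".join(hub_config(plan)))
    for e in plan:
        print(f"\n# ---- {e['name']} ----\n" + "\n".join(spoke_config(e)))
```

The PBF rule deliberately has no path monitor: if the tunnel drops, the spoke LAN loses connectivity rather than silently egressing the local ISP with none of the hub's filtering applied. Decide which failure mode you want before deploying, and treat the generated PSKs like any other secret (they end up in plain text in the rendered config).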

Have you looked into deploying GlobalProtect Satellite?
AIUI that is the prime use case for this.

Do you not have a redundant hub?

I agree with the others: just standard IPsec route-based tunnels, don’t use proxy IDs. OSPF is easy to implement, IMO, and makes it very easy with dual hubs. With a single hub you could use statics, but I hate static routes personally, so…

This is the way I do it. Other than the initial administrative burden of setting up the tunnels, it’s no trouble at all. I’ve got a PA at the hub and various models of Cisco routers with normal VTI-based IPsec tunnels and OSPF. Don’t mess around with proxy IDs.

Isn’t that LSVPN? GlobalProtect Satellite is part of the configuration with LSVPN.

Agreed. Forget proxy IDs. Only use them as a last resort. For Palo-to-Palo, just do route-based VPNs.

Must be. Never seen it referred to as that, but my dealings have been limited.

I gotcha. Other than ease of deployment, what would you say are the benefits of this over individual VPN tunnels to each site?

My understanding is that, like GP client VPNs, you don’t need to define one per site, just one for all sites.

One satellite configuration vs. an IKE gateway, IPsec tunnel and tunnel interface for each.