Focus

Advanced LSVPN Configuration with Dynamic Routing

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)

Basic LSVPN Configuration with Static Routing

Advanced LSVPN Configuration with iBGP

Advanced LSVPN Configuration with Dynamic Routing

In larger LSVPN deployments with multiple gateways and many satellites, investing a little more time in the initial configuration to set up dynamic routing will simplify the maintenance of gateway configurations because access routes will update dynamically. The following example configuration shows how to extend the basic LSVPN configuration to configure OSPF as the dynamic routing protocol.

Setting up an LSVPN to use OSPF for dynamic routing requires the following additional steps on the gateways and the satellites:

Manual assignment of IP addresses to tunnel interfaces on all gateways and satellites.
Configuration of OSPF point-to-multipoint (P2MP) on the virtual router on all gateways and satellites. In addition, as part of the OSPF configuration on each gateway, you must manually define the tunnel IP address of each satellite as an OSPF neighbor. Similarly, on each satellite, you must manually define the tunnel IP address of each gateway as an OSPF neighbor.

Although dynamic routing requires additional setup during the initial configuration of the LSVPN, it reduces the maintenance tasks associated with keeping routes up to date as topology changes occur on your network.

The following figure shows an LSVPN dynamic routing configuration. This example shows how to configure OSPF as the dynamic routing protocol for the VPN.

For a basic setup of a LSVPN, follow the steps in Basic LSVPN Configuration with Static Routing. You can then complete the steps in the following workflow to extend the configuration to use dynamic routing rather than static routing.

Add an IP address to the tunnel interface configuration on each gateway and each satellite.
Complete the following steps on each gateway and each satellite:
1. Select NetworkInterfacesTunnel and select the tunnel configuration you created for the LSVPN to open the Tunnel Interface dialog.
  If you have not yet created the tunnel interface, see Step 2 in Create Interfaces and Zones for the LSVPN.
2. On the IPv4 tab, click Add and then enter an IP address and subnet mask. For example, to add an IP address for the gateway tunnel interface you would enter 2.2.2.100/24.
3. Click OK to save the configuration.
Configure the dynamic routing protocol on the gateway.
To configure OSPF on the gateway:
1. Select NetworkVirtual Routers and select the virtual router associated with your VPN interfaces.
2. On the Areas tab, click Add to create the backbone area, or, if it is already configured, click on the area ID to edit it.
3. If you are creating a new area, enter an Area ID on the Type tab.
4. On the Interface tab, click Add and select the tunnel Interface you created for the LSVPN.
5. Select p2mp as the Link Type.
6. Click Add in the Neighbors section and enter the IP address of the tunnel interface of each satellite, for example 2.2.2.111.
7. Click OK twice to save the virtual router configuration and then Commit the changes on the gateway.
8. Repeat this step each time you add a new satellite to the LSVPN.
Configure the dynamic routing protocol on the satellite.
To configure OSPF on the satellite:
1. Select NetworkVirtual Routers and select the virtual router associated with your VPN interfaces.
2. On the Areas tab, click Add to create the backbone area, or, if it is already configured, click on the area ID to edit it.
3. If you are creating a new area, enter an Area ID on the Type tab.
4. On the Interface tab, click Add and select the tunnel Interface you created for the LSVPN.
5. Select p2mp as the Link Type.
6. Click Add in the Neighbors section and enter the IP address of the tunnel interface of each GlobalProtect gateway, for example 2.2.2.100.
7. Click OK twice to save the virtual router configuration and then Commit the changes on the gateway.
8. Repeat this step each time you add a new gateway.
Verify that the gateways and satellites are able to form router adjacencies.
- On each satellite and each gateway, confirm that peer adjacencies have formed and that routing table entries have been created for the peers (that is, the satellites have routes to the gateways and the gateways have routes to the satellites). Select NetworkVirtual Router and click the More Runtime Stats link for the virtual router you are using for the LSVPN. On the Routing tab, verify that the LSVPN peer has a route.
- On the OSPFInterface tab, verify that the Type is p2mp.
- On the OSPFNeighbor tab, verify that the firewalls hosting your gateways have established router adjacencies with the firewalls hosting your satellites and vice versa. Also verify that the Status is Full, indicating that full adjacencies have been established.

Basic LSVPN Configuration with Static Routing

Advanced LSVPN Configuration with iBGP

Next-Generation Firewall Docs

Advanced LSVPN Configuration with Dynamic Routing

Next-Generation Firewall Docs

Advanced LSVPN Configuration with Dynamic Routing

Activation & Onboarding

Next-Generation Firewalls

Cloud-Delivered Security Services

Network Security

Visibility & Monitoring

Best Practices

Experts Corner