Configure Data Center (DC-DC) Interconnectivity

Prisma SD-WAN ION data center devices can communicate with each other using standard VPN IPsec tunnels. Learn how to configure DC-DC tunnels in Prisma SD-WAN.
Where Can I Use This?
  • Prisma SD-WAN
What Do I Need?
  • Active Prisma SD-WAN license
Prisma SD-WAN supports standard VPN for the connection between two Data Center ION devices. Both DC ION devices may try to initiate the tunnel, in which case the tunnel is not established. To overcome this issue, Prisma SD-WAN supports a responder-only mode for DC ION devices, in which the ION device only responds to the IKE connection and does not initiate it.
Prisma SD-WAN currently supports this feature only for IPsec VPNs and not for GRE VPNs. Prisma SD-WAN supports both IKEv1 and IKEv2.
  1. Select Manage > Workflows > Devices > Claimed Devices.
  2. From the ellipsis menu, select Configure the device.
  3. On the Configure Interface: New Standard VPN screen, set up the Main Configuration for the new interface.
    1. For Admin Up, select Yes.
    2. (Optional) Enter a Name, Description, and Tags.
    3. Select IPsec as the Standard VPN Type.
      The Interface Type must display as Standard VPN.
    4. Select a Parent Interface to establish the GRE tunnel.
      For a data center ION device, any of the following ports can be used as a parent interface:
      • Any Connect to Internet port
      • Any Connect to Peer Network port
    5. Toggle Scope to Local or Global.
    6. Enter an Inner Tunnel IP Address or Mask.
    7. For the Endpoint name, add the name of the connected Data Center site.
      Note that although configured, the Endpoint will not be pushed to the DC ION device, since the Endpoint applies only for a branch ION device. Hence, you have to enter a Peer IP for the tunnel to be established.
    8. Enter a Peer IP of the connected DC site.
      The Peer IP is mandatory for a DC-DC tunnel.
    9. Select an IPsec Profile.
      Select a created IPsec profile.
    10. Under Advanced Options, navigate to Passive Mode.
      By default, Passive Mode is No, which means that the device can act as a responder and an initiator.
      (Optional) Select Yes for Passive Mode to put the ION device in responder-only mode. Set one end of the tunnel to Yes and the other end to No.
  4. Click Create Standard VPN.
    You can view the DC-DC tunnels on the Overlays Connection page for a DC site.

Port Translation between Data Centers

If one of the ION devices is behind a NAT device, you need to configure an inbound DNAT rule for port translation for the receiving ION device, so that port 4500 is translated to port 4501 for a given IP address.
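
A pre-change check for the two ends of a DC-DC tunnel, covering the constraints described on this page: IPsec type, mandatory Peer IP, Passive Mode set on exactly one end, and DNAT from 4500 to 4501 for an end behind NAT. This is an added example, not Palo Alto Networks code; the dictionary field names and the sample addresses are hypothetical and do not reflect the Prisma SD-WAN API schema.

```python
import ipaddress

# Hypothetical field names for this example; not the Prisma SD-WAN API schema.
def check_dc_dc_pair(a, b):
    """Return a list of findings for two DC-DC Standard VPN endpoint definitions."""
    findings = []
    for end in (a, b):
        name = end["site"]
        # Responder-only (passive) mode is supported for IPsec, not GRE.
        if end.get("vpn_type") != "ipsec":
            findings.append(f"{name}: Standard VPN Type must be IPsec")
        # The Endpoint name is not pushed to a DC ION, so Peer IP is mandatory.
        try:
            ipaddress.ip_address(end.get("peer_ip") or "")
        except ValueError:
            findings.append(f"{name}: Peer IP missing or invalid")
        # An ION behind NAT needs inbound DNAT 4500 -> 4501 on the NAT device.
        if end.get("behind_nat") and end.get("dnat") != (4500, 4501):
            findings.append(f"{name}: behind NAT without DNAT 4500->4501")
    passive = [bool(a.get("passive_mode")), bool(b.get("passive_mode"))]
    if all(passive):
        findings.append("both ends are responder-only: nothing initiates IKE")
    elif not any(passive):
        findings.append("both ends may initiate: set Passive Mode to Yes on one end")
    return findings

# Constructed sample pair (documentation address ranges): DC2 sits behind NAT,
# has no DNAT rule recorded, and both ends are left at the default Passive Mode = No.
DC1 = {"site": "DC1", "vpn_type": "ipsec", "peer_ip": "198.51.100.20",
       "passive_mode": False}
DC2 = {"site": "DC2", "vpn_type": "ipsec", "peer_ip": "192.0.2.10",
       "passive_mode": False, "behind_nat": True}

if __name__ == "__main__":
    for finding in check_dc_dc_pair(DC1, DC2):
        print("FAIL:", finding)
```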