Tunnel Interface
To set up a VPN tunnel, the Layer 3 interface at each
end must have a logical
tunnel interface for the firewall
to connect to and establish a VPN tunnel. A tunnel interface is
a logical (virtual) interface that is used to deliver traffic between
two endpoints. If you configure any proxy IDs, each proxy ID counts
toward the firewall's IPSec tunnel capacity.
The tunnel interface must belong to a security zone to apply
policy and it must be assigned to a virtual router in order to use
the existing routing infrastructure. Ensure that the tunnel interface
and the physical interface are assigned to the same virtual router
so that the firewall can perform a route lookup and determine the
appropriate tunnel to use.
Typically, the Layer 3 interface that the tunnel interface is
attached to belongs to an external zone, for example the untrust
zone. While the tunnel interface can be in the same security zone
as the physical interface, for added security and better visibility, you
can create a separate zone for the tunnel interface. If you create
a separate zone for the tunnel interface, say a VPN zone, you will
need to create security policies to enable traffic to flow between
the VPN zone and the trust zone.
To route traffic between the sites, a tunnel interface does not
require an IP address. An IP address is only required if you want
to enable tunnel monitoring or if you are using a dynamic routing
protocol to route traffic across the tunnel. With dynamic routing,
the tunnel IP address serves as the next hop IP address for routing
traffic to the VPN tunnel.
If you are configuring the Palo Alto Networks firewall with a
VPN peer that performs policy-based VPN, you must configure a local
and remote proxy ID when setting up the IPSec tunnel. Each peer
compares the proxy IDs configured on it with what is actually received
in the packet in order to allow a successful IKE phase 2 negotiation. If
multiple tunnels are required, configure unique proxy IDs for each
tunnel interface; a tunnel interface can have a maximum of 250 proxy
IDs. Each proxy ID counts toward the IPSec VPN tunnel capacity
of the firewall, and the tunnel capacity varies by the firewall
model.
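As an added example (not part of the Palo Alto Networks documentation or product), the following Python lints a tunnel-interface configuration against the zone, virtual-router, IP-address and proxy-ID rules described above, and checks whether a policy-based peer's proxy IDs mirror ours, which is the comparison each peer makes during IKE phase 2. The TunnelConfig/ProxyID model and the sample subnets are assumptions constructed for this example; the 250-per-tunnel limit and the configuration rules come from the text.

```python
from dataclasses import dataclass, field
from typing import List, Optional

MAX_PROXY_IDS_PER_TUNNEL = 250  # per-tunnel-interface limit stated in the text

@dataclass(frozen=True)
class ProxyID:
    local: str              # local subnet, CIDR
    remote: str             # remote subnet, CIDR
    protocol: str = "any"

    def mirrored(self) -> "ProxyID":  # entry the peer must carry: sides swapped
        return ProxyID(self.remote, self.local, self.protocol)

@dataclass
class TunnelConfig:
    name: str
    physical_vr: str        # virtual router of the attached Layer 3 interface
    zone: Optional[str] = None
    virtual_router: Optional[str] = None
    ip: Optional[str] = None
    tunnel_monitoring: bool = False
    dynamic_routing: bool = False
    proxy_ids: List[ProxyID] = field(default_factory=list)

def lint_tunnel(t: TunnelConfig) -> List[str]:
    """Flag settings that violate the requirements described in the text."""
    problems = []
    if t.zone is None:
        problems.append(f"{t.name}: no security zone, so no policy can be applied")
    if t.virtual_router is None:
        problems.append(f"{t.name}: not assigned to a virtual router")
    elif t.virtual_router != t.physical_vr:
        problems.append(f"{t.name}: VR {t.virtual_router!r} != physical VR {t.physical_vr!r}; route lookup misses tunnel")
    if (t.tunnel_monitoring or t.dynamic_routing) and t.ip is None:
        problems.append(f"{t.name}: tunnel monitoring/dynamic routing needs a tunnel IP")
    if len(set(t.proxy_ids)) != len(t.proxy_ids):
        problems.append(f"{t.name}: duplicate proxy IDs")
    if len(t.proxy_ids) > MAX_PROXY_IDS_PER_TUNNEL:
        problems.append(f"{t.name}: {len(t.proxy_ids)} proxy IDs exceeds the per-tunnel limit")
    return problems

def phase2_mismatches(ours: List[ProxyID], peers: List[ProxyID]) -> List[ProxyID]:
    peer_set = set(peers)  # our IDs with no mirrored entry here cannot complete phase 2
    return [p for p in ours if p.mirrored() not in peer_set]

# Constructed sample: HQ tunnel vs. a policy-based peer that mirrored only one selector.
HQ = TunnelConfig("tunnel.1", physical_vr="default", zone="vpn", virtual_router="default",
                  proxy_ids=[ProxyID("10.1.0.0/16", "10.2.0.0/16"), ProxyID("10.1.0.0/16", "10.3.0.0/24")])
PEER_IDS = [ProxyID("10.2.0.0/16", "10.1.0.0/16")]
```

Running `lint_tunnel(HQ)` returns no problems, while `phase2_mismatches(HQ.proxy_ids, PEER_IDS)` reports the second selector as the one the peer will reject.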