Configure the Linux Instances as Routers

1. Configure the Router 1 instance in VPC 1 located in mainland China.

   You can also configure Router 1 as a VM-series next-generation firewall; these steps show a configuration using two Linux instances as routers.

   1. Open a secure CLI session with the router 1 instance by entering the ssh -i key-file root@ instance-ip, where key-file is the file location where you saved the key and instance-ip is the IP address of the router 1 instance.
   2. Using an editing program such as vi, edit the /etc/sysctl.conf file and add the following line to the file, then save and close the file:

      net.ipv4.ip_forward = 1
   3. Enter sysctl -p to load the new configuration.
   4. Add an iptables rule to allow this instance to accept and forward IPSec tunnel packets by creating a shell script with the name iptables-rule.sh and adding the following lines to the file, substituting router-1-private-ip-address with the private IP address of Router 1 and router-2-private-ip-address with the private IP address of Router 2.

      #!/bin/sh

      iptables -t filter -A FORWARD -i eth0 -j ACCEPT

      iptables -t filter -A FORWARD -o eth0 -j ACCEPT

      iptables -t nat -A PREROUTING -i eth0 -p udp -m udp --dport 500 -j DNAT --to-destination router-2-private-ip-address

      iptables -t nat -A PREROUTING -i eth0 -p udp -m udp --dport 4500 -j DNAT --to-destination router-2-private-ip-address

      iptables -t nat -A POSTROUTING -d router-2-private-ip-address/32 -o eth0 -p udp -m udp --dport 500 -j SNAT --to-source router-1-private-ip-address

      iptables -t nat -A POSTROUTING -d router-2-private-ip-address/32 -o eth0 -p udp -m udp --dport 4500 -j SNAT --to-source router-1-private-ip-address
   5. Save and close the file.
   6. Enter the chmod +x iptables-rule-sh command to make the file executable.
   7. Enter the ./iptables-rule.sh shell script to execute the iptables rule.
   8. Enter the iptables-save command to verify that the rules have been added.
2. Configure the Router 2 instance in VPC 2 located outside of mainland China.

   1. Open a secure CLI session with the router 2 instance by entering the ssh -i key-file root@ instance-ip, where key-file is the file location where you saved the key and instance-ip is the IP address of the router 1 instance.
   2. Using an editing program such as vi, edit the /etc/sysctl.conf file and add the following line to the file, then save and close the file:

      net.ipv4.ip_forward = 1
   3. Enter sysctl -p to load the new configuration.
   4. Add an iptables rule to allow this instance to accept and forward IPSec tunnel packets by creating a shell script with the name iptables-rule.sh and adding the following lines to the file, substituting remote-network-service-ip-address with the Service IP Address of the Prisma Access remote network (PanoramaCloud ServicesStatusNetwork DetailsRemote NetworksService IP Address) and router-2-private-ip-address with the private IP address of Router 2.

      #!/bin/sh

      iptables -t filter -A FORWARD -i eth0 -j ACCEPT

      iptables -t filter -A FORWARD -o eth0 -j ACCEPT

      iptables -t nat -A PREROUTING -s router-2-private-ip-address/32 -i eth0 -p udp -m udp --dport 500 -j DNAT --to-destination remote-network-service-ip-address

      iptables -t nat -A PREROUTING -s router-2-private-ip-address/32 -i eth0 -p udp -m udp --dport 4500 -j DNAT --to-destination remote-network-service-ip-address

      iptables -t nat -A POSTROUTING -d remote-network-service-ip-address/32 -o eth0 -p udp -m udp --dport 500 -j SNAT --to-source router-2-private-ip-address

      iptables -t nat -A POSTROUTING -d remote-network-service-ip-address/32 -o eth0 -p udp -m udp --dport 4500 -j SNAT --to-source router-2-private-ip-address
   5. Save and close the file.
   6. Enter the chmod +x iptables-rule-sh command to make the file executable.
   7. Enter the ./iptables-rule.sh shell script to execute the iptables rule.
   8. Enter the iptables-save command to verify that the rules have been added.