Route-Based IPsec VPN to Palo Alto
Route-based IPsec VPN with a VTI (Virtual Tunnel Interface) between VyOS and a Palo Alto Networks firewall, for flexible routing and dynamic routing protocol support.
Scenario
- Enterprise hybrid cloud: Yandex/VK Cloud ↔ on-premises Palo Alto
- Dynamic routing: BGP/OSPF over the VPN tunnel
- Multi-site connectivity
VyOS Configuration
# VTI interface (tunnel transit /30; the Palo Alto tunnel interface takes the other address of the /30)
set interfaces vti vti1 address '10.255.255.1/30'
# IKE + ESP groups: each proposal needs encryption, hash and (for IKE) a DH group, matching the Palo Alto IKE/IPSec crypto profiles
set vpn ipsec ike-group IKE-PA key-exchange 'ikev2'
set vpn ipsec ike-group IKE-PA proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-PA proposal 1 hash 'sha256'
set vpn ipsec ike-group IKE-PA proposal 1 dh-group '14'
set vpn ipsec esp-group ESP-PA proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-PA proposal 1 hash 'sha256'
# Outer interface that terminates IKE/ESP (VyOS 1.4 syntax; VyOS 1.3 uses 'set vpn ipsec ipsec-interfaces interface eth0')
set vpn ipsec interface 'eth0'
# Peer: 203.0.113.1 is the Palo Alto WAN address; 198.51.100.1 is a placeholder for this router's WAN address
set vpn ipsec site-to-site peer 203.0.113.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 203.0.113.1 authentication pre-shared-secret 'PSK'
set vpn ipsec site-to-site peer 203.0.113.1 ike-group 'IKE-PA'
set vpn ipsec site-to-site peer 203.0.113.1 local-address '198.51.100.1'
set vpn ipsec site-to-site peer 203.0.113.1 vti bind 'vti1'
set vpn ipsec site-to-site peer 203.0.113.1 vti esp-group 'ESP-PA'
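As an added example (not part of the page and not VyOS's own code), a small Python linter for VyOS IPsec `set` lines such as the ones above or a `show configuration commands` dump: it reports proposals that omit an algorithm, the peer keys a Palo Alto gateway needs to negotiate (ike-group, local-address, an esp-group on the VTI), references to undefined groups, and weak algorithms. The weak-algorithm and placeholder-secret lists are this example's own assumptions.

```python
"""Constructed example (not the page's or VyOS's code): lint VyOS IPsec 'set' lines."""
import shlex

WEAK = {"encryption": {"des", "3des"}, "hash": {"md5", "sha1"}, "dh-group": {"1", "2", "5"}}


def parse_set_lines(text):
    """'set a b c value' -> {('a','b','c'): 'value'}; '#' comments are skipped."""
    cfg = {}
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if len(tok) >= 3 and tok[0] == "set":
            cfg[tuple(tok[1:-1])] = tok[-1]
    return cfg


def _sub(cfg, prefix):  # entries below prefix, re-keyed relative to it
    return {k[len(prefix):]: v for k, v in cfg.items() if k[:len(prefix)] == prefix}


def _names(cfg, prefix):  # node names directly under prefix, e.g. every ike-group
    return sorted({k[len(prefix)] for k in cfg
                   if len(k) > len(prefix) and k[:len(prefix)] == prefix})


def lint_ipsec(text):
    """Return findings; an empty list means complete and free of weak algorithms."""
    cfg, f = parse_set_lines(text), []
    for kind in ("ike-group", "esp-group"):
        for grp in _names(cfg, ("vpn", "ipsec", kind)):
            g = _sub(cfg, ("vpn", "ipsec", kind, grp))
            need = ["encryption", "hash"] + (["dh-group"] if kind == "ike-group" else [])
            for alg in need:  # proposal 1 must name every algorithm explicitly
                val = g.get(("proposal", "1", alg))
                if val is None:
                    f.append(f"{kind} {grp}: proposal 1 lacks {alg}")
                elif val in WEAK[alg]:
                    f.append(f"{kind} {grp}: weak {alg} {val}")
    for peer in _names(cfg, ("vpn", "ipsec", "site-to-site", "peer")):
        p = _sub(cfg, ("vpn", "ipsec", "site-to-site", "peer", peer))
        for req in (("authentication", "pre-shared-secret"), ("ike-group",),
                    ("local-address",), ("vti", "bind"), ("vti", "esp-group")):
            if req not in p:
                f.append(f"peer {peer}: missing {' '.join(req)}")
        if p.get(("authentication", "pre-shared-secret")) in {"PSK", "changeme"}:
            f.append(f"peer {peer}: placeholder pre-shared-secret")
        for kind, key in (("ike-group", ("ike-group",)), ("esp-group", ("vti", "esp-group"))):
            if p.get(key) and p[key] not in _names(cfg, ("vpn", "ipsec", kind)):
                f.append(f"peer {peer}: {kind} {p[key]} is not defined")
    return f
```

Run `lint_ipsec` over the commit candidate before `commit`; a non-empty list is the set of reasons the Palo Alto side would fail phase 1 or phase 2 or accept a weaker suite than intended.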