Wednesday 24 May 2017

IPSec VPN Tunnel with Peer Having Dynamic IP Address in Palo Alto

Topology


PA-Firewall A (10.129.70.38)  -----  Router (DHCP server) -------  (DHCP IP) PA-Firewall B


Configuration on PA-Firewall B


Interface on Firewall B gets the IP address dynamically from the DHCP server (interface on Router configured as DHCP server).

(Screenshot: Inter-Dyn.png)

IKE Gateway



(Screenshot: IKE-Dyn-1.png)

Note: In this example, the Local ID is an FQDN (email address). However, any of the available identification types can be used, as long as the same value is configured on the peer end. This is an important setting, since the ID is the only way for the static peer to identify the dynamic gateway.


(Screenshot: IKE-Dyn-2.png)

Note: Since Firewall B has the dynamic IP address, it must be the initiator of the VPN tunnel each time. Hence, do not select "Enable Passive Mode."


IPSec Configuration


(Screenshots: IPSEC-Dyn-1.png, IPSEC_Dyn-2.png)


Configuration on PA-Firewall A


IKE gateway


(Screenshot: Ike-Static-1.png)

Note: Peer Identification on the static peer must match the Local Identification configured on the dynamic peer. Also, "Peer IP Type" is set to dynamic here, since the IP address of the other end is not known in advance.


(Screenshot: IKE-static-2.png)

Note: Since this is the static peer and it does not know the IP address of the dynamic end, it cannot initiate the VPN. Hence, "Enable Passive Mode" is selected here.


IPSec Configuration


(Screenshots: IPSEC-static-1.png, IPSEC_static-2.png)

Initially, while the tunnel is down, an ipsec-esp session is shown with destination 0.0.0.0, since the peer IP is not yet known.

admin@PA-Firewall-A> show session all
--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
1 ipsec-esp ACTIVE TUNN 10.129.72.38[0]/L3-Trust/50 (10.129.72.38[0])
vsys1 0.0.0.0[0]/L3-Untrust (0.0.0.0[0])


Note: L3-Trust is the zone of the tunnel interface and L3-Untrust is the external interface.

As soon as the tunnel comes up, this is replaced with the actual IP address of the dynamic peer:

admin@PA-Firewall-A> show session all
--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
11 ipsec-esp ACTIVE TUNN 10.129.72.38[53613]/L3-Trust/50 (10.129.72.38[61655])
vsys1 1.1.1.5[12024]/L3-Untrust (1.1.1.5[43745])
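As an added check that is not part of the original post: a small Python parser for the session table shown above that reports, for each ipsec-esp tunnel session, whether the dynamic peer's address has been learned or the destination is still the 0.0.0.0 placeholder. The sample text is the two excerpts above; the untrust zone name is taken from the note and is a parameter.

```python
import re

# Sample input: the two "show session all" excerpts from this post (constructed here
# as strings so the parser runs offline).
BEFORE_TUNNEL_UP = """\
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
1 ipsec-esp ACTIVE TUNN 10.129.72.38[0]/L3-Trust/50 (10.129.72.38[0])
vsys1 0.0.0.0[0]/L3-Untrust (0.0.0.0[0])
"""
AFTER_TUNNEL_UP = """\
11 ipsec-esp ACTIVE TUNN 10.129.72.38[53613]/L3-Trust/50 (10.129.72.38[61655])
vsys1 1.1.1.5[12024]/L3-Untrust (1.1.1.5[43745])
"""

# Line 1 of a record: ID, app, state, type, optional flag (blank in the excerpts),
# then source IP[port]/zone/protocol and the NAT-translated source.
_FIRST = re.compile(
    r"^(?P<id>\d+)\s+(?P<app>\S+)\s+(?P<state>\S+)\s+(?P<type>\S+)\s+"
    r"(?:(?P<flag>\S+)\s+)?(?P<src>[\d.]+)\[(?P<sport>\d+)\]/(?P<szone>[^/\s]+)/"
    r"(?P<proto>\d+)\s+\((?P<nat_src>[\d.]+)\[(?P<nat_sport>\d+)\]\)"
)
# Line 2 of a record: vsys, destination IP[port]/zone and the translated destination.
_SECOND = re.compile(
    r"^(?P<vsys>\S+)\s+(?P<dst>[\d.]+)\[(?P<dport>\d+)\]/(?P<dzone>\S+)\s+"
    r"\((?P<nat_dst>[\d.]+)\[(?P<nat_dport>\d+)\]\)"
)

def parse_sessions(output):
    """Turn the two-line-per-session table into a list of dicts; header lines are skipped."""
    sessions, pending = [], None
    for line in output.splitlines():
        line = line.strip()
        if pending is None:
            m = _FIRST.match(line)
            if m:
                pending = m.groupdict()
        else:
            m = _SECOND.match(line)
            if not m:
                raise ValueError("session %s has no destination line" % pending["id"])
            pending.update(m.groupdict())
            sessions.append(pending)
            pending = None
    return sessions

def tunnel_peers(output, untrust_zone="L3-Untrust"):
    """Map each ipsec-esp tunnel session id to the learned peer IP, or None while the
    destination is still the 0.0.0.0 placeholder (dynamic peer not yet known)."""
    peers = {}
    for s in parse_sessions(output):
        if s["app"] == "ipsec-esp" and s["type"] == "TUNN" and s["dzone"] == untrust_zone:
            peers[s["id"]] = None if s["dst"] == "0.0.0.0" else s["dst"]
    return peers
```

Feeding the live output of `show session all` to `tunnel_peers` gives a quick way to confirm from the static side that the dynamic peer has actually connected, since the static peer cannot initiate and will otherwise sit on the placeholder session indefinitely.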
