Monday 12 June 2017

How to Configure IPSec VPN in Palo Alto

This document describes the steps to configure IPSec VPN and assumes the Palo Alto Networks firewall has at least two interfaces operating in Layer 3 mode.

Steps

  1. Go to Network > Interface > Tunnel, click Add to create a new tunnel interface and assign the following parameters:
    Name: tunnel.1
    Virtual router: (select the existing virtual router)
    Security Zone: (select the Layer 3 internal zone from which the traffic will originate)
    Note: If the tunnel interface is in a zone different from the zone where the traffic will originate or depart, a security policy must be created to allow the traffic to flow from the source zone to the zone containing the tunnel interface.
  2. Go to Network > Network Profiles > IKE Crypto, click Add and define the IKE Crypto profile (IKEv1 Phase-1) parameters. The profile name is arbitrary; choose whatever you like.
    These parameters must match on the remote firewall for the IKE Phase-1 negotiation to succeed.
  3. Go to Network > Network Profiles > IKE Gateway to configure the IKE Phase-1 Gateway. There are options for the Version where you can select IKEv1 only mode, IKEv2 only mode or IKEv2 preferred mode.

    Select the IKE version that the gateway supports and must agree to use with the peer gateway. IKEv2 preferred mode causes the gateway to negotiate for IKEv2, and if the peer also supports IKEv2, that is what they will use. Otherwise, the gateway falls back to IKEv1.

    Note: The tunnel configured above will terminate in the Trust zone for traffic traversing the tunnel, although if more granular control is desired for the policy configuration in the tunnel, use a VPN or other zone. Also, note that the gateway configuration below will be configured for the Untrust interface, not to be confused with the tunnel terminating on a trusted interface.
  4. Under Network > Network Profiles > IPSec Crypto, click Add to create a new profile. The IPSec Crypto profile specifies the protocols and algorithms used for identification, authentication, and encryption in VPN tunnels based on the IPSec SA negotiation (IKEv1 Phase-2). These parameters must match on the remote firewall for the IKE Phase-2 negotiation to succeed.
  5. Under Network > IPSec Tunnels, click Add to create a new IPSec Tunnel. In the General window, select the Tunnel Interface, the IKE Gateway and the IPSec Crypto Profile created above to set up the parameters that establish the IPSec VPN tunnel between the firewalls.
    Note: If the other side of the tunnel is a third-party VPN device configured as a route-based VPN, enter a local proxy ID and a remote proxy ID that match the peer's configuration; these will typically be the local and remote LAN subnets.

    When configuring a Proxy-ID on the IPSec Tunnel to identify local and remote IP networks for traffic that is NATed, the Proxy-ID must be configured with the post-NAT IP network information, because the Proxy-ID defines the networks that will be allowed through the tunnel on both sides of the IPSec configuration.
  6. Under Network > Virtual Routers, click on your Virtual router profile, then click Static Routes, add a new route for the network that is behind the other VPN endpoint. Be sure to use the proper Tunnel Interface. Click OK when done.
  7. Commit the configuration.

Note: Palo Alto Networks firewalls support only tunnel mode for IPSec VPN; transport mode is not supported.
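The steps above repeatedly require that the two ends agree: on the IKE version (IKEv2 preferred falls back to IKEv1 only if the peer cannot do IKEv2), on the Phase-1 and Phase-2 profile parameters, and on mirrored post-NAT proxy-IDs for route-based peers. The following pre-commit sanity check encodes those rules; it is an added example, not code from this post or from Palo Alto Networks, and the firewall names, subnets and algorithm values are constructed sample data.

```python
"""Pre-commit sanity check for a planned Palo Alto-to-peer IPSec VPN.

Encodes the agreement rules from the configuration steps: IKE version
negotiation (ikev2-preferred falls back to IKEv1), identical Phase-1/Phase-2
parameters on both ends, and mirrored route-based proxy-IDs (local on one
side must equal remote on the other). All values are constructed samples.
"""
from dataclasses import dataclass


@dataclass
class Side:
    ike_version: str     # "ikev1", "ikev2" or "ikev2-preferred"
    ike_crypto: dict     # Phase-1 profile: dh, enc, auth
    ipsec_crypto: dict   # Phase-2 profile: enc, auth, pfs
    proxy_local: str     # post-NAT LAN subnet behind this firewall
    proxy_remote: str    # post-NAT LAN subnet behind the peer


def negotiate_version(a: str, b: str):
    """Return the IKE version both gateways will use, or None if they cannot agree."""
    if a in ("ikev2", "ikev2-preferred") and b in ("ikev2", "ikev2-preferred"):
        return "ikev2"
    if a in ("ikev1", "ikev2-preferred") and b in ("ikev1", "ikev2-preferred"):
        return "ikev1"
    return None  # one side is IKEv2-only, the other IKEv1-only


def check_tunnel(local: Side, peer: Side) -> list:
    """Return human-readable problems; an empty list means the plan is consistent."""
    problems = []
    if negotiate_version(local.ike_version, peer.ike_version) is None:
        problems.append(f"IKE version conflict: {local.ike_version} vs {peer.ike_version}")
    for phase, mine, theirs in (("Phase-1", local.ike_crypto, peer.ike_crypto),
                                ("Phase-2", local.ipsec_crypto, peer.ipsec_crypto)):
        for key in sorted(set(mine) | set(theirs)):
            if mine.get(key) != theirs.get(key):
                problems.append(f"{phase} {key} mismatch: {mine.get(key)} vs {theirs.get(key)}")
    # Route-based peers: each side's local proxy-ID must be the other side's remote.
    if local.proxy_local != peer.proxy_remote or local.proxy_remote != peer.proxy_local:
        problems.append("proxy-ID not mirrored between the two ends")
    return problems


# Constructed sample: an IKEv2-preferred HQ firewall peering with an IKEv1-only branch.
HQ = Side("ikev2-preferred", {"dh": "group14", "enc": "aes-256-cbc", "auth": "sha256"},
          {"enc": "aes-256-cbc", "auth": "sha256", "pfs": "group14"}, "10.1.0.0/24", "10.2.0.0/24")
BRANCH = Side("ikev1", {"dh": "group14", "enc": "aes-256-cbc", "auth": "sha256"},
              {"enc": "aes-256-cbc", "auth": "sha1", "pfs": "group14"}, "10.2.0.0/24", "10.1.0.0/24")

if __name__ == "__main__":
    for p in check_tunnel(HQ, BRANCH):
        print("PROBLEM:", p)  # the Phase-2 auth mismatch (sha256 vs sha1) would stall Phase-2
```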
