How to configure IPSec VPN Site-to-Site between Palo Alto and Draytek Vigor2925 with WAN IP as static IP

1. The Purpose of the article

The article will show you how to configure IPSec VPN Site-to-Site between two firewall devices Palo Alto and Draytek Vigor2925.

2. Diagram

Details:

Site A:

  • We have an internet connection on port 1 of the Palo Alto PA-220 device with a static WAN IP of 113.161.93.x using a media converter.
  • Next is the LAN layer 10.146.41.0/24 configured on port 2 of the Palo Alto PA-220 device.

Site B:

  • We have the internet connected at WAN port 1 of the Draytek Vigor2925 router with a static WAN IP of 113.190.242.x using a media converter.
  • Next is the LAN layer 192.168.4.0/24 configured on port 1 of the Draytek device.

3. Scenario

We will perform the IPSec VPN Site-to-Site configuration between the Palo Alto PA-220 and the Draytek Vigor2925 so that the LAN networks of both sites, 10.146.41.0/24 and 192.168.4.0/24, can reach each other.

4. What to do

Draytek Vigor2925:

  • Configure Common Settings
  • Configure Dial-Out Settings
  • Configure TCP/IP Network Settings

Palo Alto PA-220:

  • Create Zone
  • Create Address Object
  • Create Interface Tunnel
  • Create Virtual Routers
  • Create IKE Crypto
  • Create IPSec Crypto
  • Create IKE Gateways
  • Create IPSec Tunnels
  • Create Policy

Check the Results

5. Configuration

5.1 Draytek Vigor2925

To create a VPN connection on Draytek we need to log in to the admin page, then go to VPN and Remote Access > LAN to LAN.

Click on any Index you want to create, here I click on Index 2.

The Profile Index table appears; we will configure the Common Settings, Dial-Out Settings and TCP/IP Network Settings sections.

5.1.1. Configure Common Settings

In this section we will configure the following parameters:

  • Profile Name: VPN_DR_PA
  • Check box Enable this profile
  • Call Direction: select Dial-Out (the Draytek device will wait for the other device to make the incoming VPN connection)
  • Tunnel Mode: select Always on
  • VPN Dial-Out Through: Select WAN1 First and select the IP address of the WAN1 port as 113.190.242.x.
  • Netbios Naming Packet: select Pass
  • Multicast via VPN: Block

5.1.2. Configure Dial-Out Settings

In this section we will configure the following parameters:

  • Type of Server I am calling: select IPSec Tunnel IKEv1
  • Server IP/Host Name for VPN: enter Palo Alto’s WAN IP address 113.161.93.x.
  • IKE Authentication Method: select Pre-Shared Key and enter the password in the box next to it. (Remember this password; the same one must be entered on the Palo Alto side.)
  • IPSec Security Method: check the High (ESP) box and select 3DES with authentication.
  • Then click Advanced; the IKE Advanced settings panel appears, and we configure it with the following parameters.
  • IKE phase 1 mode (IKEv1): select Main mode
  • IKE phase 1 proposal: select 3DES_MD5_G2
  • IKE phase 2 proposal: select 3DES_MD5
  • IKE phase 1 key lifetime: 28800
  • IKE phase 2 key lifetime: 3600
  • Perfect Forward Secret: select Disable.
  • Click OK to save.

5.1.3. Configure TCP/IP Network Settings

In this section we will configure the following parameters:

  • Remote Network IP: type Palo Alto’s LAN IP is 10.146.41.1
  • Remote Network Mask: select 255.255.240.0/20
  • Local Network IP: enter Draytek’s LAN IP as 192.168.4.1
  • Local Network Mask: select 255.255.255.0/24
  • Click OK.

Go back to the LAN-to-LAN Profiles panel and select Enable for the newly created index profile and click OK to enable this profile.

5.2 Palo Alto PA-220

5.2.1. Create Zone

We need to create zones for VPN connections.

To create go to Network > Zones.

Click Add and create according to the following information:

  • Name: VPN
  • Type: Layer3
  • Click OK.

Click Commit and OK to save the configuration changes.

5.2.2. Create Address Object

We will create the Address Object for the 2 LAN layers of Palo Alto and Draytek devices.

To create go to Object > Addresses.

Click Add and create according to the following parameters.

Palo Alto LAN:

  • Name: PA_LAN
  • Type: IP Netmask – 10.146.41.0/24
  • Click OK.

Draytek LAN:

  • Name: Draytek_LAN
  • Type: IP Netmask – 192.168.4.0/24
  • Click OK.

Click Commit and OK to save the configuration changes.

5.2.3. Create Interface Tunnel

To create go to Network > Interface > Tunnel.

Click Add and create according to the following information:

  • Interface Name: tunnel.2
  • Virtual Router: None
  • Security Zone: VPN
  • Click OK.

Click Commit and OK to save the configuration changes.

5.2.4. Create Virtual Routers

To create Virtual Routers go to Network > Virtual Routers > click Add and configure according to the following information.

Tab Router Settings:

  • Name: VR1
  • Tab General: Click Add and select the vlan ports (LAN port), ethernet1/1 (internet port) and tunnel.2 (the tunnel used for VPN connection).

Tab Static Routes > IPv4:

Click Add to add static routes and fill in the following information:

  • Name: VPN_PA_2_Draytek
  • Destination: Draytek_LAN
  • Interface: tunnel.2
  • Click OK twice.

Click Commit and OK to save the configuration changes.

5.2.5. Create IKE Crypto

We will create the IKE Crypto profile, i.e. Phase 1, for the VPN connection.

To create, go to Network > IKE Crypto click Add and create according to the following information:

  • Name: VPN_PA_2_Draytek_Phrase1
  • DH Group: group2
  • Encryption: 3des
  • Authentication: md5
  • Key Lifetime: Seconds – 28800
  • Click OK

Click Commit and OK to save the configuration changes.

5.2.6. Configure IPSec Crypto

To create IPSec Crypto go to Network > IPSec Crypto and click Add.

Configure according to the following parameters:

  • Name: VPN_PA_2_Draytek_Phrase2
  • IPSec Protocol: ESP
  • Encryption: 3des
  • Authentication: md5
  • DH Group: no-pfs
  • Lifetime: Seconds – 3600
  • Click OK

Click Commit and OK to save the configuration changes.

5.2.7. Create IKE Gateways

To create it go to Network > IKE Gateways and click Add.

Configure according to the following parameters

General:

  • Name: VPN_PA_2_Draytek_IKE
  • Version: IKEv1 only mode
  • Address Type: IPv4
  • Interface: ethernet1/1 (Palo Alto’s WAN port)
  • Local IP Address: None
  • Peer Address: 113.190.242.x
  • Authentication: Pre-shared Key
  • Pre-shared key: enter the connection password (this password must be the same as the password set on Draytek)
  • Confirm Pre-shared key: re-enter the connection password.

Advanced Options:

  • Exchange Mode: select main
  • IKE Crypto Profile: VPN_PA_2_Draytek_Phrase1
  • Click OK.

Click Commit and OK to save the configuration changes.

5.2.8. Create IPSec Tunnels

Now we will start creating a VPN connection with the Draytek device.

To create, go to Network > IPSec Tunnels and click Add.

Create with the following information.

Tab General:

  • Name: VPN_PA_2_Draytek
  • Tunnel Interface: tunnel.2
  • Type: Auto Key
  • Address Type: IPv4
  • IKE Gateways: VPN_PA_2_Draytek_IKE
  • IPSec Crypto Profile: VPN_PA_2_Draytek_Phrase2

Tab Proxy IDs:

Click Add and configure the following information:

  • Proxy ID: Peer-1
  • Local: 10.146.41.0/24
  • Remote: 192.168.4.0/24
  • Protocol: Any
  • Click OK twice.

After creating IPSec Tunnels, we click on the newly created tunnel and click Enable to enable this tunnel.

Click Commit and OK to save the configuration changes.
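A consistency check of the values entered on the two sides, written as an added example (not from the article or from either vendor's tooling): it maps the Draytek proposal strings from 5.1.2 onto the Palo Alto crypto-profile fields from 5.2.5 and 5.2.6, and normalises the Draytek IP-plus-mask networks from 5.1.3 to prefixes so they can be compared with the Proxy IDs in 5.2.8. The Draytek-to-PAN-OS name table is an assumption that covers only the options the article uses.

```python
"""Pre-flight check that the values typed into the Draytek and Palo Alto GUIs
describe the same IKEv1 tunnel. Added example, not the article's own material."""
import ipaddress

# Draytek proposal strings follow ENC_HASH[_GROUP], e.g. 3DES_MD5_G2 (phase 1)
# or 3DES_MD5 (phase 2 with PFS disabled). The mapping to PAN-OS profile values
# is an assumption covering only the options used in the article.
DRAYTEK_NAMES = {"3DES": "3des", "AES128": "aes-128-cbc", "AES256": "aes-256-cbc",
                 "MD5": "md5", "SHA1": "sha1", "SHA256": "sha256",
                 "G1": "group1", "G2": "group2", "G5": "group5", "G14": "group14"}

def parse_draytek_proposal(proposal):
    """Map a Draytek proposal string onto Palo Alto crypto-profile fields."""
    parts = proposal.upper().split("_")
    group = DRAYTEK_NAMES[parts[2]] if len(parts) > 2 else "no-pfs"
    return {"encryption": DRAYTEK_NAMES[parts[0]],
            "authentication": DRAYTEK_NAMES[parts[1]], "dh_group": group}

def proposal_differences(draytek_proposal, draytek_lifetime, pan_profile):
    """Return the fields where the two sides disagree (empty list means match)."""
    want = parse_draytek_proposal(draytek_proposal)
    want["lifetime"] = draytek_lifetime
    return [f for f in want if want[f] != pan_profile.get(f)]

def selector_difference(draytek_ip, draytek_mask, pan_proxy_id):
    """Draytek stores an IP plus mask, Palo Alto a prefix: normalise both to a
    network and return a description of the difference, or None if equal."""
    dr_net = ipaddress.ip_network(f"{draytek_ip}/{draytek_mask}", strict=False)
    pa_net = ipaddress.ip_network(pan_proxy_id, strict=False)
    return None if dr_net == pa_net else f"Draytek {dr_net} vs Palo Alto {pa_net}"

def check_article_values():
    """Run the checks over the values from sections 5.1.2, 5.1.3 and 5.2.5-5.2.8."""
    phase1 = {"encryption": "3des", "authentication": "md5",
              "dh_group": "group2", "lifetime": 28800}
    phase2 = {"encryption": "3des", "authentication": "md5",
              "dh_group": "no-pfs", "lifetime": 3600}
    return {
        "phase1": proposal_differences("3DES_MD5_G2", 28800, phase1),
        "phase2": proposal_differences("3DES_MD5", 3600, phase2),
        # Draytek "Remote Network" must equal the Palo Alto *local* Proxy ID,
        # and Draytek "Local Network" the Palo Alto *remote* Proxy ID.
        "pa_local": selector_difference("10.146.41.1", "255.255.240.0", "10.146.41.0/24"),
        "pa_remote": selector_difference("192.168.4.1", "255.255.255.0", "192.168.4.0/24"),
    }
```

With the article's values it reports that the phase 1 and phase 2 proposals match, and that the Draytek Remote Network 10.146.41.1 with mask 255.255.240.0 normalises to 10.146.32.0/20 rather than the 10.146.41.0/24 used as the Palo Alto local Proxy ID.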

5.2.9. Create Policy

We need to create a policy that allows traffic from Palo Alto’s LAN layer to pass through Draytek’s LAN layer and vice versa.

To create a policy go to Policies > Security and click Add.

Create a policy that allows traffic from Palo Alto’s LAN layer to pass through Draytek’s LAN layer with the following information:

Tab General:

  • Name: VPN_PA_Draytek
  • Rule Type: universal (default)

Tab Source:

  • Source Zone: Click Add and select Trust-Layer3 (This is the zone of the LAN layer)
  • Source Address: Click Add and select PA_LAN (PA_LAN is the Address Object we created earlier)

Tab Destination:

  • Destination Zone: VPN
  • Destination Address: Draytek_LAN (this is the Address Object created at the beginning)

Tab Action:

  • Action: Select Allow.
  • Click OK.

Next we will click Add and create a policy that allows traffic to go from Draytek’s LAN layer to Palo Alto’s LAN layer with the following information:

Tab General:

  • Name: VPN_Draytek_2_PA
  • Rule Type: universal (default)

Tab Source:

  • Source Zone: click Add and select VPN
  • Source Address: Click Add and select Draytek_LAN (Draytek_LAN is the Address Object we created earlier)

Tab Destination:

  • Destination Zone: Trust-Layer3 (Zone of the LAN layer)
  • Destination Address: PA_LAN (this is the Address Object created at the beginning)

Tab Action:

  • Action: Select Allow.
  • Click OK.

5.3. Result

To check the results on the Palo Alto device, go to Network > IPSec Tunnels.

We will see 2 status dots in the tunnel and green IKE Gateways, which means that the VPN connection has been successfully established.

Switch to Draytek device, you can check whether the VPN connection is successful or not by going to VPN and Remote Access > Connection Management.

You will see the VPN connection has been set up, the status of the connection, the time it was connected, etc.
