How to configure IPSec between 2 Palo Alto devices in the external and internal firewall model

1.The purpose of the article

In this article, techbast will show you how to configure the IPSec VPN Site to site between 2 Palo Alto devices when 2 Palo Alto devices are behind 2 other Palo Alto devices.

2.Diagram

Details:

Head Office:

  • At the head office site we will have an external and internal firewall model with 2 devices: Palo Alto Firewall 1 is the external firewall and Palo Alto Firewall 3 is the internal firewall.
  • The internet connection is on ethernet1/1 of Palo Alto Firewall 1 with IP 172.16.31.254.
  • The LAN of Palo Alto Firewall 1 is configured on the ethernet1/2 port with IP 10.145.41.1/24 and has DHCP configured to allocate addresses to the devices connected to it.
  • On Palo Alto Firewall 3 the WAN port is ethernet1/1, which is connected to the ethernet1/2 port of Palo Alto Firewall 1; ethernet1/1 on Palo Alto Firewall 3 is set to the static IP 10.145.41.253/24.
  • Palo Alto Firewall 3’s LAN is configured on the ethernet1/2 port with IP 192.168.1.1/24 and has DHCP configured.

Branch office:

  • At the branch office site we will have an external and internal firewall model with 2 devices: Palo Alto Firewall 2 is the external firewall and Palo Alto Firewall 4 is the internal firewall.
  • The internet connection is on ethernet1/1 of Palo Alto Firewall 2 with IP 172.16.31.253.
  • The LAN of Palo Alto Firewall 2 is configured on the ethernet1/2 port with IP 192.168.10.1/24 and has DHCP configured to allocate addresses to the devices connected to it.
  • On Palo Alto Firewall 4 the WAN port is ethernet1/1, which is connected to the ethernet1/2 port of Palo Alto Firewall 2; ethernet1/1 on Palo Alto Firewall 4 is set to the static IP 192.168.10.254/24.
  • Palo Alto Firewall 4’s LAN is configured on the ethernet1/2 port with IP 10.150.30.1/24 and has DHCP configured.

3.Scenario

Based on the above diagram, we will configure IPSec VPN Site to site between the Palo Alto Firewall 3 device at the Head Office site and the Palo Alto Firewall 4 device at the Branch Office site so that the LANs of the two sites can communicate with each other.

4.What to do

Palo Alto Firewall 1:

  • Create Service Objects for IPSec service.
  • Create Address Objects for Palo Alto Firewall 3’s WAN IP.
  • Implement NAT IP WAN of Palo Alto Firewall 3 with IPSec service to internet.
  • Create a Policy that allows NAT traffic.

Palo Alto Firewall 3:

  • Create VPN zone.
  • Create Address Object.
  • Create tunnel interface.
  • Create Virtual Routers.
  • Create IKE Crypto.
  • Create IPSec Crypto.
  • Create IKE Gateways.
  • Create IPSec Tunnels.
  • Create policy.

Palo Alto Firewall 2:

  • Create Service Objects for IPSec service.
  • Create Address Objects for Palo Alto Firewall 4’s WAN IP.
  • Implement NAT IP WAN of Palo Alto Firewall 4 with IPSec service to internet.
  • Create a Policy that allows NAT traffic.

Palo Alto Firewall 4:

  • Create VPN zone.
  • Create Address Object.
  • Create tunnel interface.
  • Create Virtual Routers.
  • Create IKE Crypto.
  • Create IPSec Crypto.
  • Create IKE Gateways.
  • Create IPSec Tunnels.
  • Create policy.

Result.

5.Configuration.

5.1.Palo Alto Firewall 1.

5.1.1.Create Service Objects for IPSec service

The IPSec VPN Site to site connection will use the ports UDP 500 and UDP 4500.

We need to create service objects for these two services.

To create, go to Objects > Services > Services > click Add.

Create service objects for UDP 500 with the following information:

  • Name: service-ipsec-vpn-500
  • Protocol: select UDP.
  • Destination Port: 500.
  • Click OK.

Similarly, create service objects for UDP 4500 with the following parameters:

  • Name: service-ipsec-vpn-4500
  • Protocol: select UDP.
  • Destination Port: 4500.
  • Click OK.

Click Commit and OK to save the configuration changes.

5.1.2.Create Address Objects for Palo Alto Firewall 3’s WAN IP.

To create go to Objects > Addresses > Click Add.

Create with the following information:

  • Name: Palo Alto firewall 3.
  • Type: choose IP Netmask and enter the WAN IP of Palo Alto Firewall 3, 10.145.41.253.
  • Click OK.

5.1.3.Implement NAT IP WAN of Palo Alto Firewall 3 with IPSec service to internet.

To NAT go to Policies > NAT > Click Add.

NAT service UDP 500 with the following parameters.

General tab:

  • Name: NAT_IPSec_VPN_500
  • NAT Type: ipv4.

Original Packet tab:

  • Source Zone: click Add and select WAN zone.
  • Destination Zone: select WAN.
  • Destination Interface: choose the WAN port of Palo Alto Firewall 1, ethernet1/1.
  • Service: select service objects service-ipsec-vpn-500.
  • Destination Address: Click Add and enter the WAN IP of Palo Alto Firewall 1 as 172.16.31.254.

Translated Packet tab:

  • Translation type: select Static IP.
  • Translated Address: select address objects Palo Alto firewall 3.
  • Translated Port: type 500.

Click OK.

Similarly, NAT service UDP 4500 with the following parameters.

General tab:

  • Name: NAT_IPSec_VPN_4500
  • NAT Type: ipv4.

Original Packet tab:

  • Source Zone: click Add and select WAN zone.
  • Destination Zone: select WAN.
  • Destination Interface: choose the WAN port of Palo Alto Firewall 1, ethernet1/1.
  • Service: select service objects service-ipsec-vpn-4500.
  • Destination Address: Click Add and enter the WAN IP of Palo Alto Firewall 1 as 172.16.31.254.

Translated Packet tab:

  • Translation type: select Static IP.
  • Translated Address: select address objects Palo Alto firewall 3.
  • Translated Port: type 4500.

Click OK.

Click Commit and OK to save the configuration changes.

5.1.4.Create a Policy that allows NAT traffic.

By default, the firewall does not allow traffic to pass between zones.

So for the NAT rule to work, we need to create a policy that allows the traffic coming in from the internet to reach the LAN.

To create a policy we go to Policies > Security > click Add.

Create a policy with the following parameters.

General tab:

  • Name: NAT_IPSec_service.
  • Rule Type: universal (default).

Source tab:

Source Zone: select WAN zone.

Destination tab:

  • Destination Zone: select LAN zone
  • Destination Address: enter Palo Alto Firewall 1’s WAN IP address as 172.16.31.254.

Service/URL Category tab:

Service: Click Add and select the 2 service objects service-ipsec-vpn-500 and service-ipsec-vpn-4500.

Action tab:

  • Action: select Allow.
  • Log Setting: select Log at Session End.

Click OK.

Click Commit and OK to save the configuration changes.

5.2.Palo Alto Firewall 3

5.2.1.Create Zone

We need to create zones for VPN connections.

To create go to Network > Zones.

Click Add and create the following information:

  • Name: VPN
  • Type: Layer3
  • Click OK.

Click Commit and OK to save the configuration changes.

5.2.2.Create Address Object

We will create the Address Object for the 2 LAN subnets of the Palo Alto firewall 3 and Palo Alto firewall 4 devices.

To create go to Object > Addresses.

Click Add and create according to the following parameters.

Palo Alto Firewall 3 LAN:

  • Name: PA3_LAN
  • Type: IP Netmask – 192.168.1.0/24
  • Click OK.

Palo Alto Firewall 4 LAN:

  • Name: PA4_LAN
  • Type: IP Netmask – 10.150.30.0/24
  • Click OK.

Click Commit and OK to save the configuration changes.

5.2.3.Create Interface Tunnel

To create go to Network > Interface > Tunnel.

Click Add and create according to the following information:

  • Interface Name: tunnel.1
  • Virtual Router: None
  • Security Zone: VPN
  • Click OK.

Click Commit to save the configuration changes.

5.2.4.Create Virtual Routers

To create Virtual Routers go to Network > Virtual Routers > click Add and configure according to the following information.

Tab Router Settings:

  • Name: VR1
  • Tab General: Click Add and select the ports ethernet1/2 (LAN port), ethernet1/1 (internet port) and tunnel.1 (the tunnel used to connect VPN).

Tab Static Routes > IPv4:

Click Add to add static routes and fill in the following information:

  • Name: Route-2
  • Destination: Enter the LAN subnet of Palo Alto firewall 4 as 10.150.30.0/24
  • Interface: tunnel.1
  • Next Hop: None
  • Click OK 2 times.

Click Commit and OK to save the configuration changes.

5.2.5.Create IKE Crypto

We will create the IKE Crypto profile, i.e. Phase 1, for the VPN connection.

To create, go to Network > IKE Crypto click Add and create according to the following information:

  • Name: Phase1
  • DH Group: group2
  • Encryption: aes-256-cbc
  • Authentication: sha256
  • Key Lifetime: Seconds – 5400
  • Click OK.

Click Commit and OK to save the configuration changes.

5.2.6.Create IPSec Crypto

To create IPSec Crypto go to Network > IPSec Crypto and click Add.

Configure according to the following parameters:

  • Name: Phase2
  • IPSec Protocol: ESP
  • Encryption: aes-128-cbc
  • Authentication: sha256
  • DH Group: no-pfs
  • Lifetime: Seconds – 3600
  • Click OK.

Click Commit and OK to save the configuration changes.

5.2.7.Create IKE Gateways

To create go to Network > IKE Gateways and click Add.

Configure according to the following parameters

General tab:

  • Name: IKE
  • Version: IKEv1 only mode
  • Address Type: IPv4
  • Interface: ethernet1/1 (Palo Alto Firewall 3’s WAN port)
  • Local IP Address: 10.145.41.253/24
  • Peer Address: Enter Palo Alto Firewall 2’s WAN IP as 172.16.31.253
  • Authentication: Pre-shared Key
  • Pre-shared key: enter the connection password.
  • Confirm Pre-shared key: re-enter the connection password.
  • Local Identification: select IP address – enter the WAN IP of Palo Alto Firewall 3 as 10.145.41.253.
  • Peer Identification: choose IP address – enter the WAN IP of Palo Alto Firewall 4 as 192.168.10.254.

Advanced Options tab:

  • Exchange mode: select main.
  • IKE Crypto Profile: select Phase1.
  • Click OK.

Click Commit and OK to save the configuration changes.

5.2.8.Create IPSec Tunnels

Now we will start creating a VPN connection with the Palo Alto firewall 4 device.

To create go to Network > IPSec Tunnels and click Add.

Create with the following information.

Tab General:

  • Name: VPN_PA3_TO_PA4
  • Tunnel Interface: tunnel.1
  • Type: Auto Key
  • Address Type: IPv4
  • IKE Gateways: IKE
  • IPSec Crypto Profile: Phase2

Tab Proxy IDs:

Click Add and configure the following information:

  • Proxy ID: Peer-1
  • Local: 192.168.1.0/24
  • Remote: 10.150.30.0/24
  • Protocol: Any
  • Click OK.

Click Commit and OK to save the configuration changes.

5.2.9.Create Policy

We need to create a policy that allows traffic from Palo Alto Firewall 3’s LAN subnet to pass through Palo Alto Firewall 4’s LAN subnet and vice versa.

To create a policy go to Policies > Security and click Add.

Create a policy that allows traffic from the LAN subnet of Palo Alto Firewall 3 to pass through the LAN subnet of Palo Alto Firewall 4 with the following information:

Tab General:

  • Name: LAN_TO_VPN
  • Rule Type: universal (default)

Tab Source:

  • Source Zone: Click Add and select LAN.
  • Source Address: Click Add and select PA3_LAN.

Tab Destination:

  • Destination Zone: VPN
  • Destination Address: PA4_LAN

Tab Action:

  • Action: Select Allow.
  • Click OK.

Next we will click Add and create a policy that allows traffic to go from the LAN subnet of Palo Alto Firewall 4 to the LAN subnet of Palo Alto Firewall 3 with the following information:

Tab General:

  • Name: VPN_TO_LAN
  • Rule Type: universal (default)

Tab Source:

  • Source Zone: click Add and select VPN
  • Source Address: Click Add and select PA4_LAN

Tab Destination:

  • Destination Zone: LAN
  • Destination Address: PA3_LAN

Tab Action:

  • Action: select Allow.
  • Click OK.

5.3.Palo Alto Firewall 2.

5.3.1.Create Service Objects for IPSec service.

The IPSec VPN Site to site connection will use the ports UDP 500 and UDP 4500.

We need to create service objects for these two services.

To create, go to Objects > Services > Services > click Add.

Create service objects for UDP 500 with the following information:

  • Name: service-ipsec-vpn-500
  • Protocol: select UDP.
  • Destination Port: 500.
  • Click OK.

Similarly create service objects for UDP 4500 with the following parameters:

  • Name: service-ipsec-vpn-4500
  • Protocol: select UDP.
  • Destination Port: 4500.
  • Click OK.

Click Commit and OK to save the configuration changes.

5.3.2.Create Address Objects for Palo Alto Firewall 4’s WAN IP.

To create go to Objects > Addresses > Click Add.

Create with the following information:

  • Name: Palo Alto firewall 4.
  • Type: choose IP Netmask and enter the WAN IP of Palo Alto Firewall 4, 192.168.10.254.
  • Click OK.

5.3.3.Implement NAT IP WAN of Palo Alto Firewall 4 with IPSec service to internet.

To NAT go to Policies > NAT > Click Add.

NAT service UDP 500 with the following parameters.

General tab:

  • Name: NAT_IPSec_VPN_500
  • NAT Type: ipv4.

Original Packet tab:

  • Source Zone: Click Add and select WAN zone.
  • Destination Zone: select WAN.
  • Destination Interface: choose the WAN port of Palo Alto Firewall 2, ethernet1/1.
  • Service: select service objects service-ipsec-vpn-500.
  • Destination Address: Click Add and enter the WAN IP of Palo Alto Firewall 2 as 172.16.31.253.

Translated Packet tab:

  • Translation type: select Static IP.
  • Translated Address: select address objects Palo Alto firewall 4.
  • Translated Port: type 500.

Click OK to save.

Similarly, NAT service UDP 4500 with the following parameters.

General tab:

  • Name: NAT_IPSec_VPN_4500
  • NAT Type: ipv4.

Original Packet tab:

  • Source Zone: Click Add and select WAN zone.
  • Destination Zone: select WAN.
  • Destination Interface: choose the WAN port of Palo Alto Firewall 2, ethernet1/1.
  • Service: select service objects service-ipsec-vpn-4500.
  • Destination Address: Click Add and enter the WAN IP of Palo Alto Firewall 2 as 172.16.31.253.

Translated Packet tab:

  • Translation type: select Static IP.
  • Translated Address: select address objects Palo Alto firewall 4.
  • Translated Port: type 4500.
  • Click OK.

Click Commit and OK to save the configuration changes.

5.3.4.Create a Policy that allows NAT traffic.

By default, the firewall does not allow traffic to pass between zones.

So for the NAT rule to work, we need to create a policy that allows the traffic coming in from the internet to reach the LAN.

To create a policy we go to Policies > Security > click Add.

Create a policy with the following parameters.

General tab:

  • Name: NAT_IPSec_service.
  • Rule Type: universal (default).

Source tab:

Source Zone: select WAN.

Destination tab:

  • Destination Zone: select LAN
  • Destination Address: enter Palo Alto Firewall 2’s WAN IP address as 172.16.31.253.

Service/URL Category tab:

Service: Click Add and select the 2 service objects service-ipsec-vpn-500 and service-ipsec-vpn-4500.

Action tab:

  • Action: select Allow.
  • Log Setting: select Log at Session End.

Click OK.

Click Commit and OK to save the configuration changes.

5.4.Palo Alto Firewall 4

5.4.1.Create Zone

We need to create zones for VPN connections.

To create go to Network > Zones.

Click Add and create the following information:

  • Name: VPN
  • Type: Layer3
  • Click OK.

Click Commit and OK to save the configuration changes.

5.4.2.Create Address Object

We will create the Address Object for the 2 LAN subnets of the Palo Alto Firewall 3 and Palo Alto Firewall 4 devices.

To create go to Object > Addresses.

Click Add and create according to the following parameters.

Palo Alto Firewall 3 LAN:

  • Name: PA3_LAN
  • Type: IP Netmask – 192.168.1.0/24
  • Click OK.

Palo Alto Firewall 4 LAN:

  • Name: PA4_LAN
  • Type: IP Netmask – 10.150.30.0/24
  • Click OK.

Click Commit and OK to save the configuration changes.

5.4.3.Create Interface Tunnel

To create go to Network > Interface > Tunnel.

Click Add and create according to the following information:

  • Interface Name: tunnel.1
  • Virtual Router: None
  • Security Zone: VPN
  • Click OK.

Click Commit to save the configuration changes.

5.4.4.Create Virtual Routers

To create Virtual Routers go to Network > Virtual Routers > click Add and configure according to the following information.

Tab Router Settings:

  • Name: VR1
  • Tab General: Click Add and select the ports ethernet1/2 (LAN port), ethernet1/1 (internet port) and tunnel.1 (the tunnel used to connect VPN).

Tab Static Routes > IPv4:

Click Add to add static routes and fill in the following information:

  • Name: Route-2
  • Destination: enter the LAN subnet of Palo Alto Firewall 3 as 192.168.1.0/24.
  • Interface: tunnel.1
  • Next Hop: None
  • Click OK 2 times.

Click Commit and OK to save the configuration changes.

5.4.5.Create IKE Crypto

We will create the IKE Crypto profile, i.e. Phase 1, for the VPN connection.

To create, go to Network > IKE Crypto click Add and create according to the following information:

  • Name: Phase1
  • DH Group: group2
  • Encryption: aes-256-cbc
  • Authentication: sha256
  • Key Lifetime: Seconds – 5400
  • Click OK.

Click Commit and OK to save the configuration changes.

5.4.6.Create IPSec Crypto

To create IPSec Crypto go to Network > IPSec Crypto and click Add.

Configure according to the following parameters:

  • Name: Phase2
  • IPSec Protocol: ESP
  • Encryption: aes-128-cbc
  • Authentication: sha256
  • DH Group: no-pfs
  • Lifetime: Seconds – 3600
  • Click OK.

Click Commit and OK to save the configuration changes.

5.4.7.Create IKE Gateways

To create go to Network > IKE Gateways and click Add.

Configure according to the following parameters.

General tab:

  • Name: IKE
  • Version: IKEv1 only mode
  • Address Type: IPv4
  • Interface: ethernet1/1 (Palo Alto Firewall 4’s WAN port)
  • Local IP Address: 192.168.10.254/24.
  • Peer Address: Enter Palo Alto Firewall 1’s WAN IP as 172.16.31.254
  • Authentication: Pre-shared Key
  • Pre-shared key: enter the connection password (this password must be the same as the password set on the Palo Alto firewall 3)
  • Confirm Pre-shared key: re-enter the connection password.
  • Local Identification: choose IP address – enter the WAN IP of Palo Alto Firewall 4 as 192.168.10.254.
  • Peer Identification: select IP address – enter the WAN IP of Palo Alto Firewall 3 as 10.145.41.253.

Advanced Options tab:

  • Exchange mode: select main.
  • IKE Crypto Profile: select Phase1.
  • Click OK.

Click Commit and OK to save the configuration changes.

5.4.8.Create IPSec Tunnels

Now we will start creating a VPN connection with the Palo Alto firewall 3 device.

To create go to Network > IPSec Tunnels and click Add.

Create with the following information.

Tab General:

  • Name: VPN_PA4_TO_PA3
  • Tunnel Interface: tunnel.1
  • Type: Auto Key
  • Address Type: IPv4
  • IKE Gateways: IKE
  • IPSec Crypto Profile: Phase2

Tab Proxy IDs:

Click Add and configure the following information:

  • Proxy ID: Peer-1
  • Local: 10.150.30.0/24
  • Remote: 192.168.1.0/24
  • Protocol: Any
  • Click OK 2 times.

Click Commit and OK to save the configuration changes.

5.4.9.Create Policy

We need to create a policy that allows traffic from Palo Alto Firewall 4’s LAN subnet to pass through Palo Alto Firewall 3’s LAN subnet and vice versa.

To create a policy go to Policies > Security and click Add.

Create a policy that allows traffic from Palo Alto Firewall 4’s LAN subnet to pass through Palo Alto Firewall 3’s LAN subnet with the following information:

Tab General:

  • Name: LAN_TO_VPN
  • Rule Type: universal (default)

Tab Source:

  • Source Zone: Click Add and select LAN.
  • Source Address: click Add and select PA4_LAN.

Tab Destination:

  • Destination Zone: VPN
  • Destination Address: PA3_LAN

Tab Action:

  • Action: Click Allow.
  • Click OK.

Next we will click Add and create a policy that allows traffic to go from the LAN subnet of Palo Alto Firewall 3 to the LAN subnet of Palo Alto Firewall 4 with the following information:

Tab General:

  • Name: VPN_TO_LAN
  • Rule Type: universal (default)

Tab Source:

  • Source Zone: click Add and select VPN
  • Source Address: click Add and select PA3_LAN.

Tab Destination:

  • Destination Zone: LAN
  • Destination Address: PA4_LAN

Tab Action:

  • Action: select Allow.
  • Click OK.
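Because each inner firewall sits behind a NAT, the settings on the four devices have to mirror each other exactly: the Peer Address is the other site's public IP, the Peer Identification is the other inner firewall's private WAN IP, the Proxy IDs are swapped, and the outer NAT sends UDP 500 and 4500 to the inner firewall. The following Python script is an added example, not part of the techbast article and not a PAN-OS API: it models those settings with hypothetical dataclasses, loaded with the addresses from this article (the pre-shared key is a placeholder), and reports any mismatch before you commit.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_network


@dataclass
class IkeSide:
    """IKE gateway, proxy ID and route settings of one inner firewall (hypothetical model)."""
    name: str
    local_ip: str           # private WAN IP of the inner firewall (behind the outer one)
    local_id: str           # Local Identification (IP address)
    peer_address: str       # Peer Address: the other site's public IP
    peer_id: str            # Peer Identification (IP address)
    local_subnet: str       # Proxy ID Local
    remote_subnet: str      # Proxy ID Remote
    static_routes: tuple    # destinations routed via tunnel.1
    psk: str


@dataclass
class OuterNat:
    """Static NAT on the outer firewall for the IPSec service (hypothetical model)."""
    public_ip: str          # WAN IP of the outer firewall
    translated_to: str      # WAN IP of the inner firewall
    ports: tuple            # translated UDP ports


def check_site_to_site(a, b, nat_a, nat_b) -> list:
    """Return the list of problems found; an empty list means the plan is consistent."""
    problems = []
    if a.psk != b.psk:
        problems.append("pre-shared keys differ")
    for side, other in ((a, b), (b, a)):
        # The IKE ID a side sends is its own private WAN IP, so the peer must expect that,
        # not the public IP that the outer firewall presents on the internet.
        if side.peer_id != other.local_id:
            problems.append(f"{side.name}: peer id {side.peer_id} != {other.name} local id {other.local_id}")
        # Proxy IDs must mirror each other exactly, or Phase 2 will not come up.
        if ip_network(side.local_subnet) != ip_network(other.remote_subnet):
            problems.append(f"{side.name}: proxy ID local {side.local_subnet} is not mirrored on {other.name}")
        # The remote subnet must be routed into tunnel.1 on the virtual router.
        if ip_network(side.remote_subnet) not in [ip_network(r) for r in side.static_routes]:
            problems.append(f"{side.name}: no static route via tunnel.1 for {side.remote_subnet}")
    for side, other, nat in ((a, b, nat_b), (b, a, nat_a)):
        # The peer address is the other site's public IP, and that IP must be NATed to the
        # other inner firewall for both UDP 500 (IKE) and UDP 4500 (NAT-T).
        if side.peer_address != nat.public_ip:
            problems.append(f"{side.name}: peer address {side.peer_address} != public IP {nat.public_ip}")
        if nat.translated_to != other.local_ip:
            problems.append(f"NAT for {nat.public_ip} goes to {nat.translated_to}, not {other.local_ip}")
        if set(nat.ports) != {500, 4500}:
            problems.append(f"NAT for {nat.public_ip} must cover UDP 500 and 4500, has {nat.ports}")
    return problems


def article_plan():
    """The four devices exactly as the article configures them (PSK is a placeholder)."""
    psk = "PSK-PLACEHOLDER"
    pa3 = IkeSide("PA3", "10.145.41.253", "10.145.41.253", "172.16.31.253", "192.168.10.254",
                  "192.168.1.0/24", "10.150.30.0/24", ("10.150.30.0/24",), psk)
    pa4 = IkeSide("PA4", "192.168.10.254", "192.168.10.254", "172.16.31.254", "10.145.41.253",
                  "10.150.30.0/24", "192.168.1.0/24", ("192.168.1.0/24",), psk)
    nat_pa1 = OuterNat("172.16.31.254", "10.145.41.253", (500, 4500))
    nat_pa2 = OuterNat("172.16.31.253", "192.168.10.254", (500, 4500))
    return pa3, pa4, nat_pa1, nat_pa2


def mistyped_plan():
    """Same plan, but PA4's Peer Identification was typed as PA1's public IP by mistake."""
    pa3, pa4, nat_pa1, nat_pa2 = article_plan()
    return pa3, replace(pa4, peer_id="172.16.31.254"), nat_pa1, nat_pa2


if __name__ == "__main__":
    for plan in (article_plan, mistyped_plan):
        print(plan.__name__, check_site_to_site(*plan()) or "consistent")
```

The mistyped plan reproduces a common slip in this topology, using the public IP instead of the private WAN IP as the Peer Identification, which leaves IKE Info red even though the NAT and policies are right.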

5.5.Result

After configuring IPSec VPN Site to Site on both devices, the VPN connections will show up as follows.

On Palo Alto Firewall 3, you can see that the network port icon in the Status column is green, which means the status of this IPSec tunnel has been turned on.

However, the connection to Palo Alto Firewall 4 has not been established yet, which is shown by the 2 circular icons at Tunnel Info and IKE Info still being red.

Palo Alto Firewall 4 shows the same status as Palo Alto Firewall 3.

Normally the Palo Alto devices will establish the connection automatically, but in case it is not established we need to do the following.

Access the command line interface of both Palo Alto Firewall 3 and Palo Alto Firewall 4 and type 2 commands as follows:

  • test vpn ike-sa
  • test vpn ipsec-sa

Execute 2 commands on Palo Alto Firewall 3.

Execute 2 commands on Palo Alto Firewall 4.

After executing the above 2 commands we will see that the IPSec VPN connection between the two devices has been established.

On Palo Alto Firewall 3 we see that the two circular icons at Tunnel Info and IKE Info have turned green.

On Palo Alto Firewall 4 the same thing happens.

After successfully establishing a connection, techbast will prepare 2 Windows 10 computers at each site to test the ability to communicate through the VPN connection.

At the Head Office site the Windows 10 machine has IP 192.168.1.100/24.

At the Branch Office site the Windows 10 machine has IP 10.150.30.100/24.

Successful ping results from Windows 10 machine IP 192.168.1.100/24 at Head Office to Windows 10 machine IP 10.150.30.100/24 at Branch Office.

Similarly, successful ping results from Windows 10 machine IP 10.150.30.100/24 at Branch Office to Windows 10 machine IP 192.168.1.100/24 at Head Office.
