How to configure IPSec VPN between Palo Alto and Sophos devices when the Palo Alto device is behind another Palo Alto device

1.The purpose of the article

In this article, techbast will show you how to configure an IPSec site-to-site VPN between Palo Alto and Sophos devices when the Palo Alto device is behind another Palo Alto device.

2.Diagram

Details:

Head Office:

  • At the head office site we use an external/internal firewall model with two devices: Palo Alto Firewall 1 is the external firewall and Palo Alto Firewall 2 is the internal firewall.
  • The internet connection is on ethernet1/1 of Palo Alto Firewall 1 with IP 10.150.30.119.
  • The LAN of Palo Alto Firewall 1 is configured on port ethernet1/2 with IP 10.145.41.1/24, and DHCP is configured to allocate addresses to the devices connected to it.
  • On Palo Alto Firewall 2 the WAN port is ethernet1/1, which is connected to port ethernet1/2 of Palo Alto Firewall 1; ethernet1/1 on Palo Alto Firewall 2 has the static IP 10.145.41.50/24.
  • Palo Alto Firewall 2’s LAN is configured on port ethernet1/2 with IP 10.0.0.1/24 and has DHCP configured.

Branch office:

  • The internet connection is on Port2 of Sophos Firewall 1 with IP 10.150.30.106.
  • The LAN is configured on Port1 with IP 172.16.16.16/24, and DHCP is configured to allocate IPs to the devices connected to it.

3.Scenario

Based on the above diagram, we will configure an IPSec site-to-site VPN between Palo Alto Firewall 2 at the Head Office site and Sophos Firewall 1 at the Branch Office site so that the LANs of the two sites can communicate with each other.

4.What to do

Palo Alto Firewall 1:

  • Create Service Objects for IPSec service.
  • Create Address Objects for Palo Alto Firewall 2’s WAN IP.
  • Create NAT rules that translate the IPSec service on the WAN IP to Palo Alto Firewall 2’s WAN IP.
  • Create Policy to allow NAT traffic.

Palo Alto Firewall 2:

  • Create VPN zone.
  • Create Address Object.
  • Create tunnel interface.
  • Create Virtual Routers.
  • Create IKE Crypto.
  • Create IPSec Crypto.
  • Create IKE Gateways.
  • Create IPSec Tunnels.
  • Create policy.

Sophos Firewall 1:

  • Create profile for Local and Remote subnet.
  • Create IPSec policy.
  • Create IPSec connection.
  • Create policy to allow traffic between 2 zones LAN and VPN.
  • Enable PING and HTTPS services on VPN zone.

Result.

5.Configuration.

5.1.Palo Alto Firewall 1.

5.1.1.Create Service Objects for IPSec service

The IPSec site-to-site VPN connection uses UDP port 500 and UDP port 4500.

We need to create service objects for these two services.

To create, go to Objects > Services > Services > click Add.

Create the service object for UDP 500 with the following information:

  • Name: service-ipsec-vpn-500
  • Protocol: select UDP.
  • Destination Port: 500.
  • Click OK.

Similarly, create the service object for UDP 4500 with the following parameters:

  • Name: service-ipsec-vpn-4500
  • Protocol: select UDP.
  • Destination Port: 4500.
  • Select OK.

Click Commit and OK to save the configuration changes.

5.1.2.Create Address Objects for Palo Alto Firewall 2’s WAN IP.

To create, go to Objects > Addresses > click Add.

Create with the following information:

  • Name: Palo Alto firewall 2.
  • Type: choose IP Netmask and enter Palo Alto Firewall 2’s WAN IP, 10.145.41.50.
  • Click OK.

5.1.3.Create NAT rules for Palo Alto Firewall 2’s WAN IP with the IPSec service to the internet.

To create the NAT rules, go to Policies > NAT > click Add.

Create the NAT rule for the UDP 500 service with the following parameters.

General table:

  • Name: NAT_IPSec_VPN_500
  • NAT Type: ipv4.

Original Packet table:

  • Source Zone: click Add and select the WAN zone, Untrust.
  • Destination Zone: select Untrust.
  • Destination Interface: choose ethernet1/1, the WAN port of Palo Alto Firewall 1.
  • Service: select the service object service-ipsec-vpn-500.
  • Destination Address: click Add and enter Palo Alto Firewall 1’s WAN IP, 10.150.30.119.

Translated Packet table:

  • Translation type: select Static IP.
  • Translated Address: select the address object Palo Alto firewall 2.
  • Translated Port: enter 500.

Click OK.

Similarly, create the NAT rule for the UDP 4500 service with the following parameters.

General table:

  • Name: NAT_IPSec_VPN_4500
  • NAT Type: ipv4.

Original Packet table:

  • Source Zone: click Add and select the WAN zone, Untrust.
  • Destination Zone: select Untrust.
  • Destination Interface: choose ethernet1/1, the WAN port of Palo Alto Firewall 1.
  • Service: select the service object service-ipsec-vpn-4500.
  • Destination Address: click Add and enter Palo Alto Firewall 1’s WAN IP, 10.150.30.119.

Translated Packet table:

  • Translation type: select Static IP.
  • Translated Address: select the address object Palo Alto firewall 2.
  • Translated Port: enter 4500.

Click OK.

Click Commit and OK to save the configuration changes.

5.1.4.Create policy to allow NAT traffic.

By default, the firewall does not allow traffic to pass between zones.

So for the NAT rules to work, we need to create a security policy that allows the traffic coming from the internet to reach the LAN. Note that PAN-OS matches a security policy on the post-NAT destination zone (the LAN zone) but on the pre-NAT destination address (Palo Alto Firewall 1’s WAN IP), which is why the rule below combines the two.

To create a policy, go to Policies > Security > click Add.

Create a policy with the following parameters.

General table:

  • Name: NAT_IPSec_service.
  • Rule Type: universal (default).

Source table:

  • Source Zone: select the Untrust zone (this is the WAN zone).

Destination table:

  • Destination Zone: select Trust-Layer3 (this is the LAN zone).
  • Destination Address: enter Palo Alto Firewall 1’s WAN IP address, 10.150.30.119.

Service/URL Category table:

  • Service: click Add and select the two service objects service-ipsec-vpn-500 and service-ipsec-vpn-4500.

Action table:

  • Action: select Allow.
  • Log Setting: select Log at Session End.

Click OK.

Click Commit and OK to save the configuration changes.
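The NAT and security rules above only work as a pair: the NAT rule rewrites the destination of UDP 500 (IKE) and UDP 4500 (NAT traversal) packets to Palo Alto Firewall 2, and the security rule must then permit the translated flow into the LAN zone. The following is an added example, not code from the article and not PAN-OS code: a small Python model of the Palo Alto Firewall 1 rules from sections 5.1.1 to 5.1.4 that shows which inbound packets are translated and allowed. The rule names, zones, ports and addresses are the article's; the packet model, the zone lookup and the evaluation order are assumptions made for this example.

```python
"""Added example (not from the article, not PAN-OS code): a model of the Palo Alto
Firewall 1 rules from sections 5.1.1 to 5.1.4. Rule names, zones, ports and
addresses are the article's; the packet model, the zone lookup and the
evaluation order are assumptions of this example."""
from dataclasses import dataclass, replace
import ipaddress

PA1_WAN = ipaddress.ip_address("10.150.30.119")   # Palo Alto Firewall 1 ethernet1/1
PA2_WAN = ipaddress.ip_address("10.145.41.50")    # Palo Alto Firewall 2 ethernet1/1
PA1_LAN = ipaddress.ip_network("10.145.41.0/24")  # Palo Alto Firewall 1 ethernet1/2
SOPHOS_WAN = ipaddress.ip_address("10.150.30.106")

# Service objects from 5.1.1
SERVICES = {"service-ipsec-vpn-500": ("udp", 500), "service-ipsec-vpn-4500": ("udp", 4500)}

# Destination NAT rules from 5.1.3: Untrust -> Untrust, destination PA1's WAN IP,
# translated to the address object "Palo Alto firewall 2" on the same port.
NAT_RULES = [
    {"name": "NAT_IPSec_VPN_500",  "service": "service-ipsec-vpn-500",  "to": PA2_WAN, "port": 500},
    {"name": "NAT_IPSec_VPN_4500", "service": "service-ipsec-vpn-4500", "to": PA2_WAN, "port": 4500},
]

@dataclass(frozen=True)
class Packet:
    src_zone: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int

def zone_of(addr):
    """Zone lookup assumed for the example: PA1's LAN subnet is Trust-Layer3, all else Untrust."""
    return "Trust-Layer3" if addr in PA1_LAN else "Untrust"

def apply_nat(pkt):
    """Return (rule name, translated packet); the packet is unchanged when no rule matches."""
    for rule in NAT_RULES:
        proto, port = SERVICES[rule["service"]]
        if (pkt.src_zone == "Untrust" and zone_of(pkt.dst) == "Untrust"
                and pkt.dst == PA1_WAN and pkt.proto == proto and pkt.dport == port):
            return rule["name"], replace(pkt, dst=rule["to"], dport=rule["port"])
    return None, pkt

def security_allows(original, translated, rule_present=True):
    """Security rule NAT_IPSec_service from 5.1.4. PAN-OS evaluates security policy
    on the post-NAT destination zone but the pre-NAT destination address, which is
    why the rule is Untrust -> Trust-Layer3 with destination 10.150.30.119."""
    if not rule_present:
        return False
    return (original.src_zone == "Untrust"
            and zone_of(translated.dst) == "Trust-Layer3"
            and original.dst == PA1_WAN
            and (original.proto, original.dport) in set(SERVICES.values()))

def forward(pkt, rule_present=True):
    """Outcome for one inbound packet: 'no-nat', 'denied' or 'forwarded' with the new destination."""
    rule, translated = apply_nat(pkt)
    if rule is None:
        return ("no-nat", None)
    if not security_allows(pkt, translated, rule_present):
        return ("denied", rule)
    return ("forwarded", f"{translated.dst}:{translated.dport}")

if __name__ == "__main__":
    # Constructed sample packets: IKE from the Sophos WAN, NAT-T, an unrelated TCP
    # connection, and IKE with the security rule from 5.1.4 missing.
    ike = Packet("Untrust", SOPHOS_WAN, PA1_WAN, "udp", 500)
    for p, present in ((ike, True), (replace(ike, dport=4500), True),
                       (replace(ike, proto="tcp", dport=443), True), (ike, False)):
        label = "security rule present" if present else "security rule missing"
        print(p.proto, p.dport, label, "->", forward(p, present))
```

Running it shows that only UDP 500 and UDP 4500 to 10.150.30.119 are translated to 10.145.41.50, that anything else is left alone by the NAT rules, and that without the security rule the translated IKE packet is dropped at the Untrust to Trust-Layer3 boundary.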

5.2.Palo Alto Firewall 2

5.2.1.Create Zone

We need to create a zone for the VPN connection.

To create, go to Network > Zones.

Click Add and create according to the following information:

  • Name: VPN
  • Type: Layer3
  • Click OK.

Click Commit and OK to save the configuration changes.

5.2.2. Create Address Object

We will create Address Objects for the two LAN subnets of the Palo Alto and Sophos devices.

To create, go to Objects > Addresses.

Click Add and create according to the following parameters.

Palo Alto Firewall 2 LAN:

  • Name: PA2_LAN
  • Type: IP Netmask – 10.0.0.0/24
  • Click OK.

Sophos Firewall 1 LAN:

  • Name: SOPHOS_LAN
  • Type: IP Netmask – 172.16.16.0/24
  • Click OK

Click Commit and OK to save the configuration changes.

5.2.3.Create Tunnel Interface

To create, go to Network > Interfaces > Tunnel.

Click Add and create according to the following information:

  • Interface Name: tunnel.3
  • Virtual Router: None
  • Security Zone: VPN
  • Click OK.

Click Commit to save the configuration changes.

5.2.4.Create Virtual Routers

To create Virtual Routers go to Network > Virtual Routers > click Add and configure according to the following information.

Tab Router Settings:

  • Name: VR1
  • Tab General: click Add and select the interfaces ethernet1/2 (LAN port), ethernet1/1 (internet port) and tunnel.3 (the tunnel interface used for the VPN).

Tab Static Routes > IPv4:

Click Add to add static routes and fill in the following information:

  • Name: Route-1
  • Destination: select address objects SOPHOS_LAN
  • Interface: tunnel.3
  • Next Hop: None
  • Click OK 2 times.

Click Commit and OK to save the configuration changes.

5.2.5. Create IKE Crypto

We will create the IKE Crypto profile, i.e. Phase 1, for the VPN connection.

To create, go to Network > IKE Crypto click Add and create according to the following information:

  • Name: Phrase1
  • DH Group: group2
  • Encryption: aes-256-cbc
  • Authentication: sha256
  • Key Lifetime: Seconds – 5400
  • Click OK

Click Commit and OK to save the configuration changes.

5.2.6.Create IPSec Crypto

To create IPSec Crypto go to Network > IPSec Crypto and click Add.

Configure according to the following parameters:

  • Name: Phrase2
  • IPSec Protocol: ESP
  • Encryption: aes-128-cbc
  • Authentication: sha256
  • DH Group: no-pfs
  • Lifetime: Seconds – 3600
  • Click OK

Click Commit and OK to save the configuration changes.

5.2.7.Create IKE Gateways

To create it, go to Network > IKE Gateways and click Add.

Configure according to the following parameters.

General tab:

  • Name: IKE
  • Version: IKEv1 only mode
  • Address Type: IPv4
  • Interface: ethernet1/1 (Palo Alto Firewall 2’s WAN port)
  • Local IP Address: None
  • Peer Address: enter Sophos Firewall 1’s WAN IP, 10.150.30.106
  • Authentication: Pre-shared Key
  • Pre-shared key: enter the connection password (this password must be the same as the one set on Sophos)
  • Confirm Pre-shared key: re-enter the connection password.
  • Local Identification: select IP address and enter Palo Alto Firewall 2’s WAN IP, 10.145.41.50.
  • Peer Identification: select IP address and enter Sophos Firewall 1’s WAN IP, 10.150.30.106.

Advanced Options tab:

  • Exchange mode: select main.
  • IKE Crypto Profile: select Phrase1.
  • Click OK.

Click Commit and OK to save the configuration changes.

5.2.8.Create IPSec Tunnels

Now we will start creating a VPN connection with the Sophos Firewall device.

To create it, go to Network > IPSec Tunnels and click Add.

Create with the following information.

Tab General:

  • Name: VPN_PA_TO_SOPHOS
  • Tunnel Interface: tunnel.3
  • Type: Auto Key
  • Address Type: IPv4
  • IKE Gateways: IKE
  • IPSec Crypto Profile: Phrase2

Tab Proxy IDs:

Click Add and configure the following information:

  • Proxy ID: Peer-1
  • Local: 10.0.0.0/24
  • Remote: 172.16.16.0/24
  • Protocol: Any
  • Click OK 2 times.

Click Commit and OK to save the configuration changes.

5.2.9.Create Policy

We need to create policies that allow traffic from the LAN subnet of Palo Alto Firewall 2 to reach the LAN subnet of Sophos Firewall 1 and vice versa.

To create a policy, go to Policies > Security and click Add.

Create a policy that allows traffic from the LAN subnet of Palo Alto Firewall 2 to reach the LAN subnet of Sophos Firewall 1 with the following information:

Tab General:

  • Name: LAN_TO_VPN
  • Rule Type: universal (default)

Tab Source:

  • Source Zone: click Add and select Trust-Layer3 (this is the zone of the LAN subnet)
  • Source Address: click Add and select PA2_LAN (the Address Object we created earlier)

Tab Destination:

  • Destination Zone: VPN
  • Destination Address: SOPHOS_LAN (the Address Object created earlier)

Tab Action:

  • Action: select Allow.
  • Click OK.

Next, click Add and create a policy that allows traffic from the LAN subnet of Sophos Firewall 1 to reach the LAN subnet of Palo Alto Firewall 2 with the following information:

Tab General:

  • Name: VPN_TO_LAN
  • Rule Type: universal (default)

Tab Source:

  • Source Zone: click Add and select VPN
  • Source Address: click Add and select SOPHOS_LAN (the Address Object we created earlier)

Tab Destination:

  • Destination Zone: Trust-Layer3 (the zone of the LAN subnet)
  • Destination Address: PA2_LAN (the Address Object created earlier)

Tab Action:

  • Action: select Allow.
  • Click OK to save.

5.3.Sophos Firewall 1

5.3.1.Create profile for Local and Remote subnet

We will create IP Host profiles for the Local and Remote subnets.

To create, go to SYSTEM > Hosts and Services > IP Host > click Add.

Create a profile for the Local subnet with the following parameters:

  • Name*: SOPHOS_LAN.
  • IP version*: IPv4.
  • Type*: Network.
  • IP address*: 172.16.16.0 Subnet /24[255.255.255.0]
  • Click Save.

Similar to the above steps, we will create a profile for the Remote subnet according to the following parameters:

  • Name*: PA2_LAN.
  • IP version*: IPv4.
  • Type*: Network.
  • IP address*: 10.0.0.0 Subnet /24[255.255.255.0]
  • Click Save

5.3.2.Create IPSec policy

Because this is an IPSec VPN connection between devices from two different vendors, we need to create an IPSec policy whose Phase 1 and Phase 2 parameters match the ones configured on the Palo Alto side.

To create IPSec policies go to CONFIGURE > VPN > IPSec policies > Click Add.

Create an IPSec policy with the following parameters.

General settings:

  • Name: VPN_S2S_PA.
  • Key exchange: IKEv1.
  • Authentication mode: Main mode
  • Select Re-key connection.

Phase 1:

  • Key life: 5400.
  • Re-key margin: 360.
  • Randomize re-keying margin by: 50.
  • DH group (key group): 2 (DH1024).
  • Encryption: AES256.
  • Authentication: SHA2 256.

Phase 2:

  • PFS group (DH group): None.
  • Key life: 3600.
  • Encryption: AES128.
  • Authentication: SHA2 256.

Dead Peer Detection:

  • Dead Peer Detection: select.
  • Check peer after every: 30.
  • Wait for response up to: 120.
  • When peer unreachable: Re-initiate.

Click Save.

5.3.3.Create IPSec connection

To create one, go to CONFIGURE > VPN > IPSec connections > click Add.

In General we configure with the following parameters:

  • Name: VPN_SOPHOS_TO_PA.
  • IP version: IPv4.
  • Connection type: Site-to-site.
  • Gateway type: Initiate the connection.
  • Active on save: uncheck.
  • Create firewall rule: uncheck.

In Encryption we configure with the following parameters:

  • Policy: select VPN_S2S_PA.
  • Authentication type: select Preshared key.
  • Preshared key: Enter the connection password.
  • Repeat preshared key: re-enter the connection password.

In Gateway settings we configure the following parameters:

Local Gateway:

  • Listening interface: select Port2 – 10.150.30.106.
  • Local ID type: select IP address.
  • Local ID: enter 10.150.30.106.
  • Local subnet: select profile SOPHOS_LAN.

Remote Gateway:

  • Gateway address: enter Palo Alto Firewall 1’s WAN IP, 10.150.30.119.
  • Remote ID type: select IP address.
  • Remote ID: enter Palo Alto Firewall 2’s WAN IP, 10.145.41.50.
  • Remote subnet: select profile PA2_LAN.

Click Save.

After clicking Save, the IPSec connection is created as shown below.
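The two configuration blocks above only bring the tunnel up if every Phase 1 and Phase 2 parameter matches on both ends and the IKE identities line up across the NAT: Sophos sends IKE to Palo Alto Firewall 1's WAN IP, but the identity it must expect from the peer is Palo Alto Firewall 2's own WAN IP, which is why the article sets the Remote ID and the Local Identification explicitly. The following is an added example, not code from the article or from either vendor: a Python consistency check over the values configured in sections 5.2.5 to 5.2.8 (Palo Alto Firewall 2) and 5.3.2 to 5.3.3 (Sophos Firewall 1). The vendor-name normalisation tables, the dictionary layout and the placeholder pre-shared key are assumptions of this example.

```python
"""Added example (not from the article or either vendor): a consistency check of
the two ends of the tunnel. The proposal values and identities are the ones the
article configures in sections 5.2.5-5.2.8 and 5.3.2-5.3.3; the normalisation
tables, the dictionary layout and the pre-shared key are assumptions."""

PA1_WAN = "10.150.30.119"   # NAT address the Sophos side must send IKE to

# Each vendor's spelling of a proposal parameter mapped onto one neutral name.
PALO_NAMES = {"aes-256-cbc": "aes256", "aes-128-cbc": "aes128", "sha256": "sha256",
              "group2": "dh2", "no-pfs": "none", "IKEv1 only mode": "ikev1", "main": "main"}
SOPHOS_NAMES = {"AES256": "aes256", "AES128": "aes128", "SHA2 256": "sha256",
                "2 (DH1024)": "dh2", "None": "none", "IKEv1": "ikev1", "Main mode": "main"}

PSK = "constructed-example-psk"   # placeholder, not the article's password

PA2 = {  # Palo Alto Firewall 2: IKE Crypto Phrase1, IPSec Crypto Phrase2, IKE Gateway IKE
    "ike":   {"version": "IKEv1 only mode", "mode": "main", "dh": "group2",
              "enc": "aes-256-cbc", "auth": "sha256", "life": 5400},
    "ipsec": {"pfs": "no-pfs", "enc": "aes-128-cbc", "auth": "sha256", "life": 3600},
    "local_id": "10.145.41.50", "peer_address": "10.150.30.106", "peer_id": "10.150.30.106",
    "psk": PSK,
}
SOPHOS = {  # Sophos Firewall 1: IPSec policy VPN_S2S_PA and connection VPN_SOPHOS_TO_PA
    "ike":   {"version": "IKEv1", "mode": "Main mode", "dh": "2 (DH1024)",
              "enc": "AES256", "auth": "SHA2 256", "life": 5400},
    "ipsec": {"pfs": "None", "enc": "AES128", "auth": "SHA2 256", "life": 3600},
    "local_address": "10.150.30.106", "local_id": "10.150.30.106",
    "gateway_address": "10.150.30.119", "remote_id": "10.145.41.50",
    "psk": PSK,
}

def same(table_a, a, table_b, b):
    """Compare two vendor-specific values after mapping both onto neutral names."""
    return table_a.get(a, a) == table_b.get(b, b)

def check(pa2, sophos):
    """Return a list of human-readable mismatches; an empty list means the ends agree."""
    problems = []
    for phase, keys in (("ike", ("version", "mode", "dh", "enc", "auth", "life")),
                        ("ipsec", ("pfs", "enc", "auth", "life"))):
        for k in keys:
            if not same(PALO_NAMES, pa2[phase][k], SOPHOS_NAMES, sophos[phase][k]):
                problems.append(f"{phase}.{k}: PA2={pa2[phase][k]!r} Sophos={sophos[phase][k]!r}")
    if pa2["peer_address"] != sophos["local_address"]:
        problems.append("PA2 peer address must be the Sophos listening interface address")
    if pa2["peer_id"] != sophos["local_id"]:
        problems.append("PA2 peer ID must equal the Sophos local ID")
    if sophos["gateway_address"] != PA1_WAN:
        problems.append("Sophos gateway address must be Palo Alto Firewall 1's WAN IP (the NAT address)")
    if sophos["remote_id"] != pa2["local_id"]:
        problems.append("Sophos remote ID must equal PA2's local ID (its private WAN IP), not the NAT address")
    if pa2["psk"] != sophos["psk"]:
        problems.append("pre-shared keys differ")
    return problems

if __name__ == "__main__":
    print("article configuration:", check(PA2, SOPHOS) or "OK")
    # The natural but wrong choice behind NAT: remote ID set to the public address.
    print("remote ID = NAT address:", check(PA2, dict(SOPHOS, remote_id=PA1_WAN)))
    # A Phase 2 cipher mismatch, the other common cause of a tunnel that never comes up.
    print("Phase 2 mismatch:", check(PA2, dict(SOPHOS, ipsec=dict(SOPHOS["ipsec"], enc="AES256"))))
```

The article's values pass cleanly; the two deliberately broken copies show the kind of mismatch the check is meant to catch before the tunnel is enabled, in particular a Remote ID set to the NAT address instead of Palo Alto Firewall 2's own WAN IP.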

5.3.4.Create a policy to allow traffic between 2 zones LAN and VPN.

By default, the firewall blocks all traffic between zones.

So we need to create a policy that allows traffic to pass in both directions between the LAN and VPN zones.

To create, go to PROTECT > Rules and policies > Add firewall rule and create a policy as shown below.

Click Save.

5.3.5.Enable PING and HTTPS services on the VPN zone.

By default, all services are turned off on the VPN zone.

To enable them, go to SYSTEM > Administration > Device Access.

Select the HTTPS and Ping/Ping6 services in the VPN zone row and click Apply to save.

5.4.Result.

On the Palo Alto device, after the IPSec tunnel has been created, the connection is listed as shown below.

Looking at the Status column, the network port icon is green, meaning this IPSec connection is enabled.

To establish the IPSec connection between the two devices, go to Sophos Firewall > CONFIGURE > VPN > IPSec connections.

The circular icon in the Active column of the IPSec VPN connection we created earlier is red, meaning the connection has not been enabled yet.

To activate it, click the circle icon in the Active column and click Yes.

Because Sophos Firewall 1 is configured as the initiating device (Gateway type: Initiate the connection), when we turn on the IPSec VPN connection on Sophos Firewall 1 the device automatically establishes the VPN connection to Palo Alto Firewall 2; if it succeeds, the circle icons in both the Active and Connection columns turn green.

On the Palo Alto firewall, the two circular icons in the Status columns also turn green.

To test communication between the LANs of the two sites, techbast uses one computer at each site and pings from one to the other.

At the Head Office site techbast has prepared a Windows 10 computer with IP 10.0.0.51/24, and at the Branch Office site a Windows 10 machine with IP 172.16.16.51/24.

Ping result from the Windows 10 machine with IP 10.0.0.51/24 to the Windows 10 machine with IP 172.16.16.51/24.

The ping succeeds.

From the Windows 10 machine at the Head Office we can also reach the admin page of Sophos Firewall 1 on its LAN IP 172.16.16.16 through the VPN connection.

Ping result from the Windows 10 machine with IP 172.16.16.51 to the Windows 10 machine with IP 10.0.0.51.

The ping succeeds.

From the Windows machine at the Branch Office we can also reach the administration page of Palo Alto Firewall 2 on its LAN IP 10.0.0.1 through the VPN connection.
