How to configure IPSec VPN Site to Site between 2 Palo Alto devices with WAN IP as static IP

1.The purpose of the article

In this article, techbast shows how to configure an IPSec VPN Site to Site between two Palo Alto devices where both devices have a static WAN IP.

2.Diagram

Details:

Head Office:

  • Internet connection on port ethernet1/1 with the static IP 172.16.31.254.
  • LAN on port ethernet1/2 with IP 10.145.41.1/24; a DHCP server on this interface hands out addresses to the devices connected to it.

Branch Office:

  • Internet connection on port ethernet1/1 with the static IP 172.16.31.253.
  • LAN on port ethernet1/2 with IP 192.168.10.1/24; a DHCP server on this interface hands out addresses to the devices connected to it.

3.Scenario

We will configure an IPSec VPN Site-to-Site between the two devices, Palo Alto Firewall 1 and Palo Alto Firewall 2, so that the LAN subnets of both sites, 10.145.41.0/24 and 192.168.10.0/24, can reach each other.

4.What to do

Palo Alto Firewall 1:

  • Create VPN zone.
  • Create Address Object.
  • Create tunnel interface.
  • Create Virtual Routers.
  • Create IKE Crypto.
  • Create IPSec Crypto.
  • Create IKE Gateways.
  • Create IPSec Tunnels.
  • Create policy.

Palo Alto Firewall 2:

  • Create VPN zone.
  • Create Address Object.
  • Create tunnel interface.
  • Create Virtual Routers.
  • Create IKE Crypto.
  • Create IPSec Crypto.
  • Create IKE Gateways.
  • Create IPSec Tunnels.
  • Create policy.

Result

5.Configuration

5.1. Palo Alto Firewall 1

5.1.1.Create Zone

We need to create zones for VPN connections.

To create go to Network > Zones.

Click Add and create the following information:

  • Name: VPN
  • Type: Layer3
  • Click OK.

Click Commit and OK to save the configuration changes.

5.1.2.Create Address Object

We will create Address Objects for the two LAN subnets of Palo Alto Firewall 1 and Palo Alto Firewall 2.

To create them go to Object > Addresses.

Click Add and create them with the following parameters.

Palo Alto Firewall 1 LAN:

  • Name: PA1_LAN
  • Type: IP Netmask – 10.145.41.0/24
  • Click OK to save.

Palo Alto Firewall 2 LAN:

  • Name: PA2_LAN
  • Type: IP Netmask – 192.168.10.0/24
  • Click OK to save.

Click Commit and OK to save the configuration changes.

5.1.3.Create Tunnel Interface

To create go to Network > Interface > Tunnel.

Click Add and create according to the following information:

  • Interface Name: tunnel.1
  • Virtual Router: None (tunnel.1 is attached to VR1 in the next step)
  • Security Zone: VPN
  • Click OK.

Click Commit and OK to save the configuration changes.

5.1.4.Create Virtual Routers

To create Virtual Routers go to Network > Virtual Routers > click Add and configure according to the following information.

Tab Router Settings:

  • Name: VR1
  • Tab General: Click Add and select ports ethernet1/2 (LAN port), ethernet1/1 (internet port) and tunnel.1 (the tunnel used to connect VPN).

Tab Static Routes > IPv4:

Click Add to add static routes and fill in the following information:

  • Name: Route-2
  • Destination: select address objects PA2_LAN
  • Interface: tunnel.1
  • Next Hop: None
  • Click OK twice (once for the route, once for the virtual router).

Click Commit and OK to save the configuration changes.

5.1.5.Create IKE Crypto

We will create the IKE Crypto profile, i.e. Phase 1 of the VPN connection.

To create it, go to Network > IKE Crypto, click Add and configure the following:

  • Name: Phrase1
  • DH Group: group2
  • Encryption: aes-256-cbc
  • Authentication: sha256
  • Key Lifetime: Seconds – 5400
  • Click OK

Both peers must offer a matching proposal, so use the same values on Palo Alto Firewall 2. Note that group2 is a 1024-bit MODP group and is used here only to match this lab; for a production tunnel choose group14 or higher on both sides.

Click Commit and OK to save the configuration changes.

5.1.6.Create IPSec Crypto

To create the IPSec Crypto profile, i.e. Phase 2, go to Network > IPSec Crypto and click Add.

Configure the following parameters:

  • Name: Phrase2
  • IPSec Protocol: ESP
  • Encryption: aes-128-cbc
  • Authentication: sha256
  • DH Group: no-pfs
  • Lifetime: Seconds – 3600
  • Click OK.

With DH Group set to no-pfs, the Phase 2 keys are derived from the Phase 1 keying material without a fresh Diffie-Hellman exchange. Enabling PFS (for example group14) on both peers gives each IPSec SA independent keys at the cost of one extra DH exchange per rekey; whichever you choose, it must match on Palo Alto Firewall 2.

Click Commit and OK to save the configuration changes.

5.1.7.Create IKE Gateways

To create go to Network > IKE Gateways and click Add.

Configure the following parameters:

Tab General:

  • Name: IKE
  • Version: IKEv1 only mode (both peers must run the same IKE version)
  • Address Type: IPv4
  • Interface: ethernet1/1 (Palo Alto Firewall 1's WAN port)
  • Local IP Address: 172.16.31.254/24
  • Peer Address: enter Palo Alto Firewall 2's WAN IP, 172.16.31.253
  • Authentication: Pre-shared Key
  • Pre-shared key: enter the connection key (it must be identical on Palo Alto Firewall 2; with pre-shared-key authentication the tunnel is only as strong as this secret, so use a long random string rather than a memorable password)
  • Confirm Pre-shared key: re-enter the key.

Tab Advanced Options:

  • Exchange mode: select main.
  • IKE Crypto Profile: select Phrase1.
  • Click OK.

Click Commit and OK to save the configuration changes.

5.1.8.Create IPSec Tunnels

Now we will start creating a VPN connection with the Palo Alto Firewall 2 device.

To create go to Network > IPSec Tunnels and click Add.

Create with the following information.

Tab General:

  • Name: VPN_PA1_TO_PA2
  • Tunnel Interface: tunnel.1
  • Type: Auto Key
  • Address Type: IPv4
  • IKE Gateways: IKE
  • IPSec Crypto Profile: Phrase2

Tab Proxy IDs:

Click Add and configure the following information:

  • Proxy ID: Peer-1
  • Local: 10.145.41.0/24
  • Remote: 192.168.10.0/24
  • Protocol: Any
  • Click OK.

Click Commit and OK to save the configuration changes.

5.1.9.Create Policy

We need to create a policy that allows traffic from Palo Alto Firewall 1's LAN subnet to reach Palo Alto Firewall 2's LAN subnet and vice versa.

To create a policy go to Policies > Security and click Add.

Create a policy that allows traffic from the LAN subnet of Palo Alto Firewall 1 to reach the LAN subnet of Palo Alto Firewall 2 with the following information:

Tab General:

  • Name: LAN_TO_VPN
  • Rule Type: universal (default)

Tab Source:

  • Source Zone: Click Add and select LAN zone
  • Source Address: Click Add and select PA1_LAN (PA1_LAN is the Address Object we created earlier)

Tab Destination:

  • Destination Zone: VPN
  • Destination Address: PA2_LAN (this is the Address Object created at first)

Tab Action:

  • Action: select Allow.
  • Click OK.

Next we will click Add and create a policy that allows traffic to go from the LAN subnet of Palo Alto Firewall 2 to the LAN subnet of Palo Alto Firewall 1 with the following information:

Tab General:

  • Name: VPN_TO_LAN
  • Rule Type: universal (default)

Tab Source:

  • Source Zone: press Add and select VPN
  • Source Address: Click Add and select PA2_LAN (PA2_LAN is the Address Object we created earlier)

Tab Destination:

  • Destination Zone: LAN
  • Destination Address: PA1_LAN (this is the Address Object created at first)

Tab Action:

  • Action: select Allow.
  • Click OK.

Click Commit and OK to save the configuration changes.
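The whole Palo Alto Firewall 1 procedure above (5.1.1 to 5.1.9) as PAN-OS configuration-mode CLI commands, added here as an example; it is not part of the original article. It assumes ethernet1/1 and ethernet1/2 already exist and that ethernet1/2 is in a zone named LAN, as the policies above require; `<long-random-psk>` is a placeholder for the key you choose, and lines starting with `#` are annotations, not commands. The command forms are PAN-OS configure-mode syntax as I know it; confirm each with `?` completion on your release before relying on it. Palo Alto Firewall 2 is the mirror image: swap the local and peer addresses, the proxy-ID local and remote subnets, the static-route destination, and the address objects in the two rules.

```text
# Added example: PAN-OS configure-mode equivalent of steps 5.1.1 - 5.1.9 on Palo Alto Firewall 1
# Assumption: zone LAN already contains ethernet1/2; <long-random-psk> is a placeholder
configure

# 5.1.1 VPN zone and 5.1.3 tunnel interface (placing tunnel.1 in zone VPN)
set network interface tunnel units tunnel.1 comment "Site-to-site to Branch Office"
set zone VPN network layer3 tunnel.1

# 5.1.2 address objects for both LAN subnets
set address PA1_LAN ip-netmask 10.145.41.0/24
set address PA2_LAN ip-netmask 192.168.10.0/24

# 5.1.4 virtual router VR1 and the static route that steers branch traffic into the tunnel
set network virtual-router VR1 interface [ ethernet1/1 ethernet1/2 tunnel.1 ]
set network virtual-router VR1 routing-table ip static-route Route-2 destination 192.168.10.0/24 interface tunnel.1

# 5.1.5 IKE (Phase 1) crypto profile - values as in the article; group2 is weak, group14+ is preferable
set network ike crypto-profiles ike-crypto-profiles Phrase1 dh-group group2
set network ike crypto-profiles ike-crypto-profiles Phrase1 encryption aes-256-cbc
set network ike crypto-profiles ike-crypto-profiles Phrase1 hash sha256
set network ike crypto-profiles ike-crypto-profiles Phrase1 lifetime seconds 5400

# 5.1.6 IPSec (Phase 2) crypto profile - no-pfs as in the article; a DH group here enables PFS
set network ike crypto-profiles ipsec-crypto-profiles Phrase2 esp encryption aes-128-cbc
set network ike crypto-profiles ipsec-crypto-profiles Phrase2 esp authentication sha256
set network ike crypto-profiles ipsec-crypto-profiles Phrase2 dh-group no-pfs
set network ike crypto-profiles ipsec-crypto-profiles Phrase2 lifetime seconds 3600

# 5.1.7 IKE gateway: IKEv1 main mode, PSK, local WAN 172.16.31.254, peer WAN 172.16.31.253
set network ike gateway IKE protocol version ikev1
set network ike gateway IKE protocol ikev1 exchange-mode main
set network ike gateway IKE protocol ikev1 ike-crypto-profile Phrase1
set network ike gateway IKE local-address interface ethernet1/1 ip 172.16.31.254/24
set network ike gateway IKE peer-address ip 172.16.31.253
set network ike gateway IKE authentication pre-shared-key key <long-random-psk>

# 5.1.8 IPSec tunnel bound to tunnel.1, with the proxy ID the peer must mirror (local/remote swapped)
set network tunnel ipsec VPN_PA1_TO_PA2 tunnel-interface tunnel.1
set network tunnel ipsec VPN_PA1_TO_PA2 auto-key ike-gateway IKE
set network tunnel ipsec VPN_PA1_TO_PA2 auto-key ipsec-crypto-profile Phrase2
set network tunnel ipsec VPN_PA1_TO_PA2 auto-key proxy-id Peer-1 local 10.145.41.0/24 remote 192.168.10.0/24 protocol any

# 5.1.9 security policy in both directions, limited to the two LAN subnets
set rulebase security rules LAN_TO_VPN from LAN to VPN source PA1_LAN destination PA2_LAN application any service application-default action allow
set rulebase security rules VPN_TO_LAN from VPN to LAN source PA2_LAN destination PA1_LAN application any service application-default action allow

commit
```

The two rules deliberately name the address objects rather than `any`, so the tunnel only carries the two LAN subnets that the proxy ID also describes; a rule with `any` on either side would be accepted by the firewall but would let a host on the branch LAN reach anything behind Palo Alto Firewall 1.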

5.2. Palo Alto Firewall 2

5.2.1.Create Zone

We need to create zones for VPN connections.

To create go to Network > Zones.

Click Add and create the following information:

  • Name: VPN
  • Type: Layer3
  • Click OK.

Click Commit and OK to save the configuration changes.

5.2.2.Create Address Object

We will create the Address Object for the 2 LAN subnets of Palo Alto Firewall 1 and Palo Alto Firewall 2 devices.

To create go to Object > Addresses.

Click Add and create according to the following parameters.

Palo Alto Firewall 1 LAN:

  • Name: PA1_LAN
  • Type: IP Netmask – 10.145.41.0/24
  • Click OK.

Palo Alto Firewall 2 LAN:

  • Name: PA2_LAN
  • Type: IP Netmask – 192.168.10.0/24
  • Click OK

Click Commit and OK to save the configuration changes.

5.2.3.Create Interface Tunnel

To create go to Network > Interface > Tunnel.

Click Add and create according to the following information:

  • Interface Name: tunnel.1
  • Virtual Router: None
  • Security Zone: VPN
  • Click OK.

Click Commit and OK to save the configuration changes.

5.2.4.Create Virtual Routers

To create Virtual Routers go to Network > Virtual Routers > click Add and configure according to the following information.

Tab Router Settings:

  • Name: VR1
  • Tab General: Click Add and select ports ethernet1/2 (LAN port), ethernet1/1 (internet port) and tunnel.1 (the tunnel used to connect VPN).

Tab Static Routes > IPv4:

Click Add to add static routes and fill in the following information:

  • Name: Route-2
  • Destination: select address objects PA1_LAN
  • Interface: tunnel.1
  • Next Hop: None
  • Click OK.

Click Commit and OK to save the configuration changes.

5.2.5.Create IKE Crypto

We will create the IKE Crypto profile, i.e. Phase 1 of the VPN connection, with the same values as on Palo Alto Firewall 1.

To create it, go to Network > IKE Crypto, click Add and configure the following:

  • Name: Phrase1
  • DH Group: group2
  • Encryption: aes-256-cbc
  • Authentication: sha256
  • Key Lifetime: Seconds – 5400
  • Click OK

Click Commit and OK to save the configuration changes.

5.2.6.Create IPSec Crypto

To create IPSec Crypto go to Network > IPSec Crypto and click Add.

Configure according to the following parameters:

  • Name: Phrase2
  • IPSec Protocol: ESP
  • Encryption: aes-128-cbc
  • Authentication: sha256
  • DH Group: no-pfs
  • Lifetime: Seconds – 3600
  • Click OK.

Click Commit and OK to save the configuration changes.

5.2.7.Create IKE Gateways

To create go to Network > IKE Gateways and click Add.

Configure the following parameters:

Tab General:

  • Name: IKE
  • Version: IKEv1 only mode
  • Address Type: IPv4
  • Interface: ethernet1/1 (Palo Alto Firewall 2’s WAN port)
  • Local IP Address: 172.16.31.253/24
  • Peer Address: Enter Palo Alto Firewall 1’s WAN IP as 172.16.31.254
  • Authentication: Pre-shared Key
  • Pre-shared key: enter the connection password (this password must be the same as the password set on Palo Alto Firewall 1)
  • Confirm Pre-shared key: re-enter the connection password

Tab Advanced Options:

  • Exchange mode: select main.
  • IKE Crypto Profile: select Phrase1.
  • Click OK.

Click Commit and OK to save the configuration changes.

5.2.8.Create IPSec Tunnels

Now we will start creating a VPN connection with the Palo Alto Firewall 1 device.

To create go to Network > IPSec Tunnels and click Add.

Create with the following information.

Tab General:

  • Name: VPN_PA2_TO_PA1
  • Tunnel Interface: tunnel.1
  • Type: Auto Key
  • Address Type: IPv4
  • IKE Gateways: IKE
  • IPSec Crypto Profile: Phrase2

Tab Proxy IDs:

Click Add and configure the following information:

  • Proxy ID: Peer-1
  • Local: 192.168.10.0/24
  • Remote: 10.145.41.0/24
  • Protocol: Any
  • Click OK.

Click Commit and OK to save the configuration changes.

5.2.9.Create Policy

We need to create a policy that allows traffic from Palo Alto Firewall 2's LAN subnet to reach Palo Alto Firewall 1's LAN subnet and vice versa.

To create a policy go to Policies > Security and click Add.

Create a policy that allows traffic from the LAN subnet of Palo Alto Firewall 2 to reach the LAN subnet of Palo Alto Firewall 1 with the following information:

Tab General:

  • Name: LAN_TO_VPN
  • Rule Type: universal (default)

Tab Source:

  • Source Zone: Click Add and select LAN zone
  • Source Address: Click Add and select PA2_LAN (PA2_LAN is the Address Object we created earlier)

Tab Destination:

  • Destination Zone: VPN
  • Destination Address: PA1_LAN (this is the Address Object created at first)

Tab Action:

  • Action: select Allow.
  • Click OK.

Next, click Add and create a policy that allows traffic from the LAN subnet of Palo Alto Firewall 1 to reach the LAN subnet of Palo Alto Firewall 2 with the following information:

Tab General:

  • Name: VPN_TO_LAN
  • Rule Type: universal (default)

Tab Source:

  • Source Zone: Click Add and select VPN zone
  • Source Address: Click Add and select PA1_LAN (PA1_LAN is the Address Object we created earlier)

Tab Destination:

  • Destination Zone: LAN
  • Destination Address: PA2_LAN (this is the Address Object created at the beginning)

Tab Action:

  • Action: select Allow.
  • Click OK.

Click Commit and OK to save the configuration changes.

5.3.Result

After configuring IPSec VPN Site to Site on both devices, the VPN connections should show up as follows.

On Palo Alto Firewall 1, the interface icon in the Status column is green, which means the tunnel interface is up; it does not mean the tunnel has been negotiated.

The connection to Palo Alto Firewall 2 has not been established yet, which is shown by the two circular icons under Tunnel Info and IKE Info still being red.

Palo Alto Firewall 2 shows the same.

Normally the two devices negotiate the tunnel on their own once traffic is routed into tunnel.1, but if they do not come up by themselves, do the following.

Open the command line interface on both Palo Alto Firewall 1 and Palo Alto Firewall 2 and run these two commands, which initiate Phase 1 and Phase 2 respectively:

  • test vpn ike-sa
  • test vpn ipsec-sa

Run both commands on Palo Alto Firewall 1.

Run both commands on Palo Alto Firewall 2.

After running them, the IPSec VPN connection between the two devices is established.

On Palo Alto Firewall 1 we see that the two circular icons at Tunnel Info and IKE Info have turned green.

On Palo Alto Firewall 2 the same thing happens.
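A check sequence from the PAN-OS operational CLI, added as an example and not part of the original article, that goes one step beyond the two `test` commands above: it forces the negotiation for the specific gateway and tunnel, then shows the state of each phase so a failure can be pinned to Phase 1 or Phase 2. The gateway name `IKE`, the tunnel name `VPN_PA1_TO_PA2` and the interface addresses are the ones configured above; run the same on Palo Alto Firewall 2 with `VPN_PA2_TO_PA1` and the addresses swapped. Lines starting with `#` are annotations, not commands.

```text
# Added example: operational-mode checks on Palo Alto Firewall 1 (not from the original article)

# Bring up Phase 1 and Phase 2 for this gateway/tunnel instead of waiting for interesting traffic
test vpn ike-sa gateway IKE
test vpn ipsec-sa tunnel VPN_PA1_TO_PA2

# Phase 1: expect an established IKE SA with peer 172.16.31.253
show vpn ike-sa gateway IKE

# Phase 2: expect inbound/outbound SPIs for the tunnel; an empty result with Phase 1 up
# almost always means the proxy IDs do not mirror each other on the two firewalls
show vpn ipsec-sa tunnel VPN_PA1_TO_PA2

# Per-tunnel state (SPIs, lifetimes, encap/decap counters); counters that only grow on one
# side point at a routing or security-policy problem rather than a crypto problem
show vpn flow name VPN_PA1_TO_PA2

# Data-plane check from the firewall itself, sourced from its LAN address so it matches
# the proxy ID 10.145.41.0/24 -> 192.168.10.0/24
ping source 10.145.41.1 host 192.168.10.1

# If Phase 1 never completes, the IKE daemon log names the mismatch (proposal, PSK, peer ID)
less mp-log ikemgr.log
```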

After the connection is established, techbast uses two Windows 10 computers, one at each site, to test communication through the VPN.

At the Head Office site the Windows 10 machine has IP 10.145.41.100/24.

At the Branch Office site the Windows 10 machine has IP 192.168.10.100/24.

Ping from the Windows 10 machine 10.145.41.100/24 at Head Office to the Windows 10 machine 192.168.10.100/24 at Branch Office succeeds.

Similarly, ping from the Windows 10 machine 192.168.10.100/24 at Branch Office to the Windows 10 machine 10.145.41.100/24 at Head Office succeeds.
