How to configure IPSec VPN Site to Site using Digital Certificate between 2 Palo Alto devices with WAN IP as static IP

1.The purpose of the article

In this article, techbast guides you through configuring an IPSec VPN Site to Site using a Digital Certificate between two Palo Alto devices, where the WAN IP on both devices is a static IP.

2.Diagram

Details:

Head Office:

  • Internet connection configured at ethernet port1/1 with static IP of 172.16.31.254.
  • The LAN is configured at the ethernet1/2 port with IP 10.145.41.1/24 and has been configured with DHCP to allocate IPs to the devices connected to it.

Branch Office:

  • Internet connection configured at ethernet port1/1 with static IP of 172.16.31.253.
  • The LAN is configured at the ethernet1/2 port with IP 192.168.10.1/24 and has been configured with DHCP to allocate IPs to the devices connected to it.

3.Scenario

We will configure an IPSec VPN Site-to-Site using a Digital Certificate between the two devices, Palo Alto Firewall 1 and Palo Alto Firewall 2, so that the LAN subnets of both sites, 10.145.41.0/24 and 192.168.10.0/24, can reach each other.

4.What to do

Palo Alto Firewall 1:

  • Create VPN zone.
  • Create Address Object.
  • Create tunnel interface.
  • Create Virtual Routers.
  • Create IKE Crypto.
  • Create IPSec Crypto.
  • Create Certificate VPN.
  • Create IKE Gateways.
  • Create IPSec Tunnels.
  • Create policy.

Palo Alto Firewall 2:

  • Create VPN zone.
  • Create Address Object.
  • Create tunnel interface.
  • Create Virtual Routers.
  • Create IKE Crypto.
  • Create IPSec Crypto.
  • Import and create Certificate VPN.
  • Create IKE Gateways.
  • Create IPSec Tunnels.
  • Create policy.

Result

5.Configuration

5.1. Palo Alto Firewall 1

5.1.1.Create Zone

We need to create zones for VPN connections.

To create go to Network > Zones.

Click Add and create the following information:

  • Name: VPN
  • Type: Layer3
  • Click OK.

Click Commit and OK to save the configuration changes.

5.1.2.Create Address Object

We will create Address Objects for the two LAN subnets of Palo Alto Firewall 1 and Palo Alto Firewall 2.

To create, go to Object > Addresses.

Click Add and create with the following parameters.

Palo Alto Firewall 1 LAN:

  • Name: PA1_LAN
  • Type: IP Netmask – 10.145.41.0/24
  • Click OK to save.

Palo Alto Firewall 2 LAN:

  • Name: PA2_LAN
  • Type: IP Netmask – 192.168.10.0/24
  • Click OK to save.

Click Commit and OK to save the configuration changes.

5.1.3.Create Interface Tunnel

To create go to Network > Interface > Tunnel.

Click Add and create according to the following information:

  • Interface Name: tunnel.1
  • Virtual Router: None
  • Security Zone: VPN
  • Click OK.

Click Commit and OK to save the configuration changes.

5.1.4.Create Virtual Routers

To create Virtual Routers go to Network > Virtual Routers > click Add and configure according to the following information.

Tab Router Settings:

  • Name: VR1
  • Tab General: Click Add and select ports ethernet1/2 (LAN port), ethernet1/1 (internet port) and tunnel.1 (the tunnel used to connect VPN).

Tab Static Routes > IPv4:

Click Add to add static routes and fill in the following information:

  • Name: Route-2
  • Destination: select address objects PA2_LAN
  • Interface: tunnel.1
  • Next Hop: None
  • Click OK 2 times.

Click Commit and OK to save the configuration changes.

5.1.5.Create IKE Crypto

We will create the IKE Crypto profile (the Phase 1 parameters) for the VPN connection.

To create, go to Network > IKE Crypto click Add and create according to the following information:

  • Name: Phrase1
  • DH Group: group2
  • Encryption: aes-256-cbc
  • Authentication: sha256
  • Key Lifetime: Seconds – 5400
  • Click OK

Click Commit and OK to save the configuration changes.

5.1.6.Create IPSec Crypto

To create IPSec Crypto go to Network > IPSec Crypto and click Add.

Configure according to the following parameters:

  • Name: Phrase2
  • IPSec Protocol: ESP
  • Encryption: aes-128-cbc
  • Authentication: sha256
  • DH Group: no-pfs
  • Lifetime: Seconds – 3600
  • Click OK.

Click Commit and OK to save the configuration changes.

5.1.7.Create Certificate VPN

To create a certificate go to Device > Certificate Management > Certificates.

Click Generate and generate with the following information:

  • Certificate Name: VPN_Cert.
  • Common Name: VPN_Cert.
  • Tick Certificate Authority.
  • Click Generate.

After successfully creating, left-click on the newly created VPN_Cert and click Export.

The Export Certificate – VPN_Cert dialog appears; fill in the following information to export this certificate to your computer:

  • File Format: select Base64 Encoded Certificate (PEM)
  • Tick Export private key.
  • Passphrase: enter your password.
  • Confirm Passphrase: re-enter password.
  • Click OK to save this certificate to your computer.

Next, we click Generate to generate an additional certificate with the following parameters:

  • Certificate Name: PA1_VPN.
  • Common Name: PA1_VPN.
  • Signed by: select VPN_Cert from drop-down list.
  • Click Generate.

Click Commit and OK to save the configuration changes.

5.1.8.Create IKE Gateways

To create go to Network > IKE Gateways and click Add.

Configure according to the following parameters:

Tab General:

  • Name: IKE
  • Version: IKEv1 only mode
  • Address Type: IPv4
  • Interface: ethernet1/1 (Palo Alto Firewall 1’s WAN port)
  • Local IP Address: 172.16.31.254/24
  • Peer Address: Enter Palo Alto Firewall 2’s WAN IP as 172.16.31.253
  • Authentication: Certificate
  • Local Certificate: select PA1_VPN.
  • Local Identification: select Distinguished Name (Subject) – select CN=PA1_VPN.
  • Peer Identification: select Distinguished Name (Subject) – enter CN=PA2_VPN (PA2_VPN is the certificate that will be generated at Palo Alto Firewall 2 in the next section).
  • Peer ID Check: select Exact.
  • Select Permit peer identification and certificate payload identification mismatch.
  • Certification profile: at the drop-down list click New Certificate Profile to create with the following information.
  • Name: PA1_Profile.
  • CA Certificates: Click Add and select VPN_Cert.
  • Click OK to save the Certificate Profile table.

Tab Advanced Options:

  • Exchange mode: select main.
  • IKE Crypto Profile: select Phrase1.
  • Click OK.

Click Commit and OK to save the configuration changes.

5.1.9.Create IPSec Tunnels

Now we will start creating a VPN connection with the Palo Alto Firewall 2 device.

To create go to Network > IPSec Tunnels and click Add.

Create with the following information.

Tab General:

  • Name: VPN_PA1_TO_PA2
  • Tunnel Interface: tunnel.1
  • Type: Auto Key
  • Address Type: IPv4
  • IKE Gateways: IKE
  • IPSec Crypto Profile: Phrase2

Tab Proxy IDs:

Click Add and configure the following information:

  • Proxy ID: Peer-1
  • Local: 10.145.41.0/24
  • Remote: 192.168.10.0/24
  • Protocol: Any
  • Click OK.

Click Commit and OK to save the configuration changes.

5.1.10.Create Policy

We need to create a policy that allows traffic from Palo Alto Firewall 1’s LAN subnet to pass through Palo Alto Firewall 2’s LAN subnet and vice versa.

To create a policy go to Policies > Security and click Add.

Create a policy that allows traffic from the LAN subnet of Palo Alto Firewall 1 to pass through the LAN subnet of Palo Alto Firewall 2 with the following information:

Tab General:

  • Name: LAN_TO_VPN
  • Rule Type: universal (default)

Tab Source:

  • Source Zone: Click Add and select LAN zone
  • Source Address: Click Add and select PA1_LAN (PA1_LAN is the Address Object we created earlier)

Tab Destination:

  • Destination Zone: VPN
  • Destination Address: PA2_LAN (this is the Address Object created at first)

Tab Action:

  • Action: select Allow.
  • Click OK.

Next, we will click Add and create a policy that allows traffic to go from the LAN subnet of Palo Alto Firewall 2 to the LAN subnet of Palo Alto Firewall 1 with the following information:

Tab General:

  • Name: VPN_TO_LAN
  • Rule Type: universal (default)

Tab Source:

  • Source Zone: press Add and select VPN
  • Source Address: Click Add and select PA2_LAN (PA2_LAN is the Address Object we created earlier)

Tab Destination:

  • Destination Zone: LAN
  • Destination Address: PA1_LAN (this is the Address Object created at first)

Tab Action:

  • Action: select Allow.
  • Click OK.

5.2. Palo Alto Firewall 2

5.2.1.Create Zone

We need to create zones for VPN connections.

To create go to Network > Zones.

Click Add and create the following information:

  • Name: VPN
  • Type: Layer3
  • Click OK.

Click Commit and OK to save the configuration changes.

5.2.2.Create Address Object

We will create the Address Object for the 2 LAN subnets of Palo Alto Firewall 1 and Palo Alto Firewall 2 devices.

To create go to Object > Addresses.

Click Add and create according to the following parameters.

Palo Alto Firewall 1 LAN:

  • Name: PA1_LAN
  • Type: IP Netmask – 10.145.41.0/24
  • Click OK.

Palo Alto Firewall 2 LAN:

  • Name: PA2_LAN
  • Type: IP Netmask – 192.168.10.0/24
  • Click OK

Click Commit and OK to save the configuration changes.

5.2.3.Create Interface Tunnel

To create go to Network > Interface > Tunnel.

Click Add and create according to the following information:

  • Interface Name: tunnel.1
  • Virtual Router: None
  • Security Zone: VPN
  • Click OK.

Click Commit and OK to save the configuration changes.

5.2.4.Create Virtual Routers

To create Virtual Routers go to Network > Virtual Routers > click Add and configure according to the following information.

Tab Router Settings:

  • Name: VR1
  • Tab General: Click Add and select ports ethernet1/2 (LAN port), ethernet1/1 (internet port) and tunnel.1 (the tunnel used to connect VPN).

Tab Static Routes > IPv4:

Click Add to add static routes and fill in the following information:

  • Name: Route-2
  • Destination: select address objects PA1_LAN
  • Interface: tunnel.1
  • Next Hop: None
  • Click OK.

Click Commit and OK to save the configuration changes.

5.2.5.Create IKE Crypto

We will create the IKE Crypto profile (the Phase 1 parameters) for the VPN connection.

To create, go to Network > IKE Crypto click Add and create according to the following information:

  • Name: Phrase1
  • DH Group: group2
  • Encryption: aes-256-cbc
  • Authentication: sha256
  • Key Lifetime: Seconds – 5400
  • Click OK

Click Commit and OK to save the configuration changes.

5.2.6.Create IPSec Crypto

To create IPSec Crypto go to Network > IPSec Crypto and click Add.

Configure according to the following parameters:

  • Name: Phrase2
  • IPSec Protocol: ESP
  • Encryption: aes-128-cbc
  • Authentication: sha256
  • DH Group: no-pfs
  • Lifetime: Seconds – 3600
  • Click OK.

Click Commit and OK to save the configuration changes.

5.2.7.Import and create Certificate VPN.

The first step is to import the VPN_Cert certificate we just exported from Palo Alto Firewall 1 into Palo Alto Firewall 2.

To import go to Device > Certificate Management > Certificates.

Click Import and configure with the following information:

  • Certificate Type: Select Local.
  • Certificate Name: VPN_Cert.
  • Certificate File: Click Browse… and select VPN_Cert certificate downloaded from Palo Alto Firewall 1.
  • Select Import private key.
  • Passphrase: enter the same password as entered when creating VPN_Cert at Palo Alto Firewall 1.
  • Confirm Passphrase: re-enter the above password.
  • Click OK.

Next, click Generate to generate a certificate with the following information:

  • Certificate Name: PA2_VPN.
  • Common Name: PA2_VPN.
  • Signed By: select VPN_Cert from drop-down list.
  • Click Generate.

Click Commit and OK to save the configuration changes.

5.2.8.Create IKE Gateways

To create go to Network > IKE Gateways and click Add.

Configure according to the following parameters:

Tab General:

  • Name: IKE
  • Version: IKEv1 only mode
  • Address Type: IPv4
  • Interface: ethernet1/1 (Palo Alto Firewall 2’s WAN port)
  • Local IP Address: 172.16.31.253/24
  • Peer Address: Enter Palo Alto Firewall 1’s WAN IP as 172.16.31.254
  • Authentication: Certificate
  • Local Certificate: select PA2_VPN.
  • Local Identification: select Distinguished Name (Subject) – select CN=PA2_VPN.
  • Peer Identification: select Distinguished Name (Subject) – type CN=PA1_VPN (PA1_VPN is the certificate generated at Palo Alto Firewall 1).
  • Peer ID Check: select Exact.
  • Select Permit peer identification and certificate payload identification mismatch.
  • Certification profile: at the drop-down list click New Certificate Profile to create with the following information.
  • Name: PA2_Profile.
  • CA Certificates: Click Add and select VPN_Cert.
  • Click OK to save Certificate Profile table.

Tab Advanced Options:

  • Exchange mode: select main.
  • IKE Crypto Profile: select Phrase1.
  • Click OK.

Click Commit and OK to save the configuration changes.

5.2.9.Create IPSec Tunnels

Now we will start creating a VPN connection with the Palo Alto Firewall 1 device.

To create go to Network > IPSec Tunnels and click Add.

Create with the following information.

Tab General:

  • Name: VPN_PA2_TO_PA1
  • Tunnel Interface: tunnel.1
  • Type: Auto Key
  • Address Type: IPv4
  • IKE Gateways: IKE
  • IPSec Crypto Profile: Phrase2

Tab Proxy IDs:

Click Add and configure the following information:

  • Proxy ID: Peer-1
  • Local: 192.168.10.0/24
  • Remote: 10.145.41.0/24
  • Protocol: Any
  • Click OK.

Click Commit and OK to save the configuration changes.

5.2.10.Create Policy

We need to create a policy that allows traffic from Palo Alto Firewall 1’s LAN subnet to pass through Palo Alto Firewall 2’s LAN subnet and vice versa.

To create a policy go to Policies > Security and click Add.

Create a policy that allows traffic from the LAN subnet of Palo Alto Firewall 2 to pass through to the LAN subnet of Palo Alto Firewall 1 with the following information:

Tab General:

  • Name: LAN_TO_VPN
  • Rule Type: universal (default)

Tab Source:

  • Source Zone: press Add and select LAN zone
  • Source Address: Click Add and select PA2_LAN (PA2_LAN is the Address Object we created earlier)

Tab Destination:

  • Destination Zone: VPN
  • Destination Address: PA1_LAN (this is the Address Object created at first)

Tab Action:

  • Action: select Allow.
  • Click OK.

Next, we will click Add and create a policy that allows traffic to go from the LAN subnet of Palo Alto Firewall 1 to the LAN subnet of Palo Alto Firewall 2 with the following information:

Tab General:

  • Name: VPN_TO_LAN
  • Rule Type: universal (default)

Tab Source:

  • Source Zone: Click Add and select VPN zone
  • Source Address: Click Add and select PA1_LAN (PA1_LAN is the Address Object we created earlier)

Tab Destination:

  • Destination Zone: LAN
  • Destination Address: PA2_LAN (this is the Address Object created at the beginning)

Tab Action:

  • Action: select Allow.
  • Click OK.

5.3.Result

After configuring IPSec VPN Site to Site on both devices, the VPN connections should show up as follows.

On Palo Alto Firewall 1, the network port icon in the Status column is green, which means this IPSec tunnel interface is up.

However, the connection to Palo Alto Firewall 2 has not yet been established: the two circular icons under Tunnel Info and IKE Info are still red.

Palo Alto Firewall 2 shows the same state as Palo Alto Firewall 1.

Normally the Palo Alto devices will bring the connection up automatically, but if they do not negotiate with each other on their own, we need to do the following.

Access the command line interface of both Palo Alto Firewall 1 and Palo Alto Firewall 2 and type 2 commands as follows:

  • test vpn ike-sa
  • test vpn ipsec-sa

Execute 2 commands on Palo Alto Firewall 1.

Execute 2 commands on Palo Alto Firewall 2.

After executing the above 2 commands we will see that the IPSec VPN connection between the two devices has been established.

On Palo Alto Firewall 1 we see that the two circular icons at Tunnel Info and IKE Info have turned green.

On Palo Alto Firewall 2 the same thing happens.

After successfully establishing the connection, techbast will use two Windows 10 computers, one at each site, to test communication through the VPN connection.

At the Head Office site the Windows 10 machine has IP 10.145.41.100/24.

At the Branch Office site the Windows 10 machine has IP 192.168.10.100/24.

The ping from the Windows 10 machine with IP 10.145.41.100/24 at Head Office to the Windows 10 machine with IP 192.168.10.100/24 at Branch Office succeeds.

Similarly, the ping from the Windows 10 machine with IP 192.168.10.100/24 at Branch Office to the Windows 10 machine with IP 10.145.41.100/24 at Head Office succeeds.
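When the two circular icons stay red, the usual cause is that the two sides are not exact mirror images of each other (peer address, peer identification with Peer ID Check set to Exact, proxy IDs, or a crypto profile that differs). The script below is an added example, not part of the original article or of PAN-OS; it models both firewalls' IKE Gateway and IPSec Tunnel settings from sections 5.1 and 5.2 in a dict layout of its own and reports every mismatch, including a malformed proxy-ID network.

```python
import ipaddress

# Crypto profiles from sections 5.1.5/5.1.6; they are the same on both firewalls.
IKE_CRYPTO = {"dh": "group2", "enc": "aes-256-cbc", "auth": "sha256", "lifetime_s": 5400}
IPSEC_CRYPTO = {"proto": "ESP", "enc": "aes-128-cbc", "auth": "sha256", "dh": "no-pfs", "lifetime_s": 3600}

def site(local_ip, peer_ip, local_id, peer_id, local_net, remote_net,
         ike=IKE_CRYPTO, ipsec=IPSEC_CRYPTO, ca="VPN_Cert"):
    """One firewall's IKE Gateway + IPSec Tunnel settings (dict layout is this script's own assumption)."""
    return {"local_ip": local_ip, "peer_ip": peer_ip, "local_id": local_id, "peer_id": peer_id,
            "ike": ike, "ipsec": ipsec, "ca": ca, "version": "ikev1", "exchange": "main",
            "proxy": {"local": local_net, "remote": remote_net}}

# Values as configured in sections 5.1.8/5.1.9 and 5.2.8/5.2.9.
PA1 = site("172.16.31.254", "172.16.31.253", "CN=PA1_VPN", "CN=PA2_VPN",
           "10.145.41.0/24", "192.168.10.0/24")
PA2 = site("172.16.31.253", "172.16.31.254", "CN=PA2_VPN", "CN=PA1_VPN",
           "192.168.10.0/24", "10.145.41.0/24")

def parse_net(text):
    """Strict parse so a typo such as '10,145.41.0/24' is reported instead of silently accepted."""
    try:
        return ipaddress.ip_network(text, strict=True)
    except ValueError:
        return None

def check_pair(a, b):
    """Return the list of mismatches between the two sides; an empty list means they agree."""
    problems = []
    # What one side configures as 'peer' must equal what the other presents as 'local'
    # (Peer ID Check is set to Exact, so the DN strings are compared verbatim).
    for mine, theirs, what in (("peer_ip", "local_ip", "peer address"),
                               ("peer_id", "local_id", "peer identification")):
        for x, y, pair in ((a, b, "A->B"), (b, a, "B->A")):
            if x[mine] != y[theirs]:
                problems.append(f"{what} mismatch ({pair}): {x[mine]!r} vs {y[theirs]!r}")
    # Proxy IDs must be valid networks and mirror images of each other.
    nets = {(s, k): parse_net(c["proxy"][k]) for s, c in (("A", a), ("B", b)) for k in ("local", "remote")}
    for (s, k), n in nets.items():
        if n is None:
            problems.append(f"proxy ID {k} on {s} is not a valid network: {eval('a' if s == 'A' else 'b', {'a': a, 'b': b})['proxy'][k]!r}")
    if None not in nets.values() and (nets["A", "local"] != nets["B", "remote"]
                                      or nets["A", "remote"] != nets["B", "local"]):
        problems.append("proxy IDs are not mirrored between the two sides")
    # Crypto profiles, IKE version, exchange mode and trust anchor must be identical.
    for key in ("ike", "ipsec", "version", "exchange", "ca"):
        if a[key] != b[key]:
            problems.append(f"{key} differs: {a[key]!r} vs {b[key]!r}")
    return problems

if __name__ == "__main__":
    for line in check_pair(PA1, PA2) or ["OK: both sides agree"]:
        print(line)
```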
