Configure Site-to-site IPSEC VPN Tunnel in Palo Alto Firewall

Captions
Hello everyone, this is Koshal, and in this video I will show you how to configure an IPsec VPN site-to-site tunnel between two Palo Alto firewalls. Okay, so this is how my current setup is in my lab. I have this Palo Alto PA1, and there is a loopback interface created for the LAN, and this is Palo Alto firewall 2, and it has two loopback interfaces connected to it. Both the firewalls in the lab are connected via the ethernet1/2 interface; they are directly connected, but still I'll create a VPN tunnel between them, and the goal is to allow the traffic from the loopback interface on firewall 1 to reach the loopback interfaces on firewall 2. Okay, so this is how the setup is, so let me minimize this setup and put it here at the bottom.

Okay, now this is my firewall 1, and I'll just show you the interfaces. It is ethernet1/2 which is connected to the other firewall, and it has one loopback interface. This firewall is running version 9.1, and this is my firewall 2, which is running the latest 10.0 version, and it has this ethernet1/2 interface which is connected to the other firewall, and it has two loopback interfaces.

Okay, so in Palo Alto firewalls we have only the concept of route-based VPNs; there is no concept of policy-based VPN. So in a route-based VPN you need to create a tunnel interface for each tunnel. So let me start with that on firewall 1. You just go to Network > Interfaces > Tunnel and create a new tunnel interface. This is a logical interface. I will give it a name, tunnel.2, select a virtual router (default only), and for the security zone let me create a separate zone for my IPsec tunnel traffic. Let me give it a name, ipsec vpn, and just click on OK. So a new zone is created and has been assigned to this interface. You know, you don't need to give IP addresses to this tunnel if you don't want a dynamic routing protocol or NATting for the tunnel traffic. Okay, so that's it, I'll create one. Okay, so my tunnel interface is created.

Now let's go to my VPN gateway. So, before that, I will create the algorithms, okay, so phase 1 cryptos and phase 2 cryptos. So this is the phase 1 crypto. You can choose the default one also, but for the demonstration I'll create a new one and I'll just name it IKE crypto. I will select Diffie-Hellman group 2, authentication as SHA2, and encryption as AES-256. Okay, you can choose whatever your requirement is; the only thing is it should match on both the sides. And the lifetime I'll keep as default. This is the phase 1 crypto, and this will be the phase 2 crypto, here, IPsec crypto. So here also you can use the default one or create a new one. For encryption I will use AES-256, for authentication I will use SHA2. Now the DH group: either you can keep the PFS as disabled if you don't want to enable PFS. PFS is perfect forward secrecy. What this will do is, if you enable the PFS, it will create new symmetric keys to encrypt the data after the VPN tunnel is formed. Okay, and if you don't select this, which means if you put no PFS, then it will use the same symmetric keys which were generated during phase 1 to encrypt the data as well. Okay, so doing the PFS is more secure, since it creates a new set of keys, so I will select that. So these are the cryptos.

Now let's create the VPN configuration. So you go to Network > Network Profiles > IKE Gateways and create a new one. So this is your phase 1 gateway, and what I'll do is I'll name it with the public IP of the peer firewall. In my case it is private, but usually I name it with the IP itself. So this is my peer IP in the lab setup. Version I will keep as IKEv1. The interface: this is your outgoing interface which is connected to the internet, through which you want to form the tunnel. In my case it is ethernet1/2, and this is the IP of ethernet1/2. Now peer type: either you could mention an IP address, or you can mention an FQDN, or you can put it as dynamic, which will require the use of a peer ID. This is when you create dynamic, when the peer IP is a fluctuating IP which is not a static IP, right. Okay, so in my case it's static, so I'll just paste it here. Authentication: either you can authenticate the peers through a pre-shared key, or you can use certificate-based authentication. So right now I'll stick with the pre-shared key. Let's go to the advanced options. Mode I'll choose main mode because that is more secure, and the crypto, which is the phase 1 crypto which we selected. Okay, you need to enable NAT traversal when there is a NATting device in between these two gateways. Okay, right now I don't need to select that. So this is your phase 1.

So now let's go to phase 2, which is here, IPsec Tunnels. Okay, let me give it a name, say ipsec-. Now here you need to select the tunnel interface which you created at the start, and also the phase 1 gateway and the phase 2 cryptos which you created. Let's see the advanced options. If you want to monitor this tunnel, which is required where you have redundant tunnels, like multiple tunnels for the same destination, then you can select the tunnel monitor. And these are the proxy IDs. Proxy IDs are required when you form a VPN tunnel between Palo Alto and a non-Palo Alto device which doesn't support route-based VPN, for example Cisco ASA, which does a policy-based VPN, right. So in that case you would need to enter proxy IDs, but in my case, since the VPN tunnel is between two Palo Alto firewalls only, I don't need proxy IDs, but still, for demonstration purposes, I will create them; there is no harm in it. So basically you need to put your local LAN subnet in the local, which is... sorry, it's not 30.1, it is 1.1, okay, and also the remote subnets, which is 2.1 in my case. Okay, and you need to repeat it for all the interesting traffic which will be going through the tunnel. Okay, so I just want to reach these two subnets on the remote end, so I'll just put two proxy IDs. So on the other end the proxy IDs will be just the reverse of this. Okay, so my phase 2 is created.

The next step would be to create routes. So you go to Virtual Routers, select the virtual router, and go to Static Routes. Okay, let's create new routes for the tunnel traffic. So here you need to mention the destination which you want to reach on the remote end. So in my case it is 2.1. The interface would be the tunnel interface which you created, and the next hop would be none. So from this route we are instructing the firewall that if the traffic for this destination comes, you need to send it to this VPN tunnel and not to the normal data interfaces. I need to create one more, so I'll just clone that one. Okay, so these are the routes. So the routing is done.

The next step would be creating security policies to allow that traffic. So let me create a new security policy and name it like "ipsec vpn allow". The source zone would be your LAN-side zone, which is the trust zone, and the IPs will be your LAN subnets; in my case it is this. The destination zone will be the zone of the tunnel interface. Okay, so keep that in mind: for the VPN traffic the destination zone will be the zone which is assigned to your tunnel interface, and the destination address will be the remote LAN subnets. Okay, application and service I'll keep as any, the action will be allow, and logging will be enabled. So this rule will allow traffic from my LAN to initiate the traffic to the peer end. Okay, now I need one more VPN rule in case the other end initiates the traffic and it is received on my end. Okay, so I'll need to create a similar policy in the reverse direction. Okay, so it will be, to be exact, the reverse: the source zone will be the IPsec zone and the source will be the remote subnets, the destination will be the trust zone and the destination subnet will be the local subnets. Okay, so these are the two rules, and make sure that you move the VPN rules to the top so that they don't get shadowed by generic rules. So I've put these rules on the top.

So we are almost done on this firewall, so let me commit it, and while it's committing let's go to the second firewall and do a similar set of configurations here as well. So you need to create a tunnel interface first, so I can create a tunnel.1 here since I don't have any created already. Security zone: let me create a new zone for this VPN. So the next would be the IKE cryptos. Now the cryptos should match on both the sides, okay, otherwise the tunnel will not come up. Next is the phase 2 crypto. So next is the phase 1. So this is the IP of the peer for this firewall. The interface would be the outgoing interface, the peer IP, the same pre-shared key which you entered on the other firewall. Let's look at the advanced options: main mode, the crypto profile, and that's it. Let's go to phase 2 now. Select the tunnel interface, select the IKE gateway and the phase 2 crypto. Let's see the advanced options here. Okay, nothing here. And the proxy IDs, okay, so since I've entered proxy IDs on the other firewall I have to add them on this firewall as well. Okay, so, okay, looks good, so let me click on OK. So the IPsec tunnel is also done. Now let us create the static routes. Okay, we create a new one, select the tunnel.1 interface, and the next hop will be none. Okay, so only this subnet I need to reach on the other end, so in my case there is only one static route for the tunnel interface. Okay, so the routing is done. The next step would be policies, security policies, and one in the reverse direction. Okay, and let me move it to the top. So these are on the top. Policies are done, so let me commit it.

Okay, the commit is done, so let me go to the IPsec tunnels and let's see. Yeah, this has turned green, so this means the tunnel has come up. Okay, and let's go to this firewall also and check. Go to IPsec tunnels, and yep, these are also up. So the tunnels are up on both the sides. If you don't see the tunnels as up yet, then you need to pass some traffic through the tunnel to let the firewalls initiate the VPN negotiations, because without the traffic the negotiations won't initiate sometimes.

So yeah, so let's go to the CLI and let's see if I can ping the other side. Okay, so this is my firewall 1. Okay, ping from the local loopback to the remote loopback, which is 2.1. Yeah, it's pinging. Let us try to ping the other interface on the other end. Yeah, this is also pingable. Okay, let's verify the same thing on the second firewall: ping with the local loopback IP to the remote loopback IP. Yep, it's pinging. Let's check from the other interface as well. Yeah, this is also pinging. So let's verify this thing in the Monitor, in the logs, also. Okay, so I've already selected the... okay, let me clear this, and let us see traffic from my trust side. To filter I'll just click on this so that it gets filtered, and to the destination zone, which is the IPsec zone. So this is the from zone, this is the to zone, and this is our traffic, okay, the ping traffic which we sent, and it is going through the rule which we created, right; it is being allowed. Yeah, so if you want to see the same thing in the reverse direction, just change this to destination and change this to source, and then we would see the pings from the other side, right. So these are the pings from the other side, and it is taking the correct rule as well. So the logs are also verified.

So that's it, guys. This is the basic VPN configuration, you know, to set up the tunnel, and in the following video what I'll do is I will enable OSPF between these two peers and I will advertise the tunnel route through OSPF instead of configuring the static routes. So if you are interested you can see my next video. Just after that, with the same setup, I will be using OSPF between these two firewalls so that I don't need to create any static routes. So I hope it was useful. Thank you for watching.
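The video repeats two rules that decide whether the tunnel comes up at all: the phase 1 and phase 2 crypto profiles must be identical on both firewalls, and any proxy IDs entered on one end must appear reversed (local and remote swapped) on the other. The script below is an added example, not code from the video or from Palo Alto Networks; it models the two ends as plain dataclasses (the IPs and subnets are constructed lab values, not the ones in the video) and performs that consistency check before you commit, reporting hard mismatches separately from advisory warnings about the weaker choices the video happens to use (IKEv1, DH group 2).

```python
"""Added example: pre-commit consistency check for a two-ended IPsec site-to-site config.

Not from the video; the addressing below is constructed (RFC 5737 / RFC 1918 lab values).
"""
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class ProxyId:
    """One proxy-ID entry as typed under IPsec Tunnels > Proxy IDs (local subnet, remote subnet)."""
    local: str
    remote: str

    def mirrored(self) -> "ProxyId":
        # The entry the peer must carry for this one: local and remote swapped.
        return ProxyId(local=self.remote, remote=self.local)


@dataclass(frozen=True)
class VpnEnd:
    """The parts of one firewall's IKE gateway + IPsec tunnel that must line up with the peer."""
    name: str
    local_ip: str                  # IP of the outgoing interface (ethernet1/2 in the video)
    peer_ip: str                   # peer IP configured in the IKE gateway
    ike_version: str               # "ikev1" or "ikev2"
    ike_mode: str                  # "main" or "aggressive" (only meaningful for IKEv1)
    psk: str
    ike_crypto: Dict[str, str]     # phase 1 profile: dh_group, auth, enc
    ipsec_crypto: Dict[str, str]   # phase 2 profile: enc, auth, pfs_group ("none" = PFS off)
    proxy_ids: FrozenSet[ProxyId]


WEAK_DH_GROUPS = {"group1", "group2", "group5"}   # 768/1024/1536-bit MODP


def _norm(value: str) -> str:
    return value.strip().lower()


def _diff_profiles(label: str, left: Dict[str, str], right: Dict[str, str],
                   a_name: str, b_name: str, errors: List[str]) -> None:
    # Compare a crypto profile key by key; a single differing field blocks the SA.
    for key in sorted(set(left) | set(right)):
        l, r = _norm(left.get(key, "<unset>")), _norm(right.get(key, "<unset>"))
        if l != r:
            errors.append(f"{label} {key} mismatch: {a_name}={l} {b_name}={r}")


def check_pair(a: VpnEnd, b: VpnEnd) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings). Errors mean the tunnel will not negotiate; warnings are advisory."""
    errors: List[str] = []
    warnings: List[str] = []

    # Addressing must be symmetric: my peer IP is your outgoing-interface IP and vice versa.
    if a.peer_ip != b.local_ip:
        errors.append(f"{a.name} peer IP {a.peer_ip} != {b.name} local IP {b.local_ip}")
    if b.peer_ip != a.local_ip:
        errors.append(f"{b.name} peer IP {b.peer_ip} != {a.name} local IP {a.local_ip}")

    if a.psk != b.psk:
        errors.append("pre-shared key differs between the two ends")
    if _norm(a.ike_version) != _norm(b.ike_version):
        errors.append(f"IKE version mismatch: {a.ike_version} vs {b.ike_version}")
    elif _norm(a.ike_version) == "ikev1" and _norm(a.ike_mode) != _norm(b.ike_mode):
        errors.append(f"IKEv1 exchange mode mismatch: {a.ike_mode} vs {b.ike_mode}")

    _diff_profiles("IKE crypto", a.ike_crypto, b.ike_crypto, a.name, b.name, errors)
    _diff_profiles("IPsec crypto", a.ipsec_crypto, b.ipsec_crypto, a.name, b.name, errors)

    # Proxy IDs: every (local, remote) pair on one side must exist swapped on the other.
    order = lambda p: (p.local, p.remote)
    for missing in sorted({p.mirrored() for p in a.proxy_ids} - b.proxy_ids, key=order):
        errors.append(f"{b.name} lacks proxy ID local={missing.local} remote={missing.remote}")
    for missing in sorted({p.mirrored() for p in b.proxy_ids} - a.proxy_ids, key=order):
        errors.append(f"{a.name} lacks proxy ID local={missing.local} remote={missing.remote}")

    # Advisory only: choices that negotiate fine but are weaker than current practice.
    dh = _norm(a.ike_crypto.get("dh_group", ""))
    if dh in WEAK_DH_GROUPS:
        warnings.append(f"IKE DH {dh} is a <=1536-bit MODP group; prefer group14 or higher")
    if _norm(a.ike_version) == "ikev1":
        warnings.append("IKEv1 in use; IKEv2 is preferred where both peers support it")
    if _norm(a.ipsec_crypto.get("pfs_group", "none")) == "none":
        warnings.append("PFS disabled on the phase 2 profile")
    return errors, warnings


def lab_pair() -> Tuple[VpnEnd, VpnEnd]:
    """Constructed lab pair mirroring the video's layout: one LAN behind fw1, two behind fw2."""
    ike = {"dh_group": "group2", "auth": "sha256", "enc": "aes-256-cbc"}
    ipsec = {"enc": "aes-256-cbc", "auth": "sha256", "pfs_group": "group2"}
    fw1 = VpnEnd("fw1", "198.51.100.1", "198.51.100.2", "ikev1", "main", "lab-psk", ike, ipsec,
                 frozenset({ProxyId("10.1.1.0/24", "10.2.1.0/24"),
                            ProxyId("10.1.1.0/24", "10.2.2.0/24")}))
    fw2 = VpnEnd("fw2", "198.51.100.2", "198.51.100.1", "ikev1", "main", "lab-psk", ike, ipsec,
                 frozenset(p.mirrored() for p in fw1.proxy_ids))
    return fw1, fw2


if __name__ == "__main__":
    a, b = lab_pair()
    errs, warns = check_pair(a, b)
    print("errors:", errs or "none")
    print("warnings:", warns or "none")
    # Break phase 2 on one side to see the kind of mismatch that keeps the tunnel red.
    bad = replace(b, ipsec_crypto={**b.ipsec_crypto, "enc": "aes-128-cbc"})
    print("after changing fw2 phase 2 encryption:", check_pair(a, bad)[0])
```

`replace` (from `dataclasses`) is used to produce altered copies of one end, which is the natural way to test "what if the peer typed something different" without mutating the baseline. The check is deliberately symmetric in the proxy-ID test: a missing entry is reported against whichever end lacks it, so the output tells you which firewall to fix.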
Info
Channel: Sec-U-rity
Views: 13,103
Keywords: site-to-site, ipsec, vpn, tunnel, palo alto, firewall, configuration, setup
Id: dut4f5GG7o8
Length: 22min 32sec (1352 seconds)
Published: Wed Sep 16 2020