IPsec site to site tunnel: Palo Alto to Cisco

Captions
I had the opportunity to attend a Palo Alto firewall class last week, and I learned all about these amazing features this device can do, and one of the features I learned was an IPsec tunnel. So I paid special attention to the details of how to set up the tunnel, because what I wanted to do was set up a site-to-site tunnel between a Palo Alto firewall and a Cisco router, so that's exactly what I did. So I wanted to walk you through the quick step-by-step process on how to set up a straightforward IPsec site-to-site tunnel between a Palo Alto firewall and a Cisco router, and let's do it right now.

So a couple of things that you need to do. Number one, you need to create an interface, so you're gonna go under Network and under Interfaces on the Palo Alto box, and you're gonna go to Tunnel interface, and that step number one is to create a new tunnel interface. On Cisco you don't have to specifically define the tunnel, but on the Palo Alto box you do. The other cool thing is if you have two Palo Alto boxes you can also put IP addresses on the tunnel so you can manage the actual tunnel itself, pretty cool. In any event, so you create a tunnel by going to Tunnel interface and clicking on Add. So this is the tunnel I already created, I called it tunnel 1, and I gave it a name, and then I also added it to a virtual router; now in Cisco land that's like a VRF, a virtual routing and forwarding instance. And I also assigned it to a security zone, and that's like on a zone-based firewall, a zone, so this interface is a member of the zone called layer 3 trust. Those are a couple of requirements you have to do.

So once that was in place, step number two was to create an IKE phase 1 and an IKE phase 2 policy with IPsec. Now if you're not comfortable yet with IPsec, go check out my other couple of videos on IPsec site-to-site tunnels, get warmed up to the concepts, and then come back and we'll apply it to this different platform. So here's the IKE phase 1; we call it a crypto isakmp policy in Cisco, and with the Palo Alto they call it, under Network, an IKE crypto network profile. So this IKE crypto profile simply says what do you want to do for phase 1: I want to do Diffie-Hellman group 2, I want to do SHA for data integrity, and encryption AES-128, and my lifetime is gonna be one day. Now, do you know why I specified one day? Because that's what it is by default on a Cisco router, and when I'm working with two different vendors doing a site-to-site tunnel I want to err on the side of caution. So even though two Cisco devices may negotiate to the minimum time value for IKE phase 1, and everything else has to be the same, it may or may not happen between two different vendors, so I'm just erring on the side of caution and choosing that. So that's my IKE phase 1 policy right there.

Next I have to specify my IKE phase 2 policy, my IPsec; this is called the transform set in a Cisco config. So I created a new network profile of IPsec crypto type, and this is what I put in: I said I don't want to use PFS for phase 2 (we could have), and I said I'm gonna use AES-128 for the encryption. This is for the IKE phase 2 tunnel, and we could use virtually anything we wanted to as long as the other side supported it as well. Your IKE phase 2 policies do not have to match your phase 1 policies, they can be completely different, but I chose SHA and AES; I guess I could have mixed them up, but that's what I did for my IKE phase 2.

So once that's all done, we have our IKE phase 1 policy, our IKE phase 2 policy, and we then need to specify our peer, and that's the IKE gateway information. So those three elements are really close together, for convenience's sake. So if we specify our IKE gateway, and now this is one I created a few minutes ago, I named it IKE to Cisco; it would be a Cisco router on the other side. I put the egress interface, that's the interface I'm going to be using that's talking to the public network that I'm building the VPN across, and for the local address I didn't specify... oh, you know what, I had a local address. I'm not gonna change this, so I'm gonna cancel, because when I select the interface it's gonna give you the choice of the IP addresses on that interface; that's the address I have. Then it asked me what kind of peer you're working with; my router, the Cisco router, is a static peer at this address. The pre-shared key I'm using is our PSK, and you'd want to make sure you use the same pre-shared key on both sides, and then I specify just for the local ID and the peer ID that we're gonna be using for IPsec. You could choose the exchange mode, do you want to use main or aggressive, or do you want to have them automatically negotiate it together; I said main mode. And then it said what IKE phase 1 profile do you want to use, and I said I want to use my IKE profile, the one I created right over here that included what I wanted in the IKE phase 1 policies. If I'm the initiator, and if I'm not the initiator, I will use this; that's the policy used to build and negotiate that phase 1. So that's it for my IKE gateway; now once that's done, hit cancel there.

The next thing to do, now that we've created the interface for the tunnel, we created our IKE phase 1 policy and our IKE phase 2 policy right here, and then we specified who our peer's gonna be, the next step is right here under IPSec Tunnels. Now under IPSec Tunnels we're gonna click on Add right here, and I have one I just created a few minutes ago; I call it "to Cisco". What tunnel interface do you want to use? The only one I have is tunnel 1, which I created earlier; that was our first step. And I'm gonna say Auto Key. Now what does that mean? When I see Auto Key I think of a microphone that fixes the tone of your voice when you sing; I guess that's something else. In any event, what Auto Key here means is that you're gonna allow ISAKMP to assist you in dynamically generating and negotiating the tunnels; with a crypto map you can say ISAKMP is what you're gonna use, versus manual, and that's all this is. We're saying here too, we don't want to hard-code and define the ciphers and the keys and everything else; we use Auto Key. The gateway we're gonna use is IKE to Cisco, that's the gateway created right down here, and now it's asking about my IKE phase 2 policy, which is the one I created over here, so I'm just using dropdowns to select those.

Now this is the part that, where the rest took me a few minutes, took me about an hour to figure out and get it right. The proxy IDs have to be added when you're doing a Cisco, at least in my experience when I connect to my Cisco router, and here's what's happening for the proxy IDs I have for my IPsec tunnel: the Palo Alto box has a local network, or local interface, of 5.5.5.5 with a 32-bit mask, and the router, the Cisco router on the far side, has 4.4.4.4 as a loopback address with the /32, and if I didn't add that proxy ID information the IKE phase 2 wouldn't come up for me. So that's one additional step on the Palo Alto side for the proxy IDs, because the Cisco side does that by default: you have a separate SA for each of the remote networks in your crypto ACLs on the Cisco side. So that was my failing point right there, but it's all good now.

Now once it's in place, and it shows that the tunnel is up because I tested this a few minutes ago, we could send traffic over the tunnel, and to do that, this is the command line interface for the Palo Alto box, and if I just do a ping sourcing it from 5.5.5.5 to host 4.4.4.4, that's the network behind the Palo Alto box, actually it's a directly connected interface, going to the loopback on my Cisco router. So we ping that; it's gonna send it and continue to send it and so forth.

Now how do you set up IPsec on the Cisco router side? Well, the good news is I've got another video that I made a year ago up on my YouTube site; you just go grab it and look at it and walk through the steps step by step. However, there is a new GUI tool on the street called Cisco Configuration Professional, and you don't have to love it, but it is being introduced in the CCNA Security new courseware that is now out. So Cisco Configuration Professional is the replacement for SDM; it still uses a lot of the old SDM tools. This is probably the fastest way to create a site-to-site tunnel: by clicking on Configure, going to that device, Site-to-Site, and clicking Launch and having it do it for you. You can also edit your site-to-site tunnel from here as well. So I'm gonna go and get rid of that.

So at the command line, how would we verify the details of our tunnel? Well, on our router we do a show crypto isakmp policy, if I could spell. So there's the crypto isakmp policy that I have, and you'll notice that the details here match what I put over here in the IKE crypto policy on the Palo Alto; that's why they matched. If I want to see if I have a successful IKE phase 1 session in place, we do a show crypto isakmp sa; I like seeing detail, and that'll show me the details of the IKE phase 1 policy, and it shows that it's active, which is great: AES, SHA, pre-shared key for authentication, Diffie-Hellman group 2, which means I brought this tunnel up about 13 minutes ago, because the lifetime was a total of 24 hours to begin with. So that's the IKE phase 1; we'll go through this short version of the show crypto isakmp sa, and there we have the famous QM_IDLE, meaning hey, I'm okay, IKE phase 1's in place, life is good. That's IKE phase 1.

If we want to verify IKE phase 2, we could do a show crypto, for the config part of it, show crypto ipsec transform-set; this is from the Cisco side, and there's our transform set that we set, esp-aes and esp-sha, which equates to the IPsec crypto profile that we configured over on the Palo Alto box, so those fit together. And the crypto map, which ties all that together: we do a show crypto map, but my favorite, my favorite command in the whole world, you just type it out and it shows things like who the peer is. The peer is our Palo Alto box, and here's our crypto ACL, ACL 100, which says please encrypt everything from 4.4.4.4, that 32-bit address, to 5.5.5.5, 4.4.4.4 being local to the Cisco, 5.5.5.5 being local to the Palo Alto, and on the opposite side we're doing exactly the opposite of that, so they are mirror images of each other. There's our peer, which is the Palo Alto box; here's our security association lifetime, I did the math on that, I hope... the tunnel's up so I guess I can't complain, but I think I got those exactly right as well. PFS is no, perfect forward secrecy is not on; in my transform set I'm using my set, which is the transform set up here, and the crypto map is tied to FastEthernet 1/0. And even though I slammed this in fairly quickly with Cisco Configuration Professional, it still uses a lot of SDM terminology in the configs it puts in, so it appears that Cisco Configuration Professional is still leveraging a lot of the technology that was put into SDM many, many years ago.

Last but not least, if we want to verify the IPsec tunnel we can do a show crypto ipsec sa, and that'll show us all the details. Now that ping is still going; this is in the background, still running from the Palo Alto box, which should be matching our interesting traffic. So if we look at the details here, there's our proxy IDs; you'll notice that we had to manually put those over on the Palo Alto box, so those are here by default based on our crypto ACLs on the Cisco router. And let's see here, going down, sorry about that, there we go: so 244 packets encapsulated and encrypted and 244 decapsulated and decrypted, which is a good number; hopefully we're not missing any packets along the path. And then it also is showing us the SPIs, the security parameter indexes, for these security associations. So here our outbound has the hex and then decimal after that, so in hex it's 7a8f, just remember 8f, and if we want to see that same information over on the Palo Alto box, check this out, this is pretty cool: if we go to Monitor and we take a look at System right here, and there's a refresh button you can click on if you need to, it's going to show us all the details of what's happening, and here it's showing us... I forgot what that was already, so 8a8f, so we should see an SPI, and here it is right here, an SPI with 8a977a8f, which I think is the exact same one, yeah. So we have an inbound and outbound SPI we're using, because we have two SAs used for IPsec, and I want to make sure they matched up, but that's how you could view them and verify them right here.

You could also verify the traffic that's being sent back and forth, or being allowed by policy, by going under Monitor and clicking on Traffic. These are our pings; they're going over and over and over again. I also created a policy called Freebird, yeah, I was thinking of Kevin Wallace when I wrote that; I just wanted to allow the IPsec to happen, but certainly we could lock down the policy of what traffic's allowed over that tunnel as well. So that's it; I appreciate you watching, and if you have any other questions regarding IPsec or would like to see some other combinations, maybe various vendors working with each other, please let me know, leave it in a comment, and I appreciate you watching. Have a great, great rest of the day.
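The Cisco router side of the tunnel the video describes, written out as an added IOS configuration example (it is not Keith's own config from this or his earlier video). The values 4.4.4.4/32, 5.5.5.5/32, ACL 100, FastEthernet1/0 and the cipher choices come from the video; the peer public addresses, the next hop, the PSK value and the names TS-PALO and MAP-PALO are assumed placeholders.

```cisco
! Added example, not the video's config. Placeholders: PALO_PUBLIC_IP,
! NEXT_HOP_IP, REPLACE_WITH_PSK, TS-PALO, MAP-PALO.
!
! IKE phase 1: must mirror the Palo Alto "IKE Crypto" profile
! (AES-128, SHA, DH group 2, pre-shared key, 1-day lifetime, main mode).
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key REPLACE_WITH_PSK address PALO_PUBLIC_IP
!
! IKE phase 2: mirrors the Palo Alto "IPSec Crypto" profile
! (ESP with AES-128 and SHA, no PFS, so no "set pfs" in the crypto map).
crypto ipsec transform-set TS-PALO esp-aes esp-sha-hmac
 mode tunnel
!
! Crypto ACL 100 = interesting traffic. Its source/destination pair is the
! proxy ID the router offers in phase 2, so the Palo Alto side needs the
! mirror image entered manually as a Proxy ID: local 5.5.5.5/32,
! remote 4.4.4.4/32. If the two do not match, phase 2 will not come up.
access-list 100 permit ip host 4.4.4.4 host 5.5.5.5
!
crypto map MAP-PALO 10 ipsec-isakmp
 set peer PALO_PUBLIC_IP
 set transform-set TS-PALO
 match address 100
!
! The loopback is the router's "local network" for this tunnel.
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
! Crypto map goes on the egress interface facing the public network.
interface FastEthernet1/0
 crypto map MAP-PALO
!
! Assumed: 5.5.5.5 must route out FastEthernet1/0 for the map to match.
ip route 5.5.5.5 255.255.255.255 NEXT_HOP_IP
!
! Verification commands from the video:
!   show crypto isakmp policy
!   show crypto isakmp sa detail      -> state QM_IDLE means phase 1 is up
!   show crypto ipsec transform-set
!   show crypto map
!   show crypto ipsec sa              -> encaps/decaps counters and SPIs
```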
Info
Channel: Keith Barker
Views: 73,614
Keywords: Cisco, IPsec, Palo, Alto, PaloAlto, Keith, Barker
Id: Kmi4DjBFgwA
Length: 14min 4sec (844 seconds)
Published: Tue Jul 03 2012