Palo Alto Lesson: 10.10 Lab Site-to-Site VPN

Captions
Hello, and thank you for watching my video. My name is Astrit Krasniqi; I am a Cisco CCNA, CCNP and Palo Alto certified instructor. In this video we are covering PCNSA 210, and this is our Chapter 10, Site-to-Site VPN section. This is the tenth video of Chapter 10, which is 10.10, Lab: Site-to-Site VPN. Everything that we learned in Chapter 10, the site-to-site VPN section, we're going to put into practice in this lab.

So what are we going to do in this lab? We're going to create and configure a tunnel interface to use in the site-to-site VPN connection; we need a logical Layer 3 tunnel interface for our VPN configuration. We're going to configure an IKE gateway and an IKE crypto profile (that's for phase 1 of the VPN tunnel), then we're going to configure an IPsec crypto profile and an IPsec tunnel, and then we're going to test the connectivity.

This is the lab topology that we'll be using to demonstrate site-to-site VPN for you. I do have two firewalls: Firewall A, which is connected to its own site, inside zone IP address 192.168.1.0, and Firewall B, which is connected to site B, for example, and its inside zone IP address is 10.1.1.0/24. I'm managing Firewall A and Firewall B from my management station; this is the IP address I'm managing Firewall A from, and this is the IP address I'm managing Firewall B from. These are the public addresses for Firewall A and Firewall B, at least on their outside interfaces. I'm going to create a tunnel, because we do need a tunnel for the VPN configuration. We don't really need to give it an IP address, but I am going to give it an IP address because I want to monitor these tunnels; if you do want to monitor the tunnels, you need to give them an IP address as well.

OK, perfect. I'm going to show you my firewalls now. If I switch to my firewalls, this is my firewall; let's go to Firewall A first. You can see that's Firewall A, and I'm managing it from 192.168.1.254. If you look at the lab, .254 is Firewall A. If I go to Firewall B, this is my Firewall B, and I'm managing it from .253 on the management interface; if you look, that's the IP address I'm managing it from. OK, so we're going to do the configuration on both firewalls, so you're going to see pretty much every configuration twice. I have removed everything that we did with IPsec tunnels in the previous lesson, so everything is clean and ready to go.

OK, so when we configure IPsec VPN tunnels, the first thing we need to do is create this virtual interface, the tunnel interface. All the configuration we need to do is going to be under Network: we need to go to Interfaces to configure the tunnel, then we need to configure the IKE crypto, then IKE Gateways, IPsec Crypto, and then the IPsec tunnel. So four things after the tunnel, everything under Network. To configure this virtual interface, the tunnel interface for our VPN configuration, we go to Network > Interfaces > Tunnel and click Add. Now, tunnel interface names are read-only; we can't change the name, but we give it a number, for example I'm going to use 55. I just picked that number; it can be any number you want, and this number doesn't have to match on both of the firewalls. In the comment I'm not going to write anything, but obviously in production you write your own comments. The tunnel interface does require being part of a virtual router and a security zone; those two are requirements. You don't need to give it an IP address unless you're monitoring it or you're using dynamic routing protocols on the virtual router. I'm going to put it as part of the VR "LabVR", and for the security zone I'm going to create a new security zone called VPN, so I'll just type VPN here, and that's it for this section. Then I need to go to the IPv4 configuration and give it an IP address. If you look at my lab, you see the IP address I'm going to use for this tunnel is 172.16.12.1, so I add 172.16.12.1/24. That's my tunnel configured on Firewall A.

On Firewall B I'm going to do the same thing, just with a different IP address. Go to Network, then Interfaces, then Tunnel, and click Add. In there I'm going to put the interface name (obviously I can't change it) and the number, which I'm going to put as 55, but like I said it can be any number you want. Virtual router: well, it's its own virtual router; even though the names are the same, it is actually a different virtual router, Firewall B's own, and it needs to have, for example, a static route or a dynamic route for how to get to the public address of Firewall A. Security zone: again, in this one I'm going to create a new zone, and that zone is going to be called VPN; click OK. For this tunnel interface, if I look at the lab, the IP address is 172.16.12.2, so I'll go to IPv4 and give it the address 172.16.12.2/24. OK, this is done, so the tunnel interface, the first step, is done on both firewalls: Firewall B has got .12.2, Firewall A has got .12.1.

The next thing I need to configure, if I scroll down in Firewall A, is IKE Crypto, Internet Key Exchange cryptography. Now, I already have some default ones, but I'm going to make my own one, so click Add. These are the five parameters that have to match for it to create this tunnel. The name, I'm going to put it as Firewall A, and they're going to be Diffie-Hellman group 2, SHA-256 (sorry, I should say 256) and AES-256. These are the parameters I'm going to put, so here Diffie-Hellman group 2, authentication is going to be SHA-256 (that's integrity), and for encryption (that's confidentiality) AES-256, and that's it. I'm going to do the same configuration on the other side; let me just copy this name so I don't need to write it again. So this is my Firewall A configured; now we'll go to Firewall B and do the same configuration. I'll go further down to IKE Crypto, click Add, and this is the B one: same group, Diffie-Hellman group is going to be 2, authentication (that's for integrity) SHA-256, and confidentiality AES-256. And the timers, if you saw the timers, it is eight hours, and we can go down to three minutes if you want to, but the key lifetime, if you want to re-key and renegotiate phase 1, then it's going to be there every eight hours. OK, so here is the configuration of Firewall B and this is the configuration of Firewall A, so it's exactly the same really; there's no difference.

The next thing we're going to configure, in Firewall A, is IKE (Internet Key Exchange) Gateways. Here I'm going to create a brand new one, so I'm going to give it a name, Firewall A IKE Gateway. Now, if you can see the version, we can have version 1, or version 2, or version 2 only / preferred mode. I'm going to use version 1 only on both sides. Address type is going to be IPv4. The interface, this is the local interface; you can look at the lab, the local interface is ethernet1/1, and that's the IP address, so I'll go ethernet1/1, and the IP address is 203.0.113.20. And then the neighbor: I can identify the neighbor by IP address, fully qualified domain name or dynamic. I'm going to use IP address, so if you look, the IP address is 203, this is the public, yeah, .0.113.40. So 203.0.113.40, that's the neighbor's IP address. And I can authenticate these two peers by either certificates or a pre-shared key; I'm going to use a pre-shared key, so I'll put "paloalto" as the password. Local identification, peer identification: again I can do it with a fully qualified domain name, IP address, key ID; I'm not going to use it, so just none. Then under the advanced options I have Enable Passive Mode: if I select that, this firewall is not going to initiate any IPsec tunnel negotiation or IKE negotiation. Enable NAT Traversal: this is, for example, if you don't want the NAT to do the, well, what it does, network address translation. OK, so exchange mode, we have, well, we have auto, main and aggressive. Main is going to go through proposals and agreements, while aggressive is just going to send everything in one go. I'm going to leave it at auto. And the crypto profile, the IKE crypto profile: I'll put the one that I just created, this FWA GR2 SHA256 AES256. That's it, that's my IKE gateway done, so phase 1 is complete.

I'll do Firewall B, same thing: go to IKE Gateways, click a new one, so Add, and under name I'll just put Firewall B, then I'll put IKE Gateway. Same thing, the interface is going to be 1/1, so if you look at the lab topology .40 is the IP address, so that's going to be .40, and the neighbor is going to be 203.0.113.20. So I'm identifying the neighbors by IP address, so the neighbor for this firewall is going to be this, and we share "paloalto" as the key, so that's going to be the authentication with the pre-shared key. Then under advanced options, again, the IKE crypto profile, I'll put the one that we created, Firewall B group 2 SHA-256 AES-256. Done. So phase 1 is done on both sides; if you click on both sides we have it.

Now we need to do IPsec cryptography. Again, the five parameters have to match; they go through the haggling bit. So I click Add, I'm going to put a new one, and this is going to be Firewall A, this is IPsec crypto, sorry. We're going to use ESP, Encapsulating Security Payload, rather than AH. Well, yeah, you need to watch the videos if you want to know a bit more about them. The encryption and authentication: confidentiality is going to be AES-256 and integrity is going to be SHA-256, and Diffie-Hellman group 2, we're going to leave it at the default, and the lifetime is every one hour; we're going to do the phase 2 change, well, the rekey, it should renegotiate. That's it. I'm going to do the same configuration for Firewall B, so if I go to IPsec Crypto and add a new one here, this is going to be Firewall B and it's going to be IPsec Crypto, and again ESP and 256 everything, so AES-256 and SHA-256, and click OK. So now it's done; we have phase 1 and phase 2, so we just need to put everything back together.

To put everything together, we need to go under IPsec Tunnels and create a tunnel there. I'll click Add, and we're going to say Firewall A IPsec Tunnel (let me spell "tunnel" correctly). The tunnel interface is going to be tunnel.55 that we put there, the IKE gateway is the one that we created, FWA, and the profile is the one that we just created. To be able to monitor this tunnel we need to press Show Advanced Options, and then we put tunnel monitor, and then we put the destination IP address of the tunnel, so the destination IP address is going to be 172.16.12.2; this is the neighbor's tunnel. And then the proxy ID is to identify what network the neighbor is going to be sending, so we're going to put here, I'll just put a name, "NetID", local ID, so the local network, you can see it's 192.168.1.0, and the neighbor's is 10.1.1.0. So the local is 192.168.1.0/24 and the remote is 10.1.1.0/24. Here is where most mistakes could happen, the proxy ID, if you are not identifying the correct neighbor's addresses and so on. I click OK and I'm done, and Firewall A is done. At the moment I have not committed, but you can see the interface status is down, phase 1 is down, phase 2 is down.

Go to Firewall B and I'll do the same configuration: go to IPsec Tunnels, click Add, and I'm going to call this Firewall B IPsec Tunnel. Tunnel interface, again the same one we created; the gateway is what we just created, and the crypto profile, or IPsec crypto profile, is the one that we just created. And again here we're going to Show Advanced Options so we can see the tunnel monitor, and for this one you can see the tunnel IP address of the neighbor is this, so I need to put the neighbor's IP address, 172.16.12.1. And the proxy ID, I'm going to put, for example, "NetID A": local address, so the local inside zone address, and then the remote zone address. So I'm going to be sending anything from the network 10.1.1.0/24, while the remote is 192.168.1.0/24. That's it; we have configured the IPsec tunnel, everything, correctly. Now we're just going to commit on both sides and this should go green. So commit here, and I will go to Firewall A and I'll commit on Firewall A as well.

OK, on Firewall A the commit has completed successfully, so that is good, and I can see all greens, which is good. I'll look at Firewall B: the commit has completed successfully; I got some warnings here, no valid threat license and so on, but everything about the tunnel is a success. So again, here it's green as well, which means this interface is up, phase 1 is up, phase 2 is up. If I click on the tunnel information, OK, as you can see, the name, local IP address (you can zoom this one or expand this so we can see it nicely), the local IP address, the peer IP address, monitors and so on, so you can see that it's actually working. As well, we can look at phase 1; this is the configuration for phase 1, when we created it, when it does expire and so on. We can look at Monitor > Logs and then look at the System logs; this is going to show us about the VPN. We can even filter just to see the VPNs, so if I click on the VPN here, that will filter only the VPN; apply this filter and you can see everything that happened through the VPN. Up to here this was previously, when we were doing the troubleshooting video; now you can see that it has worked, and you can see the VPN has been set up.

OK, so we can actually open PuTTY, and I'm already logged in to PuTTY, and we can look at some of the VPN commands, for example show vpn ike-sa. This will show us a bit more information about what IKE SA we have. I just need to make these letters a bit smaller so we can actually see things a bit better, so Appearance, and I'll change the font to something small, so 8 for example; OK, well, that's too small, so let me change the font back to 10 maybe. OK, so let me repeat that command again. You can see the tunnel, the gateway, the role (initiator, responder), the algorithm, and you can see pretty much the configuration that is actually working. If you need to troubleshoot, the best place to go is actually here under System and look at the VPNs; if we have a problem, they're going to appear here.

OK, let's make a problem, let's make one problem very quickly and then we wrap it up. So if I go to IPsec Tunnels, and it's all working fine now, and if I change maybe the peer ID, so I'll put the peer ID as something else, something wrong, so proxy ID and remote, instead of 10, for example, let's put 20. I made a mistake here, right, and I'll click this and I'll commit it. Now the commit has completed successfully. If I close this, you can see the interface is still up, phase 1 is still OK, but phase 2 now has a problem, that's why it's red. If I go to Firewall B it's going to be the same thing, just refresh this and you will see this one is going to go red. The reason, we know the reason, because we changed the proxy ID, but to see the problem if you don't know the problem, you have to go to Monitor and then under Logs you have to go to System, and then under System you can either just filter to VPN, or if I just look at anything, it will be here. It says, look, it says "IKE phase 2 negotiation failed when processing proxy ID, cannot find matching phase 2 tunnel for received proxy ID". So it's already telling us that phase 2 is not working; phase 1 was fine, it's all green; phase 2 is not working, and there's a problem with the proxy ID. So because it's a proxy ID problem, then you have to go and fix that proxy ID. So let's go and fix it very, very quickly and then we can wrap it up. Proxy ID: change this to what it is supposed to be; instead of 20 I'll put 10, and I'll commit it quickly, and then this should go green again. OK, excellent, now the commit has completed successfully; close this and you can see that's gone green, and it should be on Firewall B as well, so if I go to Network and IPsec Tunnels, this should go green. There we go, excellent.

Thank you for watching lesson 10.10; this was Lab: Site-to-Site VPN, of Chapter 10, Site-to-Site VPN. Please have a look at my other videos and don't forget to subscribe. This has been Astrit Krasniqi, bye.
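As an added example that is not part of the video and is not Palo Alto Networks code, the Python below captures the matching rules the lab walks through as a pre-commit consistency check for the two firewalls: IKE gateways must point at each other's public address and agree on IKE version, pre-shared key and IKE crypto proposal; the IPsec crypto profiles (ESP, encryption, authentication, PFS group) must match; each side's proxy ID must be the mirror image of the other's; and the tunnel monitor destination must be the peer's tunnel interface address. The addresses, profile values and the deliberate proxy-ID mistake (10.1.1.0/24 changed to 20.1.1.0/24 on Firewall A) are the lab's; the data layout, the `Peer` class and the function names are this example's own assumptions.

```python
"""Pre-commit consistency check for a PAN-OS site-to-site VPN pair.

Added example: it models the objects the lab builds on each firewall and flags
the settings that must agree (or mirror) across the two peers before commit.
The Peer layout and function names are assumptions made for this example; the
values are the ones used in the lab video.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_network


@dataclass(frozen=True)
class Peer:
    name: str
    local_ip: str        # IP on the IKE gateway's local interface (ethernet1/1)
    peer_ip: str         # the other firewall's public IP, as configured here
    ike_version: str     # "ikev1" or "ikev2"
    psk: str             # pre-shared key
    ike_crypto: tuple    # (dh_group, authentication, encryption) of the IKE crypto profile
    ipsec_crypto: tuple  # (protocol, encryption, authentication, pfs_group) of the IPsec crypto profile
    tunnel_ip: str       # address assigned to tunnel.N
    monitor_dest: str    # tunnel monitor destination IP
    proxy_ids: frozenset  # {(local_net, remote_net), ...}


def _nets(pairs):
    """Normalise proxy-ID pairs so 10.1.1.0/24 and 10.1.1.5/24 compare equal."""
    return {(str(ip_network(l, strict=False)), str(ip_network(r, strict=False)))
            for l, r in pairs}


def check_pair(a: Peer, b: Peer) -> list:
    """Return human-readable mismatches between two peers; empty list means consistent."""
    issues = []
    # Phase 1: gateways must address each other and agree on version, PSK and proposal.
    if a.peer_ip != b.local_ip or b.peer_ip != a.local_ip:
        issues.append("IKE gateway peer addresses do not mirror the local addresses (P1 timeout)")
    if a.ike_version != b.ike_version:
        issues.append("IKE version differs (%s vs %s)" % (a.ike_version, b.ike_version))
    if a.psk != b.psk:
        issues.append("pre-shared key differs between the IKE gateways")
    if a.ike_crypto != b.ike_crypto:
        issues.append("IKE crypto profiles differ: DH group, authentication and encryption must match")
    # Phase 2: IPsec crypto must match, including the PFS group.
    if a.ipsec_crypto[:3] != b.ipsec_crypto[:3]:
        issues.append("IPsec crypto profiles differ in protocol/encryption/authentication (no suitable proposal, P2)")
    if a.ipsec_crypto[3] != b.ipsec_crypto[3]:
        issues.append("PFS group mismatch in the IPsec crypto profiles")
    # Proxy IDs: A's (local, remote) must equal B's (remote, local).
    mirrored = {(r, l) for l, r in _nets(b.proxy_ids)}
    if _nets(a.proxy_ids) != mirrored:
        issues.append("proxy IDs are not mirrored: phase 2 would fail with "
                      "'cannot find matching phase-2 tunnel for received proxy ID'")
    # Tunnel monitor: each side must probe the other's tunnel interface address.
    if a.monitor_dest != b.tunnel_ip or b.monitor_dest != a.tunnel_ip:
        issues.append("tunnel monitor destination is not the peer's tunnel interface address")
    return issues


# Lab values from the video (constructed here as data, not exported from a firewall).
FW_A = Peer("Firewall A", "203.0.113.20", "203.0.113.40", "ikev1", "paloalto",
            ("group2", "sha256", "aes-256-cbc"), ("esp", "aes-256-cbc", "sha256", "group2"),
            "172.16.12.1", "172.16.12.2", frozenset({("192.168.1.0/24", "10.1.1.0/24")}))
FW_B = Peer("Firewall B", "203.0.113.40", "203.0.113.20", "ikev1", "paloalto",
            ("group2", "sha256", "aes-256-cbc"), ("esp", "aes-256-cbc", "sha256", "group2"),
            "172.16.12.2", "172.16.12.1", frozenset({("10.1.1.0/24", "192.168.1.0/24")}))


def variant(peer: Peer, **changes) -> Peer:
    """Copy of a peer with some fields changed (for what-if checks before commit)."""
    return replace(peer, **changes)


def lab_mistake() -> Peer:
    """Firewall A with the remote proxy ID the video deliberately breaks (10.1.1.0 -> 20.1.1.0)."""
    return variant(FW_A, proxy_ids=frozenset({("192.168.1.0/24", "20.1.1.0/24")}))


if __name__ == "__main__":
    for label, peer_a in (("lab as configured", FW_A), ("after the proxy-ID mistake", lab_mistake())):
        print(label + ":", check_pair(peer_a, FW_B) or ["consistent"])
```

Run it before committing on both firewalls: the first line reports the lab pair as consistent, the second reports only the proxy-ID mirror failure, which is the same condition the System log showed in the video after the deliberate change. The IKE and IPsec lifetimes are left out of the check on purpose, since the two sides negotiate to the shorter value rather than requiring an exact match.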
Info
Channel: Astrit Krasniqi
Views: 5,205
Keywords: Internet Key Exchange, IKEv1, IKEv2, IKE Phase 1, VPN, Aggressive, Main, Auto, Proxy IDs, Site-to-Site VPN, IKE Crypto, IKE Gateways, IPSec Crypto, Tunnel Tab, IPSec Tunnel, VPN Error Messages, P1 - Timeout, P2 - Timeout, PFS group mismatch, No suitable proposal (P2)
Id: wpV7Q03WQkY
Length: 21min 14sec (1274 seconds)
Published: Wed Sep 16 2020