Palo Alto VPN - Site to Site step by step configuration [2024]

Captions
In this video I'm going to show you how to configure site-to-site VPN using the Palo Alto firewall. In my lab I only have Palo Alto firewalls, but if you need to learn how to connect a FortiGate or a Cisco ASA or something else to the Palo Alto, I'm sure you can find some information on the internet. I'm basing this video only on Palo Alto, plus a little bit of theory regarding IPsec connections and VPN that you can also use for other devices.

In the beginning of this video I'm going to explain some theory: what's the difference between policy-based and route-based IPsec connections. You can have two types of VPN configuration, policy-based VPN or route-based VPN. With policy-based VPN you need to configure what's called the interesting traffic, or the encryption domain. This relates to the traffic that's supposed to go inside the VPN tunnel and be encrypted. On the Palo Alto this interesting traffic is called proxy IDs. You define these proxy IDs on the Palo Alto by listing your local networks on the left side and your remote networks on the right side. For example, you can configure your local network as 192.168.2.0/24 and your remote network as 10.0.2.0/24. It means that all the communication that goes through the firewall from the network 192.168.2.0 to 10.0.2.0 is going to be encrypted and sent through the VPN tunnel; everything else is just going to be forwarded without being encrypted and without being sent to the VPN tunnel.

With route-based VPN you configure on each gateway a tunnel interface, and the external interface is the other endpoint of the VPN configuration, so the VPN connection goes from one tunnel interface to the tunnel interface on the other side. The configuration is simpler than policy-based VPN because you don't need to configure the interesting traffic: everything that hits the tunnel interface gets sent through the VPN tunnel, and you control the traffic using your routing protocol.

In my opinion one big advantage of route-based VPN compared to policy-based VPN is that it supports dynamic routing. It means that you can have more than one tunnel, maybe two, maybe three, connected, and you can use your routing protocol to control where the traffic is going to go. So for example if one tunnel goes offline, the routing protocol should send all the traffic through the other tunnel that's still established, and you can use it as a backup mechanism, which on policy-based you cannot really do in this way. Another disadvantage of policy-based VPN is that whenever you change your interesting traffic, either you add some networks or you remove some networks, depending on the manufacturer I've noticed some network disturbances before, so usually I used to do this outside of normal hours. With route-based VPN you just change your routing and the normal traffic just goes through; there is no disturbance in the network. One disadvantage of route-based VPN is that not all devices support it. I'm going to concentrate this video on route-based VPN, but let me know in the comments below if you would like me to make a video also about policy-based VPN and how to configure it on the firewall.

IPsec is a suite of protocols and algorithms used to provide security services for IP communications. IPsec is the industry standard for configuring site-to-site VPN. Internet Key Exchange, or IKE, is a protocol used by IPsec to secure the communications; it's responsible for negotiating and exchanging the cryptographic keys and other security parameters. There are two versions of IKE, IKE version 1 and IKE version 2. The second version is more modern and secure and this is the one that you should be using. So here's a high-level explanation of the phases involved in IKE version 2. This understanding will be able to help you in the future when troubleshooting site-to-site VPN connections. The first message exchanged between the initiator and the responder is called IKE_SA_INIT. It includes proposed security parameters such as encryption algorithm, authentication methods and Diffie-Hellman values. The message IKE_AUTH is encrypted using the key material derived from the parameters that were exchanged in the first phase, IKE_SA_INIT. In these messages the security parameters for the production traffic are going to be negotiated; the gateways also authenticate themselves, either using a pre-shared key or a certificate. Whenever this phase is completed, both gateways have established the child security association, or child SA, that's going to be used for the IPsec communication.

In order for you to be able to exchange the information with your client or with your partner, I prepared for you a connection sheet. It's just an Excel table used exactly for this kind of information. You can download it through cs.netsums.com (CS for connection sheet); you can also find this link below in the video description.

Okay, enough theory, now let's get to work. But before we get to the Palo Alto I would ask you, if you enjoyed the video so far, just give me a thumbs up, and don't forget to subscribe to the channel if you want. Let's get to work.

I have in my lab now two Palo Alto firewalls connected through a router simulating the internet. The outside and the inside interfaces are already configured, and what just needs to be configured now are the tunnel interfaces and the VPN connections. As I mentioned before, I'm using route-based VPN and for that we need the tunnel interfaces. So guys, I'm going to be configuring my firewall using Panorama, but you might as well configure yours directly on the firewall. The firewall that I'm going to be configuring with you guys is going to be the PA-VM.

I'm going to start by going to Network, Interfaces, and I'm going to create a new tunnel interface; this is the first configuration I'm going to do. So I go to Add, choose a number for the interface, in my case number 1. Virtual router: I'm going to select the one that I have, default. Security zone: I'm going to make a new zone for the VPN tunnel and I'm going to call this VPN-S2S, then click OK. I'm going to add an IP address; as you can see on the diagram I need to give this one 192.168.0.2/30. Under Advanced I'm going to choose my management profile "ping", so that if I want to configure tunnel monitoring this interface can be pinged from the other side. It means that the other side is going to try to ping this interface and the interface is going to answer; this is going to be the way that the firewall monitors the tunnel to see if the tunnel is working, if you want to configure tunnel monitoring. So press OK, there's my tunnel.

Now we can start configuring the IPsec stuff. The first thing we need to do is go to IKE Crypto. We're going to click on Add and I'm going to make a new crypto profile; I'm going to call this just netsums crypto profile, you can call it whatever you want. Diffie-Hellman group: the currently suggested one is to use group 20 if you're using encryption with a key size up to 128; if you use 256 or above, the recommendation is to use group 21. I've tried this before, but one of my firewalls doesn't support group 21, so I'm going to be using group 20 for all of them. Authentication: I'm going to choose non-auth, and I'm going to show you why: because I'm using GCM, and GCM already has authentication inside the protocol, let's say; the encryption protocol already does some authentication. Eight hours is fine for my IKE. Click OK.

Next one is the IPsec Crypto. I'm going to click Add: netsums IPsec crypto profile. The protocol I'm going to leave as ESP, the encryption is going to be the same, AES-256-GCM, authentication again none, Diffie-Hellman group again 20. I'm going to leave one hour for the key exchange and I'm not going to enable the lifesize; I'm going to leave it like this. Click on OK.

The next one is the IKE Gateway. I click on Add, I'm going to call this one netsums IKE gateway, and I'm going to choose IKEv2 only mode. The interface I'm going to use is ethernet1/2, and my IP address... oops, I chose the wrong one; that's it, my IP address is the .201. The peer IP address is going to be 101.001. Authentication is going to be pre-shared key, not certificate; the pre-shared key I'm just going to set to "S2S". The local identification and peer identification: if you don't choose anything, it's going to use the IP address of both gateways. I'm just going to leave it with none, but you can choose the other options: you can choose FQDN, IP address and some other stuff. If you choose IP address and enter the IP address here, it's the same as if you choose none; this is the default option. Comment: netsums IKE gateway, whatever. OK, there it is.

The next is the IPsec tunnel. So let's go to IPsec Tunnels, I'm going to click on it and then I'm going to add a new one: netsums IPsec tunnel. Tunnel interface is going to be the one that we created; the IKE gateway is the one that we created; and the IPsec crypto profile, sorry, is the one that we created, netsums IPsec crypto profile. Comment: netsums IPsec tunnel. Here, Show Advanced Options; you should always enable this: replay protection. The anti-replay window: you can choose the highest one, which is more secure; the recommendation, well, the Palo Alto default now with this version that I have is 1024, I'm just going to leave it like this, it's already enabled by default. Tunnel monitor: if you want to monitor your tunnel you can configure it here; for this example I'm not going to monitor. And here on top, the Proxy IDs: if I was configuring policy-based VPN I would have to configure the networks here. I'm just going to click on it but I'm not going to go through it: I enter a local network and then I enter a remote network, and if I have more than one network pair I need to enter them a second time. But this is, like I said, the topic for a new video; I'm just going to concentrate on the route-based VPN. So for route-based VPN we don't need to enter anything here on the proxy IDs. I'm just going to click on OK.

There's one thing that I think is missing: the IKE gateway, let me just click on it. Yeah, I forgot: on the Advanced Options there is also the netsums crypto profile; I have to choose this one here. And if you're using somewhere in your connection between the gateways some NAT, then you need to enable NAT traversal; this is the place where you enable it. I'm not using any NAT so I'm just going to leave it disabled. Enable passive mode would mean that this firewall, in my case the PA-VM, would never start a VPN connection; it would wait until the partner starts the connection. But in my case I want this gateway also to actively start the connection whenever it sees interesting traffic, so I'm just going to leave it unchecked; this is the correct option for my configuration. I'm going to click on OK.

So we have the VPN stuff configured; now let's go to the routing configuration. Virtual Routers, and I click on my default, and then I have to enter a static route. I'm going to enter a static route for the network 192.168.4.0, which is the network that I want to reach on the other side. Route 192.168.4.0/24: the name doesn't support slashes, so I use hyphens, 192-168-4-0-24. For the interface you choose the tunnel interface that you created, and as next hop you choose none. Here there's another option also, to choose path monitoring, in case you're using some dynamic protocol; I only have one tunnel and I'm not using any dynamic protocol, so I'm just going to leave it unchecked.

The next step will be to create the policy so that we allow the connection between the gateways, but before that I'm going to go to Objects and create the new objects for the external gateways. I'm going to show you later; it's going to be easier whenever you have another new gateway to connect. For my firewall, the PA-VM, I already have here "pavm outside" with the IP address 101001 configured, and for the other one I already have it here as well. So now I'm going to create a group; these are the two IP addresses that are going to be speaking with each other through my internet simulation. I'm going to go to Address Groups, click Add, and create a group called grp-local-s2s-gateways, and here I'm going to enter only my PA-VM outside interface. I'm going to create another group, grp-remote-s2s-gateways, and here I'm going to enter only my PA-S2S, I think I called it, yes, that's it. Okay, so now I'm going to create the rule, and whenever you have newer gateways to connect to your local gateway you just need to enter the new gateway right here in this group and you don't need to change any more policies. Here on the policies currently I only have one rule, which is to allow ping. I'm going to add a new one now.

I'm going to call this S2S local-remote: in one direction, allow connections from local site-to-site gateways to remote gateways. Source: my source zone would be my outside; source address, I'm going to choose the group local site-to-site gateways. My destination zone is also outside, and my destination address will be the group remote gateways. Application: the application that you need to configure is called ipsec. It's complicated: there are ipsec-esp and ipsec-esp-udp, which we don't need; we need this one, ipsec. Inside ipsec there's also ike; ike is already inside the ipsec group or container, let's say. Leave it like this, action allow, log, OK. Now we're going to do the other way around, so I'm just going to clone this one and call it remote-local: allow connections from remote site-to-site gateways to local gateway. Source zone outside was okay, but now I want the remote group, and in destination I want the local group. And that's it; okay, looks good, ipsec, and now we can commit our configuration.

So now I'm at my firewall; I configured my other firewall, I haven't taken a look yet to see if it's working, but I'm going to try to ping from the computer with the IP address ending in .119 to the Linux box on the other side. Yeah, my tunnel is working, and I can check here on Network, if I go to IPsec Tunnels, I can see that it's green. So everything looks good. As far as I know, this kind of information, tunnel info, IKE info, you can only see if you're in the firewall; so if you're a user of Panorama, like I said, as far as I know you need to make a connection to the firewall to take a look at this kind of information. Also the routes: on the virtual router I'm going to click on it, show routes, and you can click on the forwarding table and see what the firewall is actually forwarding. Here you can see these three entries: this is the network that I configured as a static route, and these two are the tunnel network and the IP address of the tunnel interface too.

If you come to Monitor, Traffic, let's take a look at everything that goes through 172.16.0.0/24; we should see my ping. Okay, we see some stuff, so let's put the destination address; yeah, this is my ping, and like I said it was coming from the .119 host. I don't have it here, I should have it; I don't have it here but I think I have it in Panorama: it shows the interface that it's sending the information through, egress interface, no, it has to be the ingress interface, tunnel.1, so it's coming through the tunnel interface. The ping is working; we did good.

One more thing guys before I forget: under Monitor, if you go to System, if you need to do some debugging, there is a possibility to do debugging using the CLI, but first I would recommend you to start your debugging here under the system logs: Monitor, System, and if you click on VPN you have the whole information regarding VPN debugging. Usually the description from the log entry tells you more or less where to look if there is something that's not matching; most of the time you can find the information here. Otherwise there are some other ways to do debugging, e.g. over the CLI, where you can see more information, but of course it's a lot more complicated. So my suggestion would be always to start your debugging, your troubleshooting, using the system logs.

So guys, you made it to the end of the video. I know it's a little bit of a dry topic, in the beginning a lot of theory, but I hope you got some value from the video anyway. If you liked it, just give me a thumbs up, don't forget to subscribe to the channel if you want, and if you have some questions or if you would like me to make a video about policy-based VPN, just leave me a comment in the comment section below, and I'll see you in the next video. Bye.
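The video's advice is to fill in a connection sheet with both gateways' parameters and to start troubleshooting from the system log when "something is not matching". The following Python script is an added example, not code from the NETSums video or from Palo Alto: it takes the values such a sheet would hold for both peers (IKE version, IKE and IPsec proposals, pre-shared key, proxy IDs) and reports every mismatch that would stop the IKE SA or the child SA from forming, plus the Diffie-Hellman group rule quoted in the video (group 20 up to 128-bit keys, group 21 for 256-bit and above). Gateway names, addresses, the placeholder pre-shared key and the partner's settings are all constructed for illustration; the rule that a route-based tunnel with no proxy ID is treated as the wildcard pair 0.0.0.0/0 <-> 0.0.0.0/0 is an assumption made by this script for comparison purposes.

```python
"""Compatibility check for two IKEv2 / IPsec proposals (added example).

Not code from the NETSums video or from Palo Alto. Gateway names, IP
addresses, the pre-shared key and the partner's settings are constructed.
"""
from dataclasses import dataclass, field

# GCM ciphers are AEAD: integrity is built into the cipher, so the separate
# authentication algorithm is 'none' (as configured in the video).
AEAD_CIPHERS = {"aes-128-gcm", "aes-256-gcm"}


def key_bits(cipher: str) -> int:
    """'aes-256-gcm' -> 256."""
    return int(cipher.split("-")[1])


def recommended_dh_group(bits: int) -> int:
    """Rule quoted in the video: group 20 up to 128-bit keys, group 21 above."""
    return 20 if bits <= 128 else 21


@dataclass
class Proposal:
    encryption: str
    authentication: str      # 'none' for AEAD ciphers
    dh_group: int
    lifetime_s: int


@dataclass
class Gateway:
    name: str
    ike_version: int
    ike: Proposal
    ipsec: Proposal
    psk: str
    # (local, remote) proxy-ID pairs. Assumption of this script: a route-based
    # tunnel with nothing entered is compared as the wildcard pair.
    proxy_ids: set = field(default_factory=lambda: {("0.0.0.0/0", "0.0.0.0/0")})


def compare_phase(phase: str, a: Proposal, b: Proposal) -> list:
    """Findings for one phase as (severity, message) tuples."""
    out = []
    for attr in ("encryption", "authentication", "dh_group"):
        va, vb = getattr(a, attr), getattr(b, attr)
        if va != vb:
            out.append(("error", f"{phase}: {attr} mismatch ({va} vs {vb})"))
    for side, p in (("A", a), ("B", b)):
        if p.encryption in AEAD_CIPHERS and p.authentication != "none":
            out.append(("error", f"{phase}/{side}: {p.encryption} is AEAD, set authentication to 'none'"))
        rec = recommended_dh_group(key_bits(p.encryption))
        if p.dh_group != rec:
            out.append(("warning", f"{phase}/{side}: DH group {p.dh_group} differs from group {rec} recommended for {p.encryption}"))
    if a.lifetime_s != b.lifetime_s:
        # IKEv2 does not negotiate lifetimes; each peer rekeys on its own timer,
        # so a difference is worth noting but does not stop the SA from forming.
        out.append(("warning", f"{phase}: lifetimes differ ({a.lifetime_s}s vs {b.lifetime_s}s)"))
    return out


def check_pair(a: Gateway, b: Gateway) -> list:
    """All findings for a gateway pair, in negotiation order."""
    out = []
    if a.ike_version != b.ike_version:
        out.append(("error", f"IKE version mismatch ({a.ike_version} vs {b.ike_version})"))
    elif a.ike_version != 2:
        out.append(("warning", "both gateways use IKEv1; IKEv2 is the version to use"))
    if a.psk != b.psk:
        out.append(("error", "pre-shared keys differ; IKE_AUTH would fail"))
    out += compare_phase("IKE", a.ike, b.ike)
    out += compare_phase("IPsec", a.ipsec, b.ipsec)
    # Every (local, remote) pair on A must exist on B as (remote, local).
    mirrored_b = {(remote, local) for local, remote in b.proxy_ids}
    for local, remote in sorted(a.proxy_ids - mirrored_b):
        out.append(("error", f"proxy ID {local} -> {remote} on {a.name} has no mirror on {b.name}"))
    for local, remote in sorted(mirrored_b - a.proxy_ids):
        out.append(("error", f"proxy ID {remote} -> {local} on {b.name} has no mirror on {a.name}"))
    return out


def by_severity(findings: list, severity: str) -> list:
    return [msg for sev, msg in findings if sev == severity]


# Constructed sample: the two lab firewalls from the video, configured alike
# (IKEv2, AES-256-GCM, no separate auth, DH group 20, 8 h IKE / 1 h IPsec).
LAB_PROFILE = dict(
    ike_version=2,
    ike=Proposal("aes-256-gcm", "none", 20, 8 * 3600),
    ipsec=Proposal("aes-256-gcm", "none", 20, 3600),
    psk="REPLACE-WITH-REAL-PSK",  # placeholder, not the video's key
)
PA_VM = Gateway("pa-vm", **LAB_PROFILE)
PA_S2S = Gateway("pa-s2s", **LAB_PROFILE)

# Constructed policy-based partner: weaker phase-2 DH group, shorter phase-2
# lifetime, and a specific proxy ID instead of the wildcard pair.
PARTNER = Gateway(
    "partner-policy-based", ike_version=2,
    ike=Proposal("aes-256-gcm", "none", 20, 8 * 3600),
    ipsec=Proposal("aes-256-gcm", "none", 14, 1800),
    psk="REPLACE-WITH-REAL-PSK",
    proxy_ids={("10.0.2.0/24", "192.168.2.0/24")},
)

if __name__ == "__main__":
    for sev, msg in check_pair(PA_VM, PARTNER):
        print(f"[{sev}] {msg}")
```

Run against the two identical lab firewalls the script reports no errors, only the four warnings that group 20 is below the group 21 the video recommends for 256-bit keys (the author accepts that trade-off because one of his firewalls lacks group 21). Against the constructed policy-based partner it flags the phase-2 DH group mismatch and the two unmirrored proxy-ID pairs, which is exactly the kind of "not matching" condition the video says to look for in the system log.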
Info
Channel: NETSums
Views: 6,243
Id: GPANrMczTz4
Length: 22min 25sec (1345 seconds)
Published: Tue Jul 25 2023