Tutorial: IPSec VPN Setup

Captions
Hi everyone, my name is Jason and I'm from the global enablement team here at Palo Alto Networks. Today I want to show you how to configure an IPSec-based site-to-site VPN between two of our firewalls.

Now, I want to begin with this diagram here, which outlines the components that we need to configure in order to set up our site-to-site VPN. Configuring a VPN between two Palo Alto Networks firewalls is essentially three steps, and we start with our layer 3 interface. That brings us to step number one: we're going to configure our phase one objects. This includes a crypto profile and the IKE gateway, as well as authentication settings. I'm referring to these objects as belonging to phase one because an IPSec VPN tunnel is established through two phases. I'll show you where these actual objects live in the firewall and how to configure them in a moment. That brings us to step number two: next you'll configure the phase two objects, which is the second part of an IPSec VPN, and this includes another crypto profile and the tunnel itself. Step number three: you'll need to configure a route that references the tunnel, because Palo Alto Networks uses a route-based approach with the VPN. So now you have a summary of the components required to build a VPN on our firewalls. Let me show you where in the firewall to do this.

In this scenario I have two sites, site 1 and site 2. I've already configured the site 1 firewall; I'm on the site 2 firewall and I want to complete my configuration. As you can see here, I have a couple of interfaces, ethernet1/1 and ethernet1/2. ethernet1/1 is going to be my external-facing interface. Now, I know that the IP address here is one of those private IP addresses, but just pretend with me that it's a public IP address. I'm going to attach my tunnel interface to this layer 3 interface, so we're going to come back to this tunnel tab here in a little bit and I'm going to configure a tunnel interface. The other thing I've done is I've pre-configured a VPN zone so that I can also attach that to the interface and then use that in my security rules.

Now, to complete my configuration I need to create the phase one and phase two objects. Let's begin with our phase one, and that includes the IKE crypto profile down here and the IKE gateway. Under IKE crypto, this is where I can define my encryption, authentication and key exchange protocols, and I can use the built-in ones (as you can see here, there are a few already created for me) or I can use this Add button down here and create my own custom IKE crypto profile that I can then use in my IKE gateway. For the sake of this tutorial I'm just going to use the defaults.

Now let's go to the IKE gateway. To create my gateway I'm going to choose Add and give it a name. Now I need to go through and define a handful of important settings for the Internet Key Exchange, or phase one, portion of my IPSec VPN tunnel. The decisions I make here and the changes I make here need to be compatible with the other side. There are a lot of choices or decisions to be made, like for instance which IKE, or Internet Key Exchange, protocol version am I going to use, and what interface am I going to use the IKE gateway on. In this case my external interface is ethernet1/1; let me grab my IP address right there. And then, who am I talking to on the other side? That's my peer IP type here, so I can either use dynamic and reference that endpoint by name, or, as I'm just going to do, use static and type in that IP address manually right there. And then the authentication settings: I have two choices, pre-shared key or certificate. If I choose certificate there are several other decisions I have to make. I need to ensure that I have an installed trusted certificate, and I can define validation settings here for how I want that certificate to be verified by the firewall. In my case I'm going to choose pre-shared key, as this matches the configuration on the other firewall, so I'm just going to put in the appropriate password here.

Now I can click on Advanced Options. When I click on Advanced Options, this is where I connect the IKE gateway and the IKE crypto profile, so if I had a specific profile that I wanted to use, a custom profile or one of these three built-in profiles, I would select that here. Now, depending on what IKE protocol I'm using, well, if I had IKEv2 and IKEv1 listed I could... well, let me show you. If I go to General and choose IKEv2 preferred mode, that actually changes the Advanced Options tab so that I can define a crypto profile for each respective protocol. I also have a couple of other options here. For instance, if I want this particular part of my VPN tunnel to be more responsive I can turn on passive mode, so it's not initiating the session, and then I can also turn on NAT traversal if there's a NAT device between this VPN firewall and the other side. So I get a couple of other settings here that might be of interest to you. I'm going to go ahead and click OK to this. So that's my phase one object configuration.

The next thing I need to do is my phase two. To configure phase two there are a couple of places I need to go: I need to actually configure my tunnel under Interfaces, I need to configure an IPSec crypto profile (this might be important), and then finally I'm going to configure the IPSec tunnel itself. Let's begin here again under the crypto profile. In this case I've pre-configured a custom IPSec crypto profile, so I'm going to click on this and just show you how you can actually add additional protocols, whether they be encryption, authentication or key exchange protocols. I'm going to choose Add here, let's grab Advanced Encryption Standard 128 here, just like so, and click OK.

Now that I've configured my IPSec crypto profile, the next thing I want to do is make sure I configure my tunnels. So we're going to go to Interfaces and I'm going to configure a tunnel on my layer 3 interface here. I'm going to come in here, we're going to give it a number (this is an identifier; in this case I'm just going to call it 2), and then I'm going to assign it a virtual router and the security zone that I pre-configured earlier. If I needed to create a security zone just for my VPN I could do that; I could choose Zone right here. I could use an existing one that I have, but I want to be able to control traffic in my security rules for this particular tunnel, so having its own security zone is recommended. I'm gonna click OK to that.

All right, now that I have my tunnel interface and I've configured my IPSec crypto profile, let's go to IPSec Tunnels, and this is really where I'm going to pull it all together. I'm going to click Add, give it a name, identify the tunnel interface, select the IKE gateway, and select the IPSec crypto profile. If I want to include some additional settings, like for instance if I want to configure a tunnel monitor, I can do that under Advanced Options, and then if I'm connecting to a firewall or device that supports proxy IDs, that needs to know local and destination networks for the VPN tunnel, I can configure proxy IDs. When connecting to Palo Alto Networks firewalls these are not necessary, because we're going to use our route entry instead. So this is all I need, really, for my basic site-to-site VPN configuration. I'm gonna click OK to this.

Now the final step is step 3, and that's to configure my virtual router so that traffic is directed over this VPN tunnel. I'm going to select Virtual Routers, select a virtual router, click on Static Route, and I'm going to add a route for the site 1 internal network so that my site 2 people can connect over the VPN tunnel through this firewall and over that VPN connection. So I'm going to give it a name, type in the destination address (this address is the remote network that I'm going to reach through the VPN tunnel), the interface, which is going to be my tunnel interface, and then I'm going to choose no next hop and click OK to this, and OK.

The final thing here is to make sure that the security rules are set up and in place, and I've already defined those for the sake of time. Now I'm going to choose Commit and save my changes. While that finishes committing, let's go back to the IPSec Tunnel page, and what I'm going to do then is initiate a ping in the background and refresh this screen. Once the VPN tunnel has been established we should see these turn from red to green, and there you have it. We just configured a site-to-site VPN between two Palo Alto Networks firewalls: we configured the phase 1 objects, the phase 2 objects, and configured the route we needed to establish the VPN tunnel. I hope you found this tutorial helpful. See you next time.
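An added example, not code from the video or from Palo Alto Networks: a small Python pre-commit check that models the settings the tutorial says must be compatible on both firewalls (IKE version, pre-shared key, and the phase 1 and phase 2 crypto profile proposals) and reports mismatches or a negotiated proposal that only uses weak algorithms. All class names, algorithm strings and sample site values are constructed, and the preference-order negotiation is a simplification of real IKE proposal selection.

```python
from __future__ import annotations
from dataclasses import dataclass

# Algorithms to flag if they are all the two sides can agree on (constructed list).
WEAK = {"des", "3des", "md5", "sha1", "group1", "group2"}

@dataclass(frozen=True)
class Proposal:
    encryption: str   # e.g. "aes-128-cbc"
    auth: str         # e.g. "sha256"
    dh_group: str     # e.g. "group14" (PFS group for phase 2)

@dataclass
class Site:
    ike_version: str       # "ikev1" or "ikev2", from the IKE gateway General tab
    ike_proposals: list    # phase 1: IKE crypto profile, in preference order
    ipsec_proposals: list  # phase 2: IPSec crypto profile, in preference order
    psk: str               # IKE gateway pre-shared key

def negotiate(initiator: list, responder: list) -> Proposal | None:
    # First proposal in the initiator's preference list that the responder also offers.
    offered = set(responder)
    for p in initiator:
        if p in offered:
            return p
    return None

def check_sites(a: Site, b: Site) -> dict:
    """Pre-commit check of the settings the tutorial says must match on both firewalls."""
    findings = []
    if a.ike_version != b.ike_version:
        findings.append(f"IKE version mismatch: {a.ike_version} vs {b.ike_version}")
    if a.psk != b.psk:
        findings.append("pre-shared keys differ")
    phase1 = negotiate(a.ike_proposals, b.ike_proposals)
    phase2 = negotiate(a.ipsec_proposals, b.ipsec_proposals)
    for label, chosen in (("phase 1", phase1), ("phase 2", phase2)):
        if chosen is None:
            findings.append(f"no common {label} proposal")
            continue
        weak = WEAK & {chosen.encryption, chosen.auth, chosen.dh_group}
        if weak:
            findings.append(f"{label} would negotiate weak algorithm(s): {sorted(weak)}")
    return {"phase1": phase1, "phase2": phase2, "findings": findings}

# Constructed sample: site 1 is already configured, site 2 is the firewall being set up.
SITE1 = Site("ikev2",
             [Proposal("aes-256-cbc", "sha256", "group14"), Proposal("3des", "sha1", "group2")],
             [Proposal("aes-128-cbc", "sha256", "group14")], "constructed-psk")
SITE2 = Site("ikev2",
             [Proposal("3des", "sha1", "group2"), Proposal("aes-256-cbc", "sha256", "group14")],
             [Proposal("aes-128-cbc", "sha256", "group14")], "constructed-psk")
```

Running `check_sites(SITE1, SITE2)` is clean, but `check_sites(SITE2, SITE1)` flags phase 1, because the initiator's preference order decides which mutually offered proposal wins; leaving a weak entry in either side's profile lets the other side select it.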
Info
Channel: Palo Alto Networks LIVEcommunity
Views: 65,631
Keywords: IPSec, VPN, Site to site, IKE Gateway, Tunnel
Id: 5xgYhXlnGUw
Length: 9min 47sec (587 seconds)
Published: Mon Mar 27 2017