Skip to main content

How to Set Up an IPSec Tunnel On PAN-OS - Palo Alto Firewalls

Set Up an IPSec Tunnel 


The IPSec tunnel configuration allows you to authenticate and/or encrypt the data (IP packet) as it traverses across the tunnel. 

If you are setting up the Palo Alto Networks firewall to work with a peer that supports policy-based VPN, you must define Proxy IDs. Devices that support policy-based VPN use specific security rules/policies or access-lists (source addresses, destination addresses and ports) for permitting interesting traffic through an IPSec tunnel. These rules are referenced during quick mode/IKE phase 2 negotiation, and are exchanged as Proxy-IDs in the first or the second message of the process. So, if you are configuring the Palo Alto Networks firewall to work with a policy-based VPN peer, for a successful phase 2 negotiation you must define the Proxy-ID so that the setting on both peers is identical. If the Proxy-ID is not configured, because the Palo Alto Networks firewall supports route-based VPN, the default values used as Proxy-ID are source ip: 0.0.0.0/0, destination ip: 0.0.0.0/0 and application: any; and when these values are exchanged with the peer, it results in a failure to set up the VPN connection. 

STEP 1 | Select Network > IPSec Tunnels and then Add a new tunnel configuration.

STEP 2 | On the General tab, enter a Name for the new tunnel.

STEP 3 | Select the Tunnel interface that will be used to set up the IPSec tunnel.

To create a new tunnel interface: 

1. Select Tunnel Interface > New Tunnel Interface. (You can also select Network > Interfaces > Tunnel and click Add.) 

2. In the Interface Name field, specify a numeric suffix, such as .2. 

3. On the Config tab, select the Security Zone drop-down to define the zone as follows: Use your trust zone as the termination point for the tunnel—Select the zone from the drop-down. Associating the tunnel interface with the same zone (and virtual router) as the external-facing interface on which the packets enter the firewall mitigates the need to create inter-zone routing.

Or:

Create a separate zone for VPN tunnel termination (Recommended)—Select New Zone, define a Name for the new zone (for example vpn-corp), and click OK. 

1. In the Virtual Router drop-down, select default. 

2. (Optional) If you want to assign an IPv4 address to the tunnel interface, select the IPv4 tab, and Add the IP address and network mask, for example 10.31.32.1/32. 

3. Click OK.

STEP 4 | Set up key exchange.

Configure one of the following types of key exchange: Set up Auto Key exchange 

1. Select the IKE Gateway. To set up an IKE gateway, see Set Up an IKE Gateway.

 2. (Optional) Select the default IPSec Crypto Profile. To create a new IPSec Profile, see Define IPSec Crypto Profiles.

Set up Manual Key exchange 

1. Specify the SPI for the local firewall. SPI is a 32-bit hexadecimal index that is added to the header for IPSec tunneling to assist in differentiating between IPSec traffic flows; it is used to create the SA required for establishing a VPN tunnel. 

2. Select the Interface that will be the tunnel endpoint, and optionally select the IP address for the local interface that is the endpoint of the tunnel. 

3. Select the protocol to be used—AH or ESP. 

4. For AH, select the Authentication method from the drop-down and enter a Key and then Confirm Key. 

5. For ESP, select the Authentication method from the drop-down and enter a Key and then Confirm Key. Then, select the Encryption method and enter a Key and then Confirm Key, if needed. 

6. Specify the SPI for the remote peer. 

7. Enter the Remote Address, the IP address of the remote peer.

STEP 5 | Protect against a replay attack.

A replay attack occurs when a packet is maliciously intercepted and retransmitted by the interceptor.

Select the Show Advanced Options check box, select Enable Replay Protection to detect and neutralize against replay attacks.

STEP 6 | Enable Tunnel Monitoring.

Note: You must assign an IP address to the tunnel interface for monitoring.

To alert the device administrator to tunnel failures and to provide automatic failover to another tunnel interface: 

1. Specify a Destination IP address on the other side of the tunnel to determine if the tunnel is working properly. 

2. Select a Profile to determine the action on tunnel failure. To create a new profile, see Define a Tunnel Monitoring Profile.

STEP 7 | Create a Proxy ID to identify the VPN peers.

This step is required only if the VPN peer uses policy-based VPN. 

1. Select Network > IPSec Tunnels and click Add. 

2. Select the Proxy IDs tab. 

3. Select the IPv4 or IPv6 tab. 

4. Click Add and enter the Proxy ID name. 

5. Enter the Local IP address or subnet for the VPN gateway. 

6. Enter the Remote address for the VPN gateway. 

7. Select the Protocol from the drop-down: 

• Number—Specify the protocol number (used for interoperability with third-party devices). 

• Any—Allows TCP and/or UDP traffic. 

• TCP—Specify the Local Port and Remote Port numbers. 

• UDP—Specify the Local Port and Remote Port numbers. 

8. Click OK.

STEP 8 | Commit your changes. Click OK and Commit.

Comments

Popular posts from this blog

Basic Rules of Checkpoint Firewall

Managing the Firewall Rule Base: Explicit and Implied Rules These are the types of rules in the Rule Base: Explicit rules - Rules that you create to configure which connections the Firewall allows Implied rules - Rules that are based on settings in the Global Properties menu Implied rules allow connections for different services that the Security Gateway uses. For example, the Accept Control Connections option allows packets that control these services: ·          Installing the security policy on a Security Gateway ·          Sending logs from a Security Gateway to the Security Management server ·          Connecting to third party applications, such as RADIUS and TACACS authentication servers Order of Rule Enforcement: Make sure that you understand the importance of the order of rule enforcement to maximize the security of t...

ASA TCP Connection Flags

When troubleshooting TCP connections through the ASA, the connection flags shown for each TCP connection provide a wealth of information about the state of TCP connections to the ASA. This information can be used to troubleshoot problems with the ASA, as well as problems elsewhere in the network. Here is the output of the show conn protocol tcp command, which shows the state of all TCP connections through the ASA. These connections can also be seen with the show conn command. ASA# show conn protocol tcp 101 in use, 5589 most used TCP outside 10.23.232.59:5223 inside 192.168.1.3:52419, idle 0:00:11, bytes 0, flags saA TCP outside 192.168.3.5:80 dmz 172.16.103.221:57646, idle 0:00:29, bytes 2176, flags UIO TCP outside 10.23.232.217:443 inside 192.168.1.3:52427, idle 0:01:02, bytes 4504, flags TCP outside 10.23.232.217:5223 inside 192.168.1.3:52425, idle 0:00:10, bytes 0, flags saAUIO TCP outside 10.23.232.57:5223 inside 192.168.1.3:52412, idle 0:0...