Configuring a Site-to-Site IPSec Tunnel to Palo Alto Firewall

The following procedure demonstrates how to configure Perimeter 81 in order to establish a Site-To-Site IPSec VPN connection between your Palo Alto FW and the Perimeter 81 network. Please follow the steps below:

Configure the tunnel in Palo Alto WebGUI

1. Open the Palo Alto WebGUI, and select the Network tab.

2. Select Interfaces and open the Tunnel tab.

3. Click Add.

4. Assign the parameters according to the following:

  • Virtual Router: Select the virtual router you would like your tunnel interface to reside in.
  • Security Zone: Configure a new zone for the tunnel interface for more granular control of traffic ingress/egressing the tunnel. If the tunnel interface is in a zone different from the zone where the traffic will originate or depart, then a policy is required to allow the traffic to flow from the source zone to the zone containing the tunnel interface.

5. Open the Network tab.

6. Select Network Profiles and go to IKE Crypto.

7. Click Add (at the bottom of the page) and define the IKE Crypto profile (IKEv1 Phase-1) parameters.

  • Name: Choose an indicative name of your own choice.
  • DH Group: 14
  • Encryption: aes-256-cbc
  • Authentication: sha256
  • Key Lifetime: 8 Hours
  • IKEv2 Authentication Multiple: 0

8. Open the Network tab. Select Network Profiles and go to IKE Gateway.

9. Select Add and fill in the following information:

  • Name: Choose an indicative name of your own choice.
  • Version: IKEv1
  • Address Type: IPv4
  • Interface: The external interface connected to the internet
  • Local IP Address: Choose the external IP address
  • Peer IP Address Type: IP
  • Peer Address: Enter your Perimeter 81 gateway IP
  • Authentication: Pre-Shared Key
  • Pre-Shared Key: Enter a string of your own choice containing lower-case characters, upper-case characters, and a number. Please write down this value as you will use it to configure the tunnel and the Perimeter 81 management console as well.
  • Local Identification: None (the gateway will use the local IP as the local identification value)
  • Peer Identification: None (the gateway will use the peer IP as the peer identification value)

10. Open the Network tab. Select Network Profiles and go to IPSec Crypto.

11. Select Add and fill in the following information:

  • Name: P81-Phase2
  • IPSec Protocol: ESP
  • DH Group: 14
  • Encryption: aes-256-gcm
  • Lifetime: 1 hour
  • Authentication: sha256

12. Open the Network tab. Select IPSec Tunnels, then Add and fill in the following information:

  • Name: Choose the name of your own choice
  • Tunnel Interface: Choose the appropriate interface
  • Type: Auto Key
  • Address Type: IPv4
  • IKE Gateway: Choose the gateway that was defined earlier
  • IPSec Crypto Profile: Choose the profile that was defined earlier

13. Open the Network tab.

14. Select Virtual Routers, then select Static Routes and click Add. Fill in the following information:

  • Name: Choose an indicative name of your own choice
  • Destination: Your Perimeter 81 subnet (if such an address object does not exist yet, make sure to define it)
  • Interface: Choose the appropriate interface
  • Next Hop: None
  • Metric: 10
  • Route Table: Unicast
  • BFD Profile: Disable BFD

15. Open the Policies tab and select Security.

By default, IKE negotiation and IPSec/ESP packets are allowed.

16. If your security policy differs from this default, or if you want more granular control over the tunnel traffic, click Add and create an appropriate rule.

Configure the Tunnel in the Perimeter 81 Platform

1. Enter your Perimeter 81 Management Platform.

2. Under the Network tab in the left menu, select the name of the network in which you'd like to set the tunnel.

3. Locate the desired gateway and select the three-dot menu (...).

4. Select Add Tunnel and then IPSec Site-2-Site Tunnel.

5. Fill in the following information:

  • Name: Specify an indicative name
  • Public IP: Insert the external IP you receive from your ISP.
  • Remote ID: Insert the FW's external interface IP. This can be found in the Palo Alto WebGUI under Network/Interfaces/Ethernet.
    NOTE: Remote ID and Public IP will be identical if your FW is connected directly to the internet.
  • Shared Secret: Insert the same Pre-Shared Key that you inserted in Palo Alto WebGUI.
  • Perimeter 81 Gateway Proposal Subnets: The default value is 10.255.0.0/16. If you have multiple tunnels to the same gateway, make sure to adjust the range accordingly so that the tunnels' ranges do not overlap.
  • Remote Gateway Proposal Subnets: Specify the subnet that you defined as the local IP address when configuring the IKE Gateway in the Palo Alto WebGUI.

6. At the Advanced Settings section fill in the following information:

  • IKE Version: 1
  • IKE Lifetime: 8h
  • Tunnel Lifetime: 1h
  • Dead Peer Detection Delay: 10s
  • Dead Peer Detection Timeout: 30s
  • Encryption (Phase 1): aes256
  • Encryption (Phase 2): aes256
  • Integrity (Phase 1): sha256
  • Integrity (Phase 2): sha256
  • Diffie-Hellman Groups (Phase 1): 14
  • Diffie-Hellman Groups (Phase 2): 14
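
Before committing on either side, it is worth confirming that the two configurations actually agree, since a single mismatched proposal value or a mistyped shared secret is the usual reason Phase 1 or Phase 2 fails to come up. The following Python script is an added example for this guide (it is not code from Perimeter 81 or Palo Alto Networks) that holds the values entered in the Palo Alto WebGUI and the Perimeter 81 form side by side and reports every difference in IKE version, cipher, integrity, DH group and lifetime, checks the pre-shared key against the lower-case/upper-case/digit rule from the IKE Gateway step, and checks the proposal subnets for overlap. The dictionary field names are this script's own, not product API fields; the pre-shared key and the 192.168.10.0/24 remote subnet are constructed placeholders, while 10.255.0.0/16 is the form's default.

```python
"""Consistency check for the Palo Alto <-> Perimeter 81 tunnel values in this guide.
Added example, not code from Perimeter 81 or Palo Alto Networks. Key names are this
script's own; the pre-shared key and the 192.168.10.0/24 remote subnet are constructed."""
import ipaddress
import re
from itertools import combinations

# Values from the Palo Alto WebGUI steps (IKE Crypto, IKE Gateway, IPSec Crypto).
PALO_ALTO = {
    "ike_version": "IKEv1",
    "pre_shared_key": "Example-Psk-2024",          # constructed placeholder
    "phase1": {"encryption": "aes-256-cbc", "integrity": "sha256",
               "dh_group": 14, "lifetime": "8 Hours"},
    "phase2": {"encryption": "aes-256-gcm", "integrity": "sha256",
               "dh_group": 14, "lifetime": "1 hour"},
}

# Values from the Perimeter 81 tunnel form and its Advanced Settings.
PERIMETER81 = {
    "ike_version": "1",
    "shared_secret": "Example-Psk-2024",           # must equal the key above
    "p81_proposal_subnet": "10.255.0.0/16",        # the form's default
    "remote_proposal_subnet": "192.168.10.0/24",   # constructed LAN behind the FW
    "phase1": {"encryption": "aes256", "integrity": "sha256",
               "dh_group": 14, "lifetime": "8h"},
    "phase2": {"encryption": "aes256", "integrity": "sha256",
               "dh_group": 14, "lifetime": "1h"},
}

_UNIT_SECONDS = {"s": 1, "sec": 1, "second": 1, "seconds": 1, "m": 60, "min": 60,
                 "minute": 60, "minutes": 60, "h": 3600, "hr": 3600, "hour": 3600,
                 "hours": 3600, "d": 86400, "day": 86400, "days": 86400}


def lifetime_seconds(text):
    """Normalise '8 Hours', '8h' or '1 hour' to a number of seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([A-Za-z]+)\s*", text)
    if not m or m.group(2).lower() not in _UNIT_SECONDS:
        raise ValueError(f"unrecognised lifetime: {text!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2).lower()]


def normalize_cipher(text):
    """Split 'aes-256-cbc', 'aes256' or 'aes256gcm' into (family, key_bits, mode or None)."""
    m = re.fullmatch(r"\s*([a-z]+)-?(\d+)(?:-?([a-z]+))?\s*", text.lower())
    if not m:
        raise ValueError(f"unrecognised cipher: {text!r}")
    return m.group(1), int(m.group(2)), m.group(3)


def ike_version_number(text):
    """'IKEv1' and '1' both mean IKE version 1."""
    m = re.search(r"\d", str(text))
    if not m:
        raise ValueError(f"unrecognised IKE version: {text!r}")
    return int(m.group())


def psk_meets_policy(psk):
    """The IKE Gateway step asks for lower-case, upper-case and a digit in the key."""
    return (any(c.islower() for c in psk) and any(c.isupper() for c in psk)
            and any(c.isdigit() for c in psk))


def overlapping_subnets(cidrs):
    """Return every pair of CIDRs that overlap (empty list when all are disjoint)."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return [(str(a), str(b)) for a, b in combinations(nets, 2) if a.overlaps(b)]


def compare_tunnel(pa, p81):
    """Return a list of mismatches between the two sides; an empty list means they agree."""
    problems = []
    if ike_version_number(pa["ike_version"]) != ike_version_number(p81["ike_version"]):
        problems.append("IKE version differs")
    for phase in ("phase1", "phase2"):
        a, b = pa[phase], p81[phase]
        fam_a, bits_a, mode_a = normalize_cipher(a["encryption"])
        fam_b, bits_b, mode_b = normalize_cipher(b["encryption"])
        if (fam_a, bits_a) != (fam_b, bits_b):
            problems.append(f"{phase}: encryption {a['encryption']} vs {b['encryption']}")
        # The Perimeter 81 form names no cipher mode, so only flag a mode when both sides state one.
        elif mode_a and mode_b and mode_a != mode_b:
            problems.append(f"{phase}: cipher mode {mode_a} vs {mode_b}")
        if a["integrity"].lower().replace("-", "") != b["integrity"].lower().replace("-", ""):
            problems.append(f"{phase}: integrity {a['integrity']} vs {b['integrity']}")
        if str(a["dh_group"]) != str(b["dh_group"]):
            problems.append(f"{phase}: DH group {a['dh_group']} vs {b['dh_group']}")
        if lifetime_seconds(a["lifetime"]) != lifetime_seconds(b["lifetime"]):
            problems.append(f"{phase}: lifetime {a['lifetime']} vs {b['lifetime']}")
    if pa["pre_shared_key"] != p81["shared_secret"]:
        problems.append("pre-shared key and shared secret differ")
    if not psk_meets_policy(pa["pre_shared_key"]):
        problems.append("pre-shared key lacks lower-case, upper-case or a digit")
    for x, y in overlapping_subnets([p81["p81_proposal_subnet"], p81["remote_proposal_subnet"]]):
        problems.append(f"proposal subnets overlap: {x} / {y}")
    return problems


if __name__ == "__main__":
    for line in compare_tunnel(PALO_ALTO, PERIMETER81) or ["both sides agree"]:
        print(line)
```

When several tunnels terminate on the same Perimeter 81 gateway, pass all of their Gateway Proposal Subnets to `overlapping_subnets()` in one call; two tunnels both left at the 10.255.0.0/16 default are reported as an overlapping pair, which is exactly the situation step 5 warns about.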