How to Build an IPSec Tunnel Between a Palo Alto Networks Firewall and a pfSense Firewall

Posted by Charles Buege on Sep 27, 2019 3:49:48 PM

Friday, September 27, 2019

By Charles Buege, Fuel User Group Member 

Continuing my series on how to set up IPSec tunnels on Palo Alto Networks firewalls, this blog post will cover how to connect to a pfSense firewall.   

Before starting to set up any tunnel, a couple of items need to be decided on each end first. At a minimum, the following items need to be agreed by both parties, and they must match exactly, for a tunnel to negotiate:

  • For Phase 1 (the IKE SA), you need to know the DH Group, Authentication (hash) and Encryption algorithms. You also need to know the key lifetime for the IKE crypto profile.
  • For Phase 2 (the IPSec SA), you need to know the Encryption, Authentication and DH Group number (the DH group here provides Perfect Forward Secrecy). You also need to know the lifetime for the IPSec crypto profile.
  • You will want a pre-shared key/passphrase that both sides will use to authenticate each other when the tunnel is first negotiated. Make it long and randomly generated: anyone who learns it can impersonate either peer.
  • You will need to know the range (or ranges) of IP addresses on both sides that will need to be able to communicate with each other.

This article is also presuming that you’ve already gone through the process of building a pfSense system and are familiar with its navigation, usage, etc. If you aren’t familiar with pfSense, I’d recommend starting with that before jumping into this article. If you’re in the process of learning IPSec tunnels as well as pfSense, you’ll be much better off getting familiar with just pfSense first. There are many links on YouTube and throughout the internet for setting up pfSense.

In this example, we will be setting up a connection from a Palo Alto Networks firewall with an external IP address of 1.2.3.4 and a pfSense firewall with an external IP address of 6.7.8.9. Yes, those aren’t the real IP addresses I’m using, but other than the obfuscation of the actual source and destination IP addresses of the tunnel, everything else is accurate. Whenever possible, I try to choose the highest level of authentication and encryption that either side of the tunnel can support. Sometimes I’ve had to drop it down a couple of levels, but for the most part, using the highest level of authentication and encryption on each end, you’ll get the most secure connection possible.

“Office” Information – Palo Alto Networks firewall

  • Gateway IP Address: 1.2.3.4
  • Subnet Range: 10.241.0.0/16

“Branch” Information – PfSense firewall

  • Gateway IP Address: 6.7.8.9
  • Subnet Ranges: 10.225.0.0/16

Shared Information

  • IKE Crypto Information (Phase 1):
    • DH Group: 20 (384-bit elliptic curve; pfSense lists it as “20 (nist ecp384)”)
    • Authentication: sha512
    • Encryption: aes-256-cbc
    • Lifetime: 8 hours (28800 seconds)
  • IKE Gateway:
    • Shared Key: AbCdEfGhIj123456@! (an example value only; use your own long, random key)
  • IPSec Crypto Information (Phase 2):
    • DH Group: 20
    • Authentication: sha512
    • Encryption: aes-256-gcm
    • Lifetime: 1 hour (3600 seconds)

With this information, we can now begin the process for building the IPSec tunnel.

Palo Alto Networks Configuration

First, we start by doing the configuration on the Palo Alto Networks firewall for the “Office” side.

Zone and Interface

Go to Network -> Zones -> ‘Add’

Name: Branch_Zone

Type: Layer3

Click ‘Ok’.

PA-220-Image-01

Network -> Interfaces -> ‘Add’

Interface Name: tunnel.201

Config tab -

Virtual Router: 10.241 Virtual Router (renamed from ‘default’)

Security Zone: Branch_Zone

Click ‘Ok’.

PA-220-Image-02 

IKE Crypto

Go to Network -> Network Profiles -> IKE Crypto -> ‘Add’

Name: Branch_IKE_Crypto

DH Group: 20

Authentication: sha512

Encryption: aes-256-cbc

Key Lifetime: 8 hours

PA-220-Image-03

IKE Gateway 

Go to Network -> Network Profiles -> IKE Gateway -> ‘Add’

General tab -

Name: Branch_IKE_Gateway

Version: IKEv2 only mode

Interface: ethernet1/1 (the interface associated with the ‘outside’ IP address that will be connecting to the ‘Branch side’)

Local IP Address: 1.2.3.4 (the external IP address associated with this interface that will be connecting to the ‘Branch side’)

Peer IP Address Type: IP

Peer Address: 6.7.8.9 (the external IP address at the ‘Branch Side’ that will be connected to)

Authentication: Pre-Shared Key

Pre-shared Key: AbCdEfGhIj123456@!

Confirm Pre-shared Key: AbCdEfGhIj123456@!

Local Identification: IP Address / 1.2.3.4

Peer Identification: IP Address / 6.7.8.9

PA-220-Image-04

Advanced Options Tab -

IKEv2 -> IKE Crypto Profile: Branch_IKE_Crypto

Click ‘Ok’

PA-220-Image-05

IPSec Crypto 

Go to Network -> Network Profiles -> IPSec Crypto -> ‘Add’

Name: Branch_IPSec_Crypto

Encryption: aes-256-gcm

Authentication: sha512 (AES-GCM is an authenticated (AEAD) cipher and carries its own integrity check, so a separate ESP authentication algorithm is not needed for it; the value is set here to mirror the pfSense side, and the important thing is that the two sides agree)

DH Group: Group 20

Lifetime: 1 hour

PA-220-Image-06

IPSec Tunnel

At this point, we have all of the components that we need to build the tunnel. Remember that since the ‘IKE Crypto’ options are assigned at the ‘IKE Gateways’, those options are not necessary on this screen.

Go to Network -> IPSec Tunnels -> Add

Name: Branch_Tunnel

Tunnel Interface: tunnel.201

Type: Auto Key

Address Type: IPv4

IKE Gateway: Branch_IKE_Gateway

IPSec Crypto Profile: Branch_IPSec_Crypto

Click ‘Ok’.

PA-220-Image-07

Static Routes

The next step is to set up the necessary static routes so the traffic will traverse the proper tunnel.

Go to Network -> Virtual Routers -> 10.241 Virtual Router -> Static Routes -> Add

Name: Branch-Remote-01

Destination: 10.225.0.0/16

Interface: tunnel.201

Next Hop: None

PA-220-Image-08

Security Policy

Once the static routes are in place, you want to set up a Security Policy that grants access across the tunnel for the subnets that should be able to reach each other through it. Traffic arriving from tunnel.201 enters the firewall in Branch_Zone, so the rule has to cover both directions between Branch_Zone and the internal zone.

Go to Policies -> Security -> Add

General tab –

Name: Office to Branch - Bidirectional

PA-220-Image-09

Source tab –

Source Zone: Internal – 10.241 and Branch_Zone

PA-220-Image-10

Destination tab –

Destination Zone: Internal – 10.241 and Branch_Zone

PA-220-Image-11

Click Ok.

One other item to do is to go to the ‘Service/URL Category’ tab and change the ‘application-default’ above the word ‘Service’ to ‘any’. With application-default, an application is only allowed on its standard ports, so a resource on a non-standard port (HTTPS on port 54321, for example) would be blocked. Setting Service to ‘any’ removes that restriction. Note that the rule as built allows any application, any service and any address between the two zones in both directions; on a production tunnel, restrict Source and Destination addresses to 10.241.0.0/16 and 10.225.0.0/16 and list the specific applications or service objects you need instead of ‘any’, once you have confirmed that basic connectivity works.

PA-220-Image-12

At this time, perform a commit to the firewall to put all of the changes into effect.  
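For reference, and as an added example rather than part of the original post, here is the same Office-side configuration expressed as PAN-OS “set” commands, which is handy for scripting or for comparing against a running firewall (enter “configure” first, then paste; the lines beginning with “#” are explanatory comments for the reader, not CLI input). The command syntax is from PAN-OS 9.x and should be confirmed with tab completion on your release; the /24 prefix on ethernet1/1 and the exact spelling of the internal zone name (“Internal - 10.241” below) are assumptions and must match what is configured on your firewall.

```text
# Tunnel interface, zone and virtual router membership
set network interface tunnel units tunnel.201
set zone Branch_Zone network layer3 tunnel.201
set network virtual-router "10.241 Virtual Router" interface tunnel.201

# IKE (Phase 1) crypto profile
set network ike crypto-profiles ike-crypto-profiles Branch_IKE_Crypto dh-group group20
set network ike crypto-profiles ike-crypto-profiles Branch_IKE_Crypto hash sha512
set network ike crypto-profiles ike-crypto-profiles Branch_IKE_Crypto encryption aes-256-cbc
set network ike crypto-profiles ike-crypto-profiles Branch_IKE_Crypto lifetime hours 8

# IKE gateway: IKEv2 only, PSK, IP-address identifiers on both ends
# (the /24 on the local address is an assumption; use the interface's real prefix)
set network ike gateway Branch_IKE_Gateway protocol version ikev2
set network ike gateway Branch_IKE_Gateway protocol ikev2 ike-crypto-profile Branch_IKE_Crypto
set network ike gateway Branch_IKE_Gateway local-address interface ethernet1/1 ip 1.2.3.4/24
set network ike gateway Branch_IKE_Gateway peer-address ip 6.7.8.9
set network ike gateway Branch_IKE_Gateway authentication pre-shared-key key "AbCdEfGhIj123456@!"
set network ike gateway Branch_IKE_Gateway local-id type ipaddr id 1.2.3.4
set network ike gateway Branch_IKE_Gateway peer-id type ipaddr id 6.7.8.9

# IPSec (Phase 2) crypto profile
set network ike crypto-profiles ipsec-crypto-profiles Branch_IPSec_Crypto esp encryption aes-256-gcm
set network ike crypto-profiles ipsec-crypto-profiles Branch_IPSec_Crypto esp authentication sha512
set network ike crypto-profiles ipsec-crypto-profiles Branch_IPSec_Crypto dh-group group20
set network ike crypto-profiles ipsec-crypto-profiles Branch_IPSec_Crypto lifetime hours 1

# IPSec tunnel tying the interface, gateway and crypto profile together
set network tunnel ipsec Branch_Tunnel tunnel-interface tunnel.201
set network tunnel ipsec Branch_Tunnel auto-key ike-gateway Branch_IKE_Gateway
set network tunnel ipsec Branch_Tunnel auto-key ipsec-crypto-profile Branch_IPSec_Crypto

# Static route for the branch subnet out of the tunnel interface (no next hop)
set network virtual-router "10.241 Virtual Router" routing-table ip static-route Branch-Remote-01 destination 10.225.0.0/16
set network virtual-router "10.241 Virtual Router" routing-table ip static-route Branch-Remote-01 interface tunnel.201

# Bidirectional security policy between the internal zone and Branch_Zone
# (zone name spelling is assumed; it must match Network > Zones exactly)
set rulebase security rules "Office to Branch - Bidirectional" from [ "Internal - 10.241" Branch_Zone ]
set rulebase security rules "Office to Branch - Bidirectional" to [ "Internal - 10.241" Branch_Zone ]
set rulebase security rules "Office to Branch - Bidirectional" source any
set rulebase security rules "Office to Branch - Bidirectional" destination any
set rulebase security rules "Office to Branch - Bidirectional" application any
set rulebase security rules "Office to Branch - Bidirectional" service any
set rulebase security rules "Office to Branch - Bidirectional" action allow

commit
```

Keeping the configuration in this form makes it easy to diff the Office side against the values agreed with the branch before committing, which is where most tunnel mismatches are caught.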

pfSense Configuration

Next, we go to the pfSense configuration steps.

Go to https://[pfSenseIPAddress] and log in with the credentials you defined upon installation of the firewall. Once logged in, go to VPN -> IPsec.

pfSense-Image-01

Click ‘Add P1’ to start the tunnel creation with a phase one definition. Fill it in with the following values (fields not listed keep their defaults):

Key Exchange version – IKEv2

Interface – WAN (the interface that holds the external address 6.7.8.9)

Remote Gateway – 1.2.3.4 (the external IP address of the PA-220 you are connecting to)

Description – Office Tunnel

Authentication Method – Mutual PSK (the default)

My identifier – My IP address, and Peer identifier – Peer IP address (the defaults; these match the IP Address identifiers set on the Palo Alto Networks IKE Gateway)

Pre-Shared Key – AbCdEfGhIj123456@!

Encryption Algorithm:

Algorithm – AES

Key length – 256 bits

Hash – SHA512

DH Group – 20 (nist ecp384)

Lifetime – 28800 (seconds; 8 hours, matching the IKE crypto profile on the Palo Alto side)

Click ‘Save’ when complete.

pfSense-Image-02a

 

pfSense-Image-02b

 

pfSense-Image-02c

Don’t click ‘Apply Changes’ yet; the tunnel also needs a Phase 2 entry before it can carry traffic. Click on ‘+ Show Phase 2 Entries (0)’ and then click ‘+ Add P2’.

pfSense-Image-03

On the ‘Edit Phase 2’ screen, enter the following information (Mode stays at the default of Tunnel IPv4):

Local Network:

                        Address – 10.225.0.0/16 (the default ‘LAN subnet’ works if that is the subnet on the LAN interface)

Remote Network:

                        Address – 10.241.0.0/16

Description – 10.241 Network

Encryption Algorithms:

                        AES-256-GCM

                        128 bits (for the GCM ciphers this dropdown selects the ICV/tag length, not the key length; the key length is the 256 in the algorithm name, and 128 bits matches the 16-byte tag that PAN-OS uses for aes-256-gcm)

Hash Algorithms – SHA512 (pfSense notes that the hash is ignored for GCM ciphers, since GCM provides its own integrity check; set it anyway to mirror the Palo Alto side)

PFS key group – 20 (nist ecp384)

Lifetime – 3600 (seconds; 1 hour, matching the IPSec crypto profile on the Palo Alto side)

Click ‘Save’ when complete.

pfSense-Image-04a

 

pfSense-Image-04b
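pfSense drives strongSwan underneath the web UI, and it helps to know what the two entries above amount to in strongSwan terms, both for reading the configuration pfSense writes (/var/etc/ipsec/ipsec.conf on the 2.4.x releases) and for checking the negotiated proposals later. The following is an added example written by hand in strongSwan ipsec.conf syntax, not a copy of what pfSense generates: the connection name, the auto setting and the option order are assumptions, and pfSense adds further options (DPD, fragmentation, and so on) that are not shown here.

```text
# Equivalent of the pfSense Phase 1 + Phase 2 entries in strongSwan ipsec.conf syntax
# (hand-written example; "con1000" and "auto = route" are assumed, pfSense picks its own)
conn con1000
        keyexchange = ikev2
        type = tunnel
        auto = route
        # Phase 1: local (left) is the pfSense WAN, remote (right) is the Palo Alto
        left = 6.7.8.9
        leftid = 6.7.8.9
        right = 1.2.3.4
        rightid = 1.2.3.4
        leftauth = psk
        rightauth = psk
        # IKE proposal: AES-256-CBC / SHA-512 / DH group 20 (ecp384); "!" = strict, no fallback
        ike = aes256-sha512-ecp384!
        ikelifetime = 28800s
        # ESP proposal: AES-256-GCM with a 128-bit ICV plus PFS group 20. No integrity
        # algorithm is listed because GCM is an AEAD cipher (the UI's hash is ignored).
        esp = aes256gcm128-ecp384!
        lifetime = 3600s
        # Phase 2 traffic selectors: branch LAN <-> office LAN
        leftsubnet = 10.225.0.0/16
        rightsubnet = 10.241.0.0/16

# Matching entry in ipsec.secrets: "<local id> <peer id> : PSK <key>"
# 6.7.8.9 1.2.3.4 : PSK "AbCdEfGhIj123456@!"
```

The two proposal lines are the ones to compare against the Palo Alto profiles: “aes256-sha512-ecp384” is Branch_IKE_Crypto and “aes256gcm128-ecp384” is Branch_IPSec_Crypto, and the trailing “!” means strongSwan will offer nothing weaker if the peer does not accept them.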

Now we can apply the changes to the firewall. Click ‘Apply Changes’ for the tunnel settings to take effect.

pfSense-Image-05

Once you see a message of ‘The changes have been applied successfully.’, the changes are in place.

Going back and looking at the Palo Alto Networks firewall’s IPSec Tunnels page, you should see the tunnel has connected successfully.

PA-220-Image-13

The image shows a successful tunnel connection, where the green circles show that Phase 1 (box 2) and Phase 2 (box 7) have completed successfully. On the pfSense side, Status -> IPsec should likewise show the Phase 1 as Established with the Phase 2 entry installed.

You should be able to ping across the tunnel at this point. If you can’t, go back and verify that the IKE and IPSec settings match on both sides (algorithms, DH group, lifetimes and the pre-shared key); a mismatch shows up on the Palo Alto side in the ikemgr log (Monitor -> System, filtered on the tunnel or gateway name). Two other things commonly stop traffic even when the status pages look green. First, if Phase 1 comes up but Phase 2 does not, the usual cause is a traffic selector (Proxy ID) mismatch: the pfSense Phase 2 entry is specific to 10.225.0.0/16 and 10.241.0.0/16, whereas a Palo Alto Networks tunnel with nothing on its Proxy IDs tab negotiates 0.0.0.0/0 on both sides; adding a Proxy ID on the tunnel with Local 10.241.0.0/16 and Remote 10.225.0.0/16 makes the two sides agree explicitly. Second, pfSense filters traffic arriving from the tunnel on the IPsec tab under Firewall -> Rules, which has no rules by default, so pings from the office subnet will be dropped at the branch until you add an allow rule there.
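As an added troubleshooting aid, not from the original post, these are the command-line checks on each side that show whether Phase 1 and Phase 2 actually negotiated, and with which algorithms. The PAN-OS commands are run from operational mode on the firewall CLI; the pfSense commands are run from Diagnostics -> Command Prompt or an SSH shell. The pfSense test-host and source addresses are placeholders in angle brackets, and the exact wording of the strongSwan output is given only as an example of what to look for.

```text
# ---- Palo Alto Networks firewall (operational mode) ----
show vpn ike-sa gateway Branch_IKE_Gateway      # Phase 1: one established IKE SA for peer 6.7.8.9
show vpn ipsec-sa tunnel Branch_Tunnel          # Phase 2: inbound and outbound SPIs present
show vpn flow name Branch_Tunnel                # encap/decap packet counters; both should rise after a ping
test vpn ike-sa gateway Branch_IKE_Gateway      # force a Phase 1 negotiation if nothing is up
test vpn ipsec-sa tunnel Branch_Tunnel          # then force Phase 2
tail follow yes mp-log ikemgr.log               # negotiation detail; look for NO_PROPOSAL_CHOSEN
                                                # (algorithm mismatch), AUTHENTICATION_FAILED (PSK
                                                # or identifier mismatch) or TS_UNACCEPTABLE
                                                # (Proxy ID / Phase 2 network mismatch)
ping source <office-side interface IP> host <branch host IP>

# ---- pfSense (shell) ----
ipsec statusall                                 # pfSense 2.4.x (strongSwan stroke interface)
swanctl --list-sas                              # pfSense 2.5 and later (swanctl/vici interface)
# In either output, confirm the state is ESTABLISHED and that the negotiated
# algorithms are the ones agreed above, which strongSwan prints along the lines of
#   IKE: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_384
#   ESP: AES_GCM_16_256/ECP_384
# Anything else means one side is offering a different proposal than you think.
ping -S <branch LAN interface IP> <office host IP>
```

Sourcing the test pings from an inside interface address matters: a ping from the firewall’s WAN address is not covered by the Phase 2 traffic selectors and will never enter the tunnel, which is easy to mistake for a broken tunnel.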

Congratulations! You now have a tunnel set up between your office and your branch using pfSense and your Palo Alto Networks firewall.   

Thank you for reading this article. If there are any “how-to” topics that are of interest — not limited to only IPSec tunnels — please reach out to the Fuel for Thought blog managing editor at editor@fuelusergroup.org and share your thoughts.

Coming Up 

The next articles I will be writing will continue in this vein with regards to connecting to other firewalls – both commercial and open source. Here is a list of the topics that I aim to cover in future articles with regards to IPSec tunnels to Palo Alto Networks firewalls:

  • AWS
  • Cisco Meraki MX
  • Microsoft Azure
  • OPNsense
  • Palo Alto Networks firewall back to itself for those users with a single Palo Alto Networks firewall
  • Palo Alto Networks firewall virtual machine
  • VyOS (open source fork of Vyatta)
