Friday, September 27, 2019
By Charles Buege, Fuel User Group Member
Continuing my series on how to set up IPSec tunnels on Palo Alto Networks firewalls, this blog post will cover how to connect to a pfSense firewall.
Before starting to set up any tunnel, a couple of items need to be decided on each end first. At a minimum, the following items need to be known by both parties for the proper configuration of a tunnel:
- For Phase 1 of the connectivity, you need to know the DH Group, Authentication and Encryption. You also need to know the key lifetime for the IKE crypto profile.
- For Phase 2 of the connectivity, you need to know the Encryption, Authentication and DH Group number. You also need to know the lifetime for the IPSec crypto profile.
- You will want a pre-shared key/passphrase that both sides will use for the initial authentication and connection to each other.
- You will need to know the range (or ranges) of IP addresses on both sides that will need to be able to communicate with each other.
This article is also presuming that you’ve already gone through the process of building a pfSense system and are familiar with its navigation, usage, etc. If you aren’t familiar with PfSense, I’d recommend starting with that before jumping into this article. If you’re in the processing of learning IPSec tunnels as well as PfSense, you’ll be much better off getting familiar with just PfSense first. There are many links on YouTube and throughout the internet for setting up PfSense.
In this example, we will be setting up a connection from a Palo Alto Networks firewall with an external IP address of 184.108.40.206 and a pfSense firewall with an external IP address of 220.127.116.11. Yes, those aren’t the real IP addresses I’m using, but other than the obfuscation of the actual source and destination IP addresses of the tunnel, everything else is accurate. Whenever possible, I try to choose the highest level of authentication and encryption that either side of the tunnel can support. Sometimes I’ve had to drop it down a couple of levels, but for the most part, using the highest level of authentication and encryption on each end, you’ll get the most secure connection possible.
“Office” Information – Palo Alto Networks firewall
- Gateway IP Address: 18.104.22.168
- Subnet Range: 10.241.0.0/16
“Branch” Information – PfSense firewall
- Gateway IP Address: 22.214.171.124
- Subnet Ranges: 10.225.0.0/16
- IKE Crypto Information:
- DH Group: 20
- Authentication: sha512
- Encryption: aes-256-cbc
- Lifetime: 8 hours
- IKE Gateway:
- Shared Key: AbCdEfGhIj123456@!
- IPSec Crypto Information:
- DH Group: 20
- Authentication: sha512
- Encryption: aes-256-gcm
- Lifetime: 1 hour
With this information, we can now begin the process for building the IPSec tunnel.
Palo Alto Networks Configuration
First, we start by doing the configuration on the Palo Alto Networks firewall for the “Office” side.
Zone and Interface
Go to Network -> Zones -> ‘Add’
Network -> Interfaces -> ‘Add’
Interface Name: tunnel.201
Config tab -
Virtual Router: 10.241 Virtual Router (renamed from ‘default’)
Security Zone: Branch_Zone
Go to Network -> Network Profiles -> IKE Crypto -> ‘Add’
DH Group: 20
Key Lifetime: 8 hours
Go to Network -> Network Profiles -> IKE Gateway -> ‘Add’
General tab -
Version: IKEv2 only mode
Interface: ethernet1/1 (the interface associated with the ‘outside’ IP address that will be connecting to the ‘Branch side’)
Local IP Address: 126.96.36.199 (the external IP address associated with this interface that will be connecting to the ‘Branch side’)
Peer IP Address Type: IP
Peer Address: 188.8.131.52 (the external IP address at the ‘Branch Side’ that will be connected to)
Authentication: Pre-Shared Key
Pre-shared Key: AbCdEfGhIj123456@!
Confirm Pre-shared Key: AbCdEfGhIj123456@!
Local Identification: IP Address / 184.108.40.206
Peer Identification: IP Address / 220.127.116.11
Advanced Options Tab -
IKEv2 -> IKE Crypto Profile: Branch_IKE_Crypto
Go to Network -> Network Profiles -> IPSec Crypto -> ‘Add’
DH Group: Group 20
Lifetime: 1 hour
At this point, we have all of the components that we need to build the tunnel. Remember that since the ‘IKE Crypto’ options are assigned at the ‘IKE Gateways’, those options are not necessary on this screen.
Go to Network -> IPSec Tunnels -> Add
Tunnel Interface: tunnel.201
Type: Auto Key
Address Type: IPv4
IKE Gateway: Branch_IKE_Gateway
IPSec Crypto Profile: Branch_IPSec_Crypto
The next step is to set up the necessary static routes so the traffic will traverse the proper tunnel.
Go to Network -> Virtual Routers -> 10.241 Virtual Router -> Static Routes -> Add
Next Hop: None
Once the static routes are in place, you want to set the Security Policy to grant access across the tunnel for the subnets you want to be able to traverse the subnet.
Go to Policies -> Security -> Add
General tab –
Name: Office to Branch - Bidirectional
Source tab –
Source Zone: Internal – 10.241 and Branch_Zone
Destination tab –
Destination Zone: Internal – 10.241 and Branch_Zone
One other item to do is to go to the ‘Service/URL Category’ tab and change the ‘application-default’ above the word ‘Service’ to ‘any’. If you don’t, trying to access any resources on non-standard ports (like accessing HTTPS on port 54321 for example) will be blocked.
At this time, perform a commit to the firewall to put all of the changes into effect.
Next, we go to the PfSense configuration steps.
Go to https://[PfSenseIPAddress] and login with your credentials that you defined upon installation of the firewall. Once logged in, go to VPN -> IPsec.
Click ‘Add P1’ to start the tunnel creation with a phase one definition. Fill it in with the following values:
Key Exchange version – IKEv2
Remote Gateway – External IP Address of the PA-220 you are connecting to
Description – Office Tunnel
Pre-Shared Key – AbCdEfGhIj123456@!
Algorithm – AES
Key length – 256 bits
Hash – SHA512
DH Group – 20
Lifetime – 28800
Click ‘Save’ when complete.
Don’t click on ‘Apply Changes’ yet. We’re not ready yet. Next, we need to create the Phase 2 entry for this tunnel. Click on ‘+ Show Phase 2 Entries (0)’ and then click ‘+ Add P2’.
On the ‘Edit Phase 2’ screen, enter the following information:
Address – 10.241.0.0/16
Description – 10.241 Network
Hash Algorithms – SHA512
PFS key group – 20 (nist ecp384)
Lifetime – 3600
Click ‘Save’ when complete
Now we can apply the changes to the firewall. Click ‘Apply Change’ for the tunnel settings to take effect.
Once you see a message of ‘The changes have been applied successfully.’, the changes are in place.
Going back and looking at the Palo Alto Networks firewall’s IPSec Tunnels page, you should see the tunnel has connected successfully.
Image shows a successful tunnel connection where the green circles show that Phase 1 (box 2) and Phase 2 (box 7) have been completed successfully.
You should be able to ping across the tunnel at this point. If you’re unable to, I’d recommend going back and verifying that the IKE and IPsec tunnels match on both sides.
Congratulations! You now have a tunnel set up between your office and your branch using pfSense and your Palo Alto Networks firewall.
Thank you for reading this article. If there are any “how-to” topics that are of interest — not limited to only IPSec tunnels — please reach out to the Fuel for Thought blog managing editor at firstname.lastname@example.org and share your thoughts.
The next articles I will be writing will continue in this vein with regards to connecting to other firewalls – both commercial and open source. Here is a list of the topics that I aim to cover in future articles with regards to IPSec tunnels to Palo Alto Networks firewalls:
- Cisco Meraki MX
- Microsoft Azure
- Palo Alto Networks firewall back to itself for those users with a single Palo Alto Networks firewall
- Palo Alto Networks firewall virtual machine
- VyOS (open source fork of Vyatta)
Interested in learning how to build other IPSec tunnels? Check out these blog posts in the series:
- How to Build an IPSec Tunnel Between a Palo Alto Networks Firewall and a Cisco ASA (Adaptive Security Appliance
- How to Build an IPSec Tunnel Between a Palo Alto Networks Firewall and an IPFire Firewall
- How to Build an IPSec Tunnel Between Two Palo Alto Networks Firewalls
More to Explore
Check out these Fuel blog posts for further reading: