How to Build an IPSec Tunnel Between Two Palo Alto Networks Firewalls

Posted by Charles Buege on Jan 7, 2019, 12:55:33 PM

Monday, January 7, 2018

By Charles Buege, Fuel User Group Member 

Setting up a connection between two sites is a very common task. Between a Palo Alto Networks firewall and any other vendor's device it is simple; between two Palo Alto Networks firewalls it is simpler still. Here is a step-by-step process for building an IPSec tunnel between two Palo Alto Networks firewalls.


Things to Know Before You Start

Before starting to set up a tunnel, a couple of items need to be decided on each end. At a minimum, the following items need to be known by both parties for the proper configuration of a tunnel:

  • For Phase 1 of the connectivity, you need to know the DH Group, Authentication, and Encryption. You also need to know the key lifetime for the IKE crypto profile.
  • For Phase 2 of the connectivity, you need to know the Encryption, Authentication, and DH Group number. You also need to know the lifetime for the IPSec crypto profile.
  • You will want a pre-shared key/passphrase that both sides will use for the initial authentication and connection to each other.
  • You will need to know the range (or ranges) of IP addresses on both sides that will need to be able to communicate with each other.

Getting Started

In this example, we will set up a connection between two Palo Alto Networks firewalls with IP addresses of 1.2.3.4 and 6.7.8.9. These IP addresses are not real and are used only for the sake of this example. Other than the obfuscation of the actual source and destination IP addresses of the tunnel, everything that follows is real.

“Office” Information –

  • Gateway IP Address: 1.2.3.4
  • Subnet Range: 10.241.0.0/16

“Branch” Information –

  • Gateway IP Address: 6.7.8.9
  • Subnet Ranges: 172.25.1.0/24, 172.25.2.0/24, 172.25.3.0/24

Shared Information –

  • IKE Crypto Information:
    • DH Group: 20
    • Authentication: sha512
    • Encryption: aes-256-cbc
    • Lifetime: 8 Hours
  • IKE Gateway:
    • Shared Key: AbCdEfGhIj123456@!
  • IPSec Crypto Information:
    • DH Group: 20
    • Authentication: sha512
    • Encryption: aes-256-cbc
    • Lifetime: 1 Hour

With this information, we can now begin the process of building the IPSec tunnel. 

Zone and Interface

Start by creating, on each side, the zone and the tunnel interface that the tunnel will use.

“Office” side –
Network -> Zones -> ‘Add’
Name:  Branch_Zone
Type:  Layer3
Click ‘Ok.’

Network -> Interfaces -> ‘Add’
Interface Name:  tunnel.201
Config tab -
Virtual Router: 10.241 Virtual Router (renamed from ‘default’)
Security Zone: Branch_Zone
Click ‘Ok.’

“Branch” side –
Network -> Zones -> ‘Add’
Name: Office_Zone
Type: Layer3
Click ‘Ok.’

Network -> Interfaces -> ‘Add’
Interface Name: tunnel.301
Config tab -
Virtual Router: default
Security Zone: Office_Zone
Click ‘Ok.’

IKE Crypto 

“Office” side –
Network -> Network Profiles -> IKE Crypto -> ‘Add’
Name: Branch_IKE_Crypto
DH Group: 20
Authentication:  sha512
Encryption:  aes-256-cbc
Key Lifetime: 8 Hours

“Branch” side –
Network -> Network Profiles -> IKE Crypto -> ‘Add’
Name:  Office_IKE_Crypto
DH Group: 20
Authentication:  sha512
Encryption:  aes-256-cbc
Key Lifetime: 8 Hours

IKE Gateway 

“Office” side –
Network -> Network Profiles -> IKE Gateway -> ‘Add’
General tab -
Name: Branch_IKE_Gateway
Version: IKEv1 only mode
Interface: ethernet1/1  (the interface associated with the ‘outside’ IP address that will be connecting to the ‘Branch side’)
Local IP Address: 1.2.3.4  (the external IP address associated with this interface that will be connecting to the ‘Branch side’)
Peer IP Address Type:  IP
Peer Address: 6.7.8.9  (the external IP address at the ‘Branch Side’ that will be connected to)
Authentication: Pre-Shared Key
Pre-shared Key: AbCdEfGhIj123456@!
Confirm Pre-shared Key: AbCdEfGhIj123456@!
Local Identification: IP Address / 1.2.3.4
Peer Identification: IP Address / 6.7.8.9

Advanced Options Tab -
IKEv1 -> IKE Crypto Profile:  Branch_IKE_Crypto
Click ‘Ok.’

“Branch” side –
Network -> Network Profiles -> IKE Gateway -> ‘Add’
General Tab -
Name: Office_IKE_Gateway
Version: IKEv1 only mode
Interface: ethernet1/1 (the interface associated with the ‘outside’ IP address that will be connecting to the ‘Office side’)
Local IP Address: 6.7.8.9 (the external IP address associated with this interface that will be connecting to the ‘Office side’)
Peer IP Address Type: IP
Peer Address: 1.2.3.4 (the external IP address at the ‘Office side’ that will be connected to)
Authentication: Pre-Shared Key
Pre-shared Key: AbCdEfGhIj123456@!
Confirm Pre-shared Key: AbCdEfGhIj123456@!
Local Identification: IP Address / 6.7.8.9
Peer Identification: IP Address / 1.2.3.4

Advanced Options Tab -
IKEv1 -> IKE Crypto Profile: Office_IKE_Crypto
Click ‘Ok.’

IPSec Crypto 

“Office” side –
Network -> Network Profiles -> IPSec Crypto -> ‘Add’
Name:  Branch_IPSec_Crypto
Encryption: aes-256-cbc
Authentication: sha512
DH Group: Group 20
Lifetime: 1 Hour

“Branch” side –
Network -> Network Profiles -> IPSec Crypto -> ‘Add’
Name:  Office_IPSec_Crypto
Encryption: aes-256-cbc
Authentication: sha512
DH Group: Group 20
Lifetime: 1 Hour

IPSec Tunnel

At this point, we have all of the components that we need to build the tunnel, so we can begin that process. Remember that since the ‘IKE Crypto’ options are assigned at the ‘IKE Gateways,’ those options are not available on this screen. 

“Office” side –
Network -> IPSec Tunnels -> Add
Name:  Branch_Tunnel
Tunnel Interface: tunnel.201
Type: Auto Key
Address Type: IPv4
IKE Gateway: Branch_IKE_Gateway
IPSec Crypto Profile: Branch_IPSec_Crypto
Click ‘Ok.’

“Branch” side –
Network -> IPSec Tunnels -> Add
Name: Office_Tunnel
Tunnel Interface: tunnel.301
Type: Auto Key
Address Type: IPv4
IKE Gateway: Office_IKE_Gateway
IPSec Crypto Profile: Office_IPSec_Crypto
Click ‘Ok.’

Static Routes 

The next step is to set up the necessary static routes so the traffic will traverse the proper tunnel. 

 “Office” side –
Network -> Virtual Routers -> 10.241 Virtual Router -> Static Routes -> Add
Name: Branch-Remote-01
Destination: 172.25.1.0/24
Interface: tunnel.201
Next Hop: None
Repeat these steps for Branch-Remote-02 with destination 172.25.2.0/24 and for Branch-Remote-03 with destination 172.25.3.0/24.

“Branch” side –
Network -> Virtual Routers -> default -> Static Routes -> Add
Name: Office-Remote-01
Destination: 10.241.0.0/16
Interface: tunnel.301
Next Hop: None

Security Policy

Once the static routes are in place, add a Security Policy rule that grants access across the tunnel for the subnets you want to be able to reach each other.

“Office” side –
Policies -> Security -> Add
General tab –
Name: Office to Branch - Bidirectional

Source tab –
Source Zone: Internal – 10.241 and Branch_Zone

Destination tab –
Destination Zone: Internal – 10.241 and Branch_Zone
Click ‘Ok.’

“Branch” side –
Policies -> Security -> Add
General tab –
Name: Branch to Office - Bidirectional

Source tab –
Source Zone: Internal – 172.25.1_24, Internal – 172.25.2_24, Internal – 172.25.3_24, Office_Zone

Destination tab –
Destination Zone: Internal – 172.25.1_24, Internal – 172.25.2_24, Internal – 172.25.3_24, Office_Zone
Click ‘Ok.’

At this time, perform a commit to the firewall to put all of the changes into effect.  

Once the commit is complete, generate some traffic that has to traverse the tunnel (for example, from a host on one subnet to a host on the other). Then go back to Network -> IPSec Tunnels and check the status lights on both firewalls to confirm that the tunnel is up.
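Most tunnel failures at this point come from one side not mirroring the other. As an added illustration that is not part of the original article, the following Python script expresses both endpoints' settings as dicts using the article's example values (field names are this example's own, not PAN-OS names) and checks what the tunnel requires: mirrored local/peer addresses, the same pre-shared key, identical Phase 1 and Phase 2 proposals, a static route on each side for every subnet behind the other, and no overlapping address space.

```python
import ipaddress

# Constructed example data (not exported from a firewall): the two endpoints
# from the article as plain dicts. Field names are this example's own.
OFFICE = {
    "local_ip": "1.2.3.4", "peer_ip": "6.7.8.9", "psk": "AbCdEfGhIj123456@!",
    "ike":   {"dh_group": 20, "auth": "sha512", "enc": "aes-256-cbc", "lifetime_h": 8},
    "ipsec": {"dh_group": 20, "auth": "sha512", "enc": "aes-256-cbc", "lifetime_h": 1},
    "tunnel_if": "tunnel.201",
    "local_subnets": ["10.241.0.0/16"],
    # destination -> egress interface, as entered under Static Routes
    "routes": {"172.25.1.0/24": "tunnel.201", "172.25.2.0/24": "tunnel.201",
               "172.25.3.0/24": "tunnel.201"},
}
BRANCH = {
    "local_ip": "6.7.8.9", "peer_ip": "1.2.3.4", "psk": "AbCdEfGhIj123456@!",
    "ike":   {"dh_group": 20, "auth": "sha512", "enc": "aes-256-cbc", "lifetime_h": 8},
    "ipsec": {"dh_group": 20, "auth": "sha512", "enc": "aes-256-cbc", "lifetime_h": 1},
    "tunnel_if": "tunnel.301",
    "local_subnets": ["172.25.1.0/24", "172.25.2.0/24", "172.25.3.0/24"],
    "routes": {"10.241.0.0/16": "tunnel.301"},
}

def check_pair(a, b):
    """Return a list of mismatches between two endpoints; an empty list means consistent."""
    problems = []
    # The IKE gateways must point at each other and share the same pre-shared key.
    if a["peer_ip"] != b["local_ip"] or b["peer_ip"] != a["local_ip"]:
        problems.append("local/peer addresses are not mirrored")
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ")
    # Phase 1 (IKE crypto) and Phase 2 (IPSec crypto) proposals must match field by field.
    for phase in ("ike", "ipsec"):
        for key, val in a[phase].items():
            if b[phase].get(key) != val:
                problems.append(f"{phase} {key}: {val!r} vs {b[phase].get(key)!r}")
    # Every subnet behind one side needs a static route over the other side's tunnel interface.
    for local, remote in ((a, b), (b, a)):
        for net in local["local_subnets"]:
            if remote["routes"].get(net) != remote["tunnel_if"]:
                problems.append(f"{net} has no static route via {remote['tunnel_if']}")
    # Overlapping address space on the two sides can never be routed correctly.
    for x in a["local_subnets"]:
        for y in b["local_subnets"]:
            if ipaddress.ip_network(x).overlaps(ipaddress.ip_network(y)):
                problems.append(f"subnets {x} and {y} overlap")
    return problems

if __name__ == "__main__":
    print(check_pair(OFFICE, BRANCH) or "office and branch configurations are consistent")
```

Changing a single value on one side (for example, the Phase 2 authentication to sha256) makes the checker report exactly that field, which is the same mismatch the firewall would silently fail on during negotiation.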

Conclusion

These are the steps necessary to get an IPSec tunnel up and running. As mentioned at the start of this article, connecting two Palo Alto Networks firewalls is simple and straightforward. With the two sides connected using the configuration shared here, the bidirectional security rule places no limits on the traffic between the two networks. Alternatively, you can now define additional security rules limiting the subnets, applications, or ports that you wish to control.

In a future article, I will be covering how to connect a Palo Alto Networks firewall to a non-Palo Alto Networks firewall – what differences there are, what extra steps need to be taken, etc.  There will also be another article where I will detail the steps necessary for connecting a Palo Alto Networks firewall into Microsoft Azure.
