IPsec VPN Between Two Palo Alto Firewalls
In this guide, we will configure an IPsec VPN tunnel to connect two sites using Palo Alto firewalls. The topology is built in EVE-NG and features two Palo Alto firewalls running PAN-OS 10.1.12, one at each site, referred to as Site-A and Site-B.
To keep this guide straightforward, we will focus primarily on the IPsec configuration, with a single local network at each site. Site-A's LAN subnet is 10.1.1.0/24 and Site-B's LAN subnet is 172.16.32.0/24. Additionally, we have a management PC on the 192.168.10.0/24 network to manage both firewalls.
To configure the IPsec tunnel, we will be going through the following steps on each firewall:
- Assign management IP for GUI access
- Configure Zones and Interfaces
- Configure IPsec
- Create IKE Crypto
- Create IPsec Crypto
- Configure IKE Gateway
- Create a Tunnel Interface
- Create IPsec Tunnel
- Add a Virtual Route
- Configure Policies
Configuring PA-1
1. Getting GUI Access
To gain GUI access to the firewall, we need to assign an IP address to the Management Interface. We’ll start by connecting to the CLI session and logging in with the default credentials (admin/admin). Upon logging in, you’ll be prompted to change the admin password. After setting a strong password for the admin user, we can configure the Management Interface.
admin@PA-VM> configure
admin@PA-VM# set deviceconfig system type static
admin@PA-VM# set deviceconfig system ip-address 192.168.10.5 netmask 255.255.255.0
admin@PA-VM# commit
We should now be able to access the firewall from our management PC at 192.168.10.5.
2. Configuring Zones and Interfaces
Creating Zones
We will need at least two zones: Inside and Outside. The Inside Zone will be the LAN-facing zone, while the Outside Zone will be Internet-facing and will also be used for the VPN tunnel.
To create a zone:
- Navigate to the Network tab
- Click on Zones from the options on the left
- Click Add at the bottom of the screen
- Provide a name: Inside
- Change the type to Layer3
- Click OK
Similarly, create another zone and name it Outside. Once both zones are created, click Commit to apply the changes.
The same steps are used to create the zones on PA-2 at Site-B.
Configuring Interfaces
We will now configure eth1/1 for the LAN and eth1/2 for the Internet-facing side that carries the tunnel. As per our lab, we will assign 10.1.1.5/24 to eth1/1 and 100.1.1.5/24 to eth1/2.
To configure Interface eth1/1:
- Click on the Interface you want to edit
- Interface Type: Layer3
- Under Config tab:
- Virtual Router: default (we will add the tunnel route to this virtual router later)
- Security Zone: Inside
- Under IPv4 tab
- Click Add and then click New Address
- Select Static
- Click Add and type 10.1.1.5/24
- Click Ok
- Under the Advanced tab:
- Management Profile: Add New Management Profile
- Name: Ping
- Select Ping from the list
- Click OK twice to save
To configure Interface eth1/2:
- Click on the Interface you want to edit
- Interface Type: Layer3
- Under Config tab:
- Virtual Router: default (we will add the tunnel route to this virtual router later)
- Security Zone: Outside
- Under IPv4 tab
- Click Add and then click New Address
- Select Static
- Click Add and type 100.1.1.5/24
- Click Ok
- Under the Advanced tab select the Management profile Ping that we created in the above step
After committing the changes, both interfaces will show as up with their assigned IP addresses.
3. Configuring IPsec Tunnel
Configure IKE Crypto Profile
To configure the IKE crypto profile:
- Click on IKE Crypto
- Click Add
- Name: SiteA-to-SiteB-IKE-Crypto
- DH-GROUP: group2
- AUTHENTICATION: SHA1
- ENCRYPTION: des
- Click OK
Configure IPsec Crypto Profile
To configure the IPsec crypto profile:
- Click on IPsec Crypto
- Click Add
- Name: SiteA-to-SiteB-IPsec-Crypto
- ENCRYPTION: des
- AUTHENTICATION: SHA1
- DH-GROUP: group2
- Click OK
We will commit the changes here before proceeding to the next step.
Configure IKE Gateway
To configure the IKE Gateway:
- Select IKE Gateway from the options on the left
- Click Add
- Name: SiteA-to-SiteB-IKE-Gateway
- Version: IKEv2 only mode
- Address Type: IPv4
- Interface: ethernet1/2
- Local IP: 100.1.1.5/24
- Peer IP Address Type: IP
- Peer Address: 200.1.1.10
- Pre-shared Key: Secret123!
- Click OK
- Under Advanced Options
- Choose the IKE crypto profile created (SiteA-to-SiteB-IKE-Crypto)
Configuring Tunnel Interface
To create a Tunnel Interface:
- Go to Interfaces > Tunnel > Add
- Type ID: 1
- Under Config tab
- Virtual Router: Default
- Security Zone: Outside
- Under IPv4 tab
- Add IP 192.168.0.1/30
The IP assigned to the tunnel interface must not overlap with any subnet already in use on your network.
Configuring IPsec Tunnel
To configure the IPsec tunnel:
- Click on IPsec Tunnel > Add
- Under General
- Name: SiteA-to-SiteB-IPsec-Tunnel
- Tunnel Interface: tunnel.1
- IKE Gateway: SiteA-to-SiteB-IKE-Gateway
- IPsec Crypto Profile: SiteA-to-SiteB-IPsec-Crypto
- Perform Commit
4. Add a Virtual Route
To add a virtual route:
- Click on Virtual Routers > default > Static Routes> Add
- Name: VPN-Tunnel
- Destination: 172.16.32.0/24
- Interface: tunnel.1
- Next Hop: None
- Click OK twice
5. Creating Policies
We will need to create two policies; one for incoming VPN tunnel traffic and the other for outgoing tunnel traffic.
To create a Policy for incoming traffic:
- Go to the Policies tab > Add
- Under General
- Name: Allow-SiteA-to-SiteB
- Under Source
- Zone: Inside
- Source Address: 10.1.1.0/24
- Under Destination
- Zone: Outside
To create a Policy for outgoing traffic:
- Go to the Policies tab > Add
- Under General
- Name: Allow-SiteB-to-SiteA
- Under Source
- Zone: Outside
- Source Address: 172.16.32.0/24
- Under Destination
- Zone: Inside
Commit the changes
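The same PA-1 build, entered from the CLI in configure mode instead of the GUI, as an added example that is not part of the original guide. Two things differ from the steps above on purpose: the crypto profiles use AES-256, SHA-256 and DH group 14 instead of the lab's des/SHA1/group2 (DES and group 2 offer no meaningful protection today, and SHA1 is deprecated for IKE), and the pre-shared key is a placeholder to be replaced with a long random secret rather than a dictionary word. Destination addresses on the two security rules are pinned to the LAN subnets, which the GUI steps leave at any. Lines beginning with # are annotations, not CLI input. The command paths are as recalled for PAN-OS 10.x and should be confirmed with ? completion on the firewall; PA-2 is the mirror image with the Site-A and Site-B names, interface addresses and subnets swapped.

```text
# Added example: PA-1 (Site-A) from the CLI. '#' lines are annotations, not input.
configure

# Management profile, interfaces, zones; tunnel.1 joins the Outside zone
set network profiles interface-management-profile Ping ping yes
set network interface ethernet ethernet1/1 layer3 ip 10.1.1.5/24
set network interface ethernet ethernet1/1 layer3 interface-management-profile Ping
set network interface ethernet ethernet1/2 layer3 ip 100.1.1.5/24
set network interface ethernet ethernet1/2 layer3 interface-management-profile Ping
set network interface tunnel units tunnel.1 ip 192.168.0.1/30
set zone Inside network layer3 ethernet1/1
set zone Outside network layer3 [ ethernet1/2 tunnel.1 ]
set network virtual-router default interface [ ethernet1/1 ethernet1/2 tunnel.1 ]

# IKE crypto profile. The guide's lab values are kept as commented-out lines for
# comparison; the active lines are the hardened equivalents.
# set network ike crypto-profiles ike-crypto-profiles SiteA-to-SiteB-IKE-Crypto encryption des
# set network ike crypto-profiles ike-crypto-profiles SiteA-to-SiteB-IKE-Crypto hash sha1
# set network ike crypto-profiles ike-crypto-profiles SiteA-to-SiteB-IKE-Crypto dh-group group2
set network ike crypto-profiles ike-crypto-profiles SiteA-to-SiteB-IKE-Crypto encryption aes-256-cbc
set network ike crypto-profiles ike-crypto-profiles SiteA-to-SiteB-IKE-Crypto hash sha256
set network ike crypto-profiles ike-crypto-profiles SiteA-to-SiteB-IKE-Crypto dh-group group14

# IPsec (ESP) crypto profile, again with the lab values replaced
set network ike crypto-profiles ipsec-crypto-profiles SiteA-to-SiteB-IPsec-Crypto esp encryption aes-256-cbc
set network ike crypto-profiles ipsec-crypto-profiles SiteA-to-SiteB-IPsec-Crypto esp authentication sha256
set network ike crypto-profiles ipsec-crypto-profiles SiteA-to-SiteB-IPsec-Crypto dh-group group14

# IKE gateway: IKEv2 only; the PSK value is a placeholder (assumption), not the guide's
set network ike gateway SiteA-to-SiteB-IKE-Gateway protocol version ikev2
set network ike gateway SiteA-to-SiteB-IKE-Gateway local-address interface ethernet1/2 ip 100.1.1.5/24
set network ike gateway SiteA-to-SiteB-IKE-Gateway peer-address ip 200.1.1.10
set network ike gateway SiteA-to-SiteB-IKE-Gateway authentication pre-shared-key key REPLACE-WITH-LONG-RANDOM-PSK
set network ike gateway SiteA-to-SiteB-IKE-Gateway protocol ikev2 ike-crypto-profile SiteA-to-SiteB-IKE-Crypto

# IPsec tunnel bound to tunnel.1
set network tunnel ipsec SiteA-to-SiteB-IPsec-Tunnel auto-key ike-gateway SiteA-to-SiteB-IKE-Gateway
set network tunnel ipsec SiteA-to-SiteB-IPsec-Tunnel auto-key ipsec-crypto-profile SiteA-to-SiteB-IPsec-Crypto
set network tunnel ipsec SiteA-to-SiteB-IPsec-Tunnel tunnel-interface tunnel.1

# Static route to Site-B's LAN out of the tunnel interface, no next hop
set network virtual-router default routing-table ip static-route VPN-Tunnel destination 172.16.32.0/24
set network virtual-router default routing-table ip static-route VPN-Tunnel interface tunnel.1

# Security policy in both directions, scoped to the two LAN subnets
set rulebase security rules Allow-SiteA-to-SiteB from Inside to Outside source 10.1.1.0/24 destination 172.16.32.0/24 application any service application-default action allow
set rulebase security rules Allow-SiteB-to-SiteA from Outside to Inside source 172.16.32.0/24 destination 10.1.1.0/24 application any service application-default action allow

commit
```

Because both peers must offer matching proposals, PA-2's profiles need the same encryption, hash and DH group values; a mismatch is the most common reason an IKE negotiation fails after an otherwise correct build.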
We have made all the configuration changes needed to create a VPN tunnel. We will do the same on the PA-2 at Site B. Most of the configuration will be similar to the PA-1.
Apart from the configuration below, the rest of the settings will be the same as PA-1. For example:
- Zones: Inside and Outside
- Creating a Management Profile
- IKE Crypto, except:
- Name: SiteB-to-SiteA-IKE-Crypto
- IPsec Crypto Profile, except:
- Name: SiteB-to-SiteA-IPsec-Crypto
- Tunnel Interface
Configuring PA-2
Configuring Interfaces
To configure Interface eth1/1:
- Click on the Interface you want to edit
- Interface Type: Layer3
- Under Config tab:
- Virtual Router: default (we will add the tunnel route to this virtual router later)
- Security Zone: Inside
- Under IPv4 tab:
- Click Add and then click New Address
- Select Static
- Click Add and type 172.16.32.10/24
- Click Ok
To configure Interface eth1/2:
- Click on the Interface you want to edit
- Interface Type: Layer3
- Under Config tab:
- Virtual Router: default (we will add the tunnel route to this virtual router later)
- Security Zone: Outside
- Under IPv4 tab:
- Click Add and then click New Address
- Select Static
- Click Add and type 200.1.1.10/24
- Click Ok
Configuring IPsec Tunnel
Configure IKE Crypto Profile
To configure the IKE crypto profile:
- Click on IKE Crypto
- Click Add
- Name: SiteB-to-SiteA-IKE-Crypto
- DH-GROUP: group2
- AUTHENTICATION: SHA1
- ENCRYPTION: des
- Click OK
Configure IPsec Crypto Profile
To configure the IPsec crypto profile:
- Click on IPsec Crypto
- Click Add
- Name: SiteB-to-SiteA-IPsec-Crypto
- ENCRYPTION: des
- AUTHENTICATION: SHA1
- DH-GROUP: group2
- Click OK
Configure IKE Gateway
To configure the IKE Gateway:
- Select IKE Gateway from the options on the left
- Click Add
- Name: SiteB-to-SiteA-IKE-Gateway
- Version: IKEv2 only mode
- Address Type: IPv4
- Interface: ethernet1/2
- Local IP: 200.1.1.10/24
- Peer IP Address Type: IP
- Peer Address: 100.1.1.5
- Pre-shared Key: Secret123!
- Click OK
- Under Advanced Options
- Choose the IKE crypto profile created (SiteB-to-SiteA-IKE-Crypto)
Configure a Tunnel Interface
To create a Tunnel Interface:
- Go to Interfaces > Tunnel > Add
- Type ID: 1
- Under Config tab
- Virtual Router: Default
- Security Zone: Outside
- Under IPv4 tab
- Add IP 192.168.0.2/30
Configuring IPsec Tunnel
To configure the IPsec tunnel:
- Click on IPsec Tunnel > Add
- Under General
- Name: SiteB-to-SiteA-IPsec-Tunnel
- Tunnel Interface: tunnel.1
- IKE Gateway: SiteB-to-SiteA-IKE-Gateway
- IPsec Crypto Profile: SiteB-to-SiteA-IPsec-Crypto
- Perform Commit
Add a Virtual Route
To add a virtual route:
- Click on Virtual Routers > default > Static Routes> Add
- Name: VPN-Tunnel
- Destination: 10.1.1.0/24
- Interface: tunnel.1
- Next Hop: None
- Click OK twice
Creating Policies
We will need to create two policies; one for incoming VPN tunnel traffic and the other for outgoing tunnel traffic.
To create a Policy for incoming traffic:
- Go to the Policies tab > Add
- Under General
- Name: Allow-SiteB-to-SiteA
- Under Source
- Zone: Inside
- Source Address: 172.16.32.0/24
- Under Destination
- Zone: Outside
To create a Policy for outgoing traffic:
- Go to the Policies tab > Add
- Under General
- Name: Allow-SiteA-to-SiteB
- Under Source
- Zone: Outside
- Source Address: 10.1.1.0/24
- Under Destination
- Zone: Inside
Commit the changes
We should see the tunnel showing UP after the commit finishes.
Troubleshooting IPsec Tunnel
If your configuration looks right but the tunnel still won't come up, here are a couple of things to try:
- Trigger the IKE and IPsec SA negotiations from the CLI
- Then check whether the tunnel has been established, using the following commands
admin@PA-VM> test vpn ike-sa
admin@PA-VM> test vpn ipsec-sa
admin@PA-VM> show vpn ike-sa
admin@PA-VM> show vpn ipsec-sa
Also, make sure there are policies on both firewalls that allow Inside-to-Outside and Outside-to-Inside traffic.
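A fuller check sequence on PA-1, as an added example that is not part of the original guide. It walks the tunnel up in the order it is built (reachability, IKE, IPsec, route, policy) so that the first failing step points at the layer to fix. The gateway and tunnel names are the ones configured above; the host 10.1.1.2 and the web server 172.16.32.2:8000 are the lab addresses from the testing section. Lines beginning with # are annotations, not CLI input, and the command forms are as recalled for PAN-OS 10.x (confirm with ? completion).

```text
# Added example: operational-mode checks on PA-1. '#' lines are annotations, not input.

# 1. Can the Outside interface reach the peer at all? If not, the problem is upstream of IPsec.
ping source 100.1.1.5 host 200.1.1.10

# 2. Force IKE (phase 1) and read the result; a missing SA here means proposal, PSK or peer-address mismatch.
test vpn ike-sa gateway SiteA-to-SiteB-IKE-Gateway
show vpn ike-sa gateway SiteA-to-SiteB-IKE-Gateway

# 3. Force IPsec (phase 2); IKE up but no IPsec SA usually means the IPsec crypto profiles differ.
test vpn ipsec-sa tunnel SiteA-to-SiteB-IPsec-Tunnel
show vpn ipsec-sa tunnel SiteA-to-SiteB-IPsec-Tunnel

# 4. Tunnel state and encap/decap counters; one counter rising and the other flat shows which direction fails.
show vpn flow name SiteA-to-SiteB-IPsec-Tunnel

# 5. The negotiation log, where mismatched proposals and failed PSK authentication are reported.
tail lines 50 mp-log ikemgr.log

# 6. Routing and policy for a real flow: does 172.16.32.2 resolve to tunnel.1, and is TCP/8000 from 10.1.1.2 allowed?
test routing fib-lookup virtual-router default ip 172.16.32.2
test security-policy-match from Inside to Outside source 10.1.1.2 destination 172.16.32.2 protocol 6 destination-port 8000
```

Running the same sequence on PA-2 with the SiteB names and the reversed addresses confirms the other side; an SA that exists on one firewall only is a sign the two crypto profiles do not match.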
Testing the Connectivity
PING
To test the connectivity, simply start by pinging the IPs:
From PC at Site-A with IP 10.1.1.2
- Ping 10.1.1.5 (eth1/1 for PA on Site-A)
- Ping 100.1.1.5 (eth1/2, PA-1's Outside interface and the local IKE endpoint at Site-A)
- Ping 200.1.1.10 (eth1/2, PA-2's Outside interface and the remote IKE endpoint at Site-B)
- Ping 172.16.32.10 (eth1/1 for PA on Site-B)
- Ping 172.16.32.2 (PC at Site-B)
Web Server
We will configure a simple web server using Python 3 on the Linux web server at Site-B and access it from Site-A's PC. We will create a simple index.html file and host it on port 8000.
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Site B</title>
</head>
<body>
<h1>Welcome to Site B</h1>
</body>
</html>
We can access the web server at Site-B (172.16.32.2:8000) from the PC (10.1.1.2) at Site-A!
Next Thing to Try
The main purpose of creating an IPsec (Internet Protocol Security) tunnel is to provide secure communication over an untrusted network, such as the Internet. The data passing through the tunnel is encrypted and cannot be tampered with, which provides confidentiality and integrity.
To test this, we can extend our web server with a login form, capture the traffic between the sites with Wireshark, and look for cleartext data. No sensitive data, such as login credentials, should be visible in cleartext.
Conclusion
In conclusion, we have successfully established an IPsec VPN tunnel between two Palo Alto firewalls, ensuring secure communication between Site-A and Site-B. By configuring the necessary interfaces, IKE gateways, IPsec tunnels, static routes, and security policies, we have created a robust connection that carries traffic between the two networks. This setup not only enhances security but also provides a reliable means of connecting geographically separated sites. I hope this writeup helped you gain a clear understanding of the steps involved in setting up an IPsec VPN tunnel, so that you can implement similar solutions in your own network environment.
Thanks for reading.