CCIE-Journals
From Student to Engineer, a journey of discovery.

Palo Alto IPSEC Tunnel Step by step Configuration

  How to create a VPN tunnel on Palo Alto firewall

Introduction:

A site-to-site Virtual Private Network (VPN) provides an authenticated, encrypted connection between two or more remote networks over an untrusted public network such as the Internet. Palo Alto Networks firewalls build route-based VPNs: the tunnel is a logical interface, and what crosses it is decided by routing and security policy rather than by a crypto ACL. In this blog, we will look at the steps to create an IPSec VPN tunnel on a Palo Alto firewall.

Step 1: Create a Tunnel Interface

The first step in creating a VPN tunnel on a Palo Alto firewall is to create a tunnel interface. This logical interface is the endpoint of the VPN tunnel: packets routed to it are encrypted and sent to the peer, and decrypted packets from the peer arrive on it, which is what allows the two remote networks to communicate.

To create a tunnel interface, follow these steps:

  • Go to Network > Interfaces > Tunnel
  • Click Add to create a new tunnel interface
  • Assign the following parameters:
    • Name: Choose a name for the tunnel interface. For example, tunnel.1
    • Virtual Router: Select the virtual router in which the tunnel interface should reside (the one that will hold the route to the remote network)
    • Security Zone: Assign the tunnel interface to a security zone. A dedicated zone (for example, vpn) gives you granular control of the traffic entering and leaving the tunnel
    • IP address (optional): If you intend to run a dynamic routing protocol or tunnel monitoring over the tunnel interface, you need to configure an IP address on it (a /30 or /31 shared with the peer is typical)

Note: If the tunnel interface is in a zone different from the zone where the traffic originates or terminates, a security policy is required to allow the traffic to flow between the source zone and the zone containing the tunnel interface. Placing the tunnel interface in the same zone as the LAN avoids that rule, but then the intrazone-default allow permits everything through the tunnel with no logging, so a separate zone is the safer choice.

Step 2: Configure IKE Crypto Profile

The next step is to configure the IKE Crypto profile, which defines the algorithms and key lifetime used for the IKE Phase-1 (IKE SA) negotiation. Both peers must offer at least one complete matching proposal (DH group, authentication hash and encryption algorithm), otherwise the IKE negotiation fails.

To configure the IKE Crypto profile, follow these steps:

  • Go to Network > Network Profiles > IKE Crypto
  • Click Add to create a new IKE Crypto profile
  • Assign the following parameters:
    • Name: Choose a name for the IKE Crypto profile.
    • DH Group: The Diffie-Hellman group used for the key exchange. Use group14 or stronger (group19/group20 are the elliptic-curve options); group1, group2 and group5 are too weak for new deployments.
    • Authentication: The integrity/PRF hash, for example sha256 or sha384. Avoid md5 and sha1.
    • Encryption: For example aes-256-cbc (AES-GCM suites are available for IKEv2 on newer PAN-OS releases). Avoid des and 3des.
    • Key Lifetime: How long the IKE SA is valid before it is renegotiated; 8 hours is a common value.
    • IKEv2 Authentication Multiple (IKEv2 only): Optionally forces the peers to re-authenticate after that many rekeys; 0 disables it.

Step 3: Configure IKE Gateway

Go to Network > Network Profiles > IKE Gateway and click "Add" to configure the IKE Phase-1 gateway, that is, the peer this firewall negotiates with.

  1. Select the IKE version you wish to use: IKEv1 only mode, IKEv2 only mode, or IKEv2 preferred mode. Prefer IKEv2 whenever the peer supports it.
  2. Select the external interface connected to the internet and, if that interface has more than one address, the local IP address to use.
  3. Set the Peer IP Address Type and Peer Address: the peer's public IP address, an FQDN, or Dynamic if the peer's address is not fixed.
  4. Choose the authentication method: Pre-Shared Key or Certificate. A pre-shared key must be long and random, because it is the only thing that stops an impersonating peer from bringing up a tunnel with you.
  5. Define the format and identification of the local and peer gateway using FQDN (hostname), IP address, KEYID (binary format ID string in HEX), or User FQDN (email address). If no value is specified, the firewall will use the local/peer IP address as the identification value. When the peer sits behind NAT, its default identity is its private address, so an explicit Peer Identification is usually required.
  6. In the Advanced Options tab, select the IKE Crypto profile created in Step 2 on the IKEv1 or IKEv2 sub-tab, enable Dead Peer Detection (IKEv1) or Liveness Check (IKEv2), and enable NAT Traversal if either endpoint is behind NAT. You can also enable Passive Mode (the firewall responds but never initiates) and, for IKEv1, select the Exchange Mode. Use main mode: aggressive mode sends the identity in the clear and, with a pre-shared key, exposes a hash that can be brute-forced offline.

Step 4: Configure IPSec Crypto Profile

Go to Network > Network Profiles > IPSec Crypto and click "Add" to create a new profile. The IPSec Crypto profile defines the IPSec protocol (ESP, or AH, which authenticates but does not encrypt), the encryption and authentication algorithms, the key lifetime and, optionally, a DH group for Perfect Forward Secrecy, all used in the IPSec SA negotiation (IKEv1 Phase-2, or the IKEv2 child SA). These parameters must match on the remote firewall for the Phase-2 negotiation to succeed. As for Phase-1, choose ESP with aes-256-cbc and sha256 (or an AES-GCM suite) and group14 or stronger for PFS; use no-pfs only if the peer cannot do PFS, since without it a compromised IKE key exposes every IPSec SA derived from it.

Step 5: IPSec Tunnel Configuration

Under the Network tab, go to IPSec Tunnels and click Add to create a new IPSec tunnel. In the General tab, configure the parameters that bind the earlier pieces together: the Tunnel Interface from Step 1, the IKE Gateway from Step 3 and the IPSec Crypto Profile from Step 4.

Assign a name to the IPSec tunnel. It does not have to match the remote firewall, but using the same name on both sides makes troubleshooting easier.

Note: Palo Alto firewalls are route-based, so by default they negotiate a single any-to-any (0.0.0.0/0 to 0.0.0.0/0) IPSec SA and let routing decide what enters the tunnel. If the other side is a policy-based VPN peer (crypto ACLs, or a peer that insists on specific traffic selectors), you must define Proxy IDs on the Proxy IDs tab: one local/remote network pair per SA, mirrored exactly on the peer. If NAT is applied to traffic before it enters the tunnel, configure the Proxy ID with the post-NAT addresses, because the Proxy ID describes the traffic as it appears inside the tunnel and is what both sides use to decide which packets are allowed through it.

Step 6: Static Route Configuration

Under the Network tab, go to Virtual Routers and open your virtual router. On the Static Routes tab, add a route for the network behind the other VPN endpoint with the tunnel interface (for example, tunnel.1) as the egress interface; a next-hop address is optional for a tunnel interface. The remote firewall needs the mirror-image route for your network. A missing or wrong route is the most common reason a tunnel shows as up while no traffic flows. Alternatively, run a dynamic routing protocol such as OSPF or BGP over the tunnel interface, which then needs the IP address mentioned in Step 1.

Step 7: Security Policy Configuration

Finally, configure the security rules. Two kinds of traffic are involved. First, the IKE negotiation (UDP/500, and UDP/4500 with NAT Traversal) and the IPSec/ESP packets themselves, which terminate on the firewall's external interface. Because both the source and the destination of these packets are in the untrust zone, they match the intrazone-default allow rule; if you need more granular control, add an explicit untrust-to-untrust rule between the two peer addresses for the applications ike, ipsec-esp and ipsec-esp-udp, and deny the rest.

Second, the cleartext traffic that travels through the tunnel, which is evaluated between the LAN zone and the tunnel interface's zone. Allow only the required sources, destinations and applications in each direction; separate rules per direction keep the policy readable and the logs meaningful. Make sure the rules are correctly configured, otherwise the tunnel will come up but the traffic will be dropped by policy.

Step 8: Commit the Configuration

Once you have completed all the above steps, commit the configuration: click Commit, review the changes and click Commit again to push them to the running configuration. If the commit succeeds and the peer is configured with matching parameters, the tunnel comes up as soon as traffic is routed into it (or immediately, if you initiate it with test vpn ike-sa and test vpn ipsec-sa from the CLI). Check the status under Network > IPSec Tunnels: green means an established SA. If it stays red, the system log (Monitor > Logs > System, filtered on VPN events) shows which proposal, key or identifier did not match, and only then can you start using the tunnel to securely transfer data between the two sites.
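The whole procedure above, expressed as PAN-OS configure-mode set commands on the head-end firewall. This is an added example written for this post, not the author's configuration or output from a real device. The zone names (trust, untrust, vpn), interface ethernet1/1, virtual router default, the profile, gateway, tunnel and rule names, the RFC 5737 documentation addresses, the LAN prefixes and the tunnel /30 are all assumptions to replace with your own values, and the lines starting with # are annotations for the reader, not CLI input. The peer firewall needs the same two crypto profiles, with the local/peer addresses and identifiers, the proxy-ID networks, the static route and the rule sources and destinations swapped.

```text
# --- Step 1: tunnel interface, dedicated zone, virtual router (assumed names) ---
set network interface tunnel units tunnel.1 comment "Site-to-site to branch"
set network interface tunnel units tunnel.1 ip 10.255.0.1/30
set zone vpn network layer3 tunnel.1
set network virtual-router default interface tunnel.1

# --- Step 2: IKE (Phase-1) crypto profile: AES-256, SHA-256, DH group 14, 8 h lifetime ---
set network ike crypto-profiles ike-crypto-profiles IKE-AES256-SHA256-G14 encryption aes-256-cbc
set network ike crypto-profiles ike-crypto-profiles IKE-AES256-SHA256-G14 hash sha256
set network ike crypto-profiles ike-crypto-profiles IKE-AES256-SHA256-G14 dh-group group14
set network ike crypto-profiles ike-crypto-profiles IKE-AES256-SHA256-G14 lifetime hours 8

# --- Step 4: IPSec (Phase-2) crypto profile: ESP, AES-256/SHA-256, PFS group 14, 1 h lifetime ---
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-AES256-SHA256-G14 esp encryption aes-256-cbc
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-AES256-SHA256-G14 esp authentication sha256
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-AES256-SHA256-G14 dh-group group14
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-AES256-SHA256-G14 lifetime hours 1

# --- Step 3: IKE gateway: IKEv2 only, pre-shared key, explicit IDs, liveness check, NAT-T ---
# (203.0.113.1 is assumed to be configured on ethernet1/1; 198.51.100.1 is the assumed peer)
set network ike gateway GW-BRANCH protocol version ikev2
set network ike gateway GW-BRANCH protocol ikev2 ike-crypto-profile IKE-AES256-SHA256-G14
set network ike gateway GW-BRANCH protocol ikev2 dpd enable yes
set network ike gateway GW-BRANCH local-address interface ethernet1/1
set network ike gateway GW-BRANCH local-address ip 203.0.113.1/24
set network ike gateway GW-BRANCH peer-address ip 198.51.100.1
set network ike gateway GW-BRANCH local-id type ipaddr id 203.0.113.1
set network ike gateway GW-BRANCH peer-id type ipaddr id 198.51.100.1
set network ike gateway GW-BRANCH authentication pre-shared-key key "<long-random-psk>"
set network ike gateway GW-BRANCH protocol-common nat-traversal enable yes

# --- Step 5: IPSec tunnel binding interface, gateway and profile ---
# The proxy-id line is needed only when the peer is policy-based; omit it for a
# route-based peer and the firewall negotiates a single 0.0.0.0/0 <-> 0.0.0.0/0 SA.
set network tunnel ipsec VPN-BRANCH tunnel-interface tunnel.1
set network tunnel ipsec VPN-BRANCH auto-key ike-gateway GW-BRANCH
set network tunnel ipsec VPN-BRANCH auto-key ipsec-crypto-profile IPSEC-AES256-SHA256-G14
set network tunnel ipsec VPN-BRANCH auto-key proxy-id PID-LAN local 192.168.10.0/24 remote 192.168.20.0/24 protocol any

# --- Step 6: static route for the branch LAN via the tunnel interface ---
set network virtual-router default routing-table ip static-route RT-BRANCH-LAN destination 192.168.20.0/24 interface tunnel.1

# --- Step 7: explicit rules. IKE/ESP terminate on the firewall itself (untrust -> untrust);
# tunnel payload is trust <-> vpn, restricted to the applications actually needed (ssl/ssh assumed).
set rulebase security rules ALLOW-IKE-IPSEC from untrust to untrust source 198.51.100.1 destination 203.0.113.1 application [ ike ipsec-esp ipsec-esp-udp ] service application-default action allow
set rulebase security rules TRUST-TO-BRANCH from trust to vpn source 192.168.10.0/24 destination 192.168.20.0/24 application [ ssl ssh ] service application-default action allow
set rulebase security rules BRANCH-TO-TRUST from vpn to trust source 192.168.20.0/24 destination 192.168.10.0/24 application [ ssl ssh ] service application-default action allow

# --- Step 8: commit, then verify from operational mode ---
commit
exit
test vpn ike-sa gateway GW-BRANCH
test vpn ipsec-sa tunnel VPN-BRANCH
show vpn ike-sa gateway GW-BRANCH
show vpn ipsec-sa tunnel VPN-BRANCH
show vpn flow name VPN-BRANCH
```

The two test commands force the Phase-1 and Phase-2 negotiations without waiting for interesting traffic, and the show commands confirm that an IKE SA and an IPSec SA exist and that the flow counters increase when traffic is routed into tunnel.1. If the IKE SA comes up but the IPSec SA does not, the mismatch is in the IPSec crypto profile or the proxy-ID/traffic selectors; if neither comes up, check the peer address, identifiers, pre-shared key and IKE crypto profile.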

In conclusion, creating a VPN tunnel on a Palo Alto firewall is a straightforward process once you know which pieces fit together: a tunnel interface in its own zone, matching IKE and IPSec crypto profiles, an IKE gateway describing the peer, an IPSec tunnel binding them, a route into the tunnel and security rules for the tunnelled traffic. By following the steps outlined in this blog post, you should be able to set up a VPN tunnel on your firewall and start transferring data securely.
