IPSec VPN Setup

Video Activity

The components and configuration of a basic IPSec (Site to Site) VPN tunnel between two Palo Alto Networks firewalls.


54 minutes
Video Transcription
Hi, everyone. My name is Jason, and I'm from the Global Enablement Team here at Palo Alto Networks. Today I'm going to show you how to configure an IPsec-based site-to-site VPN between two of our firewalls.
Now, I want to begin with this diagram here, which outlines the components that we need to configure in order to set up our site-to-site VPN. Now, configuring a VPN between two Palo Alto Networks firewalls is essentially three steps, and we start with our Layer 3 interface.
That brings us to step number one, and step number one means we're going to configure our Phase 1 objects. Now, this includes a crypto profile and the IKE gateway, as well as authentication settings. Now, I'm referring to these objects as belonging to Phase 1 because an IPsec VPN tunnel is established through two phases. I'll show you where these actual objects live in the firewall and how to configure them in a moment.
That brings us to step number two. Next, you'll configure the Phase 2 objects, which is the second part of an IPsec VPN. And this includes another crypto profile and the tunnel itself.
Step number three: you'll need to configure a route that references the tunnel, because Palo Alto Networks uses a route-based approach with the VPN.
So now you have a summary of the components required to build a VPN on our firewalls. Let me show you where in the firewall to do this.
In this scenario, I have two sites: Site 1 and Site 2. Now, I've already configured the Site 1 firewall. I'm on the Site 2 firewall, and I want to complete my configuration. As you can see here, I have a couple of interfaces, ethernet1/1 and ethernet1/2. Ethernet1/1 is going to be my external-facing interface. Now, I know that the IP address here is one of those private IP addresses, but just pretend with me that it's a public IP address. I'm going to attach to this Layer 3 interface my tunnel interface. So we're going to come back to this tunnel tab here in a little bit, and I'm going to configure a tunnel interface. Now, the other thing I've done is I've pre-configured a VPN zone so that I can also attach that to the interface and then use that in my security rules.
Now, to complete my configuration, I need to create the Phase 1 and Phase 2 objects. So down here, let's begin with our Phase 1. And that includes the IKE Crypto down here and IKE Gateway. Under IKE Crypto, this is where I can define my encryption, authentication, and key exchange protocols. And I can use the built-in ones; as you can see here, there are a few already created for me. Or I can use this Add button down here and create my own custom IKE crypto profile that I can then use in my gateway. For the sake of this tutorial, I'm just going to use the defaults. Now let's go to the IKE Gateway.
To create my IKE gateway, I'm going to choose Add. I'm going to give it a name. Now I need to go through and define a handful of important settings for the Internet Key Exchange, or Phase 1, portion of my IPsec VPN tunnel. Now, the decisions I make here and the changes I make here need to be compatible with the other side.
There are a lot of choices or decisions to be made. Like, for instance, which IKE version, or Internet Key Exchange version protocol, am I going to use? What interface am I going to use the IKE gateway on? So in this case, my external interface is ethernet1/1. Let me grab my IP address right there. And then who am I talking to on the other side? That's my peer IP type here, so I can either use dynamic, and I can reference that endpoint by name. I'm just going to use static and type in that IP address manually right there.
And then the authentication settings. So I have two choices: pre-shared key or certificate. If I choose certificate, there are several other decisions I have to make. I need to ensure that I have installed a trusted certificate. I can define validation settings here, how I want that certificate to be verified by the firewall. In my case, I'm going to choose pre-shared key, as this matches the configuration on the other firewall. So I'm just going to put in the appropriate password here.
Now I can click on Advanced Options. When I click on Advanced Options, this is where I connect the IKE gateway and the IKE crypto profile. So if I had a specific profile that I wanted to use, a custom profile or one of these three built-in profiles, I would select that here. Now, depending on what IKE protocol I'm using, well, if I had IKEv2 and IKEv1 listed, I could... well, let me show you. If I go to General and choose IKEv2 preferred mode, it actually changes the Advanced Options tab, where I can define a crypto profile for each respective protocol.
Now, I also have a couple of other options here. Like, for instance, if I want this particular part of my VPN tunnel to be more responsive, I can turn on passive mode, so it's not initiating the session. And then I can also turn on NAT Traversal if there's a NAT device between this VPN firewall and the other side. So I've got a couple of other settings here that might be of interest to you. I'm going to go ahead and click OK to this.
So that's my Phase 1 object configuration. The next thing I need to do is my Phase 2. Now, to configure Phase 2, there are a couple of places I need to go. So I need to actually configure my tunnel under Interfaces. I need to configure an IPsec crypto profile; this might be important. And then finally, I'm going to configure the IPsec tunnel itself.
Let's begin here again under the crypto profile. In this case, I've pre-configured a custom IPsec crypto profile. So I'm going to click on this and just show you how you can actually add additional protocols, whether they be encryption, authentication, or key exchange protocols. I'm going to choose Add here. Let's grab Advanced Encryption Standard 128 here, like so, and click OK.
Now that I've configured my IPsec crypto profile, the next thing I want to do is make sure I configure my tunnels. So we're going to go to Interfaces, and I'm going to configure a tunnel on my Layer 3 interface here. So I'm going to come in here, and we're going to give it a number. So this is an identifier; in this case, I'm just going to call it 2. And then I'm going to assign it the virtual router and the security zone that I pre-configured earlier. If I needed to create a security zone just for the VPN, I could do that; I could choose New right here. I could use an existing zone that I have, but I want to be able to control traffic in my security rules for this particular tunnel, so having its own security zone is recommended. Click OK to that.
All right, now that I have my tunnel interface and I've configured my IPsec crypto profile, let's go to IPsec Tunnels. And this is really where I'm going to pull it all together. I'm going to click Add, give it a name, identify the tunnel interface, select the gateway, and select the IPsec crypto profile.
If I want to include some additional settings, like, for instance, if I want to configure a tunnel monitor, I can do that under Advanced Options. And then, if I'm connecting to a firewall or device that supports proxy IDs, that needs the local and destination networks for the VPN tunnel, I can configure proxy IDs. When connecting to Palo Alto Networks firewalls, these are not necessary because we're going to use a route entry instead. So this is all I need, really, for my basic site-to-site VPN configuration. I'm going to click OK to this.
Now, the final step is step three, and that's to configure my virtual router so that traffic is directed over this VPN tunnel. I'm going to select Virtual Routers. Now, select a virtual router, click on Static Routes, and I'm going to add a route for the Site 1 internal network so that my Site 2 people can connect over the VPN tunnel through this firewall and over that VPN connection. So I'm going to give it a name, type in the destination address (this address is the remote network that I want to reach through the VPN tunnel), the interface, which is going to be my tunnel interface, and then I'm going to choose no next hop, and click OK to this. And OK.
The final thing here is to make sure that the security rules are set up and in place, and I've already defined those for the sake of time. Now I'm going to choose Commit and save my changes. While that finishes committing, let's go back to the IPsec Tunnels page, and what I'm going to do then is initiate a ping in the background and refresh this screen. And once the VPN tunnel's been established, we should see these turn from red to green.

And there you have it. We just configured a site-to-site VPN between two Palo Alto Networks firewalls. We configured the Phase 1 objects, the Phase 2 objects, and configured the route we needed to establish the VPN tunnel. I hope you found this tutorial helpful. See you next time.
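As an added example (not part of the tutorial or of Palo Alto Networks' software), a small Python model of the compatibility requirement the video stresses: the Phase 1 (IKE) and Phase 2 (IPsec) crypto profiles on the two peers must share at least one algorithm in every category, or the tunnel status never turns green. The profile contents are constructed sample data, and WEAK is an assumed review policy rather than a PAN-OS default.

```python
from dataclasses import dataclass

# Algorithms a hardening review should flag (assumed policy list, not a PAN-OS default).
WEAK = {"des", "3des", "md5", "sha1", "group1", "group2", "no-pfs"}


@dataclass(frozen=True)
class CryptoProfile:
    name: str
    encryption: frozenset
    authentication: frozenset
    dh_group: frozenset  # IKE DH group, or the PFS group of an IPsec profile


def negotiate(local, peer):
    """Algorithms both peers offer, per category; empty dict if any category
    has no overlap, which is the case where the tunnel never comes up."""
    common = {
        "encryption": sorted(local.encryption & peer.encryption),
        "authentication": sorted(local.authentication & peer.authentication),
        "dh_group": sorted(local.dh_group & peer.dh_group),
    }
    return common if all(common.values()) else {}


def weak_algorithms(profile):
    """Deprecated algorithms a profile still offers; drop them on both sides."""
    return (profile.encryption | profile.authentication | profile.dh_group) & WEAK


def mismatch_report(local, peer):
    """Reasons a Phase 1 or Phase 2 negotiation would fail, one per category."""
    return [
        f"{cat}: {local.name} offers {sorted(getattr(local, cat))}, "
        f"{peer.name} offers {sorted(getattr(peer, cat))}"
        for cat in ("encryption", "authentication", "dh_group")
        if not getattr(local, cat) & getattr(peer, cat)
    ]


# Constructed sample profiles for the tutorial's Site 1 and Site 2 firewalls.
SITE1_IKE = CryptoProfile("site1-ike", frozenset({"aes-256-cbc", "aes-128-cbc"}),
                          frozenset({"sha256", "sha1"}), frozenset({"group14", "group2"}))
SITE2_IKE = CryptoProfile("site2-ike", frozenset({"aes-128-cbc", "3des"}),
                          frozenset({"sha256"}), frozenset({"group14", "group5"}))
SITE1_IPSEC = CryptoProfile("site1-esp", frozenset({"aes-128-gcm"}), frozenset({"none"}), frozenset({"group14"}))
SITE2_IPSEC = CryptoProfile("site2-esp", frozenset({"aes-256-cbc"}), frozenset({"sha256"}), frozenset({"group14"}))

if __name__ == "__main__":
    print(negotiate(SITE1_IKE, SITE2_IKE), mismatch_report(SITE1_IPSEC, SITE2_IPSEC), weak_algorithms(SITE2_IKE))
```

Phase 1 negotiates here while Phase 2 fails on both encryption and authentication, which is the pattern behind a tunnel whose IKE status is up but whose IPsec status stays red.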