How to Configure IPSec VPN on Palo Alto Firewall

IPSec configuration in Palo alto Networks firewall is easy and simple. In this lesson we will learn, how to configure IPSec VPN on Palo Alto Firewall. So, let’s get started.

IPSec configuration will be done in several steps. These are-

  • Tunnel Zone
  • Tunnel Interface
  • IKE Crypto (phase 1)
  • IPSec Crypto (phase 2)
  • IKE Gateway
  • IPSec Tunnel
  • Routes
  • Security Policy

Diagram:

IPSec VPN on Palo Alto Networks

IPSec Configuration:

Before going into details, here is all the necessary parameters for IPSec tunnel. In our case, we will be using two (2) Palo Alto firewall.

Advertisements

VPN Details:

DescriptionPA-01PA-02
VPN Gateway IP (WAN)10.1.1.10010.1.1.200
LAN IP172.16.0.0/24192.168.0.0/24
Tunnel Interface IP (St0.0)10.10.10.1/3010.10.10.2/30

VPN Negotiation Parameters:

Phase 1
Authentication MethodPre-Shared Key
Authentication-algorithmsha-256
Diffie-Hellman GroupGroup 5
Encryption AlgorithmAES192
Lifetime (for renegotiation SEC)86400
Pre Shared Keyletsconfig
Phase 2
Encapsulation (ESP or AH)ESP
Encryption AlgorithmAES256
Authentication Algorithmsha1
Lifetime (for renegotiation)28800

Tunnel Zone

Go to Network >> Zones and click Add. Now add the zone name as VPN and Type of the zone Layer3. And, then click OK.

Palo Alto Networks IPSec VPN Zone

Tunnel Interface

Go to Network >> Interface >> Tunnel and click Add to add a new tunnel. A pop-up will open, add Interface Name, Virtual Router, Security Zone, IPv4 address. In my case, below are the information-

Interface Name: tunnel.5
Virtual Router: Our-VR
Security Zone: VPN
IPv4: 10.10.10.1/30

Palo Alto Networks IPSec Tunnel Interface

Palo Alto Networks IPSec Tunnel Interface IP Address

IKE Crypto (phase 1)

Go to Network >> Network Profile >> IKE Crypto and click Add. Now add below details-

Name: OUR-IKE-CRYPTO
DH Group: group5
Authentication: sha256
Encryption: aes-192-cbc
Timers (Key Lifetime): 50,000 seconds

Advertisements

Palo Alto Networks IPSec configuration IKE Crypto Profile

IPSec Crypto (phase 2)

Go to Network >> Network Profile >> IPSec Crypto and click Add. Now add below details-

Name: OUR-IPSEC-CRYPTO
Encryption: aes-256-cbc
Authentication: sha1
DH Group: group2
Lifetime: 10,000 seconds

Palo Alto Networks IPSec configuration IPSec Crypto Profile

IKE Gateway

Go to Network >> Network Profile >> IKE Gateway and click Add. Now, enter below information-

Name: OUR-IKE-GATEWAY
Version: IKEv1
Interface: ethernet1/1 (IPSec interface)
Local IP Address: 10.1.1.100/24
Peer IP Address Type: IP
Peer Address: 10.1.1.200
Authentication: Pre-Shared Key
Pre-shared Key: LetsConfig

Now go to Advanced Options of the same pop-up window and add IKE Crypto Profile as OUR-IKE-CRYPTO (previously created).

Palo Alto Networks IPSec configuration IKE Gateway 1

Palo Alto Networks IPSec configuration IKE Gateway 2

IPSec Tunnel

Go to Network >> IPSec Tunnels and click Add. Now, enter below information-

Name: OUR-IPSEC
Tunnel Interface: tunnel.5
IKE Gateway: OUR-IKE-GATEWAY
IPSec Crypto Profile: OUR-IPSEC-CRYPTO

Palo Alto Networks IPSec configuration IPSec Tunnel

Routes

We need to add routes to reach SITEA to SITEB and vise-versa. Below are the route from SITEA to SITEB, where gateway is IPSec peer IP, which is 10.10.10.2

IPSec Route

Security Policy

You need to add two policies. Our from IPSec and other for Site to Site’s communication. Below are the info.

IPSec
Source Zone: Outside
Destination Zone: Outside
Application: ike, ipsec-esp

Site to Site communication
Source Zone: LAN & VPN
Source IP: 172.16.0.0/24 & 192.168.0.0/24
Destination Zone: LAN & VPN
Destination IP: 172.16.0.0/24 & 192.168.0.0/24
Application: any (as per requirement)

Palo Alto Security Policy Configuration for IPSec

Similarly, you need to configure siteB with all the details.

Verification:

Let’s try to ping from siteA to siteB.

PC-1> ping 192.168.0.10

84 bytes from 192.168.0.10 icmp_seq=1 ttl=62 time=8.956 ms
84 bytes from 192.168.0.10 icmp_seq=2 ttl=62 time=10.322 ms
84 bytes from 192.168.0.10 icmp_seq=3 ttl=62 time=9.418 ms
84 bytes from 192.168.0.10 icmp_seq=4 ttl=62 time=11.895 ms
84 bytes from 192.168.0.10 icmp_seq=5 ttl=62 time=11.569 ms

We can successfully reach SiteB from SiteA. Let’s verify IPSec information from palo alto using below command-

admin@PA-VM> show vpn ipsec-sa tunnel OUR-IPSEC

IPSec Verification

You can clearly see our IPSec tunnel is up and running. So, this is how to configure IPSec VPN on Palo Alto Networks Firewall. Let me know if you have any questions.

Reference guide for troubleshoot.

Leave a Comment

Your email address will not be published. Required fields are marked *

4 thoughts on “How to Configure IPSec VPN on Palo Alto Firewall”

Scroll to Top