In this post, I want to go over a typical IPsec tunnel between two Palo Alto firewalls, using static routing and a single ISP.
Referring to our lab topology below, we have our 2 ISPs, configured for redundancy for outbound traffic should one ISP fail. I want to connect the sites with an IPsec tunnel via only ISP1 at each site.
Perform the following on each firewall. Screenshots are from the Site 1 firewall unless otherwise noted.
Step 1
Create Layer 3 zones for your Outside/Untrust traffic and add the appropriate interfaces if you haven’t already.
Network > Zones – here I used “outside” to define my internet-facing zone(s).
Step 2
Network > Zones – also create a Layer 3 zone for the tunnel interfaces/traffic: tunnel-site2 (tunnel-site1 on Site 2’s firewall) (see above).
Step 3
Define your IKE Crypto and IPSec Crypto profiles. These values need to match exactly on both firewalls. I’m just using the defaults here, but in production you want to use the strongest supported authentication and encryption algorithms (see Palo Alto’s recommendations): no DES, MD5 or SHA1, for certain! In general, choose the highest DH group number.
Network > Network Profiles > IPSec Crypto / IKE Crypto
Step 4
Create a tunnel interface (tunnel.xx) and associate it with the security zone you created earlier. Also place the interface in the default virtual router (in this example).
No IP address is needed for this method, so you can leave that blank.
Network > Interfaces > Tunnel
Step 5
Create your IKE Gateway and define your local/peer interfaces and IP addresses here. You will also want to define a pre-shared string value/key to use at both ends.
The peers in this topology are ethernet1/3 interfaces:
Site 1: 1.1.1.10/29
Site 2: 2.2.2.10/29
IKE-Gateway name: ike-gtwy-1
You would also want to use IKEv2 in production if supported.
Network > Network Profiles > IKE Gateways
Note: this is where you would specify the IKE Crypto profile you created earlier. Again, I’m using the default here, so there’s nothing specific to choose.
Step 6
Create your IPSec Tunnel – this is where the final “tie-in” happens.
Choose the IKE Gateway you created earlier and the tunnel interface (tunnel.1 here). Again, the IPSec Crypto profile is using the default.
Network > IPSec Tunnels
Step 7
Create security policy rules to allow the tunnel traffic and IKE setup.
You’ll need to create a rule for the IKE application, as it needs to be allowed inbound to the internet-facing zone (Outside). You could, and should, scope this rule further to only allow known peers; here I just allowed any source.
You’ll also need an “in-out” rule for your interzone traffic between the LAN-facing zone (Inside) and the tunnel zone (tunnel-sitexx), as shown below.
Policies > Security
Step 8
Create routes to each site – in this network, site 1 is 10.1.x.x – site 2 is 10.2.x.x
On each site firewall, simply create a static route in the default virtual router to the other site’s network, pointing to the tunnel interface we created (tunnel.1).
Network > Virtual Routers
This should do it. Now send some traffic across sites: you should see the IKE setup (Phase 1) traffic to port 500 below in Monitor > Traffic.
And your tunnel should turn green, and your pings or other traffic should be successful!
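A check for the Step 3 requirement that the crypto profile values match on both firewalls and avoid DES, MD5 and SHA1, as an added example that is not part of the original post. The profile dictionaries are constructed sample values, and the profile and field names are assumptions, not a PAN-OS export format.

```python
# Added example: compares the IKE/IPsec crypto settings of two peers.
# Profile names, field names and values are constructed for illustration.
WEAK = {"des", "md5", "sha1"}  # algorithms the post says to avoid
FIELDS = ("encryption", "authentication", "dh_group")


def audit(site1: dict, site2: dict) -> list:
    """Return findings: peer mismatches and weak algorithms per profile."""
    findings = []
    for profile in sorted(set(site1) | set(site2)):
        a, b = site1.get(profile), site2.get(profile)
        if a is None or b is None:
            findings.append(
                f"{profile}: missing on {'site1' if a is None else 'site2'}")
            continue
        for field in FIELDS:
            va, vb = set(a.get(field, [])), set(b.get(field, []))
            if va != vb:  # the post: values must match exactly on both ends
                findings.append(
                    f"{profile}.{field}: mismatch "
                    f"site1={sorted(va)} site2={sorted(vb)}")
            for algo in sorted((va | vb) & WEAK):
                findings.append(f"{profile}.{field}: weak algorithm {algo}")
    return findings


# Constructed sample: DH group differs in the IKE profile, and both
# IPsec profiles still use SHA1.
SITE1 = {
    "ike-crypto": {"encryption": ["aes-256-cbc"],
                   "authentication": ["sha256"], "dh_group": ["group20"]},
    "ipsec-crypto": {"encryption": ["aes-256-cbc"],
                     "authentication": ["sha1"], "dh_group": ["group20"]},
}
SITE2 = {
    "ike-crypto": {"encryption": ["aes-256-cbc"],
                   "authentication": ["sha256"], "dh_group": ["group14"]},
    "ipsec-crypto": {"encryption": ["aes-256-cbc"],
                     "authentication": ["sha1"], "dh_group": ["group20"]},
}

if __name__ == "__main__":
    for line in audit(SITE1, SITE2):
        print(line)
```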
I hope this was a useful guide to a basic tunnel config on Palo Alto! In the next post I’ll cover redundant tunnels and failover. Thanks for reading!