
How to Configure IPSec VPN on Palo Alto Firewall

  • Jan 20



The following objects need to be configured, in this order, to bring up a site-to-site (S2S) IPSec VPN on a Palo Alto firewall:

-->> Tunnel Zone

-->> Tunnel Interface

-->> IKE Crypto (phase 1)

-->> IPSec Crypto (phase 2)

-->> IKE Gateway

-->> IPSec Tunnel

-->> Routes

-->> Security Policy





---->> Zones <<----

1- Inside - for internal traffic

2- Outside - connects to the Internet

3- VPN - the zone used for the VPN tunnel interface


---->> Configure Tunnel Interface <<----

1- Log in to the web GUI -->> go to the Network tab -->> Tunnel Interface

Interface Name: tunnel.12

Virtual Router: MY-VR

Security Zone: VPN

IPv4: 192.168.1./30


 



---->> IKE Crypto (phase 1) <<----

1- Go to Network >> Network Profiles >> IKE Crypto and click Add

 

Name: Test-IKE-CRYPTO

DH Group: group5

Authentication: sha256

Encryption: aes-192-cbc

Timers (Key Lifetime): 50,000 seconds 



---->> IPSec Crypto (phase 2) <<----

1- Go to Network >> Network Profiles >> IPSec Crypto and click Add

 

 

Name: Test-IPSEC-CRYPTO

Encryption: aes-256-cbc

Authentication: sha1

DH Group: group2

Lifetime: 10,000 seconds



---->> IKE Gateway <<----

1- Go to Network >> Network Profiles >> IKE Gateway and click Add

 

Name: Test-IKE-GATEWAY

Version: IKEv1

Interface: ethernet1/1 (the external interface that terminates IPSec)

Local IP Address: 10.1.1.1/24

Peer IP Address Type: IP

Peer Address: 10.1.1.2

Authentication: Pre-Shared Key

Pre-shared Key: "Test@123"




Now click the Advanced tab and select the IKE crypto profile created above (Test-IKE-CRYPTO).




---->> IPSec Tunnel <<----

1- Go to Network >> IPSec Tunnels and click Add

 

Name: TEST-IPSEC

Tunnel Interface: tunnel.12

IKE Gateway: Test-IKE-GATEWAY

IPSec Crypto Profile: Test-IPSEC-CRYPTO


This object ties the two halves together: it references the IKE gateway (which carries the phase 1 profile) and the IPSec crypto profile (phase 2), and binds them to the tunnel interface created earlier, tunnel.12.

Under Proxy IDs, add only the interesting traffic that should cross the tunnel, such as the LAN subnets on each side.





---->> Routes <<----

Add routes so that PA-A can reach PA-B and vice versa. Below is the route from PA-A to PA-B, where the gateway is the IPSec peer IP, which is 192.168.1.1.

Router Name: Router

Destination IP: 10.10.10.0/24

Next Hop IP: 192.168.1.2 (gateway, IPSec peer IP)




---->> Security Policy <<----

-->> Two policies are needed for this site-to-site VPN:

1- IPSec - allows the IKE and ESP negotiation between the two firewalls

2- LAN to LAN communication between the peers

 

-->> IPSec

Source Zone: Outside

Destination Zone: Outside

Application: ike, ipsec-esp


-->> For LAN to LAN communication between the peers

Source Zone: LAN & VPN

Source IP: 172.16.0.0/24 & 10.10.10.0/24

Destination Zone: LAN & VPN

Destination IP: 172.16.0.0/24 & 10.10.10.0/24

Application: any 



---->> Check Logs <<----

1- Go to Monitor -->> Logs -->> System



---->> Troubleshooting for Site to Site VPN <<----

The following commands are run from the firewall CLI (operational mode):

show vpn ike-sa

show vpn ipsec-sa tunnel "tunnel name"

show vpn flow name "tunnel name"

show running tunnel flow
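Most phase 1 and phase 2 failures seen in the logs above come down to the two peers disagreeing on a proposal field or on the proxy IDs. The script below is an added example (not part of the original post) that models both ends of the tunnel with the values from this post and reports every mismatch and every deprecated algorithm before the tunnel is committed. PA-B's configuration, the Peer class, and the WEAK set are assumptions constructed for the illustration.

```python
from dataclasses import dataclass

# Algorithms and DH groups no longer acceptable for a new tunnel: SHA-1, MD5,
# DES/3DES and MODP groups below 2048 bits (group5 is 1536-bit).
WEAK = {"md5", "sha1", "des", "3des", "group1", "group2", "group5"}
# Fields of each phase's profile that must match on both ends (lifetimes are
# negotiated rather than compared, so they are left out).
PHASES = {"ike": ("dh_group", "auth", "encryption"),      # phase 1
          "ipsec": ("encryption", "auth", "dh_group")}    # phase 2, dh_group = PFS

@dataclass
class Peer:
    name: str
    ike: dict            # phase 1 profile, e.g. {"dh_group": "group5", ...}
    ipsec: dict          # phase 2 profile
    local_subnet: str    # proxy ID as seen from this peer
    remote_subnet: str

def check_pair(a: Peer, b: Peer) -> list:
    """Return findings; an empty list means both ends agree and use no weak algorithm."""
    findings = []
    for phase, fields in PHASES.items():
        for f in fields:
            va, vb = getattr(a, phase)[f], getattr(b, phase)[f]
            if va != vb:
                findings.append(f"{phase} {f} mismatch: {a.name}={va} {b.name}={vb}")
            for p, v in ((a, va), (b, vb)):
                if v in WEAK:
                    findings.append(f"{phase} {f} weak on {p.name}: {v}")
    # Proxy IDs must mirror each other, or phase 2 fails even with matching crypto.
    if (a.local_subnet, a.remote_subnet) != (b.remote_subnet, b.local_subnet):
        findings.append(f"proxy-id mismatch: {a.name} {a.local_subnet}->{a.remote_subnet}, "
                        f"{b.name} {b.local_subnet}->{b.remote_subnet}")
    return findings

# PA-A carries the values from the post; PA-B is a constructed mirror of it.
IKE = {"dh_group": "group5", "auth": "sha256", "encryption": "aes-192-cbc", "lifetime_s": 50000}
IPSEC = {"encryption": "aes-256-cbc", "auth": "sha1", "dh_group": "group2", "lifetime_s": 10000}
PA_A = Peer("PA-A", IKE, IPSEC, "172.16.0.0/24", "10.10.10.0/24")
PA_B = Peer("PA-B", IKE, IPSEC, "10.10.10.0/24", "172.16.0.0/24")
# Constructed misconfiguration: PA-B's phase 2 hash differs from PA-A's and its
# proxy ID is not the mirror image of PA-A's.
PA_B_BAD = Peer("PA-B", IKE, {**IPSEC, "auth": "sha256"}, "10.10.10.0/24", "172.16.1.0/24")

if __name__ == "__main__":
    for peer in (PA_B, PA_B_BAD):
        print(f"--- {PA_A.name} <-> {peer.name}")
        print("\n".join(check_pair(PA_A, peer)) or "no findings")
```

With the post's own values the matching pair still produces six "weak" findings (group5, sha1 and group2 on each side), which is worth fixing before the tunnel goes into production.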



Please comment if you still face any issue.
