How To Create Ipsec Tunnel In Palo Alto

Disclaimer

This document is based on Palo Alto version 10.1. While we expect that IPsec tunnels will continue to work with devices as each vendor updates their device, Umbrella cannot guarantee connectivity for versions not explicitly listed as tested in this document.

A Palo Alto IPsec VPN connection lets you join two networks with a site-to-site VPN. You can configure route-based VPNs to connect Palo Alto Networks firewalls with a third-party security device at another location. The firewall can also interoperate with third-party policy-based VPN devices, although the Palo Alto Networks firewall itself supports route-based VPN.

To set up the VPN tunnel, the peers first need to authenticate each other. After successful authentication, the peers negotiate the encryption mechanism and algorithms to secure the communication. The Internet Key Exchange (IKE) process is used to authenticate the VPN peers, and IPsec Security Associations (SAs) are defined at each end of the tunnel to secure the VPN communication. IKE uses digital certificates or preshared keys, together with Diffie-Hellman key exchange, to set up the SAs for the IPsec tunnel. The SAs specify all of the parameters that are required for secure transmission, including the security parameter index (SPI), security protocol, cryptographic keys, and the destination IP address, and they provide encryption, data authentication, data integrity, and endpoint authentication.

The following figure shows a VPN tunnel between two sites. When a client that is secured by VPN Peer A needs content from a server located at the other site, VPN Peer A initiates a connection request to VPN Peer B. If the security policy permits the connection, VPN Peer A uses the IKE Crypto profile parameters (IKE phase 1) to establish a secure connection and authenticate VPN Peer B. Then, VPN Peer A establishes the VPN tunnel using the IPsec Crypto profile, which defines the IKE phase 2 parameters to allow the secure transfer of data between the two sites.

[Figure: Site-to-Site VPN]

You must select an Umbrella SIG Data Center IP address to use when creating the IPsec tunnel.

In the sample commands, <umbrella_dc_ip> refers to this IP address. We recommend choosing the IP address based on the data center located closest to your device.

  1. In the Umbrella dashboard, navigate to Deployments > Core Identities > Network Tunnels, then click Add.
  2. Give your tunnel a meaningful Tunnel Name, from the Device Type drop-down list choose ISR, then click Save.
     Note: Use ISR because the ISR profile defaults to FQDN IKE identity.
  3. Select your Tunnel ID from the drop-down list. Enter the Pre-Shared-Key (PSK) Passphrase, then click Save.

The new tunnel appears in the Umbrella dashboard with a status of Not Established. The tunnel status is updated once it is fully configured and connected with the Palo Alto Firewall.

To set up a VPN tunnel, the Layer 3 interface at each end must have a logical tunnel interface for the firewall to connect to and establish a VPN tunnel. A tunnel interface is a logical (virtual) interface that is used to deliver traffic between two endpoints.

  1. Select Network > IPsec Tunnels and then click Add.
  2. From the General tab, add a Name for the new tunnel.
  3. Select the Tunnel interface that will be used to set up the IPsec tunnel:
    • Select Tunnel Interface > New Tunnel Interface.
    • In the Interface Name field, specify a numeric suffix, such as .2.
    • From the Config tab, select the Security Zone drop-down to define the zone.
    • Click OK.

Use your trust zone as the termination point for the tunnel—select the zone from the drop-down. Associating the tunnel interface with the same zone (and virtual router) as the external-facing interface on which the packets enter the firewall mitigates the need to create inter-zone routing.

  1. Select Network > Network Profiles > IKE Crypto and then click Add.
  2. Add a Name for the new profile.
  3. Specify the DH (Diffie-Hellman) Group for key exchange and the Authentication and Encryption algorithms.
  4. Click Add in the corresponding sections (DH Group, Authentication, and Encryption), and then choose the following values from the drop-downs:
    • DH Group – group19
    • Authentication – non-auth
    • Encryption – aes-256-gcm
    • Timers – Key Lifetime: 8 hours / IKEv2 Authentication Multiple: 0
  5. Click OK and then click Commit.

The IPsec crypto profile is invoked in IKE Phase 2. It specifies how the data is secured within the tunnel when Auto Key IKE is used to automatically generate keys for the IKE SAs.

  1. Select Network > Network Profiles > IPsec Crypto and then click Add.
  2. Enter a Name for the new profile.
  3. Select the IPsec Protocol: ESP.
  4. Click Add and then select the Authentication and Encryption algorithms for ESP (and the Authentication algorithms for AH). Then set the DH Group for the IPsec SA negotiations in IKE Phase 2 and the Lifetime:
    • Encryption – aes-256-gcm
    • Authentication – sha256
    • DH Group – no-pfs / Lifetime – 1 hour
  5. Click OK and then click Commit to commit your IPsec profile.

To set up a VPN tunnel, the VPN peers or gateways must authenticate each other (here using pre-shared keys) and establish a secure channel in which to negotiate the IPsec security association (SA) that will be used to secure traffic between the hosts on each side.

  1. Select Network > Network Profiles > IKE Gateways, click Add, and enter the gateway Name (General tab).
  2. Set the Version to IKEv2 only mode.
  3. Select the Address Type: IPv4.
  4. Select the physical, outgoing Interface on the firewall where the local gateway resides.
  5. From the Local IP Address drop-down, select the IP address that the VPN connection will use as the endpoint; this is the external-facing interface with a publicly routable IP address on the firewall.
  6. Establish the peer at the far end of the tunnel (gateway). For Peer IP Address Type, select IPv4. Select the closest Umbrella data center location and use a Palo Alto address object created with that IP address.
  7. IP – Enter the address object that holds the IP address of the closest Umbrella data center, for example UMB-NYC for the Umbrella NYC data center IP 146.112.83.8. For more information, see Connect to Cisco Umbrella Through Tunnel.
  8. Select the Authentication method Pre-Shared Key, enter the pre-shared key from the Umbrella dashboard, and enter the same key again in Confirm Pre-Shared-Key.
    • Local Identification – User FQDN (email address). This email address is obtained from the Umbrella dashboard, as described at the beginning. The syntax is <[email protected]>.
    • Peer Identification – None.
  9. Select Advanced Options.
  10. Check Enable NAT Traversal.
  11. In the IKEv2 section, under IKE Crypto Profile, select the IKE Crypto profile you created earlier, for example UMB-IKE.
  12. Enable Liveness Check and enter 5.
  13. Click OK, then click Commit.

The IPsec tunnel configuration allows you to authenticate and/or encrypt the data (IP packet) as it traverses across the tunnel.

  1. Select the IKE Gateway you previously created.
  2. Select the IPsec Crypto Profile previously created.
  3. Click OK, then click Commit.

Use the routing table under Network > Virtual Routers > Default.

  1. Virtual Router: assign an IP address to the tunnel interface. Select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface. With static routes, the tunnel interface does not require an IP address: for traffic destined to a specified subnet or IP address, the tunnel interface automatically becomes the next hop. Consider adding an IP address if you want to enable tunnel monitoring.

Configure a static route, on the virtual router, to the destination subnet.

  1. Select Network > Virtual Router and click the router you defined in the prior step.
  2. Select Static Route, click Add, and enter a new route to access the subnet that is at the other end of the tunnel:
    • Destination – 172.16.0.1/24
    • Interface – Tunnel-IP

The configuration for VPN Peer B is:

  • Destination – 146.112.83.8
  • Interface – Tunnel 2-Address
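As an added example (not part of the Umbrella guide and not PAN-OS code), the following Python script checks an exported PAN-OS configuration for the IKE gateway, IKE crypto profile and IPsec crypto profile settings this guide prescribes (IKEv2 only, liveness check on, NAT traversal on, aes-256-gcm with non-auth and group19 for IKE, aes-256-gcm with sha256 for ESP). The XML layout it parses follows the PAN-OS running-config structure as I understand it and is an assumption; the embedded configuration is constructed sample data with two deliberate deviations (IKE version ikev1 and the liveness check disabled).

```python
import xml.etree.ElementTree as ET

# Constructed sample in the PAN-OS running-config layout as I understand it (assumption).
# Two deviations from the guide are planted: IKE version ikev1 and liveness check (DPD) off.
SAMPLE_CONFIG = """<config><devices><entry name="fw"><network><ike><crypto-profiles>
 <ike-crypto-profiles><entry name="UMB-IKE">
  <encryption><member>aes-256-gcm</member></encryption><hash><member>non-auth</member></hash>
  <dh-group><member>group19</member></dh-group><lifetime><hours>8</hours></lifetime>
 </entry></ike-crypto-profiles>
 <ipsec-crypto-profiles><entry name="UMB-IPSEC">
  <esp><encryption><member>aes-256-gcm</member></encryption>
       <authentication><member>sha256</member></authentication></esp>
 </entry></ipsec-crypto-profiles></crypto-profiles>
<gateway><entry name="UMB-NYC">
 <protocol><version>ikev1</version><ikev2><ike-crypto-profile>UMB-IKE</ike-crypto-profile>
  <dpd><enable>no</enable></dpd></ikev2></protocol>
 <protocol-common><nat-traversal><enable>yes</enable></nat-traversal></protocol-common>
 <peer-address><ip>146.112.83.8</ip></peer-address>
</entry></gateway></ike></network></entry></devices></config>"""

# Exactly the algorithm set this guide prescribes; any extra or missing member is a finding.
EXPECTED_IKE = {"encryption": "aes-256-gcm", "hash": "non-auth", "dh-group": "group19"}
EXPECTED_ESP = {"encryption": "aes-256-gcm", "authentication": "sha256"}

def members(node, tag):
    # Values of the <member> children under node/tag (empty list if absent).
    return [m.text for m in node.findall(f"{tag}/member")]

def check_gateway(xml_text, gw_name, ipsec_profile):
    """Return the deviations from the guide's settings for one IKE gateway."""
    root = ET.fromstring(xml_text)
    gw = root.find(f".//ike/gateway/entry[@name='{gw_name}']")
    if gw is None:
        return [f"gateway {gw_name} not found"]
    findings = []
    if gw.findtext("protocol/version") != "ikev2":
        findings.append("IKE version is not ikev2 (guide: IKEv2 only mode)")
    if gw.findtext("protocol/ikev2/dpd/enable") != "yes":
        findings.append("IKEv2 liveness check (DPD) is not enabled")
    if gw.findtext("protocol-common/nat-traversal/enable") != "yes":
        findings.append("NAT traversal is not enabled")
    ike_name = gw.findtext("protocol/ikev2/ike-crypto-profile")
    ike = root.find(f".//ike-crypto-profiles/entry[@name='{ike_name}']")
    for tag, want in EXPECTED_IKE.items():
        if ike is None or members(ike, tag) != [want]:
            findings.append(f"IKE crypto profile {ike_name}: {tag} must be exactly {want}")
    esp = root.find(f".//ipsec-crypto-profiles/entry[@name='{ipsec_profile}']/esp")
    for tag, want in EXPECTED_ESP.items():
        if esp is None or members(esp, tag) != [want]:
            findings.append(f"IPsec profile {ipsec_profile}: ESP {tag} must be exactly {want}")
    return findings
```

Run it against a real export with `check_gateway(open("running-config.xml").read(), "UMB-NYC", "UMB-IPSEC")`; an empty list means the gateway and both profiles match the guide.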

To confirm that the IPsec tunnel to Umbrella is established, run the following commands on the firewall CLI. The first shows the IKE SA for the gateway; the second shows the last 50 lines of the IKE manager log:

    show vpn ike-sa detail gateway UMB-NYC

    tail lines 50 mp-log ikemgr.log


Source: https://docs.umbrella.com/umbrella-user-guide/docs/manual-palo-alto-ipsec-deployment

Posted by: hernandezsuccans.blogspot.com
