Palo Alto Networks PCNSE – VPN IPsec configuration details, Part 1
May 12, 2023

1. VPN IPsec L2L intro and configuration steps

In this lecture we will talk about the Palo Alto firewall VPN capability. Three setups are supported. You have site-to-site VPN, which uses IPsec to protect the traffic. You have remote user VPN, where remote users can connect either with IPsec or with SSL through GlobalProtect. And then you have Large Scale VPN (LSVPN), which lets you roll out a hub-and-spoke configuration: you have a hub and you have spokes, and you can support up to 1024 spokes per LSVPN. This solution requires a Palo Alto firewall to be deployed at the hub and at every spoke.

So the hub and the spokes have to be Palo Alto firewalls. LSVPN uses SSL to secure the communication between the components and IPsec to protect the data, so it is a combination: SSL for authentication and IPsec for traffic encryption. Now some terminology we need to be aware of when we start talking about site-to-site VPN. The gateway, the firewall that terminates the VPN connection, is referred to as the IKE gateway. Then you have the tunnel interface, which is used to forward traffic into the tunnel, because the Palo Alto firewall uses route-based VPN. Multiple vendors support site-to-site VPN, and some of them use policy-based (proxy ID based) VPN. Policy-based VPN does not rely on a tunnel interface to route the traffic.

Policy-based VPN relies on specifying which networks, source and destination, will be encrypted; they have to be listed as proxy IDs, and that traffic is protected by the VPN tunnel. The Palo Alto firewall is route-based, but it also supports proxy IDs. On the Palo Alto firewall you create a tunnel interface and you specify which traffic is going to go through that tunnel interface, and traffic that goes through the tunnel interface gets encrypted. If on the other side you have a proxy ID based device like a Cisco ASA, you have to specify proxy IDs in the tunnel configuration so that it knows what traffic will be encrypted, and both sides have to agree on what traffic will be encrypted. So if you are dealing with a Cisco ASA on the other side, for example, you have to have proxy IDs.

If here you are protecting network A to network B, on the ASA you have to have network B to network A. Traffic going this way from A to B and traffic returning from B to A: those two have to match. So in the case of IPsec VPN there are some topics we have to be aware of, and if you are not familiar with IPsec VPN, I'm going to do my best to summarize what the components of IPsec VPN are. IPsec VPN is based on RFCs, a standards-based protocol that defines the rules of communication between different IKE gateways, and there are two phases of communication: phase one and phase two. Phase one provides the authentication between the two IKE gateways and the agreement on what type of encryption and hashing will be used to protect phase two. Once phase one is done, it negotiates phase two.

Phase two provides the agreement on how the traffic data will be encrypted. So phase one provides you the authentication, the first step, the handshake between the two IKE gateways, and phase two provides you with data encryption. There are two types of phase one communication: main mode and aggressive mode. Main mode requires both sides to know in advance what the IP address of the other side is, what the pre-shared key is and what authentication will be used. With aggressive mode, one side doesn't have to know what IP address the other side will be coming from; it relies on the authentication to land the traffic on the correct policy on the firewall. So you have main mode and you have aggressive mode. And then phase two is the agreement on which networks are going to be protected.

This is where proxy IDs come in. If you have two firewalls, they have to agree on which networks will get protected. If this firewall has network A to network B, the other firewall should have network B to network A, and then they agree on what type of encryption and what type of hashing will be used. That is phase two. When we set up the Palo Alto firewalls, we need to configure phase one and phase two. The steps are as follows. Under the Network tab you have the IKE Gateway, which specifies the other side, the other firewall's IP address and details. But in order for us to specify that, we first need to build the IPsec Crypto profile, which is phase two, and the IKE Crypto profile, which is phase one. The IKE Crypto profile settings have to match on both sides for them to be able to establish the communication and negotiate phase two.

What you need to specify is the Diffie-Hellman group, which is the public key exchange used when the two sides first initiate the connection, what type of encryption is going to be used for phase one, and what type of authentication (hashing) is going to be used for phase one. If you are not familiar with Diffie-Hellman groups: Diffie-Hellman is a way for two entities to agree on a key using modular math. The two sides communicate, and if somebody is listening to the conversation they will not be able to figure out the shared secret key that comes out of that communication. There are multiple Diffie-Hellman groups. You have group 1, group 2 and group 5, which use modular math, and then you have groups 14, 19 and 20, which use elliptic curve math.

For groups 1, 2, 5 and 14, the higher the group, the higher the number of bits used to calculate the shared secret key. So the higher you go, the better protection you have for your communication: if somebody is eavesdropping, it is going to be much more difficult for them to figure out the shared secret key once you go up in the group. Actually, groups 1, 2, 5 and 14 use Oakley modular groups, and groups 19 and 20 use elliptic curves. Elliptic curve is much harder to break and it has less CPU overhead, so it's better to use the elliptic curve groups, because that more or less guarantees that nobody can break into your communication. So let's create a profile here. We'll call it phase one profile. For the DH group, let's use group 19. You can have multiple groups specified.

Both sides have to agree on at least one of them. For encryption you can use DES, 3DES, AES-128, AES-192 or AES-256; this is the phase one encryption. For authentication you can use MD5, SHA-1, SHA-256, SHA-384 or SHA-512. The higher you go, the better the protection of the communication. We're going to use SHA-1 and click OK. Now we have defined phase one and we need to define phase two. Phase two is how the data encryption is going to be done. In the phase two profile you have encryption; we can use AES-128 as an example. Then the Diffie-Hellman group: if you want to renegotiate the keys every time the IPsec lifetime expires, to make it harder to break into the conversation, you can use something called perfect forward secrecy (PFS). What happens is that they negotiate an additional set of keys once the phase two lifetime expires.
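The two agreement rules above (a phase one or phase two profile can list several choices and the peers must share at least one of each; proxy IDs on a policy-based peer must mirror the local ones) as an added Python example, not code from the lecture or from PAN-OS. Profile contents, the list of weak algorithms and the network ranges are constructed for this example.

```python
"""Phase 1 / phase 2 agreement and proxy-ID mirroring checks (added example).

Models the rules from the lecture: an IKE crypto (phase 1) or IPsec crypto
(phase 2) profile may list several DH groups, encryption and authentication
algorithms, and the two gateways must agree on at least one of each; with a
policy-based peer (e.g. a Cisco ASA) the proxy IDs must mirror each other.
Profile contents and network ranges below are constructed for this example.
"""
from dataclasses import dataclass

# Choices the lecture tells you to move away from (low DH groups, weak ciphers/hashes).
WEAK = {"group1", "group2", "group5", "des", "3des", "md5"}


@dataclass(frozen=True)
class CryptoProfile:
    dh_groups: tuple        # e.g. ("group19", "group14"); phase 2 may use "no-pfs"
    encryption: tuple       # e.g. ("aes-128-cbc", "aes-256-cbc")
    authentication: tuple   # e.g. ("sha256", "sha1")


def negotiate(initiator: CryptoProfile, responder: CryptoProfile):
    """Pick, in the initiator's preference order, the first DH group,
    encryption and authentication that the responder also offers.
    Returns a dict, or None when any of the three has no common choice
    (then the SA never comes up and the peer logs a proposal mismatch)."""
    chosen = {}
    for attr in ("dh_groups", "encryption", "authentication"):
        common = [x for x in getattr(initiator, attr) if x in getattr(responder, attr)]
        if not common:
            return None
        chosen[attr] = common[0]
    return chosen


def weak_choices(profile: CryptoProfile):
    """Return the algorithms a profile still offers that a peer could pick
    but that the lecture says to avoid (sorted for stable output)."""
    offered = profile.dh_groups + profile.encryption + profile.authentication
    return sorted(x for x in offered if x in WEAK)


def unmirrored_proxy_ids(local_ids, peer_ids):
    """Each local (local_net, remote_net) proxy ID needs the peer to carry the
    mirrored (remote_net, local_net) entry; return the local ones that do not."""
    mirrored = {(remote, local) for local, remote in peer_ids}
    return [pid for pid in local_ids if pid not in mirrored]


# Constructed sample: A and B agree on group19 / AES-128 / SHA-1 ...
PHASE1_A = CryptoProfile(("group19", "group14"), ("aes-128-cbc",), ("sha1", "sha256"))
PHASE1_B = CryptoProfile(("group14", "group19"), ("aes-128-cbc", "aes-256-cbc"), ("sha1",))
# ... but C only offers AES-256, so phase 1 with A fails.
PHASE1_C = CryptoProfile(("group19",), ("aes-256-cbc",), ("sha1",))

# Proxy IDs as (local network, remote network) seen from each firewall.
PALO_IDS = [("10.1.0.0/24", "10.2.0.0/24"), ("10.1.1.0/24", "10.2.0.0/24")]
ASA_IDS = [("10.2.0.0/24", "10.1.0.0/24")]   # the second pair is missing on the ASA

if __name__ == "__main__":
    print(negotiate(PHASE1_A, PHASE1_B))        # group19 / aes-128-cbc / sha1
    print(negotiate(PHASE1_A, PHASE1_C))        # None: no common encryption
    print(unmirrored_proxy_ids(PALO_IDS, ASA_IDS))
```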

For the lifetime you can specify, say, 24 hours, or you can also specify the lifetime by volume, in megabytes, starting at 100 MB or greater; here it's set to 200 MB. Authentication is the type of authentication that is going to be used, which is basically the hashing algorithm: you can specify SHA-1, SHA-256, SHA-384 and so on. Specify SHA-1 and click OK. Now that you have specified your phase one and phase two, you can create the IKE gateway. There are two IKE versions, version 1 and version 2. IKEv2 is newer and more flexible compared to IKEv1. We're going to do IKEv1 right now because I want to show you the IKEv1 settings.

We call this IKE gateway one. For the interface we're going to use the outside interface, and the local IP address is this one. Then the peer IP address: you need to specify the peer IP, the IP address of the other firewall, and then the pre-shared key or certificate; you can authenticate using a pre-shared key or a certificate. We're going to start with a pre-shared key (testkey). There are advanced options here. You can enable NAT traversal in case the other side is behind NAT or you are behind NAT. The exchange mode can be auto, main or aggressive; we talked about main and aggressive, and it's better to specify your mode. The IKE Crypto profile is the phase one profile that you selected. That completes the IKE gateway settings.

Now the last step is to create the IPsec tunnel, and that ties the pieces together. You create the tunnel configuration, call it tunnel to remote side, and you need to create a new tunnel interface that is going to be used for the communication. Give it a number, so tunnel.5, and specify the virtual router and the security zone. You can create a separate security zone for your tunnel interface; call it VPN. If you're going to be using route-based VPN, you specify the IP address of the interface. If you're going to use a policy-based (proxy ID) VPN, you don't really need to specify an IP address on the interface, but you can put one there in case you want to do additional routing.

Then we specify the tunnel interface, the type of addressing (IPv4), the IKE gateway we specified, and the phase two profile we specified. You can check Show Advanced Options: you can enable replay protection, and you can also do tunnel monitoring to monitor the tunnel interface and verify there is connectivity, which is used in policy-based routing. In case we're dealing with a Cisco ASA, we need to specify the proxy ID. Give it a name; local, let's say a 192.168 network, and remote a 172… This is just an example; I'm giving you the steps and we're going to look at specific examples. This completes your setup. So, to recap: you first specify the phase one policy, then the phase two policy, then the IKE gateway settings, and then you create the tunnel interface and the tunnel configuration. The IKE gateway takes the phase one policy. The tunnel interface is used to terminate traffic. The tunnel configuration specifies the IKE gateway and the phase two policy, and that completes your setup. You also create routes to send the traffic to that tunnel interface. If you're connected to a policy-based firewall, you need to specify the proxy IDs.

2. VPN IPsec L2L Palo Alto to Palo Alto Example

In this example we have two Palo Alto firewalls, one in site A and one in site B, and we want to tunnel the traffic between 192.168.1.0/24 on one side and 192.168.2.0/24 on the other side. Let's see how to create that. This is the site A firewall. We have the network already set up and the interfaces configured: this is the untrust interface and this is the trust interface. The virtual router has a default route pointing to 1.1.1.2 on one side and 2.2.2.2 on the other side. So this Internet router is the default gateway: 1.1.1.2 for the site A firewall and 2.2.2.2 for the site B firewall. Both firewalls are Palo Alto firewalls. Let's start this example and see how to create that.

First you can create the tunnel interface. We're going to go to the Tunnel tab, click Add and call this tunnel.2. We use the default virtual router and create a security zone; we're going to call it VPN. Then we can give it an IP address: since the other side is a Palo Alto firewall, it's route-based, so we can assign an IP address. We're going to give it 3.3.3.1/24 on one side and 3.3.3.2 on the other side. Here on the site B firewall we go ahead and create a tunnel interface, call it tunnel.2, and do the same thing we did on site A: create a zone called VPN and give it an IP address of 3.3.3.2/24.

That sets up the tunnel interface. Now we need to go through phase one, the IKE Crypto profile. You can use the default, but we're going to create one. We're going to call this Phase One Site B. We select DH group 19, encryption AES-128 and authentication SHA-1, leave the key lifetime at the default and click OK. Then we create phase two the same way: for encryption we're going to use AES-128. You can use perfect forward secrecy to renegotiate the keys, or you can use no PFS. We're going to choose no PFS, and since there is no PFS, the SA will not negotiate new Diffie-Hellman keys when the lifetime expires; it's going to use the same keys negotiated in phase one. Authentication is SHA-1, then click OK.

So now we have phase one and phase two set up, and we're going to go ahead and create the IKE gateway. We're going to call this Site B and use IKEv1 only. The interface is the outside interface, basically the interface that the VPN traffic will come in on. Hold on: I started the naming with Site B, but this needs to be Site A, so I'm going to rename it Site A. This is the Site A profile. Then the IKE gateway: we're going to create one called Site A, named for the other site. The interface that this traffic will be triggered on is the outside interface, ethernet1/1. The local IP address is 2.2.2.1. Peer IP: if you select a dynamic peer IP, that means we're going to be using aggressive mode; if the peer IP is static, we're going to be using main mode.

So the peer IP address will be 1.1.1.1. Pre-shared key: I'm going to give it the pre-shared key. Advanced options: you can enable NAT traversal, and dead peer detection is enabled by default. The IKE Crypto profile we're going to use is the phase one profile, Phase One, with no fragmentation, and then click OK. Now we need to route the traffic to the other side. How are we going to do that? We're going to go to the virtual router and create a static route that says: if you want to reach 192.168.1.0/24, use the tunnel interface, tunnel.2, that we created, and the next hop is 3.3.3.1, the tunnel interface on the other side. Click OK. Because this is a route-based VPN, you need to specify the route; that's a must.

You have to specify the route, and then click OK. Now we're going to go and set up the same thing on the other side. IKE Crypto: create Phase One Site B, and let's just make sure we have the settings correct: AES-128, SHA-1, group 19 on one side; AES-128, group 19, SHA-1 on the other. And then phase two: AES-128, SHA-1, DH group no-pfs. This is phase one, and this is phase two here: DH group no-pfs. Then the IKE gateway: we're going to create one and call it Site B, IKEv1 only. The interface is the outside interface and the IP address is the IP address of the outside interface. Peer IP is 2.2.2.1, pre-shared key, and under advanced options we select the exchange mode to be main mode. The IKE Crypto profile is Site B and dead peer detection is enabled. Click OK. So let's validate.

Now that we have the IKE gateway, we're going to create the IPsec tunnel. Call the IPsec tunnel Site B; this is on site A. The tunnel interface that is going to be used is tunnel.2. Manual keys are for statically assigned encryption keys, so that's typically not used. Auto key basically relies on phase two to create the keys. The IKE gateway we select is Site B, we choose the phase two profile Site B, and then proxy IDs: we don't need to specify proxy IDs because this is a route-based VPN and the other side is a Palo Alto firewall, so that should be fine. Click OK and do the same thing on the other side: IPsec tunnel Site A, tunnel interface tunnel.2, auto key, IKE gateway Site A, the phase two profile, and proxy IDs empty. So now we have a default route here and we have the VPN route.

Here, if you are going to 192.168.1.0, use tunnel.2. You need to create the route on site A as well: virtual router, static route to site B, 192.168.2.0/24, use the tunnel interface and the default virtual router, and the next hop is 3.3.3.2. Here the tunnel interface IP address is 3.3.3.1, and there the tunnel interface IP address is 3.3.3.2. So basically I'm pointing 192.168.1.0 to the other side, which is 3.3.3.1, and vice versa. Before we commit we need to create a policy that allows this traffic. We're going to allow the traffic for the VPN: source zone is Trust, destination zones are Untrust and VPN, application any, action allow. To make sure it's allowed in both directions, we're going to add VPN also as a source and Trust as a destination.

This way Trust to VPN and VPN to Trust is allowed. Same thing on this side: source Trust or VPN, destination Trust or VPN, action allow. Next we need to create a security policy to allow the VPN protocols coming into the untrust interface, the Untrust zone: the source is going to be Untrust and the destination is going to be Untrust, because this traffic is coming in on the outside interface, and for service or application you specify ike, which is phase one, and ipsec. IPsec includes ESP, ESP over UDP and AH; I can explain what those three protocols are in a different lecture. Then we click OK. We need to do the same thing on the other side. So now we have an Untrust to Untrust rule allowing IKE and IPsec.

On the policy on this side we need to do the same: add a rule, allow VPN, source Untrust to destination Untrust, application ike and ipsec, action allow. And then we commit. We get a warning: rule allow VPN shadows rule VPN allow. Okay, let me recreate the rule for the VPN traffic: source Trust, destination VPN, and source VPN, destination Trust, so source or destination is Trust or VPN, and action allow. Commit. show vpn ipsec-sa: nothing. What about on this side? This side is correct: we have Trust to VPN and VPN to Trust allowed, and Untrust to Untrust allowing ike and ipsec. On this side also we have the same: Untrust to Untrust allowing ike and ipsec, and Trust to VPN allowed.

VPN to Trust allowed. show vpn ipsec-sa: nothing. Let's initiate the traffic. show vpn, show session all: there's an IKE session, but there's no IPsec session. Okay, now I see an IPsec session and an IKE session, so we should have the tunnel up; the tunnel is up, see here, green, green and green. For some reason I'm unable to ping from 192.168.1.2 to 192.168.2.2, from Trust to Trust. Let's verify the routes: virtual router default, routing table. Site B is 192.168.2.0; oh, the interface here should be the tunnel, and I mistakenly put the interface ethernet1/2. That's why it's not working. We'll go ahead and commit that, and then basically do the same here, just verify it: virtual router, static route, tunnel.2. So we should be able to ping now.

Okay, now we're able to ping. If we do show session all and then show session id 55, we see here that the ingress interface is ethernet1/2, which is this interface, and the egress interface is tunnel.2, which is the tunnel that we created. The rule is VPN, which is this rule, and there's no NAT translation being done; we're going to look at NAT translation later and see what happens. But this is an example of how to do Palo Alto to Palo Alto. We're going to see additional examples and scenarios in future lectures.
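The two things that went wrong in this lab (a VPN route that egressed ethernet1/2 instead of tunnel.2, and a security rule shadowed by an earlier, broader rule) as an added Python example, not code from the lecture and not PAN-OS configuration syntax. Addresses, zones and interface names follow the lab above; the route and rule dictionaries are constructed for the example.

```python
"""Consistency checks for the route-based Palo Alto to Palo Alto lab above
(added example, not PAN-OS configuration syntax).

Catches the two problems the lecture runs into: the static route to the remote
LAN that egressed ethernet1/2 instead of tunnel.2, and a security rule that is
shadowed by an earlier, broader rule. Addresses, zones and interface names
follow the lecture; the route and rule dictionaries are constructed here.
"""
from ipaddress import ip_network

# Each site's LAN and tunnel-interface address (the other side's next hop).
SITES = {
    "A": {"lan": "192.168.1.0/24", "tunnel_ip": "3.3.3.1"},
    "B": {"lan": "192.168.2.0/24", "tunnel_ip": "3.3.3.2"},
}


def check_vpn_route(site, peer, routes, tunnel_if="tunnel.2"):
    """Return a list of problems with `site`'s static route towards `peer`'s LAN.
    The route must exist, egress the tunnel interface and use the peer's
    tunnel IP as next hop; an empty list means the route is fine."""
    want = ip_network(SITES[peer]["lan"])
    matches = [r for r in routes if ip_network(r["destination"]) == want]
    if not matches:
        return [f"site {site}: no static route to {want}"]
    route, problems = matches[0], []
    if route["interface"] != tunnel_if:
        problems.append(f"site {site}: route to {want} egresses "
                        f"{route['interface']}, expected {tunnel_if}")
    if route.get("next_hop") != SITES[peer]["tunnel_ip"]:
        problems.append(f"site {site}: next hop {route.get('next_hop')} is not "
                        f"the peer tunnel IP {SITES[peer]['tunnel_ip']}")
    return problems


def shadowed_rules(rules):
    """Return (later_rule, earlier_rule) name pairs where the earlier rule
    already matches every source zone, destination zone and application of
    the later one, so the later rule can never be hit (the commit warning)."""
    def covers(a, b, key):
        return "any" in a[key] or set(b[key]) <= set(a[key])

    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if all(covers(earlier, later, k) for k in ("from", "to", "application")):
                found.append((later["name"], earlier["name"]))
                break
    return found


# Constructed routing tables: site A is correct, site B has the lecture's typo.
ROUTES_A = [{"destination": "0.0.0.0/0", "interface": "ethernet1/1", "next_hop": "1.1.1.2"},
            {"destination": "192.168.2.0/24", "interface": "tunnel.2", "next_hop": "3.3.3.2"}]
ROUTES_B = [{"destination": "0.0.0.0/0", "interface": "ethernet1/1", "next_hop": "2.2.2.2"},
            {"destination": "192.168.1.0/24", "interface": "ethernet1/2", "next_hop": "3.3.3.1"}]

# Constructed rulebase: the third rule is fully covered by the first.
RULES = [
    {"name": "VPN", "from": ["trust", "vpn"], "to": ["trust", "vpn"], "application": ["any"]},
    {"name": "allow IKE-IPsec", "from": ["untrust"], "to": ["untrust"], "application": ["ike", "ipsec"]},
    {"name": "VPN to trust", "from": ["vpn"], "to": ["trust"], "application": ["any"]},
]
```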
