Monday, September 8, 2025

Module 10 Palo Alto Site to Site VPN

 

IPSec VPN Troubleshooting
  • VPN concept and configuration
  • Troubleshooting IPSec VPN connectivity issues
  • Troubleshooting IKE Phase 1
  • Troubleshooting IKE Phase 2
  • Interpreting VPN error messages
  • Checking routing and security policy rules
  • Proxy IDs: route-based and policy-based VPNs
  • IPSec tunnel is up but packets are being dropped
  • Dead peer detection and tunnel monitoring
  • IPSec with overlapping networks
  • How to enable debug for a single VPN peer

To set up a site-to-site VPN on Palo Alto firewalls

Information Needed
1. Decide on ciphers
2. Collect IP information
   - Remote peer IP
   - Local peer IP
3. Select a shared key



  

1. Configure a tunnel interface.
2. Define the IKE (Phase 1) and IPsec (Phase 2) policies, including the crypto profiles.
3. Create an IKE Gateway and establish the IPsec tunnel.
4. Configure routing.
5. Create a security policy to allow traffic through the tunnel.

Both firewalls must use matching pre-shared keys and IKE/IPsec parameters for the tunnel to establish successfully.


All of the configuration is done under the Network tab, apart from the firewall rules and NAT, which are under the Policies tab.


1. Prepare the Network Environment

Create a Tunnel Interface:
Go to Network > Interfaces > Tunnel and create a tunnel interface. Assign it a virtual router, a security zone (e.g., a dedicated VPN zone or the untrust zone) and an IP address.

Identify Networks:
Determine the local and remote subnets that will communicate over the VPN.

Firewall A
Go to Network > Interfaces > Tunnel
Click + to create a tunnel interface.
Virtual Router:
Security Zone:

2. Configure Phase 1 (IKE Gateway)

Create a Crypto Profile:
Go to Network > Network Profiles > IKE Crypto and create a profile with the desired encryption and authentication algorithms.

Create an IKE Gateway:
Navigate to Network > IPsec Tunnels > IKE Gateway.
Interface: Select the public-facing interface on your firewall.
IPsec Peer: Enter the public IP address of the remote firewall.
Authentication: Configure the authentication method (e.g., pre-shared key) and enter the shared key, which must match the remote firewall.
IKE Crypto Profile: Select the IKE Crypto Profile you created.

3. Configure Phase 2 (IPsec Tunnel)

Create a Crypto Profile:
Go to Network > Network Profiles > IPsec Crypto and define the encryption and authentication settings for Phase 2.

Create an IPsec Tunnel:
Go to Network > IPsec Tunnels and click Add.
General: Set the tunnel interface, assign the IKE Gateway you created, and select the IPsec Crypto Profile.
Proxy IDs: Define the Proxy ID to match the local and remote networks, which ensures the VPN tunnel is established only for authorized traffic.

4. Configure Routing and Security Policies

Configure Static Routes: 
Add a static route to direct traffic destined for the remote network through the IPsec tunnel interface. 
Create Security Policies:
Tunnel Security Policy: Create a security policy that allows traffic between the tunnel interface and the remote network. 
User Traffic Security Policy: Create additional security policies to permit traffic from your internal networks to the remote network through the VPN tunnel.

5. Repeat for the Remote Firewall

Reverse the configuration process on the other firewall, ensuring the IP addresses, subnets, pre-shared keys, and crypto parameters are identical.


Tunnel Interface





IPSec Crypto Profile 





IKE CRYPTO PROFILE
Name: Prisma-IKE-Crypto
DH Group: group20
Authentication: sha256, sha1
Encryption: aes-256-cbc
Timer: 8 hrs



GENERAL TAB
Create IKE Gateway
Name: Business_A
Version: IKEv2 only mode
Address Type: IPv4
Interface: ethernet1/13 (your external interface for the tunnel)
Local IP Address: 216.200.199.70/24
Peer Address: 217.200.19.10/24
Authentication: Pre-Shared Key
Pre-Shared Key: PaloAlto
Confirm Pre-Shared Key: PaloAlto
Local Identification: 216.200.199.70
Peer Identification: 217.200.19.10



ADVANCED OPTIONS
IKE Crypto Profile: Prisma-IKE-Crypto
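As an added example, not taken from the original post, the same five-step build-out for Firewall A written as PAN-OS CLI `set` commands, using the IKE crypto profile and IKE gateway values shown above. Everything not on the page is an assumption: the tunnel interface `tunnel.1` and its address, the zone names `VPN` and `trust`, the virtual router `default`, the IPsec crypto profile `Prisma-IPsec-Crypto` and its algorithms, the tunnel name `Business_A_Tunnel`, the local subnet 10.1.0.0/24 and remote subnet 10.2.0.0/24, the DPD setting, and the pre-shared key placeholder. The command syntax is PAN-OS configure-mode syntax as I know it; confirm each path with `?` completion on your release before committing. Lines beginning with `#` are annotations for the reader, not CLI input.

```panos
# ---- Firewall A, configure mode (enter with: configure) ----

# Step 1: tunnel interface, its virtual router, security zone and IP (assumed values)
set network interface tunnel units tunnel.1 comment "Site-to-site to Business_A"
set network interface tunnel units tunnel.1 ip 10.255.0.1/30
set network virtual-router default interface tunnel.1
set zone VPN network layer3 tunnel.1

# Step 2: Phase 1 (IKE) crypto profile, values from the page; sha1 is kept only because the page lists it
set network ike crypto-profiles ike-crypto-profiles Prisma-IKE-Crypto dh-group group20
set network ike crypto-profiles ike-crypto-profiles Prisma-IKE-Crypto encryption aes-256-cbc
set network ike crypto-profiles ike-crypto-profiles Prisma-IKE-Crypto hash [ sha256 sha1 ]
set network ike crypto-profiles ike-crypto-profiles Prisma-IKE-Crypto lifetime hours 8

# Step 2: IKE gateway (Phase 1 peer), values from the page; peer address is the host IP without a mask
set network ike gateway Business_A protocol version ikev2
set network ike gateway Business_A protocol ikev2 ike-crypto-profile Prisma-IKE-Crypto
set network ike gateway Business_A protocol ikev2 dpd enable yes
set network ike gateway Business_A local-address interface ethernet1/13
set network ike gateway Business_A local-address ip 216.200.199.70/24
set network ike gateway Business_A peer-address ip 217.200.19.10
set network ike gateway Business_A authentication pre-shared-key key <strong-pre-shared-key>
set network ike gateway Business_A local-id type ipaddr id 216.200.199.70
set network ike gateway Business_A peer-id type ipaddr id 217.200.19.10

# Step 3: Phase 2 (IPsec) crypto profile (assumed values; GCM is AEAD, so ESP authentication is none)
set network ike crypto-profiles ipsec-crypto-profiles Prisma-IPsec-Crypto esp encryption aes-256-gcm
set network ike crypto-profiles ipsec-crypto-profiles Prisma-IPsec-Crypto esp authentication none
set network ike crypto-profiles ipsec-crypto-profiles Prisma-IPsec-Crypto dh-group group20
set network ike crypto-profiles ipsec-crypto-profiles Prisma-IPsec-Crypto lifetime hours 1

# Step 3: IPsec tunnel binding interface, gateway and profile; proxy ID = local/remote subnets (assumed)
set network tunnel ipsec Business_A_Tunnel tunnel-interface tunnel.1
set network tunnel ipsec Business_A_Tunnel auto-key ike-gateway Business_A
set network tunnel ipsec Business_A_Tunnel auto-key ipsec-crypto-profile Prisma-IPsec-Crypto
set network tunnel ipsec Business_A_Tunnel auto-key proxy-id Business_A_LAN local 10.1.0.0/24 remote 10.2.0.0/24 protocol any

# Step 4: static route sending the remote subnet into the tunnel interface
set network virtual-router default routing-table ip static-route To-Business_A destination 10.2.0.0/24 interface tunnel.1

# Step 5: security policy scoped to the two subnets and the VPN zone (Policies tab in the GUI)
set rulebase security rules Allow-Business_A-VPN-out from trust to VPN source 10.1.0.0/24 destination 10.2.0.0/24 application any service application-default action allow
set rulebase security rules Allow-Business_A-VPN-in from VPN to trust source 10.2.0.0/24 destination 10.1.0.0/24 application any service application-default action allow
commit

# ---- operational mode checks after commit (leave configure mode with: exit) ----
# Phase 1: is there an IKE SA for the gateway?
show vpn ike-sa gateway Business_A
# Phase 2: is there an IPsec SA for the tunnel?
show vpn ipsec-sa tunnel Business_A_Tunnel
# Routing: does 10.2.0.0/24 point at tunnel.1?
show routing route
# Tunnel state and encap/decap counters
show vpn flow
# Force a Phase 1 negotiation to surface a mismatch quickly
test vpn ike-sa gateway Business_A
```

Firewall B is the mirror image (step 5 of the walkthrough): its local address, local ID and local proxy-ID subnet are this side's peer values and vice versa, while the crypto profiles and pre-shared key must be identical. Between two route-based Palo Alto firewalls the proxy ID can be left at its default; when one is configured it has to match the peer's mirrored entry exactly, which is the usual cause of a Phase 2 that will not come up while Phase 1 is established.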




