This article presents the steps to configure an IPSec tunnel between two Palo Alto firewalls.
There are two kinds of networks on the Internet: public and private. Public networks can be routed point-to-point or location-to-location across the globe, but private networks cannot be routed the same way, which is why they are called private. Private networks can still be routed over public networks through a concept called a virtual tunnel, or Virtual Private Network (VPN): the tunnel is built between two sites, and the private networks behind each site can then reach each other through it. The best protocol for building a VPN is IPSec (Internet Protocol Security). Many vendors in the networking industry that manufacture L3 equipment, including firewalls, provide this protocol as a feature. Palo Alto Networks is one of them, and this article provides the steps for doing that on its firewalls.
The following steps are needed to configure IPSec on a PA firewall:
- Tunnel interface
- Security policy
- IKE gateway
- IPSec tunnel
Let's first create the tunnel interface, a virtual interface that carries the traffic between the two endpoints. This interface can also be used to monitor the tunnel through its IP address. When you create a new tunnel interface, you basically provide a tunnel number, the interface type, a virtual router, a security zone, an IP address (optional) and an interface management profile. The configuration is the same on both sides, so configure one firewall first, copy the same configuration to the peer firewall, and then change the "peer IP address" on each side.
To allow data traffic coming from or going into the tunnel interface, we have to write a security policy that includes the tunnel interface's zone.
This is phase 1 of the IPSec tunnel configuration. Here the encryption type, hashing algorithm and peer details are entered, and these details must be the same on both peers. I will show each step of configuring this on both firewalls. Any misconfiguration, however minute, will prevent phase 1 from forming.
This is phase 2 of the tunnel configuration. Select the "IKE Gateway" and the "IPSec Crypto Profile"; the "IPSec Crypto Profile" must be the same as the peer's. Type and Address Type can be left at their defaults, but even these should match the peer. Remember that all hashing and crypto profiles must match exactly between the peers, as must the pre-shared key if one is configured. Once all parameters match, the phase 1 and phase 2 sessions are created and the IPSec tunnel is ready; to bring the tunnel up, some traffic has to pass through it. For a basic test, ping between the two remote networks, and you will then see the status indicators turn green. The images below show the IPSec tunnel configuration from both peers, including the status.
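Because phase 1 and phase 2 only come up when every parameter matches on both peers (and the peer address on each side must be the other side's local address), it helps to cross-check the two configurations before committing. The following Python script is an added example, not part of this article and not Palo Alto's own tooling: it models each firewall's IKE gateway, IKE crypto profile and IPSec crypto profile as a plain dataclass with assumed field names, and reports every mismatch. The sample values are constructed (documentation IP ranges, a placeholder pre-shared key); the algorithm names follow the style shown in the PAN-OS GUI but are not read from a device. A mismatched pre-shared key is reported without printing either key.

```python
"""Cross-check the phase 1 / phase 2 parameters of two IPSec peers.

Added example: models the settings entered in the article's IKE Gateway
and IPSec Tunnel steps and reports any value that differs between peers.
Field names and sample values are assumptions, not device output.
"""
from dataclasses import dataclass, replace
from typing import List, Tuple


@dataclass(frozen=True)
class PeerConfig:
    name: str
    local_address: str          # this firewall's external interface address
    peer_address: str           # "peer IP address" entered on this firewall
    # Phase 1: IKE Gateway + IKE Crypto Profile
    ike_version: str
    ike_encryption: str
    ike_hash: str
    ike_dh_group: str
    ike_lifetime_hours: int
    pre_shared_key: str
    # Phase 2: IPSec Crypto Profile
    esp_encryption: str
    esp_authentication: str
    pfs_dh_group: str
    ipsec_lifetime_hours: int


PHASE1_FIELDS: Tuple[str, ...] = (
    "ike_version", "ike_encryption", "ike_hash",
    "ike_dh_group", "ike_lifetime_hours", "pre_shared_key",
)
PHASE2_FIELDS: Tuple[str, ...] = (
    "esp_encryption", "esp_authentication", "pfs_dh_group", "ipsec_lifetime_hours",
)
SECRET_FIELDS = {"pre_shared_key"}  # report mismatch, never echo the value


def compare_peers(a: PeerConfig, b: PeerConfig) -> List[str]:
    """Return a list of human-readable mismatches; empty means the pair is consistent."""
    problems: List[str] = []

    # The peer address on one side must be the local address on the other.
    if a.peer_address != b.local_address:
        problems.append(
            f"addressing: {a.name} peer address {a.peer_address} "
            f"is not {b.name} local address {b.local_address}")
    if b.peer_address != a.local_address:
        problems.append(
            f"addressing: {b.name} peer address {b.peer_address} "
            f"is not {a.name} local address {a.local_address}")

    # Every phase 1 and phase 2 parameter must be identical on both peers.
    for phase, fields in (("phase1", PHASE1_FIELDS), ("phase2", PHASE2_FIELDS)):
        for field_name in fields:
            va, vb = getattr(a, field_name), getattr(b, field_name)
            if va == vb:
                continue
            if field_name in SECRET_FIELDS:
                problems.append(f"{phase} {field_name}: values differ (not shown)")
            else:
                problems.append(f"{phase} {field_name}: {a.name}={va!r} {b.name}={vb!r}")
    return problems


# Constructed sample: two sites that should negotiate successfully.
SITE_A = PeerConfig(
    name="fw-siteA", local_address="203.0.113.1", peer_address="198.51.100.1",
    ike_version="ikev2", ike_encryption="aes-256-cbc", ike_hash="sha256",
    ike_dh_group="group14", ike_lifetime_hours=8,
    pre_shared_key="PLACEHOLDER-PSK-CHANGE-ME",
    esp_encryption="aes-256-gcm", esp_authentication="none",
    pfs_dh_group="group14", ipsec_lifetime_hours=1,
)
# Site B is the mirror image: same profiles, local/peer addresses swapped.
SITE_B = replace(SITE_A, name="fw-siteB",
                 local_address="198.51.100.1", peer_address="203.0.113.1")
# A deliberately broken copy of site B: wrong hash and a typo in the peer address.
BROKEN_B = replace(SITE_B, ike_hash="sha1", peer_address="203.0.113.9")


if __name__ == "__main__":
    for label, peer in (("good pair", SITE_B), ("broken pair", BROKEN_B)):
        issues = compare_peers(SITE_A, peer)
        print(f"{label}: {'OK' if not issues else ''}")
        for issue in issues:
            print("  -", issue)
```

Run it against both pairs: the mirrored pair reports no issues, while the broken copy flags the phase 1 hash and the mistyped peer address, which are exactly the two classes of error that stop phase 1 from forming.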
A video version of this article is embedded below, and it is also available on my YouTube channel 😊.