
Global Leader in 4G LTE Network Solutions

805 W. Franklin Street Boise, ID 83702 | Toll Free: +1.855.813.3385 | Local: +1.208.424.5054 | Fax: +1.208.429.6852 | Cradlepoint.com 1

Cradlepoint to Paloalto VPN Example

Summary

This configuration covers an IPSec VPN tunnel setup between a Cradlepoint Series 3 router and a Paloalto firewall. IPSec is customizable on both the Cradlepoint and Paloalto platforms to fit a variety of network and security requirements; however, this configuration example addresses only the basic configuration and a VTI configuration (Firmware 5.4 or greater).

Standard IPSec VPN Topology


Configuration

Configuration Difficulty: Intermediate

Cradlepoint Configuration:

- Step 1: Log into the router's Setup Page. For help with logging in please click here.
- Step 2: Click on Internet and select VPN Tunnels from the drop-down menu.
- Step 3: Under VPN Tunnels click Add.
- Step 4: Enter a Tunnel Name.
- Step 5: Enter a Pre-Shared Key.
- Step 6: Set the Initiation Mode to your desired setting.
  o Note: On Demand will leave the tunnel idle until traffic bound for the other side of the tunnel is detected. Always On will keep the tunnel active whenever the WAN connection is active.
- Step 7: Click Next.


- Step 8: In the Local Networks section click Add and enter the LAN of the Cradlepoint you want to be available across the VPN tunnel.
- Step 9: Click Next.
- Step 10: Enter the WAN IP of the Paloalto in the Remote Gateway.
- Step 11: In the Remote Networks section click Add and enter the LAN of the Paloalto you want to be available across the VPN tunnel.
- Step 12: Click Next.


- Step 13: For IKE Phase 1 select AES 128 encryption, SHA1 hash and DH Group 2.
- Step 14: Click Next.
- Step 15: For IKE Phase 2 select AES encryption, SHA1 hash and DH Group 2.
- Step 16: Click Next.


- Step 17: For Dead Peer Detection leave the default settings.
- Step 18: Click Finish.
- Step 19: Verify all settings on the Tunnel Summary Screen.


- Step 20: Click Yes to submit your VPN tunnel.
- Step 21: Under VPN Tunnels click Enable VPN Service to start the VPN service on the router.


Paloalto Configuration:

Note: This configuration assumes you already have a Virtual Router set up for basic internet connectivity.

- Step 1: Log into the Paloalto management interface as admin.
- Step 2: Navigate to Network > Interfaces > Tunnel.

- Step 3: Click Add at the bottom of the page

- Step 4: Enter an unused number after the Interface Name

- Step 5: Enter the Virtual Router and the Security Zone (Recommended: trust) you plan to use.

- Step 6: Under the IPv4 tab Add the Paloalto’s tunnel IP address

- Step 7: Under the Advanced tab Select a Management Profile


  o If there isn’t one available you can click the link to create a new profile (Recommended at a minimum: Ping and all forms of HTTP).

- Step 8: From the left hand menu select Virtual Routers and select the name of the Virtual Router being used

- Step 9: Choose Static Routes from the left hand menu and click Add at the bottom of the page

- Step 10: Set the Name for the static route

- Step 11: Set the Destination to the LAN address range of the Cradlepoint

- Step 12: Set the Next Hop to None

- Step 13: Click OK at the bottom of the window and check that the routes are correct.
- Step 14: Click OK on the Virtual Router window.

- Step 15: From the left, select IKE Crypto under Network Profiles and click Add at the bottom of the page

- Step 16: Add the DH Group as group 2

- Step 17: Add the Authentication Algorithm as sha1


- Step 18: Add the Encryption Algorithm as aes128

- Step 19: Click OK

- Step 20: From the left, select IPSec Crypto under Network Profiles and click Add at the bottom of the page

- Step 21: For the IPSec Protocol select ESP

- Step 22: Follow steps 16 to 19 above.

- Step 23: From the left, select IKE Gateways under Network Profiles and click Add at the bottom of the page

- Step 24: Enter a Name and set the Interface to the physical external interface (with the public IP assigned to it)

- Step 25: Set the Peer IP Type to Static and the Peer IP Address to the remote IP of the Cradlepoint

- Step 26: Set the Authentication to Pre-Shared Key and set the Pre-shared Key with the password for the tunnel

- Step 27: Confirm it in the Confirm Pre-shared Key


- Step 28: Select the Advanced Phase 1 Options from the tabs at the top of the window

- Step 29: Set the Exchange Mode to main and the IKE crypto profile to the previously created profile

- Step 30: Optional: ensure Dead Peer Detection is enabled and select OK

- Step 31: From the left, select IPSec Tunnels and click Add at the bottom of the page

- Step 21: Fill in a Name and set the Tunnel Interface to the interface originally created

- Step 32: Leave the Type as Auto Key

- Step 33: Set the IKE Gateway and IPSec Crypto Profile to the previously configured gateway and profile


- Step 34: Click the Proxy IDs tab at the top of the window and click Add at the bottom of the window

- Step 35: Enter a name in the Proxy ID field

- Step 36: In Local enter the Paloalto’s LAN network.

- Step 37: In Remote enter the Cradlepoint’s LAN network.

- Step 38: Leave Protocol as Any and click OK for both popup windows

- Step 39: Click Commit at the top right of the page to save the settings and commit it to the Paloalto

- Step 40: After a few minutes the Status lights on the tunnel should go green

- Step 42: Also check on the Cradlepoint under Status > VPN Tunnels


VTI VPN Topology

VTI VPN Configuration

Configuration Difficulty: Intermediate

Note: This requires at least firmware version 5.4 on the Cradlepoint.

Cradlepoint Configuration:

- Step 1: Log into the router's Setup Page. For help with logging in please click here.
- Step 2: Click on Internet and select VPN Tunnels from the drop-down menu.
- Step 3: Under VPN Tunnels click Add.
- Step 4: Enter a Tunnel Name.
- Step 5: Enter a Pre-Shared Key.
- Step 6: Set the Mode to “VTI Tunnel”.
- Step 7: Set the Initiation Mode to your desired setting.
  o Note: On Demand will leave the tunnel idle until traffic bound for the other side of the tunnel is detected. Always On will keep the tunnel active whenever the WAN connection is active.
- Step 8: Click Next.


- Step 9: In the Local VTI Configuration section enter the Local virtual address and Local subnet with the tunnel network of the Cradlepoint you want to use.
- Step 10: Click Next.
- Step 11: Enter the WAN IP of the Paloalto in the Remote Gateway.
- Step 12: Enter the Paloalto’s VPN tunnel endpoint in the Remote virtual address.
- Step 13: In the Remote Networks section click Add and enter the LAN of the Paloalto you want to be available across the VPN tunnel.
- Step 14: Click Next.


- Step 15: For IKE Phase 1 select AES 128 encryption, SHA1 hash and DH Group 2.
- Step 16: Click Next.
- Step 17: For IKE Phase 2 select AES 128 encryption, SHA1 hash and DH Group 2.
- Step 18: Click Next.


- Step 19: For Dead Peer Detection leave the default settings.
- Step 20: Click Finish.
- Step 21: Verify all settings on the Tunnel Summary Screen.
- Step 22: Click Yes to submit your VPN tunnel.


- Step 23: Under VPN Tunnels click Enable VPN Service to start the VPN service on the router.
- Step 24: Go to Network Settings > Firewall / QoS and select Zone Firewall.
- Step 25: Click Add under Zones and fill in a name for the new Zone.
- Step 26: Click Add to create a new Interface and set the VTI Config Name.
- Step 27: Click Submit.
- Step 28: Go to the Forwardings section and Add forwarding rules as needed.
  o Note the example below.


Paloalto Configuration:

- Step 1: Follow the Paloalto configuration for a standard IPSec VPN tunnel found above.
- Step 2: Under the Virtual Routers select the virtual router being used and select Static Routes from the left.
- Step 4: Edit the static route for the VPN tunnel by clicking the configured name (destination of Cradlepoint’s LAN).
- Step 5: Change the Next Hop to IP Address, fill in the Cradlepoint’s tunnel interface address in the box and select OK.
- Step 7: Under IPSec Tunnels, edit the tunnel created.
- Step 8: Click on the Proxy IDs tab at the top and delete the Proxy ID that is configured.
- Step 9: Click OK.
- Step 10: After a few minutes the Status lights on the tunnel should go green.
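Most tunnels that fail to come up after the standard or the VTI procedure above do so because the two sides were entered inconsistently: proposals that differ, a proxy ID that was not mirrored, or (for VTI) a static route next hop that is not the Cradlepoint's tunnel address. The following pre-commit checker is an added example, not code from Cradlepoint or Palo Alto; it models each side as entered in the two guides and reports the mismatches, and the dataclasses, field names and the addresses used in comments are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field, replace
@dataclass
class Proposal:
    """One IKE phase as the guide sets it: encryption, hash, DH group."""
    enc: str
    auth: str
    dh: int
@dataclass
class Side:
    """What one peer (Cradlepoint or Paloalto) has been configured with."""
    wan_ip: str
    peer_ip: str          # the Remote Gateway / Peer IP Address entered on this side
    psk: str
    phase1: Proposal
    phase2: Proposal
    proxy_ids: list = field(default_factory=list)  # (local, remote) network pairs
    tunnel_ip: str = ""   # VTI only: own tunnel address with prefix, e.g. 10.255.0.1/30
    tunnel_peer: str = "" # VTI only: peer tunnel address (PA next hop / CP remote virtual)

def check_policy_tunnel(cp: Side, pa: Side) -> list:
    """Problems that keep the standard (proxy-ID) tunnel from negotiating."""
    errs = []
    if cp.peer_ip != pa.wan_ip or pa.peer_ip != cp.wan_ip:
        errs.append("remote gateway / peer IP do not point at each other")
    if cp.psk != pa.psk:
        errs.append("pre-shared keys differ")
    if cp.phase1 != pa.phase1:
        errs.append("IKE phase 1 proposals differ")
    if cp.phase2 != pa.phase2:
        errs.append("IPsec phase 2 proposals differ")
    # Paloalto's (local, remote) proxy ID must appear on the Cradlepoint with sides swapped.
    if set(cp.proxy_ids) != {(r, l) for l, r in pa.proxy_ids}:
        errs.append("proxy IDs are not mirrored")
    return errs

def check_vti_tunnel(cp: Side, pa: Side) -> list:
    """VTI variant: routing over the tunnel subnet replaces the proxy ID."""
    errs = check_policy_tunnel(replace(cp, proxy_ids=[]), replace(pa, proxy_ids=[]))
    if pa.proxy_ids:
        errs.append("Paloalto still has a proxy ID; the VTI steps delete it")
    cp_if, pa_if = ipaddress.ip_interface(cp.tunnel_ip), ipaddress.ip_interface(pa.tunnel_ip)
    if cp_if.network != pa_if.network:
        errs.append("tunnel addresses are not in the same subnet")
    if pa.tunnel_peer != str(cp_if.ip):
        errs.append("Paloalto static route next hop is not the Cradlepoint tunnel address")
    if cp.tunnel_peer != str(pa_if.ip):
        errs.append("Cradlepoint remote virtual address is not the Paloalto tunnel IP")
    return errs
```

Run the checks against what was typed into both GUIs before committing; an empty list means the two sides agree on everything the guides ask you to enter.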