Site-to-Site VPNs EDU-210 PAN-OS® 8.0 Courseware Version A

Source: training.networkexpert.ca/wp-content/uploads/2018/05/... (2020. 10. 9.)


  • Site-to-Site VPNs

    EDU-210

    PAN-OS® 8.0

    Courseware Version A

  • 2 | ©2017, Palo Alto Networks, Inc.

    Agenda

    Site-to-site VPN

    Configuring site-to-site tunnels

    IPsec troubleshooting

  • 3 | Site-to-Site VPN

  • 4 | Site-to-Site Overview

    PAN-OS® software implements route-based IPsec VPNs.

    The tunnel is represented by a logical tunnel interface.

    The tunnel interface is placed within a zone, so traffic entering or leaving the tunnel is subject to security policy like any other zone-to-zone traffic.

    The routing table chooses the tunnel: a route whose egress interface is the tunnel interface sends matching traffic into the IPsec tunnel. No crypto ACL selects the traffic, so if the route is missing the traffic never enters the tunnel.

    Multiple versions of Internet Key Exchange (IKE) are supported:
    • IKEv1
    • IKEv2

  • 5 | IKE Phase 1

    IKE Phase 1 authenticates the endpoints of the VPN and negotiates the IKE security association that protects Phase 2.

    IKE Phase 1 uses peer IDs to identify the devices:
    • For devices with known addresses, the peer ID usually is the IP address.
    • A peer ID also can be a domain name (FQDN) or another string; this is the usual choice when the peer's address is dynamic.

    Three exchange settings (modes) for IKEv1: Aggressive, Main, Auto. Main mode protects the peer identities; Aggressive mode sends them in the clear and, with a pre-shared key, exposes a hash that can be guessed offline, so prefer Main mode (or IKEv2) unless the peer requires Aggressive.

    Figure: Key Exchange between Peer 24.1.1.12 and Peer 161.10.12.34

  • 6 | IKE Phase 2

    IKE Phase 2 negotiates the IPsec security association (SA) that protects the data. Each side of the tunnel has a proxy ID to identify traffic:
    • Support for multiple proxy IDs (each proxy ID pair produces its own Phase 2 SA)

    Networks are identified by proxy ID and can be either:
    • Masked network (e.g., 10.2.0.0/24)
    • Any network (0.0.0.0/0)

    Figure: LAN 1 192.168.10.0/24 and LAN 2 10.2.0.0/24 joined by the tunnel

  • 7 | Route-Based Site-to-Site VPN

    Figure: 192.168.10.0/24 sits behind Ethernet 1/3 (24.1.1.12); 10.2.0.0/24 sits behind Ethernet 1/8 (161.10.12.64). The IPsec tunnel between them is represented by Tunnel.1, and the routing table entry "10.2.0.0/24 > Tunnel.1" steers traffic for the remote LAN into it.

  • 8 | VPN Tunnel Component Interaction

    Figure: on each firewall (Site 1 and Site 2) the physical connection (an Ethernet port in a zone, owned by a virtual router) carries the encrypted tunnel to the other site. Phase 1 objects: IKE Crypto Profile -> IKE Gateway. Phase 2 objects: IPSec Crypto Profile -> Tunnel, with the tunnel interface placed in its own zone.

    1. Configure phase 1 objects
    2. Configure phase 2 objects
    3. Configure routing and security rules

  • 9 | Configuring Site-to-Site Tunnels

  • 10 | Phase 1 Object: IKE Gateway – General

    Network > Network Profiles > IKE Gateways

  • 11 | Phase 1 Object: IKE Gateway – Advanced Options

    Network > Network Profiles > IKE Gateways > Advanced Options

    When in passive mode, the firewall will not initiate the IKE negotiation; it only responds to the peer. This is the normal setting on the side with the fixed address when the peer's address is dynamic and cannot be dialed.

  • 12 | Phase 1 Object: IKE Cryptographic Profiles

    Network > Network Profiles > IKE Crypto

    Asymmetric key exchange: DH Group 1, 2, 5, 14. (The no-pfs choice belongs to the IPSec Crypto Profile: it reuses the Phase 1 key material instead of running a fresh Diffie-Hellman exchange for Phase 2.) Groups 1 and 2 (768- and 1024-bit MODP) are too weak for current use; choose group 14 or higher on both peers.

  • 13 | Phase 2 Object: IPsec Cryptographic Profiles

    Network > Network Profiles > IPSec Crypto

  • 14 | VPN Tunnel Interface

    Network > Interfaces > Tunnel Tab

    Tunnel identifier (for example, tunnel.1)

    Add the interface to a VR and a zone, as with any Layer 3 interface.

    An IP address is needed only if a dynamic routing protocol or the tunnel monitor is enabled.

  • 15 | Phase 2 Object: IPsec Tunnel

    Network > IPSec Tunnel

    Phase 2 proposal: the IKE Gateway and IPSec Crypto Profile selected here.

    Tunnel Monitor: confirms route validity (only if the tunnel interface has been configured with an IP address).

    "Show Advanced Options" must be checked to be able to see the advanced options.

  • 16 | Phase 2 Object: IPsec Tunnel (Cont.)

    Network > IPSec Tunnel > Proxy IDs

    Override the default Proxy ID (0.0.0.0/0 local and remote). The proxy IDs must mirror the peer's: this side's Local must equal the peer's Remote and vice versa. This matters most when the peer is a policy-based VPN device whose crypto ACL defines the networks.

  • 17 | Static Route for VPN

    Network > Virtual Routers > Add > Static Routes > IPv4

    The static route to the remote network uses the tunnel interface as its egress interface.

    A next hop is not required (set it to None): the tunnel interface itself identifies the path.
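    The steps on slides 10 through 17 form one chain: IKE Crypto Profile -> IKE Gateway -> IPSec Crypto Profile -> IPsec Tunnel -> tunnel interface (zone, virtual router) -> static route. The Python below is an added example, not code from the Palo Alto Networks courseware or from PAN-OS. It models those objects, runs the checks a reviewer makes before commit (tunnel interface outside a zone or VR, tunnel monitor without an IP address, no route into the tunnel, weak DH group or no-pfs) and resolves a destination through the routing table to show that the route, not a policy, selects the tunnel. Object names, the default-route next hop 24.1.1.1 and interface ethernet1/2 are assumptions; treating DH groups below group14 as weak is a design choice, not a PAN-OS rule.

```python
# Added example, not code from the Palo Alto Networks courseware or from PAN-OS.
# It models the objects the slides configure and checks the chain a reviewer
# checks before commit. Names, the default next hop 24.1.1.1 and ethernet1/2
# are assumptions; treating DH groups below group14 as weak is a design choice.
import ipaddress
from dataclasses import dataclass
from typing import Optional

WEAK_DH = {"group1", "group2", "group5"}  # assumption: MODP below 2048 bits

@dataclass
class CryptoProfile:      # IKE Crypto (Phase 1) or IPSec Crypto (Phase 2)
    name: str
    dh_group: str         # IPSec profiles may also be "no-pfs"

@dataclass
class IkeGateway:         # Phase 1: peer address plus IKE crypto profile
    name: str
    peer_address: str
    ike_crypto: str

@dataclass
class TunnelInterface:    # Network > Interfaces > Tunnel
    name: str
    zone: Optional[str]
    virtual_router: Optional[str]
    ip: Optional[str] = None
    tunnel_monitor: bool = False

@dataclass
class IpsecTunnel:        # Phase 2: Network > IPSec Tunnels
    name: str
    gateway: str
    ipsec_crypto: str
    tunnel_interface: str
    proxy_ids: list       # (local, remote) pairs

@dataclass
class StaticRoute:        # Virtual Router > Static Routes; tunnels need no next hop
    destination: str
    interface: str
    next_hop: Optional[str] = None

def lint(fw):
    """Walk Phase 1 -> Phase 2 -> tunnel interface -> route; return findings.
    fw is a dict: ike_cryptos, ipsec_cryptos, gateways, tunnel_ifaces, tunnels
    (all keyed by name), routes (list) and l3_zones (physical interface -> zone)."""
    out = []
    for t in fw["tunnels"].values():
        gw = fw["gateways"].get(t.gateway)
        ike = fw["ike_cryptos"].get(gw.ike_crypto) if gw else None
        if ike is None:
            out.append(f"{t.name}: IKE gateway or its IKE crypto profile is missing")
        elif ike.dh_group in WEAK_DH:
            out.append(f"{ike.name}: Phase 1 DH {ike.dh_group} is weak, use group14+")
        ipsec = fw["ipsec_cryptos"].get(t.ipsec_crypto)
        if ipsec is None:
            out.append(f"{t.name}: IPsec crypto profile {t.ipsec_crypto} is missing")
        elif ipsec.dh_group == "no-pfs" or ipsec.dh_group in WEAK_DH:
            out.append(f"{ipsec.name}: Phase 2 DH {ipsec.dh_group} gives no or weak PFS")
        ti = fw["tunnel_ifaces"].get(t.tunnel_interface)
        if ti is None:
            out.append(f"{t.name}: tunnel interface {t.tunnel_interface} does not exist")
        else:
            if ti.zone is None or ti.virtual_router is None:
                out.append(f"{ti.name}: must be in a zone and a virtual router")
            if ti.tunnel_monitor and ti.ip is None:
                out.append(f"{ti.name}: tunnel monitor needs an IP on the interface")
        if not any(r.interface == t.tunnel_interface for r in fw["routes"]):
            out.append(f"{t.name}: no route uses {t.tunnel_interface}, nothing enters it")
    return out

def egress(fw, dst):
    """Longest-prefix match: the (interface, zone) the virtual router sends dst to."""
    addr, best = ipaddress.ip_address(dst), None
    for r in fw["routes"]:
        net = ipaddress.ip_network(r.destination)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, r.interface)
    if best is None:
        return None
    iface = best[1]
    ti = fw["tunnel_ifaces"].get(iface)
    return iface, (ti.zone if ti else fw["l3_zones"][iface])

def site1(hardened=True, with_route=True):
    """Site 1 from the slides: 192.168.10.0/24 behind ethernet1/3, peer 161.10.12.64."""
    ike = CryptoProfile("IKE-P1", "group14" if hardened else "group2")
    ipsec = CryptoProfile("IPSEC-P2", "group14" if hardened else "no-pfs")
    gw = IkeGateway("GW-Site2", "161.10.12.64", ike.name)
    ti = TunnelInterface("tunnel.1", zone="vpn", virtual_router="default")
    tun = IpsecTunnel("VPN-Site2", gw.name, ipsec.name, ti.name,
                      proxy_ids=[("192.168.10.0/24", "10.2.0.0/24")])
    routes = [StaticRoute("0.0.0.0/0", "ethernet1/3", next_hop="24.1.1.1")]
    if with_route:
        routes.append(StaticRoute("10.2.0.0/24", "tunnel.1"))  # interface only
    return {"ike_cryptos": {ike.name: ike}, "ipsec_cryptos": {ipsec.name: ipsec},
            "gateways": {gw.name: gw}, "tunnel_ifaces": {ti.name: ti},
            "tunnels": {tun.name: tun}, "routes": routes,
            "l3_zones": {"ethernet1/3": "untrust", "ethernet1/2": "trust"}}
```

    With the hardened configuration lint(site1()) returns no findings and egress(site1(), "10.2.0.7") answers ("tunnel.1", "vpn"). Call site1(with_route=False) and the same packet resolves to ("ethernet1/3", "untrust"): the tunnel may be up, but without the route the traffic follows the default route and never enters it, which is how a missing Phase 3 step shows up in practice. site1(hardened=False) adds the group2 and no-pfs findings for contrast.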

  • 18 | IPsec Tunnel Status – Check Connectivity

    Network > IPSec Tunnels

  • 19 | IPsec Troubleshooting

  • 20 | IPsec Tunnel Status – Check Connectivity

    Network > IPSec Tunnels

    Investigate the following links:
    • Tunnel Info
    • IKE Info
    • Show Routes

  • 21 | VPN Error Messages

    Issue                      Initiator Error      Responder Error
    Wrong IP / no connection   P1 - Timeout         P1 - Timeout
    No matching P1 proposal    P1 - Timeout         No suitable proposal (P1)
    Mismatched peer ID         P1 - Timeout         Peer identifier does not match
    No matching P2 proposal    No proposal chosen   No suitable proposal (P2)
    PFS group mismatch         P2 - Timeout         PFS group mismatch
    Mismatched proxy ID        P2 - Timeout         Cannot find matching phase-2 tunnel

    The initiator usually sees only a timeout; the responder's System log names the cause, so read the log on the responding side first.

  • 22 | Reading VPN Error Messages (System Log)

    peer identifier (type fqdn [bad.peer]) does not match remote Remote2.

    Here Remote2 is the name of the local Phase 1 IKE Gateway object, and fqdn bad.peer is the remote side's Phase 1 peer (Local Identification) configuration as received.

    IKE phase-2 negotiation failed when processing proxy ID. cannot find matching phase-2 tunnel for received proxy ID. received local id: 192.168.41.1/24 type IPv4_subnet protocol 0 port 0, received remote id: 192.168.42.1/24 type IPv4_subnet protocol 0 port 0.

    The "received local id" is the "Remote Proxy ID" from the other side; the "received remote id" is the "Local Proxy ID" from the other side. They must match this firewall's Local and Remote Proxy IDs respectively.
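    To put the error table and these two messages to work, here is an added Python example (not PAN-OS code) that classifies System log message text and, for the proxy ID case, compares the received IDs with the proxy IDs configured on this firewall after normalizing them (the log prints 192.168.41.1/24 exactly as the peer configured it, host bits included). The first two messages are the ones quoted on this slide; the other two sample messages and the configured proxy IDs are constructed, and their exact wording is an assumption.

```python
# Added example, not PAN-OS code: map PAN-OS System log text to the failure table
# and, for a proxy ID failure, compare the received IDs with this firewall's
# configured proxy IDs. The first two messages are the ones quoted on the slide;
# the other two are constructed here and their exact wording is an assumption.
import ipaddress
import re

SAMPLE_LOG = [
    "peer identifier (type fqdn [bad.peer]) does not match remote Remote2.",
    "IKE phase-2 negotiation failed when processing proxy ID. cannot find matching "
    "phase-2 tunnel for received proxy ID. received local id: 192.168.41.1/24 type "
    "IPv4_subnet protocol 0 port 0, received remote id: 192.168.42.1/24 type "
    "IPv4_subnet protocol 0 port 0.",
    "IKE phase-1 negotiation failed. no suitable proposal found.",   # constructed
    "IKE phase-1 negotiation failed due to timeout.",                  # constructed
]

PEER_ID_RE = re.compile(r"peer identifier \(type (\w+) \[([^\]]+)\]\) does not match remote (\S+?)\.")
PROXY_RE = re.compile(r"received local id: (\S+) type \S+ protocol (\d+) port (\d+), "
                      r"received remote id: (\S+) type \S+ protocol (\d+) port (\d+)")
# Generic phrases from the error table. On the initiator a bare timeout is all
# you get, so the real cause has to be read on the responder.
GENERIC = [
    (re.compile(r"no suitable proposal", re.I), "No matching proposal (check P1/P2 crypto profiles)"),
    (re.compile(r"no proposal chosen", re.I), "No matching P2 proposal"),
    (re.compile(r"PFS group mismatch", re.I), "PFS group mismatch"),
    (re.compile(r"timeout", re.I), "Timeout: wrong peer IP, no connectivity, or a P1 mismatch logged on the responder"),
]

def net(s):
    """Normalize a proxy ID; the log prints it as configured, host bits included."""
    return ipaddress.ip_network(s, strict=False)

def triage(msg, configured_proxy_ids):
    """Classify one System log message. configured_proxy_ids: this firewall's
    (local, remote) proxy ID pairs for the tunnel the peer is trying to bring up."""
    m = PEER_ID_RE.search(msg)
    if m:
        id_type, peer_id, gateway = m.groups()
        return {"issue": "Mismatched peer ID", "phase": 1,
                "details": {"received_peer_id": f"{id_type} {peer_id}", "local_gateway": gateway},
                "fix": f"On IKE gateway {gateway} set Peer Identification to {id_type} {peer_id}, "
                       f"or fix Local Identification on the peer"}
    m = PROXY_RE.search(msg)
    if m:
        recv_local, recv_remote = net(m.group(1)), net(m.group(4))
        pairs = [(net(l), net(r)) for l, r in configured_proxy_ids]
        if (recv_local, recv_remote) in pairs:
            fix = "Proxy ID networks already mirror the peer; compare protocol/port and which tunnel the gateway is bound to"
        elif (recv_remote, recv_local) in pairs:
            fix = "Proxy IDs are reversed: one side has local and remote swapped"
        else:
            fix = f"Add proxy ID local={recv_local} remote={recv_remote} to this tunnel, or correct the peer"
        return {"issue": "Mismatched proxy ID", "phase": 2,
                "details": {"received_local": str(recv_local), "received_remote": str(recv_remote),
                            "protocol": m.group(2), "port": m.group(3)},
                "fix": fix}
    for rx, issue in GENERIC:
        if rx.search(msg):
            return {"issue": issue, "phase": None, "details": {}, "fix": None}
    return {"issue": "Unknown", "phase": None, "details": {}, "fix": None}

if __name__ == "__main__":
    ours = [("192.168.42.0/24", "192.168.41.0/24")]   # constructed: our side is reversed
    for line in SAMPLE_LOG:
        result = triage(line, ours)
        print(result["issue"], "-", result["fix"])
```

    Run against the slide's Phase 2 message with our proxy ID configured as local 192.168.42.0/24, remote 192.168.41.0/24, triage() reports the pair as reversed, which is the most common cause of "cannot find matching phase-2 tunnel" between two firewalls that were each configured from their own point of view.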

  • 23 | Questions?

  • 24 | Site-to-Site VPN Lab (Pages 120-124 in the Lab Guide)

    Create a Site-to-Site VPN Tunnel

    Assign the Tunnel to a VPN Zone

    Create a Security Policy Rule to Allow Traffic from the Partner's Trust Network

    Ping to Activate VPN

  • Secures the Network