
How to Configure an IPSec VPN

This procedure assumes the Palo Alto firewall has at least two interfaces operating in Layer3 mode, with IP addresses assigned, and routes added to a virtual router. The other end of the VPN tunnel can be any vendor's firewall: Juniper, Cisco, Checkpoint, etc.

Part 1: Configure tunnel endpoint on the PAN device


1. Go to the Network tab -> Interfaces screen. Create a new tunnel interface. Assign the following parameters:

   Name: tunnel.1
   Virtual router: (select the existing virtual router)
   Zone: (select the layer 3 internal zone from which the traffic will originate)

   Note: If you put the tunnel interface in a zone that is different from the zone that the traffic will originate/depart, then you will need to create a policy to allow the traffic to flow from the source zone to the zone containing the tunnel interface.

   Shown below is an example tunnel interface, tunnel.1:

2. Go to Network tab -> Network Profiles -> IKE Gateways screen. You will configure the IKE phase 1 gateway on this screen. Click New, and enter the following parameters:

   IKE gateway: gw-to-siteX (or any name of your choosing)
   Local IP address: (select the firewall interface that is closest to the other VPN endpoint. This is called the public interface of the firewall.)
   Peer IP address: (enter the IP address of the public interface on the other VPN endpoint)
   Pre-shared key: (enter a key of your choosing, and remember it so you can enter it in the other firewall's VPN configuration)

PANOS 2.1.3

Here is an example of an IKE gateway configuration:

3. To configure the IKE phase 2 VPN, go to Network tab -> IPSec Tunnels screen. Create a new VPN with the following parameters:

   Name: vpn-to-siteX (or any name of your choosing)
   Tunnel interface: (pull down to select tunnel.1)
   IKE gateway: (pull down to select the IKE gateway you created in the previous step)

   If the other side of the tunnel is configured as a policy-based VPN, then:

   Click Show advanced options
   Enter the local proxy ID and remote proxy ID to match the other side (refer to Appendix A for a network diagram).

   Once you click OK, the IPSec tunnel will appear in the list, with the status circles colored red to indicate the tunnel is down. Here is an example:


4. Go to Network tab -> Virtual Routers screen. Edit your existing virtual router. Add a new route for the network that is behind the other VPN endpoint. For interface, select tunnel.1. There is no need to enter a value for next hop. Click Add to add the static route.

5. Commit the configuration.

Part 2: Configure the tunnel on the other firewall


6. Configure the other end of the tunnel for a route-based VPN. By default, the Palo Alto device uses 3des/aes128 with sha1, PFS with DH group 2. (Note: If you want to change the PAN settings for IKE phase 1 or phase 2, go to Network -> Network Profiles and edit either IKE Crypto -> default for phase 1 proposals or IPSec Crypto -> default for phase 2 proposals.)

Part 3: Testing the VPN


7. Ping from a device on the far network, through the VPN, to a target PC on the local network protected by the PAN firewall. The first ping will fail, but the rest should be successful. Examine the system log on the PAN firewall, either via:

   Monitor tab -> Logs -> System, or

   show log system subtype equal vpn direction equal backward

You want to see messages that look like the following; this is a successful VPN startup:


If either IKE phase 1 or phase 2 does not complete successfully, refer to Appendix B: Troubleshooting IPSec VPNs.

Part 4: Confirmation


8. When the tunnel is up, the Network tab -> IPSec Tunnels page should show the phase 1 and 2 status in green. The two status indicators show whether IKE phase 1 is up or down and whether IKE phase 2 is up or down:

9. You can use the following command to verify that the tunnel is active:


10. To confirm that the data truly is going over the tunnel, run:

   show vpn flow tunnel-id ____ (enter the id from the step above)

   At the bottom of the results you will see a count of encrypted and decrypted packets and bytes in the tunnel. This value will change as you send more data over the tunnel.

11. To view details on the active IKE phase 1 SAs:

   show vpn ike-sa gateway <gw_name>

12. To view details on the active IKE phase 2 SAs:

   show vpn ipsec-sa tunnel <vpn_name>


Part 5: Configuring Tunnel Monitor (Optional)


VPN monitor sends a heartbeat (ICMP messages) over the VPN to determine if it is up or down. It can be enabled on either or both sides of the VPN. To enable tunnel monitoring, you must 1) configure the tunnel interface with an IP address, and 2) enable tunnel monitoring on the phase 2 configuration.

13. Go to Network tab -> Interfaces screen. Edit the tunnel interface. Assign an IP address to the tunnel interface that is appropriate for the zone that the tunnel is in.

14. Go to the Network tab -> IPSec Tunnels screen. Edit the VPN, and click show advanced options. At the bottom of the screen, look for the Tunnel Monitor configuration:

15. In that portion of the screen, do the following:

   Check the box to enable tunnel monitoring.
   For destination IP, enter an IP address of a machine on the other side of the tunnel. This should be an internal (private) IP address. This is the machine that will answer the ICMP echo request.
   Either use the default profile (shown below), or create a new profile.


   Action: choose one of the following:
      wait-recover - if the remote IP is not reachable, the firewall will continuously send ICMP messages over the tunnel in an attempt to bring the VPN back up.
      fail-over - traffic will fail over to a backup path, if one is available.
      Note: in either case, the phase 1 & 2 SAs are not torn down by the tunnel monitor feature.

   Interval: how often to send an ICMP echo request over the tunnel
   Threshold: after this number of missed ICMP replies, the VPN will be declared down

16. Once the configuration change is committed, the tunnel will come up.

17. Now that tunnel monitoring is enabled, if the IP on the remote side is not reachable, you will get this error message in your system log:

Once the problem is fixed, this message will appear in the system log:
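The interaction between Interval, Threshold and Action in Part 5 is easier to see with a small model. The following is an added example written for this document, not PAN-OS code and not part of the original: it simulates a monitor that sends one ICMP probe per interval, declares the tunnel down after the threshold of consecutive missed replies, and applies either wait-recover or fail-over. The probe outcomes are a constructed list, the event labels are the example's own (not PAN-OS log messages), and the fail-back to tunnel.1 on recovery is an assumption.

```python
"""Simulation of the tunnel-monitor semantics described in Part 5.

Added example, not PAN-OS code. The monitor sends one ICMP echo request
every `interval` seconds to the destination IP behind the far end,
declares the tunnel down after `threshold` consecutive missed replies,
and then applies the configured action: "wait-recover" keeps probing
until the remote IP answers again; "fail-over" additionally moves traffic
to a backup path when one is configured. In both cases the phase 1/2 SAs
are left alone, as the document states. Probe outcomes are a constructed
list rather than real ICMP traffic, the event labels are this example's
own rather than PAN-OS log messages, and the fail-back to tunnel.1 on
recovery is an assumption.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class TunnelMonitor:
    interval: int                        # seconds between ICMP echo requests
    threshold: int                       # missed replies before the VPN is declared down
    action: str = "wait-recover"         # "wait-recover" or "fail-over"
    backup_path: Optional[str] = None    # only used by "fail-over"
    destination_ip: str = "192.168.1.9"  # PC B from the Appendix A diagram
    state: str = "up"
    active_path: str = "tunnel.1"
    misses: int = 0
    probes_sent: int = 0
    events: List[Tuple[int, str, str]] = field(default_factory=list)

    def detection_time(self) -> int:
        """Seconds of lost replies before the tunnel is declared down."""
        return self.interval * self.threshold

    def probe(self, now: int, replied: bool) -> None:
        """Record the outcome of one echo request sent at time `now`."""
        self.probes_sent += 1
        if replied:
            self.misses = 0
            if self.state == "down":
                self.state = "up"
                self.active_path = "tunnel.1"   # assumed fail-back on recovery
                self.events.append((now, "up", self.active_path))
            return
        self.misses += 1
        if self.state == "up" and self.misses >= self.threshold:
            self.state = "down"
            if self.action == "fail-over" and self.backup_path:
                self.active_path = self.backup_path
            # wait-recover: keep probing over tunnel.1 until replies resume
            self.events.append((now, "down", self.active_path))


def simulate(monitor: TunnelMonitor, replies: List[bool]) -> List[Tuple[int, str, str]]:
    """Feed probe outcomes (True = echo reply received), one interval apart,
    and return the state transitions as (seconds, state, path in use)."""
    for n, replied in enumerate(replies, start=1):
        monitor.probe(n * monitor.interval, replied)
    return monitor.events


if __name__ == "__main__":
    # Constructed outage: two good probes, five lost, then recovery.
    mon = TunnelMonitor(interval=3, threshold=5, action="fail-over", backup_path="backup-route")
    print(simulate(mon, [True, True] + [False] * 5 + [True]))
    print("worst-case detection time:", mon.detection_time(), "seconds")
```

With an interval of 3 seconds and a threshold of 5, an outage is only declared 15 seconds after the first lost reply; tuning those two values trades detection speed against false alarms on a lossy link.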


Part 6: Configuring Proposals (Optional)


The default proposals on the PAN firewall are:

   Phase 1: Diffie-Hellman group 2, sha1, aes128 or 3des
   Phase 2: PFS enabled with DH group 2, sha1, ESP with aes128 or 3des

If these proposals will not work for the other firewall, you can configure different proposals as follows:

18. To configure phase 1 proposals, go to Network tab -> Network Profiles -> IKE Crypto screen. Click New. Give the profile a name (no spaces allowed). Put a checkmark next to all the algorithms that you want the PAN firewall to be able to use. Here is an example profile that will use DH group 2, either md5 or sha1, and either aes128 or aes256:

19. Assign that profile by going to Network tab -> Network Profiles -> IKE Gateways screen. Edit your existing phase 1 configuration. Click on Show advanced Phase1 options. In the IKE Crypto Profile pulldown menu, select the profile you just created:


20. To configure phase 2 proposals, go to Network tab -> Network Profiles -> IPSec Crypto screen. Click New. Give the profile a name (no spaces allowed), and put a checkmark next to all the algorithms that you want the PAN firewall to be able to use. If you do NOT want to enable Perfect Forward Secrecy (PFS), go to DH Group pulldown, and select no-pfs.

21. To use this new profile, go to Network tab -> IPSec Tunnels screen. Edit your existing tunnel configuration. Click on Show advanced options. In the IPSec Crypto Profile pulldown menu, select the profile you just created:

22. Once you commit the configuration, the new proposals will be used for this tunnel.
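Part 6 comes down to a set comparison: each checkmark in an IKE Crypto or IPSec Crypto profile is an algorithm the side will accept, and a phase completes only if every category has at least one value in common. The script below is an added example written for this document, not PAN-OS code: it models the PAN defaults quoted above as sets, compares them with a peer profile, and reports the exact category that fails, including the PFS-versus-no-pfs case that Appendix C reports as a pfs group mismatch. The peer profiles and the selection preference are constructed for the example.

```python
"""Proposal negotiation check for the IKE Crypto (phase 1) and IPSec Crypto
(phase 2) profiles described in Part 6.

Added example, not PAN-OS code. Each profile is modelled as a dict from an
algorithm category to the set of algorithms that side is willing to use
(the checkmarks in the profile). Negotiation succeeds only when every
category has at least one common choice. For phase 2 the "pfs" category
holds either a DH group or "no-pfs", so a PFS-on/PFS-off mismatch and a
DH group mismatch are caught in the same way. The peer profiles and the
selection preference are constructed for this example.
"""

# The PAN firewall defaults quoted in Part 6.
PAN_DEFAULT_IKE_CRYPTO = {
    "dh_group": {"group2"},
    "hash": {"sha1"},
    "encryption": {"aes128", "3des"},
}
PAN_DEFAULT_IPSEC_CRYPTO = {
    "pfs": {"group2"},
    "hash": {"sha1"},
    "encryption": {"aes128", "3des"},
}

# Used only to pick one algorithm when several are common; an assumption of
# this example, not the order PAN-OS or the peer would actually apply.
PREFERENCE = ["aes256", "aes128", "3des", "sha1", "md5",
              "group14", "group5", "group2", "group1", "no-pfs"]


def pick(common):
    """Choose the most preferred algorithm from a non-empty set."""
    return min(common, key=lambda alg: PREFERENCE.index(alg) if alg in PREFERENCE else len(PREFERENCE))


def negotiate(local, peer):
    """Compare two profiles category by category.

    Returns (ok, agreed, mismatches): `agreed` maps each category to the
    chosen algorithm; `mismatches` maps each failing category to the two
    offered lists, so the reader can see exactly which checkbox to change.
    """
    agreed, mismatches = {}, {}
    for category in sorted(set(local) | set(peer)):
        offered_local = local.get(category, set())
        offered_peer = peer.get(category, set())
        common = offered_local & offered_peer
        if common:
            agreed[category] = pick(common)
        else:
            mismatches[category] = (sorted(offered_local), sorted(offered_peer))
    return (not mismatches, agreed, mismatches)


def report(phase, local, peer):
    """Human-readable result for one phase."""
    ok, agreed, mismatches = negotiate(local, peer)
    if ok:
        return f"phase {phase}: OK, " + ", ".join(f"{c}={a}" for c, a in agreed.items())
    detail = "; ".join(f"{c}: local {l} vs peer {p}" for c, (l, p) in mismatches.items())
    return f"phase {phase}: FAILED, " + detail


if __name__ == "__main__":
    # Constructed peer using the algorithm set from the step 18 example
    # (DH group 2, md5 or sha1, aes128 or aes256).
    peer_ike = {"dh_group": {"group2"}, "hash": {"md5", "sha1"}, "encryption": {"aes128", "aes256"}}
    print(report(1, PAN_DEFAULT_IKE_CRYPTO, peer_ike))
    # Constructed peer with PFS disabled: reproduces the pfs mismatch case.
    peer_ipsec = {"pfs": {"no-pfs"}, "hash": {"sha1"}, "encryption": {"aes128"}}
    print(report(2, PAN_DEFAULT_IPSEC_CRYPTO, peer_ipsec))
```

Because each category is checked independently, the output names the one to fix (for example "pfs: local ['group2'] vs peer ['no-pfs']"), which is the same decision the Appendix C table asks you to make by hand.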


Appendix A: Network Diagram


This is the diagram of the network from which the screenshots in this document were taken. Reproduced as text:

   PC A (10.1.1.9) -- trust zone, E1/2 (10.1.1.1) -- PAN firewall -- untrust zone, E1/1 (100.1.1.1) -- Internet -- untrust zone, E?/? (200.1.1.1) -- Firewall B -- trust zone, E?/? (192.168.1.1) -- PC B (192.168.1.9)

   The VPN tunnel runs between tunnel.1 on the PAN firewall and tunnel.1 on firewall B.

   Routing table on PAN fw: 192.168.1.0/24 -> tunnel.1

   Routing table on fw B: 10.1.1.0/24 -> tunnel.1


Appendix B: Troubleshooting IPSec VPNs


If you have configured both sides of the VPN, and the tunnel does not come up, use the following steps to troubleshoot.

Test Network Connectivity


1. Confirm the network is up between the two firewalls:

   a) On fwA, ping out its public interface to the public interface of fwB:

      ping source x.x.x.x host y.y.y.y

      where x.x.x.x is the public IP of fwA, and y.y.y.y is the public IP of fwB

   b) Do the reverse of the previous step: ping from the fwB public interface to the fwA public interface.

2. Confirm LAN connectivity between the firewalls and the local PCs:

   a) On fwA, ping from the internal interface to PCA:

      ping source z.z.z.z host <IP_of_PCA>

      where z.z.z.z is the internal IP of fwA

   b) On fwB, ping from the internal interface to PCB.


Initiate IKE phase 1


You will now attempt to bring up IKE phase 1. You can initiate the tunnel from either side.

To initiate from network B:

3. Ping from PCB to PCA. Examine the system log on the PAN firewall. Compare the messages to the error message table in Appendix C: PANOS Error Messages for VPNs, and take the action listed there.

   Note: If PCA does not exist, you may be able to initiate the tunnel by pinging firewall A's internal interface. But be careful: check the management profile on the firewall's internal interface to ensure it allows ping, and that it does not restrict permitted IP addresses.

   Note: You can view the system log either using the GUI (Monitor tab -> Logs -> System) or using the CLI (show log system subtype equal vpn direction equal backward).

To initiate from network A:

4. If you are more familiar with the error messages in the other vendor's firewall (firewall B), you can initiate IKE phase 1 by either:

   o Pinging from PCA to PCB; or
   o On fwA, running this command: test vpn ike-sa gateway <gw_name>

   To see if phase 1 is up, run this command on the PAN firewall:

      show vpn ike-sa gateway <gw_name>

   If the output shows an SA, that means that IKE phase 1 is up. If the output does NOT show an SA, look at the system log of the target firewall and use those messages to troubleshoot.

Initiate IKE phase 2


5. You can initiate IKE phase 2 by either:

   a) Pinging from PCB to PCA; or
   b) Pinging from PCA to PCB; or
   c) On fwA, running this command: test vpn ipsec-sa tunnel <vpn_name>

6. To see if phase 2 is up, run this command on the PAN firewall:

      show vpn ipsec-sa tunnel <vpn_name>

   If the output does NOT show an SA, phase 2 did not complete successfully. Therefore, look at the event logs of both firewalls for clues. Refer to Appendix C: PANOS Error Messages for VPNs to determine how to interpret VPN error messages you see in the PAN system log.

Tunnel is up, still cannot ping end to end


7. Once both IKE phase 1 and phase 2 are up, if you cannot ping from PCA to PCB (or vice versa), examine the following items:

   o Routing table on the PAN firewall. Are the proper routes listed there? To see what route will match a packet going to <target_IP>, use this command:

        test routing fib-lookup virtual-router <vr_name> ip <target_IP>

     To see the intermediate network path, use traceroute on PC A.
   o Policies on the PAN firewall. Is the traffic arriving in a zone different than the zone that contains the tunnel interface? If yes, you must create a policy to allow that traffic to traverse zones.
   o Routing table and policies on firewall B. Use traceroute on firewall B to see the route the packets are taking.


Appendix C: PANOS Error Messages for VPNs


Look in the system log for these messages.

If you see this error message:
   IKE phase-1 negotiation is failed as initiator, main mode. Failed SA: x.x.x.x[500]y.y.y.y[500] cookie:84222f276c2fa2e9:0000000000000000. Due to timeout
then do this:
   Make sure that the public IP addresses for both VPN endpoints are entered correctly in the IKE phase 1 configuration. Also make sure the public IPs can ping each other, and that there is no routing or other network issue between them. (refer to Part 1 step 2 of this document)

If you see this error message:
   IKE phase-1 negotiation is failed. Couldn't find configuration for IKE phase-1 request for peer IP x.x.x.x[1929].
then do this:
   Same as above

If you see this error message:
   received unencrypted Notify payload (NOPROPOSAL-CHOSEN) from IP x.x.x.x[500] to y.y.y.y[500], ignored..
then do this:
   Check the IKE phase 1 proposals on both sides (refer to Part 6 of this document)

If you see this error message:
   IKE phase-1 negotiation is failed. unable to process peer's SA payload.
then do this:
   Check the IKE phase 1 proposals on both sides (refer to Part 6 of this document)

If you see this error message:
   pfs group mismatched: my:2 peer:0.
then do this:
   Check the IKE phase 2 proposals on both sides. Either one side has PFS enabled and the other side does not, or the Diffie-Hellman groups do not match. (refer to Part 6 of this document)

If you see this error message:
   IKE phase-2 negotiation failed when processing SA payload. no suitable proposal found in peer's SA payload.
then do this:
   Check the IKE phase 2 proposals on both sides (refer to Part 6 of this document)

If you see this error message:
   IKE phase-2 negotiation failed when processing proxy ID. cannot find matching phase-2 tunnel for received proxy ID. received local id: x.x.x.x/x type IPv4_address protocol 0 port 0, received remote id: y.y.y.y/y type IPv4_address protocol 0 port 0.
then do this:
   The other side is using a policy-based VPN. On the PAN firewall, go to Network -> IPSec tunnels, and edit the tunnel configuration. Click on show advanced options. Configure a local proxy ID and remote proxy ID to match the other side. (refer to Part 1 step 3 of this document)
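The Appendix C table is a lookup from log message to corrective action, which makes it a natural candidate for automation when you are reading a long system log. The script below is an added example written for this document, not PAN-OS code and not part of the original: its patterns are derived from the messages quoted in Appendix C, its actions paraphrase the table, and it pulls out the details a troubleshooter needs (peer addresses, the two DH groups in a pfs mismatch, the proxy IDs the peer sent). The sample log excerpt is constructed, with addresses borrowed from the Appendix A diagram and the separator between the two endpoints in the "Failed SA" line assumed to be "-".

```python
"""Triage of PAN-OS VPN system-log messages against the Appendix C table.

Added example, not part of the original document and not PAN-OS code.
The patterns are derived from the messages quoted in Appendix C; the
recommended actions paraphrase the table. The sample log lines at the
bottom are constructed for the example (addresses borrowed from the
Appendix A diagram), with the separator between the two endpoints in the
"Failed SA" line assumed to be "-".
"""
import re

# x.x.x.x[port] as it appears in the quoted messages
IP_PORT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\[(\d+)\]")
# "received local id: x.x.x.x/x ... received remote id: y.y.y.y/y"
PROXY_ID = re.compile(r"received (local|remote) id: (\S+)")

ACTION_PEER_IP = ("Verify the public IP addresses in the IKE phase 1 configuration on "
                  "both endpoints and that they can ping each other (Part 1 step 2)")
ACTION_P1_PROPOSALS = "Check the IKE phase 1 proposals on both sides (Part 6)"
ACTION_P2_PFS = ("Check the IKE phase 2 proposals: one side has PFS enabled and the "
                 "other does not, or the DH groups differ (Part 6)")
ACTION_P2_PROPOSALS = "Check the IKE phase 2 proposals on both sides (Part 6)"
ACTION_PROXY_ID = ("The peer is a policy-based VPN: configure local and remote proxy IDs "
                   "on the IPSec tunnel to match the other side (Part 1 step 3)")

# (phase, pattern, action); the first matching rule wins, so the more
# specific PFS rule is listed before the generic "SA payload" rules.
RULES = [
    (2, re.compile(r"pfs group mismatched: my:(?P<my_group>\d+) peer:(?P<peer_group>\d+)"), ACTION_P2_PFS),
    (1, re.compile(r"phase-1 negotiation is failed as initiator.*Due to timeout"), ACTION_PEER_IP),
    (1, re.compile(r"Couldn't find configuration for IKE phase-1 request"), ACTION_PEER_IP),
    # The document prints NOPROPOSAL-CHOSEN; accept it with or without the hyphen.
    (1, re.compile(r"Notify payload \(NO-?PROPOSAL-CHOSEN\)"), ACTION_P1_PROPOSALS),
    (1, re.compile(r"unable to process peer's SA payload"), ACTION_P1_PROPOSALS),
    (2, re.compile(r"phase-2 negotiation failed when processing SA payload"), ACTION_P2_PROPOSALS),
    (2, re.compile(r"cannot find matching phase-2 tunnel for received proxy ID"), ACTION_PROXY_ID),
]


def diagnose(line):
    """Match one system-log line against RULES.

    Returns a dict with the IKE phase, the recommended action, the endpoint
    addresses mentioned in the line, and any DH groups or proxy IDs the
    message carries; None when no rule matches.
    """
    for phase, pattern, action in RULES:
        match = pattern.search(line)
        if not match:
            continue
        result = {
            "phase": phase,
            "action": action,
            "endpoints": [ip for ip, _port in IP_PORT.findall(line)],
        }
        result.update(match.groupdict())
        proxy_ids = dict(PROXY_ID.findall(line))
        if proxy_ids:
            result["proxy_ids"] = proxy_ids
        return result
    return None


def triage(lines):
    """Run diagnose() over a log excerpt; returns (line_number, result) for
    the lines that matched a rule, in log order."""
    findings = []
    for number, line in enumerate(lines, start=1):
        result = diagnose(line)
        if result:
            findings.append((number, result))
    return findings


# Constructed sample excerpt (not a real capture).
SAMPLE_LOG = [
    "IKE phase-1 negotiation is failed as initiator, main mode. Failed SA: "
    "100.1.1.1[500]-200.1.1.1[500] cookie:84222f276c2fa2e9:0000000000000000. Due to timeout",
    "pfs group mismatched: my:2 peer:0.",
    "IKE phase-2 negotiation failed when processing proxy ID. cannot find matching phase-2 "
    "tunnel for received proxy ID. received local id: 192.168.1.0/24 type IPv4_address "
    "protocol 0 port 0, received remote id: 10.1.1.0/24 type IPv4_address protocol 0 port 0.",
    "constructed non-VPN line: configuration committed",
]

if __name__ == "__main__":
    for number, finding in triage(SAMPLE_LOG):
        print(f"line {number}: phase {finding['phase']} -> {finding['action']}")
        for key in ("endpoints", "my_group", "peer_group", "proxy_ids"):
            if key in finding:
                print(f"    {key}: {finding[key]}")
```

Feeding it the output of "show log system subtype equal vpn direction equal backward" gives the phase that failed and the part of this document to go back to; lines that match no rule are left for manual reading rather than guessed at.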


Miscellaneous commands

   To bring down phase 1:          clear vpn ike-sa
   To bring down phase 2:          clear vpn ipsec-sa
   To bring down both phase 1 & 2: clear vpn flow

Debugging IKE

   Step 1: To turn on debugging of IKE:
      debug ike global on debug
   Step 2: Try to bring up the tunnel.
   Step 3: View the debug log:
      tail follow yes mp-log ikemgr.log
   Step 4: When finished troubleshooting, make sure to set the debug level back to normal:
      debug ike global on normal

