
Step by Step Guide: IPSec VPN Configuration

Between a PAN Firewall and Cisco ASA


Overview:

This document is a step by step guide to configuring an IPSec VPN between a Palo Alto Networks firewall and a Cisco ASA. It assumes the Palo Alto firewall has at least 2 interfaces in Layer 3 mode. If you find this article helpful, check out how you can automate your PAN network with Indeni.

High Level Diagram:

IP schema specification:

Steps to be followed on Palo Alto Networks Firewall for IPSec VPN Configuration

Go to Network > Tunnel Interface to create a new tunnel interface and assign the following parameters:

Name: tunnel.1
Virtual router: default
Please refer to this article if you need help configuring a Virtual Router on Palo Alto Networks.

Zone: (select the Layer 3 internal zone from which the traffic will originate)
Please refer to this article if you need help configuring a Layer 3 interface on Palo Alto Networks.

Note: If the tunnel interface is in a zone different from the zone where the traffic will originate or depart, then a policy will need to be created to allow the traffic to flow from the source zone to the zone containing the tunnel interface.

Configure IPSec Phase 1

Go to Network > Network Profiles > IKE Crypto Profile and define the IKE Crypto (IKEv1 Phase-1) parameters.
(These parameters must match those on the Cisco ASA firewall for the IKE Phase-1 negotiation to succeed.)


Go to Network > Network Profiles > IKE Gateway to configure the IKE Phase-1 Gateway.

Note: The tunnel configured above terminates in the Trust zone, so traffic traversing the tunnel is treated as Trust-zone traffic. If more granular policy control is desired for tunnel traffic, place the tunnel interface in a dedicated VPN zone or another zone instead. Also note that the gateway configuration below is bound to the Untrust interface; this is not to be confused with the tunnel interface terminating in a trusted zone.

Under Network > Network Profiles > IPSec Crypto Profile, define an IPSec Crypto profile to specify the protocols and algorithms used for identification, authentication, and encryption in VPN tunnels, as negotiated for the IPSec SA (IKEv1 Phase-2). These parameters should match those on the remote firewall for the IKE Phase-2 negotiation to succeed.

Note:
DPD (Dead Peer Detection) is a monitoring function used to determine the liveness of the IKE Security Association (Phase 1). It detects whether the peer device still has a valid IKE SA: periodically it sends an “ISAKMP R-U-THERE” packet to the peer, which responds with an “ISAKMP R-U-THERE-ACK” acknowledgement.
For more information about DPD, refer to this article.

Configure IPSec Phase 2

Under Network > IPSec Tunnel > General, configure IPSec Tunnels to set up the parameters to establish IPSec VPN tunnels between firewalls.

Note: If Cisco ASA is configured as a policy-based VPN, then enter the local proxy ID and remote proxy ID to match the other side.

When the traffic crossing the tunnel is NATed, the IPSec Tunnel Proxy-ID configuration that identifies the local and remote IP networks must be configured with the post-NAT network information, because the Proxy-IDs define the networks that will be allowed through the tunnel on both sides of the IPSec configuration.

Note: Expanding the “Show Advanced Options” checkbox reveals a useful feature, “Tunnel Monitor”.

With the “Tunnel Monitor” feature, the firewall automatically initiates the IPSec VPN tunnel as soon as the defined destination IP address becomes reachable. In this example, 20.20.20.10 is an IP address configured at the remote site (behind the Cisco ASA).

IPSec Tunnel Status
The tunnel isn’t up yet, because we haven’t configured the VPN on the other end (the Cisco ASA).

Under Network > Virtual Routers > Static Route, add a new route for the network that is behind the other VPN endpoint.

Create the Security Policy to allow Local Network to communicate with Remote Network over the VPN.

Commit the configuration.

With that, we are done configuring the Palo Alto firewall. Now we configure the Cisco ASA on the other end to establish the IPSec VPN tunnel.
On Cisco ASA Firewall:

As with the Palo Alto firewall, this guide assumes the Cisco ASA has at least 2 interfaces in Layer 3 mode.
Configure IPSec Phase 1 (and the Phase 2 policy) on the Cisco ASA firewall.

crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
!######################################
! Configuring Local and Remote Network
!######################################
object network Cisco-Side
 subnet 20.20.20.0 255.255.255.0
object network PA-Side
 subnet 10.10.10.0 255.255.255.0
!
!###################################################
! Configure ACL to allow VPN Traffic bi-directional
!###################################################
!
access-list VPN-INTERESTING-TRAFIC extended permit ip object Cisco-Side object PA-Side
nat (inside,outside) source static Cisco-Side Cisco-Side destination static PA-Side PA-Side no-proxy-arp route-lookup
!
!#################################################
! Configure IPSec Phase 2 Policy
!#################################################
!
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key 1234567
 isakmp keepalive threshold 10 retry 2
!
crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-aes esp-sha-hmac
!
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFIC
crypto map CRYPTO-MAP 1 set pfs group2
crypto map CRYPTO-MAP 1 set peer 1.1.1.1
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside

Verify the IPSec VPN tunnel status from the Cisco ASA firewall by pinging any reachable IP address behind the Palo Alto firewall.

ping 10.10.10.10
Sending 5, 100-byte ICMP Echos to out-pc, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Once the IPSec VPN configuration on the Cisco ASA firewall is completed as above, the PA should show the following IPSec Tunnel Status.

To validate the Tunnel Monitor status in detail, log in to the Palo Alto firewall CLI and execute the following command.

Note that even if no traffic is passed from the Cisco ASA firewall through the VPN tunnel, the Palo Alto firewall still shows the IPSec VPN status as “Up”. The reason is that we configured the IPSec Tunnel Monitor on the Palo Alto firewall.

When the IPSec Tunnel Monitor is configured (as shown above), the firewall probes the destination IP address with ICMP Echo Requests, and when it receives replies from that IP address it considers the IPSec tunnel Up.

> show vpn flow tunnel-id 1

tunnel  PA-Cisco_IPSEC
        id:                     1
        type:                   IPSec
        gateway id:             1
        local ip:               1.1.1.1
        peer ip:                2.2.2.2
        inner interface:        tunnel.1
        outer interface:        ethernet1/1
        state:                  active
        session:                6443
        tunnel mtu:             1436
        lifetime remain:        2663 sec
        latest rekey:           937 seconds ago
        monitor:                on
        monitor status:         up
        monitor interval:       3 seconds
        monitor threshold:      5 probe losses
        monitor packets sent:   739180
        monitor packets recv:   732283
        monitor packets seen:   584
        monitor packets reply:  584
        en/decap context:       76
        local spi:              F18E58FF
        remote spi:             B90FCFB2

In the above output:
monitor packets sent – Number of pings sent.
monitor packets recv – Number of replies received to the pings sent.
monitor packets seen – Number of monitor packets received from the remote side querying us.
monitor packets reply – Number of replies sent in response to “monitor packets seen”. This will increment only if the requests were made to the tunnel interface IP.
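As an added example (not from the article and not Indeni's own tooling), the following Python parses the `show vpn flow` output and applies the checks described above: tunnel state, monitor status, cumulative probe loss from the sent/recv counters, the seen/reply mismatch that indicates the peer is probing the wrong address, and the time (interval x threshold) before the monitor declares the tunnel down. The sample text is a constructed subset of the output shown, and the 2% loss threshold is an assumed operator value.

```python
# Constructed sample: a subset of the "show vpn flow tunnel-id 1" output
# quoted above, reflowed one field per line as PAN-OS prints it.
SAMPLE_OUTPUT = """\
tunnel  PA-Cisco_IPSEC
        state:                  active
        lifetime remain:        2663 sec
        monitor:                on
        monitor status:         up
        monitor interval:       3 seconds
        monitor threshold:      5 probe losses
        monitor packets sent:   739180
        monitor packets recv:   732283
        monitor packets seen:   584
        monitor packets reply:  584
"""

def parse_vpn_flow(text):
    """Map 'key: value' lines to a dict; values that start with a number
    (counters, timers) are also stored as ints under key + '#'."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        fields[key] = value
        first = value.split()[0] if value else ""
        if first.isdigit():
            fields[key + "#"] = int(first)
    return fields

def assess_tunnel(fields, max_loss_pct=2.0):
    """Return (findings, probe_loss_pct, detect_seconds); detect_seconds is how
    long consecutive probe loss must last (interval x threshold, assumed
    semantics from the output above) before the monitor marks the tunnel down."""
    findings = []
    if fields.get("state") != "active":
        findings.append("tunnel state is not active")
    if fields.get("monitor") != "on":
        findings.append("tunnel monitor disabled: 'up' only proves an SA exists")
    elif fields.get("monitor status") != "up":
        findings.append("tunnel monitor reports the probed remote address unreachable")
    sent, recv = fields.get("monitor packets sent#", 0), fields.get("monitor packets recv#", 0)
    loss_pct = 100.0 * (sent - recv) / sent if sent else 0.0
    if loss_pct > max_loss_pct:
        findings.append(f"cumulative probe loss {loss_pct:.2f}% exceeds {max_loss_pct}%")
    if fields.get("monitor packets seen#", 0) != fields.get("monitor packets reply#", 0):
        findings.append("peer probes not all answered: check they target the tunnel interface IP")
    detect_seconds = fields.get("monitor interval#", 0) * fields.get("monitor threshold#", 0)
    return findings, round(loss_pct, 2), detect_seconds
```

Run it over the live CLI output on a schedule and alert on any non-empty findings list, or on a loss percentage that trends upward between runs.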

Did you know Indeni can continuously check the health of your Palo Alto Networks firewalls?
Indeni will give you a heads up when a firewall contract or certificate is about to expire by running these automation scripts:

– Contract(s) about to expire for Palo Alto Networks
– Certificate(s) about to expire for Palo Alto Networks
– Panorama certificate about to expire for Palo Alto Networks

We have hundreds of automation elements to prevent problems from occurring in your environment. When a VPN tunnel is down, we can automatically kick off investigative steps to determine the root cause of the problem, without human intervention. We can provide prescriptive remediation steps to fix the VPN tunnel down problem. Check out our top picks for Palo Alto Networks NGFW automation.

Want to learn more about Indeni? Check out our solution for Cisco and download our datasheet to see the latest Cisco versions supported.

Darshan K. Doshi is a Security Consultant. He has been working with Palo Alto firewalls for about two years. If you want to contribute as well, click here.
