How To Configure IPSec VPNs 2.1
This procedure assumes the Palo Alto firewall has at least two interfaces operating in Layer3 mode, with IP addresses assigned, and routes added to a virtual router. The other end of the VPN tunnel can be any vendor's firewall: Juniper, Cisco, Checkpoint, etc.
2. Go to Network tab -> Network Profiles -> IKE Gateways screen. You will configure the IKE phase 1 gateway on this screen. Click New, and enter the following parameters:
IKE gateway: gw-to-siteX (or any name of your choosing)
Local IP address: (select the firewall interface that is closest to the other VPN endpoint. This is called the public interface of the firewall.)
Peer IP address: (enter the IP address of the public interface on the other VPN endpoint)
Pre-shared key: (enter a key of your choosing, and remember it so you can enter it in the other firewall's VPN configuration)
If you put the tunnel interface in a zone that is different from the zone that the traffic will originate/depart, then you will need to create a policy to allow the traffic to flow from the source zone to the zone containing the tunnel interface.
PANOS 2.1.3
3. To configure the IKE phase 2 VPN, go to Network tab -> IPSec Tunnels screen. Create a new VPN with the following parameters:
Name: vpn-to-siteX (or any name of your choosing)
Tunnel interface: (pull down to select tunnel.1)
IKE gateway: (pull down to select the IKE gateway you created in the previous step)
If the other side of the tunnel is configured as a policy-based VPN, then:
Click Show advanced options
Enter the local proxy ID and remote proxy ID to match the other side.
Once you click OK, the IPSec tunnel will appear in the list, with the status circles colored red to indicate the tunnel is down. Here is an example:
4. Go to Network tab -> Virtual Routers screen. Edit your existing virtual router. Add a new route for the network that is behind the other VPN endpoint. For interface, select tunnel.1. There is no need to enter a value for next hop. Click Add to add the static route.
You want to see messages that look like the following; this is a successful VPN startup:
If either IKE phase 1 or phase 2 does not complete successfully, refer to Appendix B: Troubleshooting IPSec VPNs.
Part 4: Confirmation
8. When the tunnel is up, the Network tab -> IPSec Tunnels page should show the phase 1 and 2 status in green:
9. You can use the following command to verify that the tunnel is active:
10. To confirm that the data truly is going over the tunnel, do the following:
show vpn flow tunnel-id ____ (enter the id from the step above)
At the bottom of the results you will see a count of encrypted and decrypted packets and bytes in the tunnel. This value will change as you send more data over the tunnel.
11. To view details on the active IKE phase 1 SAs: show vpn ike-sa gateway <gw_name>
12. To view details on the active IKE phase 2 SAs: show vpn ipsec-sa tunnel <vpn_name>
14. Go to the Network tab -> IPSec Tunnels screen. Edit the VPN, and click show advanced options. At the bottom of the screen, look for the Tunnel Monitor configuration:
15. In that portion of the screen, do the following:
Check the box to enable tunnel monitoring.
For destination IP, enter an IP address of a machine on the other side of the tunnel. This should be an internal (private) IP address. This is the machine that will answer the ICMP echo request.
Either use the default profile (shown below), or create a new profile.
Action: choose one of the following:
wait-recover: if the remote IP is not reachable, the firewall will continuously send ICMP messages over the tunnel in an attempt to bring the VPN back up.
fail-over: traffic will fail over to a backup path, if one is available.
Note: in either case, the phase 1 & 2 SAs are not torn down by the tunnel monitor feature.
Interval: how often to send an ICMP echo request over the tunnel.
Threshold: after this number of missed ICMP replies, the VPN will be declared down.
16. Once the configuration change is committed, the tunnel will come up.
17. Now that tunnel monitoring is enabled, if the IP on the remote side is not reachable, you will get this error message in your system log:
Once the problem is fixed, this message will appear in the system log:
19. Assign that profile by going to Network tab -> Network Profiles -> IKE Gateways screen. Edit your existing phase 1 configuration. Click on Show advanced Phase1 options. In the IKE Crypto Profile pulldown menu, select the profile you just created:
20. To configure phase 2 proposals, go to Network tab -> Network Profiles -> IPSec Crypto screen. Click New. Give the profile a name (no spaces allowed), and put a checkmark next to all the algorithms that you want the PAN firewall to be able to use. If you do NOT want to enable Perfect Forward Secrecy (PFS), go to DH Group pulldown, and select no-pfs.
21. To use this new profile, go to Network tab -> IPSec Tunnels screen. Edit your existing tunnel configuration. Click on Show advanced options. In the IPSec Crypto Profile pulldown menu, select the profile you just created:
22. Once you commit the configuration, the new proposals will be used for this tunnel.
[Network diagram: the PAN firewall (interfaces 10.1.1.1 and 100.1.1.1, tunnel.1) and Firewall B (interfaces 200.1.1.1 and 192.168.1.1, tunnel.1) are connected across the Internet by a VPN tunnel between their tunnel.1 interfaces. PC A 10.1.1.9 sits behind the PAN firewall; PC B 192.168.1.9 sits behind Firewall B.]
To initiate from network A:
4. If you are more familiar with the error messages in the other vendor's firewall (firewall B), you can initiate IKE phase 1 by either:
o Pinging from PC A to PC B; or
o On fwA, run this command: test vpn ike-sa gateway <gw_name>
To see if phase 1 is up, run this command on the PAN firewall: show vpn ike-sa gateway <gw_name>
If the output shows an SA, that means that IKE phase 1 is up. If the output does NOT show an SA, look at the system log of the target firewall and use those messages to troubleshoot.
If PC A does not exist, you may be able to initiate the tunnel by pinging firewall A's internal interface. But be careful: check the management profile on the firewall's internal interface to ensure it allows ping, and that it does not restrict permitted IP addresses.
You can view the system log either using the GUI (Monitor tab -> Logs -> System) or using the CLI (show log system subtype equal vpn direction equal backward).
6. To see if phase 2 is up, run this command on the PAN firewall: show vpn ipsec-sa tunnel <vpn_name>
If the output does NOT show an SA, phase 2 did not complete successfully. Therefore, look at the event logs of both firewalls for clues. Refer to Appendix C: PANOS Error Messages for VPNs to determine how to interpret VPN error messages you see in the PAN system log.
Error message:
IKE phase-1 negotiation is failed. Couldn't find configuration for IKE phase-1 request for peer IP x.x.x.x[1929].
What to check:
Check the IKE phase 1 proposals on both sides (refer to Part 6 of this document).

Error message:
received unencrypted Notify payload (NOPROPOSAL-CHOSEN) from IP x.x.x.x[500] to y.y.y.y[500], ignored..
What to check:
Check the IKE phase 1 proposals on both sides (refer to Part 6 of this document).

Error message:
IKE phase-1 negotiation is failed. unable to process peer's SA payload. pfs group mismatched: my:2 peer:0.
What to check:
Check the IKE phase 2 proposals on both sides. Either one side has PFS enabled and the other side does not, or the Diffie-Hellman groups do not match (refer to Part 6 of this document).

Error message:
IKE phase-2 negotiation failed when processing SA payload. no suitable proposal found in peer's SA payload.
What to check:
Check the IKE phase 2 proposals on both sides (refer to Part 6 of this document).

Error message:
IKE phase-2 negotiation failed when processing proxy ID. cannot find matching phase-2 tunnel for received proxy ID. received local id: x.x.x.x/x type IPv4_address protocol 0 port 0, received remote id: y.y.y.y/y type IPv4_address protocol 0 port 0.
What to check:
The other side is using a policy-based VPN. On the PAN firewall, go to Network -> IPSec tunnels, and edit the tunnel configuration. Click on show advanced options. Configure a local proxy ID and remote proxy ID to match the other side (refer to Part 1 step 3 of this document).
Miscellaneous commands
To bring down phase 1: clear vpn ike-sa
To bring down phase 2: clear vpn ipsec-sa
To bring down both phase 1 & 2: clear vpn flow
Debugging IKE
Step 1: To turn on debugging of IKE: debug ike global on debug
Step 2: Try to bring up the tunnel.
Step 3: View the debug log: tail follow yes mp-log ikemgr.log
Step 4: When finished troubleshooting, make sure to set the debug level to normal.