
Sample IPSec tunnel configuration - Palo Alto Networks firewall to Cisco ASA


56766
Created On 09/25/18 17:15 PM - Last Modified 06/13/23 01:50 AM
VPNS
NEXT-GENERATION FIREWALL

Resolution

The following is a sample IPSec tunnel configuration with a Palo Alto Networks firewall connecting to a Cisco ASA firewall.

Phase 1 Proposal

Cisco ASA:

crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

Palo Alto Networks firewall:

<ike-crypto-profiles>
  <entry name="default">
    <encryption>
      <member>aes192</member>
      <member>aes256</member>
      <member>aes128</member>
      <member>3des</member>
    </encryption>
    <hash>
      <member>sha1</member>
      <member>md5</member>
    </hash>
    <dh-group>
      <member>group2</member>
      <member>group1</member>
    </dh-group>
    <lifetime>
      <hours>24</hours>
    </lifetime>
  </entry>
</ike-crypto-profiles>

Phase 2 Proposal

Cisco ASA:

crypto ipsec transform-set palo-alto esp-aes-256 esp-sha-hmac
crypto map outside 20 set transform-set palo-alto

Palo Alto Networks firewall:

<ipsec-crypto-profiles>
  <entry name="default">
    <esp>
      <encryption>
        <member>aes256</member>
      </encryption>
      <authentication>
        <member>sha1</member>
      </authentication>
    </esp>
    <dh-group></dh-group>
    <lifetime>
      <hours>24</hours>
    </lifetime>
  </entry>
</ipsec-crypto-profiles>

Gateway

Cisco ASA:

crypto map outside 20 set peer 10.9.3.8
tunnel-group 10.9.3.8 type ipsec-l2l
tunnel-group 10.9.3.8 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold infinite
prompt hostname context
Cryptochecksum:2e764f8b78fffa0bef7a212795ec0ebe

Palo Alto Networks firewall:

<gateway>
  <entry name="XYZ.ASA">
    <peer-address>
      <ip>10.88.12.253</ip>
    </peer-address>
    <local-address>
      <ip>10.9.3.8/24</ip>
      <interface>ethernet1/1</interface>
    </local-address>
    <authentication>
      <pre-shared-key>
        <key>k2VXNMN7gOjEFUe6y8ALut8vWzxw5TY0</key>
      </pre-shared-key>
    </authentication>
    <protocol>
      <ikev1>
        <exchange-mode>auto</exchange-mode>
        <ike-crypto-profile>default</ike-crypto-profile>
        <dpd>
          <enable>yes</enable>
          <interval>10</interval>
          <retry>3</retry>
        </dpd>
      </ikev1>
    </protocol>
  </entry>
</gateway>

Phase 2 - Proxy ID/tunnel

Cisco ASA:

access-list ASAtoPAN extended permit ip 10.211.168.0 255.255.252.0 10.61.0.0 255.255.0.0
crypto map outside 20 match address ASAtoPAN

Palo Alto Networks firewall:

<tunnel>
  <ipsec>
    <entry name="XYZTunnel">
      <anti-replay>no</anti-replay>
      <copy-tos>no</copy-tos>
      <tunnel-monitor>
        <enable>no</enable>
      </tunnel-monitor>
      <tunnel-interface>tunnel.1</tunnel-interface>
      <auto-key>
        <ike-gateway>
          <entry name="XYZ.ASA"/>
        </ike-gateway>
        <ipsec-crypto-profile>default</ipsec-crypto-profile>
        <proxy-id>
          <local>10.61.0.0/16</local>
          <remote>10.211.168.0/22</remote>
        </proxy-id>
      </auto-key>
    </entry>
  </ipsec>
</tunnel>

Note: The protocol field under the proxy ID must match on both sides. In this example the ASA access-list permits ip, i.e. any protocol, and the Palo Alto Networks proxy ID carries no protocol element, so both sides are set to any protocol.
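One way to check that the two sides of this article will actually agree, as an added example that is not part of the original article or of either vendor's tooling: a Python script that parses the ASA lines and the PAN-OS XML shown above (embedded below as constructed copies), translates the ASA keywords into Palo Alto Networks member names through an assumed mapping (ASA_TO_PAN is illustrative, not a vendor table), and reports every Phase 1, Phase 2, PFS and proxy-ID mismatch, including the protocol field the note refers to. It assumes that a proxy ID with no protocol element means any protocol, and that an empty dh-group in the IPSec profile means no PFS, which is what pairs with an ASA crypto map that has no set pfs line.

```python
# Added example: cross-check the ASA side of the tunnel against the Palo Alto Networks side.
import ipaddress
import xml.etree.ElementTree as ET

# Constructed: the article's ASA lines, in running-config layout.
ASA_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set palo-alto esp-aes-256 esp-sha-hmac
crypto map outside 20 set transform-set palo-alto
access-list ASAtoPAN extended permit ip 10.211.168.0 255.255.252.0 10.61.0.0 255.255.0.0
crypto map outside 20 match address ASAtoPAN
"""
# Constructed: the article's crypto profiles and tunnel proxy ID under one root element.
PAN_XML = """\
<config>
 <ike-crypto-profiles><entry name="default">
  <encryption><member>aes192</member><member>aes256</member><member>aes128</member><member>3des</member></encryption>
  <hash><member>sha1</member><member>md5</member></hash>
  <dh-group><member>group2</member><member>group1</member></dh-group>
  <lifetime><hours>24</hours></lifetime></entry></ike-crypto-profiles>
 <ipsec-crypto-profiles><entry name="default">
  <esp><encryption><member>aes256</member></encryption><authentication><member>sha1</member></authentication></esp>
  <dh-group></dh-group><lifetime><hours>24</hours></lifetime></entry></ipsec-crypto-profiles>
 <tunnel><ipsec><entry name="XYZTunnel"><auto-key>
  <proxy-id><local>10.61.0.0/16</local><remote>10.211.168.0/22</remote></proxy-id>
 </auto-key></entry></ipsec></tunnel>
</config>
"""
# Assumed mapping of ASA keywords to PAN-OS member names (illustrative, not a vendor table).
ASA_TO_PAN = {"3des": "3des", "aes": "aes128", "aes-192": "aes192", "aes-256": "aes256", "sha": "sha1",
              "md5": "md5", "esp-3des": "3des", "esp-aes": "aes128", "esp-aes-192": "aes192",
              "esp-aes-256": "aes256", "esp-sha-hmac": "sha1", "esp-md5-hmac": "md5"}


def parse_asa(text):
    """Pull the ISAKMP policy, transform-set, PFS flag and crypto-map ACL out of ASA lines."""
    net = lambda a, m: ipaddress.ip_network(f"{a}/{m}", strict=False)  # 'addr mask' -> prefix form
    asa, acls, acl_name = {"p1": {}, "p2": {"transforms": [], "pfs": False}}, {}, None
    for w in (line.split() for line in text.splitlines() if line.strip()):
        if w[0] in ("authentication", "encryption", "hash", "group", "lifetime"):
            asa["p1"][w[0]] = w[1]  # indented sub-commands of 'crypto isakmp policy'
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            asa["p2"]["transforms"] = w[4:]
        elif w[:2] == ["crypto", "map"] and w[4:6] == ["set", "pfs"]:
            asa["p2"]["pfs"] = True
        elif w[:2] == ["crypto", "map"] and w[4:6] == ["match", "address"]:
            acl_name = w[6]
        elif w[0] == "access-list" and w[2:4] == ["extended", "permit"]:
            acls[w[1]] = {"proto": w[4], "src": net(w[5], w[6]), "dst": net(w[7], w[8])}
    asa["acl"] = acls.get(acl_name)  # None when the crypto map names no known ACL
    return asa


def parse_pan(xml_text):
    """Read the IKE profile, the ESP profile and the tunnel proxy ID from PAN-OS XML."""
    root = ET.fromstring(xml_text)

    def members(path):  # every <member> under the given element, as a set of names
        return {m.text.strip() for m in root.findall(path + "/member") if m.text}

    ike, esp = "ike-crypto-profiles/entry", "ipsec-crypto-profiles/entry"
    proxy = root.find("tunnel/ipsec/entry/auto-key/proxy-id")
    return {"p1": {"encryption": members(ike + "/encryption"), "hash": members(ike + "/hash"),
                   "dh-group": members(ike + "/dh-group"),
                   "hours": int(root.findtext(ike + "/lifetime/hours") or 0)},
            "p2": {"encryption": members(esp + "/esp/encryption"),
                   "authentication": members(esp + "/esp/authentication"),
                   "dh-group": members(esp + "/dh-group")},
            # Assumption: a proxy-id without a <protocol> element means "any", i.e. the ASA's "ip".
            "proxy": {"local": ipaddress.ip_network(proxy.findtext("local")),
                      "remote": ipaddress.ip_network(proxy.findtext("remote")),
                      "proto": "ip" if proxy.find("protocol") is None else "restricted"}}


def check_tunnel(asa_text=ASA_CONFIG, pan_xml=PAN_XML):
    """Return the list of mismatches; an empty list means both sides can agree on every attribute."""
    asa, pan, problems = parse_asa(asa_text), parse_pan(pan_xml), []
    p1, acl = asa["p1"], asa["acl"]
    # Phase 1: the ASA policy has one value per attribute, and the PAN profile must offer each of them.
    wanted = {"encryption": ASA_TO_PAN.get(p1.get("encryption")), "hash": ASA_TO_PAN.get(p1.get("hash")),
              "dh-group": "group" + p1.get("group", "")}
    for key, value in wanted.items():
        if value not in pan["p1"][key]:
            problems.append(f"phase1 {key}: ASA {value!r} not in PAN {sorted(pan['p1'][key])}")
    if int(p1.get("lifetime", 0)) != pan["p1"]["hours"] * 3600:  # ASA counts seconds, PAN-OS hours
        problems.append(f"phase1 lifetime: ASA {p1.get('lifetime')} s vs PAN {pan['p1']['hours']} h")
    # Phase 2: the transform-set names one cipher and one HMAC; the ESP profile must list both.
    offered = {ASA_TO_PAN.get(t, t) for t in asa["p2"]["transforms"]}
    for key in ("encryption", "authentication"):
        if not offered & pan["p2"][key]:
            problems.append(f"phase2 {key}: ASA {sorted(offered)} vs PAN {sorted(pan['p2'][key])}")
    # PFS: an empty <dh-group> (or no-pfs) on PAN pairs only with a crypto map that has no 'set pfs'.
    if asa["p2"]["pfs"] != bool(pan["p2"]["dh-group"] - {"no-pfs"}):
        problems.append("phase2 pfs: enabled on one side only")
    # Proxy ID: the ACL is written from the ASA's view, so ACL source = PAN remote, ACL dest = PAN local.
    if acl is None:
        problems.append("proxy-id: crypto map references no access-list")
    elif (acl["src"], acl["dst"]) != (pan["proxy"]["remote"], pan["proxy"]["local"]):
        problems.append(f"proxy-id: ASA {acl['src']}->{acl['dst']} does not mirror PAN "
                        f"local {pan['proxy']['local']} / remote {pan['proxy']['remote']}")
    elif acl["proto"] != pan["proxy"]["proto"]:
        problems.append(f"proxy-id protocol: ASA ACL {acl['proto']!r} vs PAN {pan['proxy']['proto']!r}")
    return problems
```

Run check_tunnel() with the embedded samples and it returns an empty list; feed it an ASA policy with group 5, a crypto map with set pfs, or an access-list that permits only tcp, and the corresponding attribute is reported. The ACL-to-proxy-ID comparison is the one most often done by eye: the ASA ACL reads source then destination from the ASA's point of view, so its source must equal the Palo Alto remote and its destination the Palo Alto local, exactly as the page's values line up.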
