
Configuring IPSec Site-to-Site VPN on Palo Alto Networks hardware

image

This article continues the previous material on the features of configuring Palo Alto Networks equipment. Here we want to talk about setting up an IPSec Site-to-Site VPN on Palo Alto Networks equipment and about a possible configuration for connecting to several Internet providers.

For the demonstration, the standard scheme of connecting a head office to a branch will be used. To provide a fault-tolerant Internet connection, the head office is connected to two providers simultaneously: ISP-1 and ISP-2. The branch is connected to only one provider, ISP-3. Two tunnels are built between the PA-1 and PA-2 firewalls. The tunnels operate in Active-Standby mode: Tunnel-1 is active, and Tunnel-2 will begin to carry traffic if Tunnel-1 fails. Tunnel-1 uses the ISP-1 connection, Tunnel-2 the ISP-2 connection. All IP addresses are randomly generated for demonstration purposes and have no relation to real ones.

image
To build the Site-to-Site VPN, IPSec will be used: a set of protocols for protecting data transmitted over IP. IPSec will operate with the ESP (Encapsulating Security Payload) security protocol, which provides encryption of the transmitted data.

IPSec includes IKE (Internet Key Exchange), the protocol responsible for negotiating the security associations (SAs), that is, the security parameters used to protect the transmitted data. PAN firewalls support IKEv1 and IKEv2.

In IKEv1, a VPN connection is built in two phases: IKEv1 Phase 1 (the IKE tunnel) and IKEv1 Phase 2 (the IPSec tunnel). Two tunnels are thus created: one serves to exchange control information between the firewalls, the second carries the user traffic. IKEv1 Phase 1 has two modes of operation, main mode and aggressive mode. Aggressive mode uses fewer messages and is faster, but does not support peer identity protection.

IKEv2 has replaced IKEv1; compared to IKEv1, its main advantages are lower bandwidth requirements and faster SA negotiation. IKEv2 uses fewer control messages (4 in total), supports EAP and MOBIKE, and adds a mechanism for checking the reachability of the peer the tunnel is built with, Liveness Check, which replaces Dead Peer Detection in IKEv1. If the check fails, IKEv2 can tear down the tunnel and then automatically re-establish it as soon as possible. More details about the differences can be found here.

If a tunnel is built between firewalls from different vendors, there may be bugs in the IKEv2 implementation, and for compatibility with such equipment IKEv1 can be used. In other cases it is better to use IKEv2.

Setup steps:

• Setup of two Internet providers in Active/Standby mode

There are several ways to implement this. One of them is the Path Monitoring mechanism, available since PAN-OS 8.0.0; this example uses version 8.0.16. The feature is similar to IP SLA on Cisco routers. In the parameters of the static default route, ping packets are sent to a specific IP address from a specific source address. In this case, the ethernet1/1 interface pings the default gateway once a second. If there is no response to three pings in a row, the route is considered down and is removed from the routing table. The same route is configured towards the second Internet provider, but with a larger metric (it is the backup). As soon as the first route is removed from the table, the firewall starts sending traffic along the second route (Fail-Over). When the first provider starts responding to pings again, its route returns to the table and displaces the second one because of its better metric (Fail-Back). Fail-Over takes several seconds depending on the configured intervals; in any case the process is not instantaneous, and traffic is lost during that time. Fail-Back happens without traffic loss. Fail-Over can be made faster with BFD, if the Internet provider offers it. BFD is supported starting with the PA-3000 Series and VM-100 models. As the ping address, it is better to specify not the provider's gateway but a public, always reachable Internet address.

image
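The Fail-Over / Fail-Back behaviour described above, modelled as an added example (not code from the article or from PAN-OS): two monitored default routes with metrics 10 and 20, one probe per second, withdrawal after three consecutive lost pings. The next-hop addresses and metrics are constructed, and fail-back here happens on the first successful reply, as the text describes, with no preemptive hold timer.

```python
"""Model of PAN-OS style Path Monitoring on two static default routes.

Constructed example: the ISP-1 route (metric 10) is primary, ISP-2 (metric 20)
is the backup. A route is withdrawn after FAIL_THRESHOLD consecutive lost
pings and reinstalled as soon as its monitor gets a reply again.
"""
from dataclasses import dataclass

FAIL_THRESHOLD = 3  # consecutive lost pings before the route leaves the table


@dataclass
class MonitoredRoute:
    name: str
    next_hop: str      # constructed gateway address, not a real one
    metric: int
    failures: int = 0
    installed: bool = True

    def report_ping(self, replied: bool) -> None:
        """Feed one probe result; the article's monitor probes once a second."""
        if replied:
            self.failures = 0
            self.installed = True       # Fail-Back: route returns to the table
        else:
            self.failures += 1
            if self.failures >= FAIL_THRESHOLD:
                self.installed = False  # Fail-Over: route withdrawn


def best_route(routes):
    """Lowest-metric route that is still installed, or None if all are down."""
    live = [r for r in routes if r.installed]
    return min(live, key=lambda r: r.metric) if live else None


def run_timeline(probe_results):
    """probe_results: one (isp1_replied, isp2_replied) pair per second.

    Returns the route name carrying traffic after each second; None means
    every default route has been withdrawn (traffic is black-holed).
    """
    isp1 = MonitoredRoute("ISP-1", "198.51.100.1", metric=10)
    isp2 = MonitoredRoute("ISP-2", "203.0.113.1", metric=20)
    chosen = []
    for r1, r2 in probe_results:
        isp1.report_ping(r1)
        isp2.report_ping(r2)
        route = best_route([isp1, isp2])
        chosen.append(route.name if route else None)
    return chosen


if __name__ == "__main__":
    # ISP-1 stops answering for four seconds, then recovers.
    print(run_timeline([(True, True)] + [(False, True)] * 4 + [(True, True)]))
```

The two seconds during which ISP-1 is still selected while its pings are already failing are the traffic-loss window the text mentions.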

• Creating a tunnel interface

Traffic inside the tunnel is transmitted through special virtual interfaces. Each of them must be configured with an IP address from a transit network. In this example, 172.16.1.0/30 is used for Tunnel-1 and 172.16.2.0/30 for Tunnel-2.
The tunnel interface is created in the Network -> Interfaces -> Tunnel section. You must specify the virtual router and security zone, as well as an IP address from the corresponding transit network. The interface number can be anything.

image

image

In the Advanced section, you can specify a Management Profile that allows pinging this interface; this can be useful for testing.

image

• Configure IKE Profile

The IKE Crypto Profile is responsible for the first stage of creating a VPN connection; the parameters of the IKE Phase 1 tunnel are specified here. The profile is created in the Network -> Network Profiles -> IKE Crypto section. You must specify the encryption algorithm, the hashing algorithm, the Diffie-Hellman group and the key lifetime. In general, the more complex the algorithms, the lower the performance, so they must be selected on the basis of the specific security requirements. However, it is strongly recommended not to use a Diffie-Hellman group below 14 to protect important information. This is due to a weakness of the protocol that can be countered only by using moduli of 2048 bits and larger, or by the elliptic-curve algorithms used in groups 19, 20, 21 and 24. These algorithms have higher performance than traditional cryptography. Read more here and here.

image

• Configure IPSec Profile

The second stage of creating a VPN connection is the IPSec tunnel. Its SA parameters are configured in Network -> Network Profiles -> IPSec Crypto Profile. Here you need to specify the IPSec protocol, AH or ESP, as well as the SA parameters: hashing algorithms, encryption, Diffie-Hellman groups and key lifetime. The SA parameters in the IKE Crypto Profile and the IPSec Crypto Profile do not have to match.

image
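An added check (not the article's or PAN-OS code) for the Diffie-Hellman recommendation in the IKE Crypto Profile section, applied to both the IKE Crypto Profile and the IPSec Crypto Profile, which as noted need not match. The profile dictionaries and their field names are constructed to mirror the GUI fields; the group strengths come from RFC 3526, RFC 5114 and RFC 5903.

```python
"""Audit the Diffie-Hellman groups chosen in IKE / IPSec crypto profiles.

Constructed example. Profiles are plain dicts mirroring the GUI fields
(encryption, hash, dh_groups, lifetime); nothing here talks to a firewall.
"""

# DH group -> (kind, modulus or curve size in bits); RFC 3526/5114/5903 values.
DH_GROUPS = {
    1: ("modp", 768),
    2: ("modp", 1024),
    5: ("modp", 1536),
    14: ("modp", 2048),
    19: ("ecp", 256),
    20: ("ecp", 384),
    21: ("ecp", 521),
    24: ("modp", 2048),   # 2048-bit MODP with a 256-bit subgroup (RFC 5114)
}
MIN_MODP_BITS = 2048      # the article's threshold: nothing below group 14


def audit_dh_groups(profile_name, profile):
    """Return a list of findings; an empty list means the groups are acceptable."""
    findings = []
    groups = profile.get("dh_groups", [])
    if not groups:
        findings.append(f"{profile_name}: no DH group configured "
                        "(for an IPSec profile this means no PFS)")
    for g in groups:
        kind, bits = DH_GROUPS.get(g, ("unknown", 0))
        if kind == "unknown":
            findings.append(f"{profile_name}: DH group {g} is not recognised")
        elif kind == "modp" and bits < MIN_MODP_BITS:
            findings.append(f"{profile_name}: DH group {g} is only {bits}-bit "
                            "MODP; use group 14 or an ECP group (19/20/21)")
    return findings


def audit_vpn(ike_profile, ipsec_profile):
    """Audit both profiles of one tunnel; they may legitimately differ."""
    return (audit_dh_groups("IKE Crypto", ike_profile)
            + audit_dh_groups("IPSec Crypto", ipsec_profile))


if __name__ == "__main__":
    weak_ike = {"encryption": ["aes-256-cbc"], "hash": ["sha256"],
                "dh_groups": [2, 14], "lifetime_hours": 8}
    strong_ipsec = {"encryption": ["aes-256-gcm"], "dh_groups": [20],
                    "lifetime_hours": 1}
    for line in audit_vpn(weak_ike, strong_ipsec):
        print(line)
```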

• Configure IKE Gateway

IKE Gateway is an object that represents the router or firewall with which a VPN tunnel is built. A separate IKE Gateway is needed for each tunnel. In this case two tunnels are created, one through each ISP. The corresponding outgoing interface and its IP address, the IP address of the peer, and the pre-shared key are specified. Certificates can be used as an alternative to the pre-shared key.

image

The previously created IKE Crypto Profile is selected here. The settings of the second IKE Gateway object are the same, except for the IP addresses. If the Palo Alto Networks firewall is located behind a NAT router, the NAT Traversal mechanism must be enabled.

image

• Configure IPSec Tunnel

IPSec Tunnel is the object in which, as the name suggests, the IPSec tunnel parameters are specified. Here you need to specify the tunnel interface and the previously created IKE Gateway and IPSec Crypto Profile objects. To switch routing automatically to the backup tunnel, you need to enable Tunnel Monitor, the mechanism that checks whether the peer is alive using ICMP traffic. As the destination address, specify the IP address of the peer's tunnel interface at the other end of the tunnel. The profile defines the timers and the action taken when connectivity is lost: Wait Recover waits until the connection is restored, Fail Over sends traffic along another route, if there is one. The configuration of the second tunnel is exactly the same, with the second tunnel interface and IKE Gateway specified.

image

image

• Configure Routing

This example uses static routing. On the PA-1 firewall, in addition to the two default routes, you need to specify two routes to the 10.10.10.0/24 subnet in the branch office. One route uses Tunnel-1, the other Tunnel-2. The route through Tunnel-1 is the main one because it has the smaller metric. Path Monitoring is not used for these routes; Tunnel Monitor is responsible for switching.

image

The same routes for the 192.168.30.0/24 subnet need to be configured on the PA-2.

image

• Configure network rules

For the tunnel to work, three security policy rules are needed:

  1. For Path Monitor to work, enable ICMP on external interfaces.
  2. For IPSec, allow ike and ipsec applications on external interfaces.
  3. Allow traffic between internal subnets and tunnel interfaces.

image

Conclusion

This article describes a configuration option for a fault-tolerant Internet connection and a Site-to-Site VPN. We hope the information was useful and that the reader got an idea of the technologies used in Palo Alto Networks equipment. If you have questions about the configuration or suggestions for topics for future articles, write them in the comments; we will be happy to answer.

Source: https://habr.com/ru/post/448952/
