How to Configure IPSec VPN | Palo Alto Networks Live 3/25/15, 5:58 AM

How to Configure IPSec VPN Version 23

created by dtickoo on Mar 12, 2014 8:08 PM, last modified by panagent on Jan 7, 2015 4:22 PM

Details
This document describes the steps to configure IPSec VPN and assumes the Palo Alto Networks firewall has at
least two interfaces operating in Layer 3 mode.

Steps
1. Go to Network > Tunnel Interface to create a new tunnel interface and assign the following parameters:
Name: tunnel.1
Virtual router: (select the existing virtual router)
Zone: (select the layer 3 internal zone from which the traffic will originate)

Note: If the tunnel interface is in a zone that is different from the zone that the traffic will originate/depart,
then a policy will need to be created to allow the traffic to flow from the source zone to the zone containing
the tunnel interface.

2. Go to Network > Network Profiles > IKE Crypto Profile and define IKE Crypto (IKEv1 Phase-1) parameters.
These parameters should match on the remote firewall for the IKE Phase-1 negotiation to be successful.

https://live.paloaltonetworks.com/docs/DOC-6791 Page 1 of 7

3. Go to Network > Network Profiles > IKE Gateway to configure the IKE Phase-1 Gateway.
Note: The tunnel configured above terminates in the Trust zone for traffic traversing the tunnel. If more
granular control over the policy configuration for tunnel traffic is desired, use a VPN or other zone instead.
Also note that the gateway configuration below is applied to the Untrust interface; do not confuse it with
the tunnel, which terminates on a trusted interface.

4. Under Network > Network Profiles > IPSec Crypto Profile, define an IPSec Crypto profile to specify the
protocols and algorithms for identification, authentication, and encryption in VPN tunnels based on IPSec SA
negotiation (IKEv1 Phase-2). These parameters should match on the remote firewall for the IKE Phase-2
negotiation to be successful.

5. Under Network > IPSec Tunnel > General configure IPSec Tunnels to set up the parameters to establish
IPSec VPN tunnels between firewalls.

Note: If the other side of the tunnel is a third party VPN device configured as a policy-based VPN, then
enter the local proxy ID and remote proxy ID to match the other side.

When configuring a Proxy-ID on an IPSec Tunnel to identify the local and remote IP networks for traffic
that is NATed, the Proxy-ID must be configured with the post-NAT IP network information, since the
Proxy-ID defines the networks that will be allowed through the tunnel on both sides of the IPSec
configuration.

6. Under Network > Virtual Routers-Static Route add a new route for the network that is behind the other VPN
endpoint.

7. Commit the configuration.

Note: Palo Alto Networks supports only tunnel mode for IPSec VPN. Transport mode is not supported for
IPSec VPN.
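
Steps 2, 4 and 5 require the Phase-1 parameters, the Phase-2 parameters and the proxy IDs to agree with the remote peer. The following Python check is an added example, not part of the original document or any Palo Alto Networks tooling; it compares two peers' planned settings before commit. The field names and sample values are constructed for illustration and are not PAN-OS configuration keys.

```python
import ipaddress

# Constructed sample settings; field names are illustrative, not PAN-OS keys.
# Lifetimes are deliberately left out of the comparison in this example.
LOCAL = {
    "phase1": {"auth": "pre-shared-key", "encryption": "aes-256-cbc",
               "hash": "sha256", "dh_group": 14},
    "phase2": {"protocol": "esp", "encryption": "aes-256-cbc",
               "hash": "sha256", "dh_group": 14},
    # (local network, remote network). 10.1.0.0/16 is the pre-NAT network,
    # i.e. the proxy-ID mistake the NAT note in step 5 describes.
    "proxy_ids": [("10.1.0.0/16", "192.168.50.0/24")],
}
REMOTE = {
    "phase1": {"auth": "pre-shared-key", "encryption": "aes-256-cbc",
               "hash": "sha1", "dh_group": 14},
    "phase2": {"protocol": "esp", "encryption": "aes-256-cbc",
               "hash": "sha256", "dh_group": 14},
    # The peer expects the post-NAT network 172.16.1.0/24 as its remote side.
    "proxy_ids": [("192.168.50.0/24", "172.16.1.0/24")],
}

def param_mismatches(local, remote, phase):
    """Return (phase, field, local_value, remote_value) for each differing field."""
    a, b = local[phase], remote[phase]
    return [(phase, k, a.get(k), b.get(k))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)]

def _net(cidr):
    # Normalise so that 10.1.0.5/16 and 10.1.0.0/16 compare equal.
    return ipaddress.ip_network(cidr, strict=False)

def proxy_id_mismatches(local, remote):
    """Return proxy-ID pairs, in local orientation, that lack a mirrored pair on the peer."""
    mine = {(_net(l), _net(r)) for l, r in local["proxy_ids"]}
    theirs = {(_net(r), _net(l)) for l, r in remote["proxy_ids"]}  # mirror the peer
    return sorted((str(l), str(r)) for l, r in mine ^ theirs)

def check_tunnel(local, remote):
    """Collect every Phase-1, Phase-2 and proxy-ID disagreement."""
    issues = param_mismatches(local, remote, "phase1")
    issues += param_mismatches(local, remote, "phase2")
    issues += [("proxy-id", "pair", l, r) for l, r in proxy_id_mismatches(local, remote)]
    return issues

if __name__ == "__main__":
    for issue in check_tunnel(LOCAL, REMOTE):
        print("MISMATCH", issue)
```
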

See Also
Additional documentation for more complex VPN configurations:
How to Setup a Palo Alto Networks Firewall with Dual ISPs and Automatic VPN Failover
Selecting an IP Address to use for PBF or Tunnel Monitoring
Dead Peer Detection and Tunnel Monitoring

owner: dtickoo


1 Comment

ericgearhart Mar 24, 2014 10:20 AM


I would just add that I usually allocate a /30 for my tunnel interfaces, so that I can configure tunnel monitoring
on my firewalls.
