Route-Based VPN between PaloAlto & Strongswan

zloyBarsuk — Mon, 16 Jan 2023 15:36:34 GMT

Hi!

If anyone have some experience about this topic? I need a vpn between our PaloAlto and a virtual machine with strong swan installed. To route some traffic from our local network to this vpn tunnel. How to make this possible?

Re: Route-Based VPN between PaloAlto & Strongswan

kiwi — Tue, 17 Jan 2023 08:30:57 GMT

Hi @zloyBarsuk ,

No personal experience but there has been a previous discussion about this you might want to check into.

site-to-site-vpn-with-strongswan-opensource

Hope this helps,

-Kiwi.

Re: Route-Based VPN between PaloAlto & Strongswan

GeorgeJay — Tue, 23 Jan 2024 12:37:44 GMT

You need to follow several steps on both devices for setting up VPN. Here's a breakdown of the process:

On the Palo Alto firewall:

1. Create a VPN Tunnel:

Go to Network > VPN > Tunnels.
Click Add and configure your VPN tunnel settings:
Type: IPSec
Name: Choose a descriptive name for your tunnel.
Local Interface: Select the interface connected to your internal network.
Peer Address: Enter the IP address of your VPN gateway/virtual machine running StrongSwan.
Preshared Key: Define a shared secret for authentication.

2. Configure Phase 1 and Phase 2:

Go to Phase 1 and Phase 2 tabs within the tunnel configuration.
- Define the encryption algorithms, authentication methods, and other relevant security settings for both phases as per your desired security level.
- Ensure compatibility with the StrongSwan configuration on your VM.

3. Create Route Policy:

Go to Network > Route > Policies.
Click Add and create a route policy for your VPN tunnel:
Name: Assign a relevant name.
Source Zone: Select the internal zone(s) where traffic originates for the VPN route.
Destination Zone: Choose the "VPN" zone associated with your tunnel.

4. Create Route Tag:

Go to Network > Tags > Route Tags.
* Click Add and create a route tag for your specific traffic:
Name: Choose a descriptive name like.
Match Criteria: Define criteria to identify the desired traffic.

5. Apply Route Policy and Tag:

- Go back to the Route Policy you created.
- In the Tags tab, add the route tag you created earlier.
- This associates the specific traffic defined by the tag with the VPN tunnel route policy.

On the Virtual Machine with StrongSwan:

1. Install StrongSwan:

Ensure StrongSwan is installed and configured on your VM.

2. Configure StrongSwan:

- Edit your StrongSwan configuration files.
- Define settings for your connection to the Palo Alto firewall, including:
- Local/remote addresses.
- Phase 1 and Phase 2 parameters.
- Security algorithms and authentication methods.

3. Bring Up the Connection:

Use the `ipsec up` command or relevant StrongSwan tools to initiate the VPN connection to the Palo Alto firewall.

4. Verify Connectivity and Routing:

Test the VPN connection and validate that the desired traffic from your local network is routed through the tunnel to the VM.

Additional Notes:

* Consult the documentation for your specific Palo Alto firewall model and StrongSwan version for detailed configuration instructions and parameter options.
* Consider applying advanced features of PureVPN or ExpressVPN like split tunneling on the Palo Alto firewall to route only specific traffic through the VPN tunnel.
* Ensure proper firewall rules are in place on both devices to allow traffic flow.
* Test and verify the setup thoroughly before putting it into production.

By following these steps you should be able to establish a VPN tunnel between your Palo Alto firewall and the virtual machine.

topic Re: Route-Based VPN between PaloAlto & Strongswan in General Topics

Route-Based VPN between PaloAlto & Strongswan

Re: Route-Based VPN between PaloAlto & Strongswan

Re: Route-Based VPN between PaloAlto & Strongswan