topic How to create IPSec VPN tunnel between two Palo Alto 200 firewalls? in General Topics

How to create IPSec VPN tunnel between two Palo Alto 200 firewalls?

OMatlock — Mon, 28 Aug 2017 19:51:48 GMT

Hi folks,

I went and bought another used PA 200 from Ebay to go along with my existing one to test my first IPSec VPN connection.

Neither have a support or threat license at all and not registered.

PA 200 #1 has PANOS 7.0.5-H2 and PA 200 #2 has PANOS 7.1.9.

I am using PA administrator's guides and other material to create an IPSec Tunnel, but still RED for me so far.

I am using the same IKE crypto and IPSec Crypto settings (default and custom). Double checked Peer and local ip address. Tried with and without proxy ID, tried with and without NAT traversal, with and without Local/Peer identification (IP address), but still RED. Created respective Tunnel interfaces and included a static route for the remote subnet in each virtual router.

I created a separate respective VPN zone for each and security rule to allow any access both ways to my Trust-L3 zone. Do I need to set anything for Untrust-L3?

I am able to ping each others respective external IP from each firewall (static IPs assigned to me from ISP in the same subnet).

Posting this in case anyone sees something obvious that I may be missing?

Does the PANOS have to be the same or licensed?

Re: How to create IPSec VPN tunnel between two Palo Alto 200 firewalls?

TranceforLife — Mon, 28 Aug 2017 20:32:23 GMT

Hi,

1) Allow IKE, IPSec protocols to your untrust zone

2) For P1 Use word HAGLE:

H= Hashing

A= Authentication

G= Diffie-Hellman

L= Lifetime

E= Encryption

Make sure above parameters are matching between the peers.

3) The same applies for P2. Make sure to have identical parameters

4) No need Proxy-IDs between the Palo`s

4) No need NAT-T (unless your external ip is RFC1918 ip address)

5) When you complete the set up generate the traffic between the sites or use test vpn command

6) Follow the video:

https://www.youtube.com/watch?v=5xgYhXlnGUw

Re: How to create IPSec VPN tunnel between two Palo Alto 200 firewalls?

9t89m8fu — Tue, 29 Aug 2017 11:38:12 GMT

Lifetimes do not have to match; they will be negotiated between the peers. The IKEv1 RFCs state that peers should agree on the lower of the two proposals. IKEv2 SAs are inherently independent.

Re: How to create IPSec VPN tunnel between two Palo Alto 200 firewalls?

TranceforLife — Tue, 29 Aug 2017 11:40:18 GMT

Yes, correct. Was easier to write the message 😄 , but you are saying true

Re: How to create IPSec VPN tunnel between two Palo Alto 200 firewalls?

OMatlock — Wed, 30 Aug 2017 13:12:32 GMT

Thanks for the feedback. I've configured like the video, including security rules. Still stays red. I don't what I could be doing wrong, but obviously something. I will keep trying, seems fairly straight forward, just matching settings between two PA 200 firewalls. They are not licensed and different PAN OS, but will keep troubleshooting.

Thanks again!

Re: How to create IPSec VPN tunnel between two Palo Alto 200 firewalls?

TranceforLife — Wed, 30 Aug 2017 13:15:37 GMT

If you believe that all config is matching between the peers then VERY IMPORTANT to initiate the tunnel with "interesting traffic" or with the test vpn command.

Re: How to create IPSec VPN tunnel between two Palo Alto 200 firewalls?

OMatlock — Wed, 30 Aug 2017 15:21:33 GMT

Thank you! I will try that.

I am noticing that I am able to ping the external IP from one but not the other.

Maybe has something to do with the fact that my two external IPs are on the same subnet issued from my isp (comcast business). They are respective layer3 interfaces on the firewall, but certainly on the same (external) subnet. Using the same ip on respective default static routes for the gateway.

Still working on it.

Re: How to create IPSec VPN tunnel between two Palo Alto 200 firewalls?

OMatlock — Wed, 30 Aug 2017 15:35:22 GMT

I think my test is flawed since even though my ethernet/1 interfaces are public IPs, they are on the same subnet and not communicating with each other from those interfaces. I need to do something different I think. Maybe try a local true layer3 test first or something else to make this work with these two external IPs I have from ISP that are on same subnet.

I will redo and update/close as soon as I can.

Re: How to create IPSec VPN tunnel between two Palo Alto 200 firewalls?

TranceforLife — Wed, 30 Aug 2017 15:40:17 GMT

The same subnet should not be a problem, but if the interfaces cannot communicate within the same subnet then it is problem. Why do you think they cannot communicate?

Re: How to create IPSec VPN tunnel between two Palo Alto 200 firewalls?

OMatlock — Fri, 01 Sep 2017 12:39:41 GMT

I don't know why they can not communicate. If I take that cable from ethernet/1, plug into my laptop, configure same external IP and subnet mask only, it pings fine. But for some reason when I plug it back into the PA 200 on ethernet/1 it won't ping. Could it be because the interface (on both PA 200s) are configured as layer3 and expecting to route between them?

I tried a static route thinking that might help but did not. When I ping the other ip, it fails and can tell it is trying to ping it out of the management interface ip, which is totally wrong.

I will close this thread. I need to create a better test, thanks for responding so far.

Re: How to create IPSec VPN tunnel between two Palo Alto 200 firewalls?

OMatlock — Fri, 01 Sep 2017 12:52:07 GMT

It's weird, I can't ping out to anything from this one PA, even though I can NAT to the internet fine. Must be something wrong with my config. I will stop commenting soon and close this thread. Sorry for all the spam...

Re: How to create IPSec VPN tunnel between two Palo Alto 200 firewalls?

TranceforLife — Fri, 01 Sep 2017 12:57:57 GMT

Hi,

We don't use routing between the same subnet, and no it should not be a problem. We expect Palo to ARP for an ip address within the same subnet.

You need to take a PCAP from the Palo and check what is going on, check your apr table. Can you see MAC address of other Palo interface?

Re: How to create IPSec VPN tunnel between two Palo Alto 200 firewalls?

Raido_Rattameister — Fri, 01 Sep 2017 13:02:08 GMT

Are you pinging from inside Palo?

If you use command "ping host 8.8.8.8" then ping request goes out from mgmt interface.

Is your mgmt interface connected?

Assuming your public IP is 1.2.3.4 then command "ping source 1.2.3.4 host 8.8.8.8" will send requests out from external interface.

If you can ping then initiate command "test vpn ipsec-sa tunnel VPN" (replace VPN with name of the tunnel).

Log into other firewall and go to System log. Responding side will show you in log what is wrong with tunnel.

Paste error message here.

Re: How to create IPSec VPN tunnel between two Palo Alto 200 firewalls?

OMatlock — Fri, 01 Sep 2017 13:02:25 GMT

I finally got it working by assigning a default gateway to the management interface on the PA 200 that could not ping out at all, to anything. My management interface has an internal IP address and same network as my ethernet/2 trust interface. My other PA 200 already had a default gateway on its management interface, set up the same way, internal ip and network.

After assigning a default gateway to the management interface, everything working, ping, now including my IPsec tunnels!

I still trying to wrap my head around why this was necessary in this configuration. But working now.

I should do some network traces and try to study further. Thank you for hanging with me!

Re: How to create IPSec VPN tunnel between two Palo Alto 200 firewalls?

Raido_Rattameister — Fri, 01 Sep 2017 13:08:47 GMT

Mgmt interface ping is not required for vpn.

But unless you configure IPSec monitoring that sends pings over tunnel there is no interersting traffic.

Palo will not bring tunnel up if there is no interesting traffic.

Other option is to use test vpn command as mentioned earlier.

Re: How to create IPSec VPN tunnel between two Palo Alto 200 firewalls?

OMatlock — Fri, 01 Sep 2017 13:25:24 GMT

Thank you. Using the test vpn command for ike and ipsec tunnel, and everything is green now on both sides for IPsec and IKE!

However, I am not able to ping or communicate with the internal subnets on the other side, even though I've input static routes respectively.

Working on this now. 🙂

Re: How to create IPSec VPN tunnel between two Palo Alto 200 firewalls?

Raido_Rattameister — Fri, 01 Sep 2017 13:41:48 GMT

Check traffic log Monitor > Traffic.

Add Ingress/Egress interface columns and check if traffic is sent towards tunnel interface and is permitted.

Re: How to create IPSec VPN tunnel between two Palo Alto 200 firewalls?

OMatlock — Fri, 01 Sep 2017 14:07:15 GMT

Yep, looks like I did not have my security rule proper. I just changed my one rule to source and destination to include my IPSecVPN zone and Trust interfaces only. I removed reference to Untrust, which is consistent with how our IPSec tunnels are configured at my job, but not consistent with the youtube video referenced earlier.

I am still pondering how it works in my test and at work without a VPN zone permission to Untrust directly. I have the Trust zone permission to Untrust of course for my internet access. My tunnel interfaces that I static route to are members of my IPSecVPN zone, as recommended. I will have to post my configuration and accept solutions to end this thread.

Re: How to create IPSec VPN tunnel between two Palo Alto 200 firewalls?

Raido_Rattameister — Fri, 01 Sep 2017 14:16:55 GMT

It is bad-bad practice to place VPN into untrust zone. VPN has always have to have dedicated zone. I don't know why so many documentations suggest to place VPN into untrust zone.

Re: How to create IPSec VPN tunnel between two Palo Alto 200 firewalls?

OMatlock — Mon, 04 Sep 2017 13:38:42 GMT

Thanks folks for all the feedback. I now understand better and can see where I was confused a lot.

First, I did not understand that I was in the context of the management interface using SSH when I was unable to ping my public IP and needed a gateway entry there. Which is totally separate and unrelated to the IPSec tunnel being up or down. I needed to run the test vpn commands to generate the interesting traffic. You guys were trying to tell me that, and I was not getting it yet.

I am attaching my diagram for now and close this thread. I may come back and attach my firewall config.