topic Re: Setting up an IPSEC VPN? in General Topics

Setting up an IPSEC VPN?

networkadmin — Thu, 12 Aug 2010 19:44:01 GMT

We want to use our PA-500 (3.1.3) at our site to create a tunnel to a remote site which will have a McAfee/Secure Computing Sidewinder.

I've never used IPSEC VPN before so I guess I want to be clear on how I do this.

Our PA-500 is setup in a simple L3 deployment, so:

ethernet1/1 is "trust" private IP of 10.6.1.1/16

ethernet1/2 is "untrust" public IP of 193.35.x.x/24

and a single virtual router.

The remote sites LAN IP range will be 10.7.x.x/16 and for their public IP for testing will also be 193.35.x.x/24 as I'll be connecting the Sidewinder to the same switch/subnet as the PA-500's ethernet1/2 interface.

So at our main site everyone's default gateway is our main router, which routes 0.0.0.0 to 10.6.1.1.

What we want is for all traffic in the remote site to be tunnelled back here, and to go out through out PA-500 so their traffic is subject to the same policies as ours.

I appreciate the Sidewinder is outside the scope here so I'll have to work that out, but with regards to the PA-500 any pointers on a quick and simple config to achieve what I want?

Thanks in advance.

Re: Setting up an IPSEC VPN?

jnguyen — Fri, 13 Aug 2010 18:04:01 GMT

Please call into support to set up a trouble shooting session to go over basic vpn configuration.

Re: Setting up an IPSEC VPN?

jpa — Fri, 13 Aug 2010 18:38:20 GMT

Here is good document that provide step by step instructions on setting up IPSec VPN

https://live.paloaltonetworks.com/docs/DOC-1163

Re: Setting up an IPSEC VPN?

networkadmin — Mon, 16 Aug 2010 13:16:22 GMT

OK I got this working, all by the book apart from having to manually specify local/remote proxy addresses.

I've configured a tunnel and it works, however I've noticed that if I run iperf I get a higher throughput from a client behind the Sidewinder pushing to a server behind the Palo Alto, and a lower throughput with the server behind the Sidewinder and the client behind the Palo Alto.

I'm assuming this isn't normal and VPN throughput should be symmetrical given that for testing both firewalls external interfaces are connected to the same switch?

Re: Setting up an IPSEC VPN?

migration — Thu, 19 Aug 2010 02:40:37 GMT

I would begin by checking the policy and inspection order within the security policy on the PAN. Can you provide a latency number in both directions?

Re: Setting up an IPSEC VPN?

networkadmin — Thu, 19 Aug 2010 19:49:26 GMT

I haven't defined anything in my security policy, this is just a simple deployment as per the PDFs linked to above.

Latency, well both units are plugged into the same 100mbps switch for testing, so I'd hope it's not that.