How to Configure an IPSEC VPN with Route and Tunnel Configuration from CLI
Resolution
Overview
This document provides the CLI commands to create an IPSec VPN, including the tunnel and route configuration, on a Palo Alto Networks firewall. Before running the commands, ensure that the IKE and IPSec crypto profiles are configured on the firewall.
Note: For the commands listed in this document, it is recommended to use the same IKE and IPSec cryptos for the new IPSec tunnels.
Details
The following information is used as example data for the commands.
| Tunnel: | Tunnel.10 (zone = vpn) |
| Name of the tunnel: | NewYork VPN |
| Virtual Router: | Virtual Router 1 |
| IKE Crypto: | ike-crypto-profile IKE_Profile |
| IKE Gateway: | NewYork VPN |
| IPsec Crypto: | ipsec-crypto-profile IPsec_Profile |
| Peer IP address: | 100.100.100.1 |
| Subnet on the other side of the tunnel: | 192.168.3.0/24 |
The commands below should be executed in the order listed.
> configure
# set network interface tunnel units tunnel.10 ipv6 enabled no
# set network interface tunnel units tunnel.10 ipv6 interface-id EUI-64
# set network interface tunnel units tunnel.10 comment "NewYork VPN"
# set zone vpn network layer3 tunnel.10
# set network virtual-router "Virtual Router 1" interface [ ethernet1/1 ethernet1/2 ethernet1/3 ethernet1/4 tunnel.10 ]
# set network ike gateway NewYork VPN protocol ikev1 dpd enable no
# set network ike gateway NewYork VPN protocol ikev1 dpd interval 5
# set network ike gateway NewYork VPN protocol ikev1 dpd retry
# set network ike gateway NewYork VPN protocol ikev1 ike-crypto-profile IKE_Profile
# set network ike gateway NewYork VPN protocol ikev1 exchange-mode auto
# set network ike gateway NewYork VPN authentication pre-shared-key key paloalto
# set network ike gateway NewYork VPN protocol-common nat-traversal enable no
# set network ike gateway NewYork VPN protocol-common passive-mode no
# set network ike gateway NewYork VPN peer-address ip 100.100.100.1
# set network ike gateway NewYork VPN local-address interface ethernet1/1
# set network tunnel ipsec NewYork VPN auto-key ike-gateway NewYork VPN
# set network tunnel ipsec NewYork VPN auto-key ipsec-crypto-profile IPsec_Profile
# set network tunnel ipsec NewYork VPN tunnel-monitor enable no
# set network tunnel ipsec NewYork VPN anti-replay yes
# set network tunnel ipsec NewYork VPN copy-tos no
# set network tunnel ipsec NewYork VPN tunnel-interface tunnel.10
# set network virtual-router "Virtual Router 1" routing-table ip static-route Route_to_NewYork interface tunnel.10
# set network virtual-router "Virtual Router 1" routing-table ip static-route Route_to_NewYork metric 10
# set network virtual-router "Virtual Router 1" routing-table ip static-route Route_to_NewYork destination 192.168.3.0/24
Note: Since the cloning feature is not available through the web UI, the commands above can be used to clone IPSec tunnels on same firewall or copied to another Palo Alto Networks firewall.
To view existing configuration, run the show command with the appropriate options.
For example:
# show network ike
# show network tunnel ipsec
owner: kadak