01-13-2023 07:38 AM
Hello,
I am a novice administrator who has been tasked with getting our site-to-site VPN tunnels migrated from our legacy ASA to our new PA-850.
I believe I have the IKE gateways and IPSec tunnels configured properly.
Where I am stuck is how to set up "encryption domains" (the IP addresses that are allowed to communicate across the tunnel), and the phase 1 and phase 2 security.
01-13-2023 07:59 AM - edited 01-13-2023 08:00 AM
Hi @JimSlifko ,
Here is a great document that walks you through S2S VPNs. The "encryption domains" are the Proxy IDs. Proxy IDs are used for policy-based VPNs. They are not needed for route-based VPNs. (If you have a crypto map with an access-list, it is policy-based.)
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGkCAK
On the ASA, the phase 1 parameters are not tied to the tunnel. A good command to use to see the exact algorithms used is "show vpn-sessiondb detail l2l filter ipaddress <peer-ip>". If the tunnel is up, you will see the algorithms.
Thanks,
Tom
01-13-2023 08:02 AM - edited 01-13-2023 08:03 AM
IKE Gateway - Phase 1
IPSec Tunnel - Phase 2
It is essential that the crypto settings match at both ends for the tunnel to come up.
Palo doesn't care about encryption domains, as it uses route-based VPN.
Encryption domains can be configured in the IPSec tunnel config. It is called Proxy ID in Palo.
If you have a tunnel to a device that supports route-based VPN, then you can leave the Proxy IDs empty (Palo will send 0.0.0.0/0).
If the tunnel is between an ASA and a Palo, then the encryption domains you configure in the ASA need to be matched under Proxy ID in the Palo.
01-13-2023 08:25 AM - edited 01-13-2023 08:32 AM
The phase 1/2 security are set up in the IKE/IPSec Crypto profiles respectively. The encryption domains are under "Proxy ID" on the IPSec tunnel configuration (as well as any security policies you set up in the firewall). Here is the way I usually set up a new IPSec tunnel:
1) Create a new tunnel interface that you will use for the traffic on the firewall (Network->Interfaces->Tunnels) and assign it to a security zone (i.e. S2S_VPNs, vs. Trust or Untrust). If you are going to use gateway IPs on the tunnel then assign them here, though, as a tunnel is really like a point-to-point serial line, no IP is needed; you can just route the traffic to the interface itself.
2) Create an IKE Crypto profile (Network->Network Profiles->IKE Crypto) for the IPSec tunnel. This is all the phase 1 security settings. You can create a profile for each tunnel individually, or use a common security profile across multiple tunnels.
3) Create the IKE Gateway (Network->Network Profiles->IKE Gateways) for the phase 1 connection. This is where you specify the endpoint peers, IKE version, phase 1 security key, and under the "Advanced Options" tab select the IKE Crypto profile you just created.
4) Create an IPSec Crypto profile (Network->Network Profiles->IPSec Crypto) for the IPSec tunnel. This is all the phase 2 security settings. Like the IKE Crypto, you can create individual or common profiles.
5) Create the actual IPSec tunnel (Network->IPSec Tunnels). Here you will select the firewall tunnel interface the unencrypted traffic will appear on, select the IKE Gateway for initiating the tunnel, and assign the IPSec Crypto profile for encrypting traffic across the tunnel. Under the "Proxy IDs" tab you can set up IP domains for individually encrypting traffic streams if you want (though it's not necessary; all streams will be encrypted with a single IPSec key if not specified).
6) Add necessary routes to the IP routing table (Network->Virtual Routers->[table]) pointing destination network to the appropriate firewall tunnel interface/gateway IPs.
7) Add security rules to allow traffic to/from the security zone, source/destination IPs, and/or interfaces, depending on how your rules are set up (Policies->Security).
8) Bounce the tunnel (if the far side auto-initiates) or try sending traffic to the destination (if on demand) to bring the tunnel up. You can also manually initiate the phase 1 and 2 stages from the CLI:
PA> test vpn ike-sa gateway [IKE-gateway-name]
PA> test vpn ipsec-sa tunnel [IPSec-tunnel-name]
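The two replies above both stress that, against a policy-based ASA peer, each ASA crypto-map ACL entry must be mirrored as a Proxy ID on the PA, with the ASA's source becoming the PA's remote and the ASA's destination becoming the PA's local, or phase 2 will not negotiate. The following is an added example, not code from the thread or from Palo Alto Networks: it parses constructed sample ASA "access-list ... permit ip" lines, emits the (local, remote) Proxy ID pairs the PA side needs, and diffs them against what has been configured; the ACL name, addresses and the proxy_id_mismatches helper are all assumptions for illustration.

```python
import ipaddress

# Constructed sample ASA crypto-map ACL (hypothetical addresses, not from the thread).
ASA_CRYPTO_ACL = """
access-list VPN-ACL extended permit ip 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list VPN-ACL extended permit ip host 10.1.5.10 192.168.70.0 255.255.255.0
access-list VPN-ACL extended permit ip 10.2.0.0 255.255.0.0 any
"""


def _parse_addr(tok, i):
    """Parse one ASA address spec starting at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # "<network> <netmask>": ASA ACLs use ordinary subnet masks, not wildcard masks.
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def asa_acl_to_pa_proxy_ids(acl_text):
    """Translate each permit line into the (local, remote) Proxy ID the PA needs.

    The PA is the far end of the tunnel, so ASA source -> PA remote and
    ASA destination -> PA local. Deny lines never define a phase 2 selector.
    """
    proxy_ids = []
    for line in acl_text.strip().splitlines():
        tok = line.split()
        if "permit" not in tok:
            continue
        i = tok.index("permit") + 2  # skip "permit ip"
        asa_src, i = _parse_addr(tok, i)
        asa_dst, _ = _parse_addr(tok, i)
        proxy_ids.append((str(asa_dst), str(asa_src)))
    return proxy_ids


def proxy_id_mismatches(asa_expected, pa_configured):
    """Return (missing on PA, extra on PA); any entry in either list breaks phase 2."""
    expected, configured = set(asa_expected), set(pa_configured)
    return sorted(expected - configured), sorted(configured - expected)


if __name__ == "__main__":
    for local, remote in asa_acl_to_pa_proxy_ids(ASA_CRYPTO_ACL):
        print(f"Proxy ID  local={local:<18} remote={remote}")
```

Run it against the real crypto ACL ("show running-config access-list <name>" on the ASA) and the Proxy IDs you entered on the PA; an empty result from proxy_id_mismatches means the phase 2 selectors line up.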
01-13-2023 01:36 PM
Thanks for the help everyone!
My first tunnel is up.
But, I am unable to "talk" across it.
From a server on my end that is allowed across the tunnel, a traceroute dies at the Ethernet interface of the PA-850.