How to create IPSec VPN tunnel between two Palo Alto 200 firewalls?

L4 Transporter

Hi folks,

 

I went and bought another used PA 200 from eBay to go along with my existing one to test my first IPSec VPN connection.

Neither have a support or threat license at all and not registered.

PA 200 #1 has PANOS 7.0.5-H2 and PA 200 #2 has PANOS 7.1.9.

 

I am using PA administrator's guides and other material to create an IPSec Tunnel, but still RED for me so far.

I am using the same IKE crypto and IPSec Crypto settings (default and custom).  Double checked Peer and local ip address.  Tried with and without proxy ID, tried with and without NAT traversal, with and without Local/Peer identification (IP address), but still RED.  Created respective Tunnel interfaces and included a static route for the remote subnet in each virtual router.

 

I created a separate respective VPN zone for each and security rule to allow any access both ways to my Trust-L3 zone.  Do I need to set anything for Untrust-L3?

 

I am able to ping each others respective external IP from each firewall (static IPs assigned to me from ISP in the same subnet).

 

Posting this in case anyone sees something obvious that I may be missing?

Does the PANOS have to be the same or licensed?


L6 Presenter

Hi,

 

1) Allow IKE, IPSec protocols to your untrust zone 

2) For P1 use the word HAGLE:

 

H= Hashing

A= Authentication

G= Diffie-Hellman

L= Lifetime

E= Encryption

 

Make sure above parameters are matching between the peers.

 

3) The same applies for P2. Make sure to have identical parameters

4) No need for Proxy-IDs between the Palos

5) No need for NAT-T (unless your external IP is an RFC1918 address)

6) When you complete the setup, generate traffic between the sites or use the test vpn command

7) Follow the video:

 

https://www.youtube.com/watch?v=5xgYhXlnGUw

Lifetimes do not have to match; they will be negotiated between the peers. The IKEv1 RFCs state that peers should agree on the lower of the two proposals. IKEv2 SAs are inherently independent.
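As an added example (not from the thread or from Palo Alto Networks), the HAGLE checklist above and the lifetime caveat in this reply can be turned into a pre-flight comparison of the two peers' profiles. The `CryptoProfile` class and the parameter names are constructed stand-ins for PAN-OS IKE/IPsec crypto profiles, not the product's own data model; the RFC1918 test implements the NAT-T rule from the same checklist.

```python
import ipaddress
from dataclasses import dataclass

# Phase 1 (IKE) parameters that must match: the HAGLE list minus Lifetime.
PHASE1_MUST_MATCH = ("hash", "authentication", "dh_group", "encryption")
# Phase 2 (IPsec) parameters that must match (dh_group here is the PFS group).
PHASE2_MUST_MATCH = ("hash", "encryption", "dh_group")
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class CryptoProfile:
    """Constructed stand-in for a PAN-OS IKE or IPsec crypto profile."""
    hash: str
    encryption: str
    dh_group: str
    lifetime_seconds: int
    authentication: str = "pre-shared-key"  # only meaningful for phase 1

def find_mismatches(local, peer, fields):
    """Return the parameters that differ between the two peers.
    Lifetime is deliberately not in `fields`: IKE negotiates the lower
    of the two proposals instead of failing the tunnel."""
    return [f"{f}: local={getattr(local, f)} peer={getattr(peer, f)}"
            for f in fields if getattr(local, f) != getattr(peer, f)]

def negotiated_lifetime(local, peer):
    return min(local.lifetime_seconds, peer.lifetime_seconds)

def needs_nat_t(external_ip):
    """NAT traversal is only needed when the tunnel endpoint itself sits
    behind NAT, i.e. the external interface carries an RFC1918 address."""
    addr = ipaddress.ip_address(external_ip)
    return any(addr in net for net in RFC1918)

def precheck(local_p1, peer_p1, local_p2, peer_p2, local_ext_ip):
    """Run all comparisons and return a list of findings (empty-ish = good)."""
    findings = [f"P1 {m}" for m in find_mismatches(local_p1, peer_p1, PHASE1_MUST_MATCH)]
    findings += [f"P2 {m}" for m in find_mismatches(local_p2, peer_p2, PHASE2_MUST_MATCH)]
    if not findings:
        findings.append(f"P1 lifetime will negotiate to {negotiated_lifetime(local_p1, peer_p1)}s")
    if needs_nat_t(local_ext_ip):
        findings.append("external IP is RFC1918: enable NAT traversal")
    return findings

if __name__ == "__main__":
    # Constructed sample: peers agree except the peer's P1 hash is sha1.
    a1 = CryptoProfile("sha256", "aes-256-cbc", "group14", 28800)
    b1 = CryptoProfile("sha1", "aes-256-cbc", "group14", 8 * 3600)
    a2 = CryptoProfile("sha256", "aes-256-cbc", "group14", 3600)
    b2 = CryptoProfile("sha256", "aes-256-cbc", "group14", 3600)
    for line in precheck(a1, b1, a2, b2, "1.2.3.4"):
        print(line)
```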

Yes, correct. It was easier to write the message 😄, but what you are saying is true.

Thanks for the feedback.  I've configured like the video, including security rules.  Still stays red.  I don't know what I could be doing wrong, but obviously something.  I will keep trying; it seems fairly straightforward, just matching settings between two PA 200 firewalls.  They are not licensed and on different PAN OS versions, but I will keep troubleshooting.

 

Thanks again!

If you believe that all config is matching between the peers then VERY IMPORTANT to initiate the tunnel with "interesting traffic" or with the test vpn command. 

Thank you!  I will try that.

 

I am noticing that I am able to ping the external IP from one but not the other.

Maybe it has something to do with the fact that my two external IPs are on the same subnet issued from my ISP (Comcast Business).  They are respective layer3 interfaces on the firewall, but certainly on the same (external) subnet.  Using the same IP on the respective default static routes for the gateway.

 

Still working on it.

 

 

I think my test is flawed since even though my ethernet/1 interfaces are public IPs, they are on the same subnet and not communicating with each other from those interfaces.  I need to do something different I think.  Maybe try a local true layer3 test first or something else to make this work with these two external IPs I have from ISP that are on same subnet.

 

I will redo and update/close as soon as I can.

The same subnet should not be a problem, but if the interfaces cannot communicate within the same subnet then it is a problem. Why do you think they cannot communicate?

I don't know why they cannot communicate.  If I take that cable from ethernet/1, plug it into my laptop, and configure the same external IP and subnet mask only, it pings fine.  But for some reason when I plug it back into the PA 200 on ethernet/1 it won't ping.  Could it be because the interfaces (on both PA 200s) are configured as layer3 and expecting to route between them?

 

I tried a static route thinking that might help, but it did not.  When I ping the other IP, it fails, and I can tell it is trying to ping it out of the management interface IP, which is totally wrong.

 

I will close this thread.  I need to create a better test, thanks for responding so far.

It's weird, I can't ping out to anything from this one PA, even though I can NAT to the internet fine.  Must be something wrong with my config.  I will stop commenting soon and close this thread.  Sorry for all the spam...

Hi,

 

We don't use routing between the same subnet, and no it should not be a problem. We expect Palo to ARP for an ip address within the same subnet.

You need to take a PCAP from the Palo and check what is going on; check your ARP table. Can you see the MAC address of the other Palo's interface?

 

 

Are you pinging from inside Palo?

If you use command "ping host 8.8.8.8" then ping request goes out from mgmt interface.

Is your mgmt interface connected?

Assuming your public IP is 1.2.3.4 then command "ping source 1.2.3.4 host 8.8.8.8" will send requests out from external interface.

 

If you can ping then initiate command "test vpn ipsec-sa tunnel VPN" (replace VPN with name of the tunnel).

Log into the other firewall and go to the System log. The responding side will show you in the log what is wrong with the tunnel.

Paste error message here.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

I finally got it working by assigning a default gateway to the management interface on the PA 200 that could not ping out at all, to anything.  My management interface has an internal IP address and same network as my ethernet/2 trust interface.  My other PA 200 already had a default gateway on its management interface, set up the same way, internal ip and network.

 

After assigning a default gateway to the management interface, everything is working: ping, and now my IPsec tunnels too!

 

I'm still trying to wrap my head around why this was necessary in this configuration.  But it is working now.

 

I should do some network traces and try to study further.  Thank you for hanging with me!

Mgmt interface ping is not required for vpn.

But unless you configure IPSec monitoring that sends pings over the tunnel, there is no interesting traffic.

Palo will not bring tunnel up if there is no interesting traffic.

Other option is to use test vpn command as mentioned earlier.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011