Route-Based VPN between PaloAlto & Strongswan

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Route-Based VPN between PaloAlto & Strongswan

L0 Member

Hi! 

If anyone have some experience about this topic? I need a vpn between our PaloAlto and a virtual machine with strong swan installed. To route some traffic from our local network to this vpn tunnel. How to make this possible?

2 REPLIES 2

Community Team Member

Hi @zloyBarsuk ,

 

No personal experience but there has been a previous discussion about this you might want to check into.

 

site-to-site-vpn-with-strongswan-opensource 

 

Hope this helps,

-Kiwi.

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

L0 Member

You need to follow several steps on both devices for setting up VPN. Here's a breakdown of the process:

On the Palo Alto firewall:

1. Create a VPN Tunnel:

Go to Network > VPN > Tunnels.
Click Add and configure your VPN tunnel settings:
Type: IPSec
Name: Choose a descriptive name for your tunnel.
Local Interface: Select the interface connected to your internal network.
Peer Address: Enter the IP address of your VPN gateway/virtual machine running StrongSwan.
Preshared Key: Define a shared secret for authentication.

2. Configure Phase 1 and Phase 2:

Go to Phase 1 and Phase 2 tabs within the tunnel configuration.
- Define the encryption algorithms, authentication methods, and other relevant security settings for both phases as per your desired security level.
- Ensure compatibility with the StrongSwan configuration on your VM.

3. Create Route Policy:

Go to Network > Route > Policies.
Click Add and create a route policy for your VPN tunnel:
Name: Assign a relevant name.
Source Zone: Select the internal zone(s) where traffic originates for the VPN route.
Destination Zone: Choose the "VPN" zone associated with your tunnel.

4. Create Route Tag:

Go to Network > Tags > Route Tags.
* Click Add and create a route tag for your specific traffic:
Name: Choose a descriptive name like.
Match Criteria: Define criteria to identify the desired traffic.

5. Apply Route Policy and Tag:

- Go back to the Route Policy you created.
- In the Tags tab, add the route tag you created earlier.
- This associates the specific traffic defined by the tag with the VPN tunnel route policy.

On the Virtual Machine with StrongSwan:

1. Install StrongSwan:

Ensure StrongSwan is installed and configured on your VM.

2. Configure StrongSwan:

- Edit your StrongSwan configuration files.
- Define settings for your connection to the Palo Alto firewall, including:
- Local/remote addresses.
- Phase 1 and Phase 2 parameters.
- Security algorithms and authentication methods.

3. Bring Up the Connection:

Use the `ipsec up` command or relevant StrongSwan tools to initiate the VPN connection to the Palo Alto firewall.

4. Verify Connectivity and Routing:

Test the VPN connection and validate that the desired traffic from your local network is routed through the tunnel to the VM.

Additional Notes:

* Consult the documentation for your specific Palo Alto firewall model and StrongSwan version for detailed configuration instructions and parameter options.
* Consider applying advanced features of PureVPN or ExpressVPN like split tunneling on the Palo Alto firewall to route only specific traffic through the VPN tunnel.
* Ensure proper firewall rules are in place on both devices to allow traffic flow.
* Test and verify the setup thoroughly before putting it into production.

By following these steps you should be able to establish a VPN tunnel between your Palo Alto firewall and the virtual machine.

  • 1214 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!