Setting up an IPSEC VPN?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Setting up an IPSEC VPN?

L4 Transporter

We want to use our PA-500 (3.1.3) at our site to create a tunnel to a remote site which will have a McAfee/Secure Computing Sidewinder.

I've never used IPSEC VPN before so I guess I want to be clear on how I do this.

Our PA-500 is setup in a simple L3 deployment, so:

ethernet1/1 is "trust" private IP of 10.6.1.1/16

ethernet1/2 is "untrust" public IP of 193.35.x.x/24

and a single virtual router.

The remote sites LAN IP range will be 10.7.x.x/16 and for their public IP for testing will also be 193.35.x.x/24 as I'll be connecting the Sidewinder to the same switch/subnet as the PA-500's ethernet1/2 interface.

So at our main site everyone's default gateway is our main router, which routes 0.0.0.0 to 10.6.1.1.

What we want is for all traffic in the remote site to be tunnelled back here, and to go out through out PA-500 so their traffic is subject to the same policies as ours.

I appreciate the Sidewinder is outside the scope here so I'll have to work that out, but with regards to the PA-500 any pointers on a quick and simple config to achieve what I want?

Thanks in advance.

5 REPLIES 5

L3 Networker

Please call into support to set up a trouble shooting session to go over basic vpn configuration.

L4 Transporter

Here is good document that provide step by step instructions on setting up IPSec VPN

https://live.paloaltonetworks.com/docs/DOC-1163

L4 Transporter

OK I got this working, all by the book apart from having to manually specify local/remote proxy addresses.

I've configured a tunnel and it works, however I've noticed that if I run iperf I get a higher throughput from a client behind the Sidewinder pushing to a server behind the Palo Alto, and a lower throughput with the server behind the Sidewinder and the client behind the Palo Alto.

I'm assuming this isn't normal and VPN throughput should be symmetrical given that for testing both firewalls external interfaces are connected to the same switch?

I would begin by checking the policy and inspection order within the security policy on the PAN.  Can you provide a latency number in both directions?

I haven't defined anything in my security policy, this is just a simple deployment as per the PDFs linked to above.

Latency, well both units are plugged into the same 100mbps switch for testing, so I'd hope it's not that.

  • 3493 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!