09-07-2011 10:01 AM
I need to setup a VPN tunnel with a Cisco device which we don't control or have any access to.
The intention is that I can allow a group of IP addresses on our LAN to have access to resources on the other side of the tunnel.
These are the settings that I've been given by the people who own/control the other side of the tunnel:
Phase 1
ISAKMP Identification: IP Address
ISKAMP Pre Share Key: <TBC via Phone or Secure Email do not include on this form>
ISKAMP Lifetime: 86400 seconds
ISKAMP Encryption: AES256
ISKAMP Authentication: Pre share key
ISKAMP Hash: SHA
DH Group: 2
NAT-T: Enabled
IKE Negotiation Mode: Main
Phase 2
IPSEC ESP Authentication: SHA
IPSEC ESP Encryption: AES256
IPSEC SA Lifetime Kbytes: 4608000
IPSEC SA Lifetime Hrs: 8
Perfect Forward Secrecy: Yes
Mode: Tunnel
Connection Type: Bidirectional
I'm pretty new to VPN tunnels. Is there anything I need to know when trying to set this up on the PAN?
My understanding is that ideally I would create a new zone called "CustomerX" and put the tunnel.x interface that I create into that zone so that I have to have a rule to allow any traffic to flow between our "trust" zone and the far side?
Any info would be really appreciated and any questions or things I haven't mentioned, just ask.
Thanks.
09-07-2011 10:49 PM
The trick to getting this to work with Cisco is that access list on Cisco would equate to proxy-id settings on PAN device. Basically for each local and remote side subnets that are configured on Cisco, you would need to have an associated proxy-id on PAN in order to complete phase2 negotiation. Below article is an example.
https://live.paloaltonetworks.com/docs/DOC-1328
Otherwise, remember that PAN uses route-based VPNs. So you would also need to set up route to Cisco side subnets with next hop as your associated tunnel interface.
-Richard
09-08-2011 11:29 AM
Brilliant thanks Richard. I would be grateful for any specific tips on any options in the PAN GUI that are unusual/specific to getting a tunnel up and running with the settings I listed.
Thanks.
09-09-2011 06:45 AM
Hi,
Your config should be fine.
You can use "test vpn" command to bring up the VPN tunnel for testing, and you can always find reasons why the IPSec tunnel is not up from monitor -> system log
01-31-2012 04:52 PM
What would these routes look like? I can ping from the remote side with a cisco pix into my network but I am not able to ping from the paloalto side to the remote network.
01-31-2012 11:21 PM
Route would basically be same as regular static route, but you only need to specify the interface. No nexthop is needed since tunnel interface is essentially a point-to-point link.
Example:
set network virtual-router default routing-table ip static-route vpn1 destination 10.1.1.0/24 interface tunnel.1
-Richard
02-01-2012 11:23 AM
Here is what is listed as the route. If I drop this the pings break from the remote > to local network. Remote network is 192.168.254.0/24 and the local is 10.0.0.0/8. I still can't ping from local > remote network. Below is the Proxy Ids that I think are correct. Any ideas? I added several routes to the pix and none helped.
02-01-2012 03:45 PM
That part's good, and equates to Cisco's "interesting traffic" crypto-map brain-deadness.
Now you need to do the same in your Virtual Router config. Set up a static route to 192.168 land via interface tunnel.1 (or whatever). Don't put a next hop IP in, just the interface. Then you should be all set.
02-01-2012 03:58 PM
I have that route in and that is were we are getting the route. I think the problem is the pix 501 version of code. I was testing our other 501 on our Cisco concentrator andit has the same ping issue. The ASA on the concentrator does not so I am going to be up a pix with a later version of code like the ASA and see how it behaves.
02-01-2012 04:09 PM
Hm, the static route and proxy should do it. Your tunnels do show up as "Up" in the IPSec Tunnels list, right?
As far as I'm concerned, 501s and even 5505s are programmed in PFM. I've seen them work after a reboot, with no changes, way too much for my taste. No thanks.
02-01-2012 04:13 PM
Yes the tunnel is up and working.
I hear you about some of the Pix code.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
