IPSec Tunnel Creation


Brief Description

This skillet takes input variables and configures an IPSec tunnel and its IKE gateway.


Target Audience

This skillet is designed for use by SEs, partners, customers, CEs, and anyone who needs to configure an IPSec tunnel quickly.


Skillet Details

Authoring Group: This skillet was designed by the DataCenter CE Group

Documentation: https://github.com/ceskillets/DCV-IPSec-Tunnel-Creation/blob/master/README.md

Github Location: https://github.com/ceskillets/DCV-IPSec-Tunnel-Creation

Github Branches: master

PAN-OS Supported: PAN-OS 7.1 through PAN-OS 9.0

Cloud Provider(s) Supported: Any provider; the skillet is not cloud-specific

Type of Skillet: XML configuration

Collections: IPSEC, Configure

Purpose: Any type of IPSec tunnel configuration


Detail Description

This skillet takes input variables and configures an IPSec tunnel and IKE gateway. It is meant to be an easy, repeatable IPSec tunnel setup for SE POCs and for customer environments where hundreds of tunnels need to be configured, and it can be used for on-prem tunnels, site-to-site tunnels, and cloud environments. It is also extensible: it can be paired with other skillets that configure dynamic routing if dynamic tunnel routing is preferred over static routing.


Limitations

This skillet configures IPv4 routes and gateways only; it would need to be adapted to support IPv6.

It configures static tunnel routes; dynamic routing can be added with a dynamic routing skillet. Authentication uses a pre-shared key only, and if Proxy IDs are required they must be added after the skillet is deployed. The tunnel interface is created "unnumbered", meaning it has no IP address; if the tunnel interface needs an address, for example to enable tunnel monitoring, that must be added after the skillet is deployed.


User Entered Variables

The skillet supports the following variables, each of which has a default value that fits the most common tunnel configurations:

ike_gateway_name: Name for the IKE gateway

ike_version: One of IKEv1, IKEv2, or IKEv2-Preferred (chosen from a list)

local_interface: IKE interface on the local firewall

local_interface_address: Address of the IKE interface on the local firewall

peer_address: IKE peer address

preshared_key: Pre-shared key, entered in plaintext

remote_network_tunnel_route: Destination network (CIDR) routed into the IPSec tunnel

tunnel_interface: The tunnel interface (tunnel.<number>)

tunnel_interface_zone: Zone applied to the tunnel interface (must already exist)

tunnel_route_name: Name for the route-based tunnel's static route

virtual_router_name: Name of the virtual router (must already exist)

vsys: Vsys ID

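The following is an added example and is not the skillet's own code. It checks a set of user-entered variables against the limitations stated above (IPv4 only, pre-shared-key authentication, static route, unnumbered tunnel interface) before anything is pushed to a firewall, and renders the equivalent PAN-OS CLI set-commands so you can see what one tunnel's configuration amounts to. Assumptions: the set-command syntax is written from general familiarity with the PAN-OS "set network ..." command tree and the IPsec tunnel object name "<gateway>-ipsec" is my own convention; the sample variable values are constructed with documentation addresses. Check the commands against the CLI reference for your PAN-OS release before use; the skillet's actual XML is not reproduced here.

```python
# Added example, not the skillet's code. Validates the skillet's input variables
# against the page's stated limitations and renders assumed PAN-OS set-commands.
import ipaddress
import re

ALLOWED_IKE_VERSIONS = ("ikev1", "ikev2", "ikev2-preferred")
TUNNEL_IF_RE = re.compile(r"^tunnel\.\d{1,4}$")   # e.g. tunnel.1
MIN_PSK_LEN = 20   # policy choice for this example, not a PAN-OS requirement

REQUIRED = (
    "ike_gateway_name", "ike_version", "local_interface", "local_interface_address",
    "peer_address", "preshared_key", "remote_network_tunnel_route", "tunnel_interface",
    "tunnel_interface_zone", "tunnel_route_name", "virtual_router_name", "vsys",
)

SAMPLE_VARS = {   # constructed sample input (documentation addresses only)
    "ike_gateway_name": "branch1-gw",
    "ike_version": "IKEv2",
    "local_interface": "ethernet1/1",
    "local_interface_address": "203.0.113.10/24",
    "peer_address": "198.51.100.7",
    "preshared_key": "Correct-Horse-Battery-Staple-42",
    "remote_network_tunnel_route": "10.20.0.0/16",
    "tunnel_interface": "tunnel.1",
    "tunnel_interface_zone": "vpn",
    "tunnel_route_name": "to-branch1",
    "virtual_router_name": "default",
    "vsys": "vsys1",
}


def _ipv4_only(kind, value, errors):
    """Parse value as an IPv4 address/interface/network; record an error otherwise."""
    parse = {"address": ipaddress.ip_address,
             "interface": ipaddress.ip_interface,                    # a.b.c.d/prefix
             "network": lambda s: ipaddress.ip_network(s, strict=True)}[kind]
    try:
        obj = parse(value)
    except ValueError:
        errors.append(f"{value!r}: not a valid {kind}")
        return
    if obj.version != 4:                       # the skillet is IPv4-only (Limitations)
        errors.append(f"{value!r}: skillet is IPv4-only")


def validate_tunnel_vars(v):
    """Return a list of problems with the variable dict; an empty list means OK."""
    errors = [f"{k}: missing" for k in REQUIRED if not str(v.get(k, "")).strip()]
    if errors:
        return errors
    if v["ike_version"].lower() not in ALLOWED_IKE_VERSIONS:
        errors.append(f"ike_version: must be one of {ALLOWED_IKE_VERSIONS}")
    _ipv4_only("interface", v["local_interface_address"], errors)
    _ipv4_only("address", v["peer_address"], errors)
    _ipv4_only("network", v["remote_network_tunnel_route"], errors)   # host bits must be zero
    if not TUNNEL_IF_RE.match(v["tunnel_interface"]):
        errors.append("tunnel_interface: expected tunnel.<number>")
    psk = v["preshared_key"]   # entered in plaintext, so at least insist it is not weak
    if len(psk) < MIN_PSK_LEN:
        errors.append(f"preshared_key: shorter than {MIN_PSK_LEN} characters")
    classes = sum(1 for test in (str.islower, str.isupper, str.isdigit,
                                 lambda c: not c.isalnum())
                  if any(test(c) for c in psk))
    if classes < 3:
        errors.append("preshared_key: use at least three character classes")
    return errors


def render_set_commands(v):
    """Render one tunnel as PAN-OS set-commands (ASSUMED syntax, see lead-in).
    The tunnel interface gets no IP address, matching the skillet's unnumbered design."""
    errors = validate_tunnel_vars(v)
    if errors:
        raise ValueError("; ".join(errors))
    gw, tun, vr, vsys = (v["ike_gateway_name"], v["tunnel_interface"],
                         v["virtual_router_name"], v["vsys"])
    ipsec = f"{gw}-ipsec"   # assumed naming convention for the IPsec tunnel object
    return [
        f"set network interface tunnel units {tun}",                       # unnumbered
        f"set vsys {vsys} import network interface {tun}",
        f"set vsys {vsys} zone {v['tunnel_interface_zone']} network layer3 {tun}",
        f"set network virtual-router {vr} interface {tun}",
        f"set network ike gateway {gw} protocol version {v['ike_version'].lower()}",
        f"set network ike gateway {gw} local-address interface {v['local_interface']} "
        f"ip {v['local_interface_address']}",
        f"set network ike gateway {gw} peer-address ip {v['peer_address']}",
        f"set network ike gateway {gw} authentication pre-shared-key key {v['preshared_key']}",
        f"set network tunnel ipsec {ipsec} auto-key ike-gateway {gw}",
        f"set network tunnel ipsec {ipsec} tunnel-interface {tun}",
        f"set network virtual-router {vr} routing-table ip static-route "
        f"{v['tunnel_route_name']} destination {v['remote_network_tunnel_route']} interface {tun}",
    ]


if __name__ == "__main__":
    for line in render_set_commands(SAMPLE_VARS):
        print(line)
```

Because the pre-shared key is a plaintext input, the rendered command list contains it in clear; treat that output (and any saved copy of the filled-in web form) as a secret. The zone and virtual router are referenced rather than created, which matches the page's requirement that both already exist.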

Additional IPSec and IKE Information

Set Up an IPSec Tunnel

How To Configure IPSec VPN

Comments
L2 Linker

@scotchoaf Hello there,

I am trying to use this skillet for testing purposes on PAN-OS 9.0.5. After entering the information I receive the following error:

[attached screenshot of the error message]

I see that it creates the tunnel interface and attaches it to the untrust interface; however, it stops there. Do I have to create the IKE Gateway, IKE crypto and IPSec crypto? How can I troubleshoot this?

Thanks in advance.

L4 Transporter

Can you share what your input web form values were? I just ran with the following on 9.0.5 with no issues. I'm seeing if there's a way to replicate the issue and whether it's a skillet problem or something conflicting in the config.

[attached screenshot of the web form values used]


L4 Transporter

Also curious what platform and interface used.

L1 Bithead

You can troubleshoot this by looking at the skillet to see what it's updating. Does your existing virtual router happen to have a routing policy where BFD is enabled?