Prisma SD-WAN Standard VPN

Prisma SD-WAN ION devices can communicate with other Prisma SD-WAN devices through Prisma SD-WAN Secure Fabric Links or communicate with standard VPN endpoints through traditional IPsec or GRE tunnels. Similar to all other paths, a standard VPN is monitored for application reachability and best path selection. Traffic on a standard VPN is subject to QoS policies.
A standard VPN can be of type IPsec or GRE.
A standard VPN has two endpoints—one endpoint is on the Prisma SD-WAN ION device and the other endpoint is on the remote peer. You can configure a combination of IPsec and GRE tunnels from an interface on the ION device to a standard VPN endpoint. However, there cannot be two tunnels of the same type to the same endpoint from the same interface.
When you connect a Prisma SD-WAN branch with a non-Prisma SD-WAN branch through a private WAN and you select direct private WAN as a viable route, traffic flows seamlessly between these sites without any additional configuration. When using an internet WAN, you can manually configure an IPsec or GRE tunnel to enable direct traffic flow between Prisma SD-WAN branch sites and non-Prisma SD-WAN sites. For streamlined autoconfiguration of IPsec or GRE tunnels, explore the options provided by CloudBlade. For more details, refer to CloudBlade Integrations.

Create an IPsec Profile

To create and configure an IPsec VPN connection between a branch device and a cloud security service endpoint, you must configure both endpoints with the same crypto settings. Since crypto settings required to connect to the cloud security service are likely to be the same across all ION devices, an IPsec profile can be configured once and reused across all ION devices.
Before you configure the IPsec profile on Prisma SD-WAN, make sure you have the IPsec protocols and authentication details required to connect to the cloud security service endpoint, or consult your cloud security service provider’s documentation for the relevant details.
  1. Select Manage > Resources > Configuration Profiles and then select IPsec.
  2. To add a new IPsec profile, click Add IPsec Profile.
    If there are previously created IPsec profiles, they are displayed here.
  3. On the Info screen, enter a name for the IPsec profile and (optional) enter a description and tags.
  4. Click Next and proceed to define the IKE Group.
    1. For the Key Exchange field, select IKEv1 or IKEv2.
    2. Enter a lifetime for the IKE Group from the Lifetime drop-down if required.
      The default lifetime of an IKE Group is 24 hours. The tunnel has to be re-established after the lifetime expires.
    3. Enter the port number of the communication port in the Port field.
      The default port is 500. The port number configured in the IKE Group has to be the same as the port number configured in the standard VPN endpoint IKE Group.
    4. Select the mode of operation from the Mode drop-down.
      The mode for IKEv1 can be Main or Aggressive. Choose Aggressive mode if the source interface or endpoint is behind NAT or there are multiple tunnels to the same remote endpoint.
      The mode for IKEv2 is ReAuth. If selected, a new tunnel has to be re-negotiated when the lifetime is reached.
    5. On the Proposals screen, select a DH Group, Encryption, and Hash.
      Proposals is a list of crypto parameters used to secure the IKE and ESP sessions between the ION device and the endpoint.
      The set of parameters selected on the Proposals screen has to be identical to the set of parameters selected for the standard VPN endpoint. You can add a proposal by clicking Add Proposal. Up to 8 proposals can be added. While establishing the IPsec tunnel, the system checks for a proposal match with the standard VPN endpoint.
    6. Select whether Dead Peer Detection (DPD) is to be enabled from the DPD tab.
      If enabled, enter the DPD delay and DPD timeout in seconds for IKEv1. If DPD fails within the configured timeout period, a new tunnel is attempted. For IKEv2, there is no DPD timeout; instead, a series of 5 retransmissions is used.
  5. Click Next and proceed to define the ESP Group.
    1. Enter a lifetime for the ESP Group from the Lifetime drop-down if required.
      The default lifetime of an ESP Group is 24 hours.
    2. Choose the type of encapsulation from the Encapsulation drop-down.
      You can choose Auto or Force UDP. The type of encapsulation selected has to match the encapsulation configured at the standard VPN endpoint.
    3. Configure parameters in the Proposal tab, and then click Next.
  6. On the Authentication screen, select the authentication type as either PSK or Certificates from the Type drop-down.
    • For PSK authentication:
      1. Enter a secret in the Secret field. This field is mandatory.
      2. For the Local ID Type, choose between Interface IP Address, Hostname, or Custom.
      3. Enter an optional ID for the standard VPN endpoint in the Remote ID field.
    • For Certificate authentication:
      1. For the Certificate field, upload the certificate by clicking Import File.
      2. Similarly, upload a CA certificate in the Local CA Certificate field and a private key file in the Private Key field.
      3. (Optional) Upload the standard VPN endpoint CA certificate in the Remote CA Certificate field.
  7. Click Next to proceed to the Summary screen.
  8. Review the parameters selected and click Save and Exit.
    All new customer tenants should have the default IPsec profiles allocated, which match the best practices of some of our cloud partners. These default profiles can be copied and modified to meet the needs of specific standard VPN services. If these default profiles are not present on your tenant, open a support case to have them allocated.
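The procedure above is a matching exercise: the profile on the ION device only brings a tunnel up if the standard VPN endpoint is configured with the same IKE port, a matching proposal, the same ESP encapsulation and the same authentication material. The following added example (not Prisma SD-WAN code or its API) is a pre-flight checker that encodes those rules as stated on this page. The dataclass field names, the string values such as "Group 14" or "AES-256", and the sample profiles are assumptions constructed for the example; they mirror the wizard's fields, not a real export format.

```python
"""Pre-flight compatibility check between a Prisma SD-WAN IPsec profile and
the crypto settings of the standard VPN endpoint it must match.

Added example, not Prisma SD-WAN code: the dataclasses mirror the fields of the
IPsec profile wizard (IKE Group, ESP Group, Authentication), and the rules are
the ones the page states: IKE ports must be equal, proposals must match, ESP
encapsulation must match, at most 8 proposals, IKEv1 uses a DPD timeout while
IKEv2 does not, and a PSK secret is mandatory.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proposal:
    """One IKE or ESP proposal: DH group, encryption and hash algorithm."""
    dh_group: str
    encryption: str
    hash: str


@dataclass
class IkeGroup:
    key_exchange: str                      # "IKEv1" or "IKEv2"
    proposals: tuple
    lifetime_hours: int = 24               # page default
    port: int = 500                        # page default
    mode: Optional[str] = None             # Main/Aggressive (IKEv1) or ReAuth (IKEv2)
    dpd_enabled: bool = False
    dpd_delay: Optional[int] = None        # seconds
    dpd_timeout: Optional[int] = None      # seconds, IKEv1 only


@dataclass
class EspGroup:
    proposals: tuple
    lifetime_hours: int = 24
    encapsulation: str = "Auto"            # "Auto" or "Force UDP"


@dataclass
class IpsecProfile:
    name: str
    ike: IkeGroup
    esp: EspGroup
    auth_type: str                         # "PSK" or "Certificates"
    psk_secret: Optional[str] = None


MAX_PROPOSALS = 8
IKEV1_MODES = {"Main", "Aggressive"}


def validate_profile(p: IpsecProfile) -> list:
    """Return the problems with a single profile (empty list means valid)."""
    problems = []
    if len(p.ike.proposals) > MAX_PROPOSALS or len(p.esp.proposals) > MAX_PROPOSALS:
        problems.append(f"{p.name}: more than {MAX_PROPOSALS} proposals")
    if not p.ike.proposals or not p.esp.proposals:
        problems.append(f"{p.name}: IKE and ESP groups each need at least one proposal")
    if p.ike.key_exchange == "IKEv1" and p.ike.mode not in IKEV1_MODES:
        problems.append(f"{p.name}: IKEv1 mode must be Main or Aggressive")
    if p.ike.key_exchange == "IKEv2" and p.ike.dpd_timeout is not None:
        problems.append(f"{p.name}: IKEv2 has no DPD timeout (5 retransmissions are used)")
    if p.ike.key_exchange == "IKEv1" and p.ike.dpd_enabled and p.ike.dpd_timeout is None:
        problems.append(f"{p.name}: IKEv1 DPD needs a timeout in seconds")
    if p.auth_type == "PSK" and not p.psk_secret:
        problems.append(f"{p.name}: PSK secret is mandatory")
    return problems


def check_peer_compatibility(local: IpsecProfile, peer: IpsecProfile) -> list:
    """Compare the ION profile with the endpoint's settings; empty list = compatible."""
    findings = validate_profile(local) + validate_profile(peer)
    if local.ike.key_exchange != peer.ike.key_exchange:
        findings.append("key exchange version differs")
    if local.ike.port != peer.ike.port:
        findings.append(f"IKE port differs: {local.ike.port} vs {peer.ike.port}")
    # Negotiation needs at least one shared proposal; the page asks for identical
    # sets, so any asymmetry is reported too.
    if not set(local.ike.proposals) & set(peer.ike.proposals):
        findings.append("no common IKE proposal")
    elif set(local.ike.proposals) != set(peer.ike.proposals):
        findings.append("IKE proposal sets are not identical")
    if not set(local.esp.proposals) & set(peer.esp.proposals):
        findings.append("no common ESP proposal")
    if local.esp.encapsulation != peer.esp.encapsulation:
        findings.append("ESP encapsulation differs")
    if local.auth_type != peer.auth_type:
        findings.append("authentication type differs")
    if local.auth_type == "PSK" and local.psk_secret != peer.psk_secret:
        findings.append("pre-shared keys differ")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    p = Proposal(dh_group="Group 14", encryption="AES-256", hash="SHA-256")
    ion = IpsecProfile("ion-branch",
                       IkeGroup("IKEv2", (p,), mode="ReAuth", dpd_enabled=True, dpd_delay=30),
                       EspGroup((p,), encapsulation="Force UDP"), "PSK", "constructed-psk")
    peer = IpsecProfile("endpoint", IkeGroup("IKEv2", (p,), port=4500),
                        EspGroup((p,), encapsulation="Auto"), "PSK", "constructed-psk")
    for finding in check_peer_compatibility(ion, peer) or ["compatible"]:
        print(finding)
```

Run against the two constructed profiles, the checker reports the IKE port and the ESP encapsulation mismatch, which are exactly the two settings the wizard text says must be equal on both sides; a clean run returns an empty list.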

Configure Generic Routing Encapsulation (GRE) Tunnels

Prisma SD-WAN supports Generic Routing Encapsulation (GRE) tunnels from branch or data center sites to standard VPN endpoints to integrate with cloud security services. Because GRE provides no confidentiality or integrity protection, as a best practice we strongly recommend applying a Zone Based Firewall Policy to any traffic that uses GRE over an insecure transport such as the Internet. You should also consider implementing Source Network Address Translation (NAT) for any traffic going through a GRE tunnel to obscure the internal IP addressing scheme. Exposure of the internal addressing scheme together with unencrypted data over GRE can significantly increase the attack surface at a site.
  1. Select Workflows > Devices > Claimed Devices.
  2. From the ellipsis menu, select Configure the device.
  3. Select Interfaces and click the + add icon to create a new interface as Standard VPN.
  4. On the Configure Interface: New Standard VPN screen, set up the Main Configuration for the new interface.
    1. For Admin Up, select Yes.
      GRE tunnels are stateless by design: the GRE tunnel is established when the standard VPN interface is created and the parent interface is up.
      When Keep-Alive is disabled, the standard VPN interface immediately enters the Up state when:
      • The standard VPN interface is created.
      • The parent interface is up.
      • Admin Up is set to Yes.
      The standard VPN interface may later be moved to the Down state due to the failure of a liveliness probe, if one or more were configured on the standard VPN endpoint associated with this interface. We strongly recommend enabling GRE Keep-Alive or configuring a liveliness probe on the standard VPN endpoint so that a failure can be detected and traffic is not black-holed.
    2. (Optional) Enter a Name, Description, and Tags.
    3. Select GRE as the Standard VPN Type.
      The Interface Type must display as Standard VPN.
    4. Select a Parent Interface to establish the GRE tunnel.
      For a branch ION device, any of the following ports can be used as a parent interface:
      • Internet L3 Port
      • Private WAN L3 Port
      • Virtual Interface (private and public)
      • PPPoE interface
      • Bypass Pair - Internet and Private WAN ports
      • Sub-Interfaces - Internet and Private WAN ports
      For a data center ION device, any of the following ports can be used as a parent interface:
      • Any Connect to Internet port
      • Any Connect to Peer Network port
      The following interfaces, which don’t have an IP address, can’t be used as a parent interface:
      • A Private Layer 2 port of a bypass pair
      • A Loopback interface
    5. Toggle Scope to Local or Global.
    6. For VRF, select Global or any other custom VRF listed. VRF Global is enabled only when the associated device supports VRF.
      Currently, VRF supports LAN.
    7. Enter an Inner Tunnel IP Address or Mask.
      The address is the address of the innermost envelope's payload. When the standard VPN peer receives the IP packet from the tunnel interface, the outer IP header and GRE header are removed. The packet is then routed based on the Inner Tunnel IP Address.
    8. (Optional) Enter values for Checksum and Keep Alive.
      The default value for Keep-Alive Interval is 10 seconds, which means that a Keep-Alive is sent every 10 seconds. The default value for Keep-Alive Retry Count is 3, which means that the device tries sending a Keep-Alive three times before declaring the interface down.
      • If you configure Keep-Alive on the ION device, the standard VPN peer device must be capable of replying to the Keep-Alive. If the ION device does not receive a response from the peer device within the configured Keep-Alive Retry Count, the interface is marked as down.
      • Devices that act as remote service endpoints don't support Prisma SD-WAN GRE Keep-Alives. In such cases, you may need to use service endpoint liveliness probes.
      • If Prisma SD-WAN Data Center devices do not support service endpoint configuration, liveliness probes cannot be configured, and multiple remotes and remote selection cannot be used.
      • If NAT is performed between the local and remote endpoints of the GRE tunnel, it may disrupt the use of GRE Keep-Alives.
      • If Checksum is configured on the ION device, the standard VPN peer device must also respond with a checksum in its GRE header. If the standard VPN peer device doesn’t support Checksum, the packet is dropped as a Frame Error.
    9. Select a Standard VPN Endpoint from the Endpoint field.
      The GRE tunnel can only be created if the standard VPN interface has an endpoint or Peer IP configured. The Peer IP must be available either through the endpoint or the Peer IP field.
      An endpoint must be configured when the ION device is being used at a branch site. This enables the endpoint to be used in path policies to direct traffic. Endpoints can, but aren’t required to, specify IP addresses or host names of the possible peer device(s).
      The Peer IP overrides any IP addresses provided by the endpoint. If the ION device is being used at a Data Center site, the Peer IP has to be provided.
    10. Click Create Standard VPN.
