Use Predefined IPSec Templates to Onboard Service and Remote Network Connections

GlobalProtect cloud service includes predefined IPSec templates for common third-party IPSec and SD-WAN devices. These profiles expedite and simplify the onboarding of service connections and remote network connections that use one of these devices to terminate the connection.
Sharing a common template also allows you to Onboard Multiple Remote Network Connections of the Same Type with shared crypto profiles, pre-shared keys, and peer identifiers.

Template Names and Types

GlobalProtect cloud service provides you with the following predefined templates that you can use to set up IPSec tunnels between your on-premise device and GlobalProtect cloud service:
  • IPSec Tunnels (Network > IPSec Tunnels) under Remote_Network_Template and Service_Conn_Template.
  • IKE Gateways (Network > Network Profiles > IKE Gateways) under Remote_Network_Template and Service_Conn_Template.
  • IPSec Crypto Profiles (Network > Network Profiles > IPSec Crypto) under Remote_Network_Template and Service_Conn_Template.
  • IKE Crypto Profiles (Network > Network Profiles > IKE Crypto) under Remote_Network_Template and Service_Conn_Template.
Currently, templates for the following vendors are available. In addition to these vendor templates, a Generic template is provided that you can use with any on-premise device that is not listed here.
  • Cisco appliances:
    • Cisco Integrated Services Routers (ISRs)
    • Cisco Adaptive Security Appliances (ASAs)
  • Citrix
  • CloudGenix
  • Riverbed
  • Silver Peak
Use the following workflows to onboard service connections or remote network connections using the predefined IPSec templates.

Onboard a Service Connection or Remote Network Connection Using Predefined Templates

To onboard a service connection or remote network connection using the templates provided by GlobalProtect cloud service, complete the following task.
  1. In Panorama, perform the following configuration so that the templates display in Panorama.
    When you upgrade the Cloud Services plugin, the new templates do not automatically display. Complete this step once after upgrading to have the templates permanently display. New installations perform this initial configuration as part of their first-time setup, so this extra step is not required for them.
    You can also complete this step if you delete these templates and need to retrieve them.
    • For service connections, select Panorama > Cloud Services > Configuration > Service Setup, click the gear icon in the Settings area to open the Settings, then click OK.
    • For remote network connections, select Panorama > Cloud Services > Configuration > Remote Networks, click the gear icon in the Settings area to open the Settings, then click OK.
  2. Select Network, then select the correct Template (either Remote_Network_Template if you are creating a remote network connection or Service_Conn_Template if you are creating a service connection).
  3. Determine the type of device that is used to terminate the service connection or remote network connection, and find a template to use with that device.
    If your SD-WAN or IPSec device is not on the list, use the generic profiles.
  4. Select Network > Network Profiles > IKE Gateways and make the following changes to the IKE gateway profile for your device:
    You can use the IPSec crypto and IKE crypto profiles with no changes; however, you must make specific changes to the IKE gateway profile to match the network settings.
    • (Optional) If you know the public IP address of the on-premise device that will be used to set up the IPSec tunnel with GlobalProtect cloud service, set a static IP address by specifying a Peer IP Address Type of IP and enter the Peer Address for the IPSec tunnel.
    • If using a pre-shared key for the IPSec tunnel, specify a Pre-shared Key.
    • Specify a Peer Identification of either IP Address or User FQDN.
      Be sure that you match the settings you specify here when you configure the device used to terminate the other side of the IPSec tunnel.
    (Figure: generic-template-ike-gateway-specs.png)
  5. Onboard the connection (Create a Service Connection, or create the remote network connection), specifying the IPSec tunnel configuration that matches the device on the other side of the IPSec tunnel.
  6. (Optional) If you need to add a backup tunnel (Secondary WAN) for a service connection or remote connection, perform the following additional configuration steps.
    1. Create a new IKE Gateway for the backup tunnel, copying the settings from the predefined template you want to duplicate.
      The following example creates a backup tunnel configuration for generic networking devices.
      (Figure: generic-template-ike-gateway-backup.png)
    2. Under Advanced Options, specify the IKE Crypto Profile for the predefined template you want to use.
      (Figure: generic-template-ike-gateway-crypto-default.png)
    3. Create a new IPSec Tunnel, specifying the new IKE gateway you created, but copying all the other settings from the default template.
      (Figure: generic-template-ike-gateway-backup-ipsec-tunnel.png)
    4. When you onboard the service connection or remote network connection, Enable Secondary WAN and specify the tunnel you created for the backup WAN.
      (Figure: generic-template-remote-network-backup-wan.png)
  7. Complete the configuration of the service connection or remote network connection by matching the cryptos, pre-shared key, and Peer identifiers on the device that is used to terminate the other side of the IPSec tunnel.
  8. (Optional) If you need to onboard multiple remote network connections that use the same types of networking devices, Export the configuration of the remote network, edit the settings, then Import that configuration.

Onboard Multiple Remote Network Connections of the Same Type

To streamline the process to Configure the GlobalProtect Cloud Service for Remote Networks, you can onboard a single remote network connection that uses a networking device that is common to your network deployment, then Export those settings to a Comma Separated Value (CSV) text file. The CSV file includes the values of IPSec tunnel and IKE gateway settings for the network you selected for export. After you export the common configuration settings, you can edit these settings and make them unique for each new remote network you want to onboard, retain the settings that are common to each device, then Import that configuration.
For more information, including a description of all editable fields in the CSV table, see Onboard Remote Networks with Configuration Import.
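The export, edit, import loop described above copies one tunnel's settings to many sites. The script below is an added example; it is not code from the GlobalProtect cloud service documentation or from the Cloud Services plugin. The CSV column names it uses are an assumption (the real field list is on the Onboard Remote Networks with Configuration Import page), and the exported row and the site list are constructed. It keeps the crypto profiles common, makes the name, peer address and peer ID unique per site, and generates a separate pre-shared key for each site instead of reusing the template's, so that one branch's key being exposed does not expose every other branch's tunnel.

```python
import csv
import io
import secrets

# Constructed sample of a one-row export. Column names are an assumption for
# this example; the key column is shown redacted because whether the real
# export carries the key in the clear is not stated on this page.
EXPORTED_CSV = """\
name,peer_address,peer_id_type,peer_id,pre_shared_key,ike_crypto_profile,ipsec_crypto_profile
branch-01,198.51.100.10,ip-address,198.51.100.10,<redacted>,Generic-IKE-Crypto,Generic-IPSec-Crypto
"""

# Per-site values that must differ; every column not listed here is copied
# unchanged from the template row. Addresses are documentation ranges.
NEW_SITES = [
    {"name": "branch-02", "peer_address": "198.51.100.20"},
    {"name": "branch-03", "peer_address": "203.0.113.5"},
]


def read_template(text):
    """Parse the export and require exactly one row to clone from."""
    rows = list(csv.DictReader(io.StringIO(text)))
    if len(rows) != 1:
        raise ValueError("export exactly one remote network to use as the template")
    return rows[0]


def new_psk(nbytes=32):
    """Fresh random pre-shared key (43 URL-safe characters for 32 bytes)."""
    return secrets.token_urlsafe(nbytes)


def clone_rows(template, sites, psk_factory=new_psk):
    """Build one import row per site from the template row.

    Names and peer addresses are checked for uniqueness across the template
    and all new sites, because a duplicate would either collide on import or
    leave two remote networks pointing at the same IKE peer.
    """
    seen_names = {template["name"]}
    seen_peers = {template["peer_address"]}
    out = []
    for site in sites:
        if site["name"] in seen_names:
            raise ValueError(f"duplicate remote network name {site['name']}")
        if site["peer_address"] in seen_peers:
            raise ValueError(f"duplicate peer address {site['peer_address']}")
        seen_names.add(site["name"])
        seen_peers.add(site["peer_address"])
        row = dict(template)
        row.update(site)
        # When the peer identifies itself by IP address, the peer ID must
        # follow the new address or IKE authentication fails on ID mismatch.
        if row["peer_id_type"] == "ip-address":
            row["peer_id"] = row["peer_address"]
        row["pre_shared_key"] = psk_factory()
        out.append(row)
    return out


def to_csv(rows):
    """Serialise rows in the template's column order, ready for import."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()),
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    rows = clone_rows(read_template(EXPORTED_CSV), NEW_SITES)
    print(to_csv(rows))
```

Each generated key still has to be delivered to the matching on-premise device out of band; the script only guarantees that the keys differ per site and that the peer ID tracks the peer address.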

Supported IKE and IPSec Cryptographic Profiles for Common SD-WAN Devices

This section provides you with the supported cryptographic profiles for many common SD-WAN devices. If you are configuring an SD-WAN device, use these profiles as a guideline as to what you can configure for the remote network in GlobalProtect cloud service.

Supported IKE and IPSec Cryptographic Profiles for Viptela SD-WAN Devices

The following table documents the IKE/IPSec crypto settings that are supported with the GlobalProtect cloud service and Viptela SD-WAN devices.
A check mark indicates that the profile or architecture type is supported; a dash (—) indicates that it is not supported. Default and Recommended settings are noted in the table.
Crypto Profiles                              | GlobalProtect Cloud Service | Viptela SD-WAN
---------------------------------------------|-----------------------------|----------------
Tunnel Type                                  |                             |
  IPSec Tunnel                               | ✓                           | ✓
  GRE Tunnel                                 | —                           | ✓
Routing                                      |                             |
  Static Routes                              | ✓                           | ✓
  Dynamic Routing (BGP)                      | ✓                           | —
  Dynamic Routing (OSPF)                     | —                           | —
IKE Versions                                 |                             |
  IKE v1                                     | ✓                           | ✓
  IKE v2                                     | ✓                           | ✓
IPSec Phase 1 DH-Group                       |                             |
  Group 1                                    | ✓                           | —
  Group 2                                    | ✓ (Default)                 | ✓
  Group 5                                    | ✓                           | —
  Group 14                                   | ✓                           | ✓
  Group 15                                   | —                           | ✓
  Group 16                                   | —                           | ✓ (Default)
  Group 19                                   | ✓                           | —
  Group 20                                   | ✓ (Recommended)             | —
IPSec Phase 1 Auth                           |                             |
  MD5                                        | ✓                           | —
  SHA1                                       | ✓ (Default)                 | ✓
  SHA256                                     | ✓                           | —
  SHA384                                     | ✓                           | —
  SHA512                                     | ✓ (Recommended)             | —
IPSec Phase 1 Encryption                     |                             |
  DES                                        | ✓                           | —
  3DES                                       | ✓ (Default)                 | —
  AES-128-CBC                                | ✓ (Default)                 | ✓
  AES-192-CBC                                | ✓                           | —
  AES-256-CBC                                | ✓ (Recommended)             | ✓ (Default)
IPSec Phase 1 Key Lifetime                   |                             |
  Default                                    | ✓ (8 Hours)                 | ✓ (4 Hours)
IPSec Phase 1 Peer Authentication            |                             |
  Pre-Shared Key                             | ✓                           | ✓
  Certificate                                | ✓                           | —
IKE Peer Identification                      |                             |
  FQDN                                       | ✓                           | ✓
  IP Address                                 | ✓                           | ✓ (Default)
  User FQDN                                  | ✓                           | ✓
IKE Peer                                     |                             |
  As Static Peer                             | ✓                           | ✓
  As Dynamic Peer                            | ✓                           | —
Options                                      |                             |
  NAT Traversal                              | ✓                           | ✓
  Passive Mode                               | ✓                           | —
Ability to Negotiate Tunnel                  |                             |
  Per Subnet Pair                            | ✓                           | —
  Per Pair of Hosts                          | ✓                           | —
  Per Gateway Pair                           | ✓                           | ✓
IPSec Phase 2 DH-Group                       |                             |
  Group 1                                    | ✓                           | —
  Group 2                                    | ✓ (Default)                 | ✓ (Default)
  Group 5                                    | ✓                           | —
  Group 14                                   | ✓                           | —
  Group 15                                   | —                           | ✓
  Group 16                                   | —                           | ✓ (Default)
  Group 19                                   | ✓                           | —
  Group 20                                   | ✓ (Recommended)             | —
  No PFS                                     | ✓                           | ✓
IPSec Phase 2 Auth                           |                             |
  MD5                                        | ✓                           | —
  SHA1                                       | ✓ (Default)                 | ✓ (Default)
  SHA256                                     | ✓                           | —
  SHA384                                     | ✓                           | —
  SHA512                                     | ✓ (Recommended)             | —
  None                                       | ✓                           | —
IPSec Phase 2 Encryption                     |                             |
  DES                                        | ✓                           | —
  3DES                                       | ✓ (Default)                 | —
  AES-128-CBC                                | ✓ (Default)                 | —
  AES-192-CBC                                | ✓                           | —
  AES-256-CBC                                | ✓                           | ✓
  AES-128-CCM                                | ✓                           | —
  AES-128-GCM                                | ✓                           | —
  AES-256-GCM                                | ✓ (Recommended)             | ✓ (Default)
  NULL                                       | ✓                           | ✓
IPSec Protocol                               |                             |
  ESP                                        | ✓                           | ✓
  AH                                         | ✓                           | —
IPSec Phase 2 Key Lifetime                   |                             |
  Default                                    | ✓ (1 Hour)                  | ✓ (1 Hour)
Tunnel Monitoring Fallback                   |                             |
  Dead Peer Detection (DPD)                  | ✓                           | ✓
  ICMP                                       | —                           | —
  Bidirectional Forwarding Detection (BFD)   | —                           | —
SD-WAN Architecture Type                     |                             |
  With Regional Hub/Gateway/Data Center      | NA                          | ✓
  No Regional Hub/Gateway/Data Center        | NA                          | ✓
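Steps 4 and 7 of the onboarding procedure above both say to match the cryptos on the two ends, and the table shows why that is not automatic: the Phase 1 defaults on the two sides (3DES/AES-128-CBC, SHA1, Group 2, 8 hours on the GlobalProtect cloud service side; AES-256-CBC, SHA1, Group 16, 4 hours on the Viptela side) share no encryption algorithm and no DH group. The script below is an added example, not code from the GlobalProtect cloud service documentation, from Palo Alto Networks or from Viptela. The proposal sets are constructed from table rows marked as supported on both sides; the preference orders and the list of algorithms treated as weak are this example's own choices. It intersects the two sides' proposals the way the IKE negotiation does, reports which category has no overlap, and warns when the only common choice is a weak one.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Proposal:
    """What one side is willing to negotiate for a phase (IKE or IPsec)."""
    encryption: frozenset
    integrity: frozenset
    dh_groups: frozenset
    lifetime_seconds: int


# Strongest first; used to pick one algorithm when both sides offer several.
ENC_PREF = ("AES-256-GCM", "AES-256-CBC", "AES-192-CBC", "AES-128-GCM",
            "AES-128-CBC", "3DES", "DES", "NULL")
INT_PREF = ("SHA512", "SHA384", "SHA256", "SHA1", "MD5")
DH_PREF = ("group20", "group19", "group16", "group15", "group14",
           "group5", "group2", "group1")

# Choices to push back on even when both ends accept them (this example's list).
WEAK = {"DES", "3DES", "NULL", "MD5", "SHA1", "group1", "group2", "group5"}


def pick(pref, common):
    """Return the first algorithm in preference order that both sides offer."""
    for alg in pref:
        if alg in common:
            return alg
    return None


def negotiate(local, peer):
    """Intersect two proposals category by category.

    Returns (chosen, problems). chosen is None when any category has no
    overlap, which is the condition under which a real IKE negotiation fails
    with NO_PROPOSAL_CHOSEN. problems lists every missing overlap and every
    weak algorithm that was selected, so a successful result can still
    carry warnings.
    """
    problems = []
    chosen = {}
    for name, pref, ours, theirs in (
        ("encryption", ENC_PREF, local.encryption, peer.encryption),
        ("integrity", INT_PREF, local.integrity, peer.integrity),
        ("dh_group", DH_PREF, local.dh_groups, peer.dh_groups),
    ):
        alg = pick(pref, ours & theirs)
        if alg is None:
            problems.append(
                f"no common {name}: local={sorted(ours)} peer={sorted(theirs)}")
            continue
        chosen[name] = alg
        if alg in WEAK:
            problems.append(f"{name} {alg} is weak; prefer {pref[0]}")
    if len(chosen) < 3:
        return None, problems
    # Lifetimes do not have to match: the side with the shorter value
    # rekeys first. Report the effective one.
    chosen["lifetime_seconds"] = min(local.lifetime_seconds,
                                     peer.lifetime_seconds)
    return chosen, problems


# Phase 1 defaults as the table lists them (constructed from the table).
GPCS_DEFAULT = Proposal(frozenset({"3DES", "AES-128-CBC"}), frozenset({"SHA1"}),
                        frozenset({"group2"}), 8 * 3600)
VIPTELA_DEFAULT = Proposal(frozenset({"AES-256-CBC"}), frozenset({"SHA1"}),
                           frozenset({"group16"}), 4 * 3600)

# Both ends changed to values the table marks as supported on both sides.
GPCS_TUNED = Proposal(frozenset({"AES-256-CBC"}), frozenset({"SHA1"}),
                      frozenset({"group14"}), 8 * 3600)
VIPTELA_TUNED = Proposal(frozenset({"AES-256-CBC"}), frozenset({"SHA1"}),
                         frozenset({"group14"}), 4 * 3600)


if __name__ == "__main__":
    for label, ours, theirs in (("defaults", GPCS_DEFAULT, VIPTELA_DEFAULT),
                                ("tuned", GPCS_TUNED, VIPTELA_TUNED)):
        chosen, problems = negotiate(ours, theirs)
        print(f"{label}: {chosen}")
        for problem in problems:
            print(f"  ! {problem}")
```

The tuned pair negotiates, but still carries a warning: the table lists SHA1 as the only Phase 1 authentication both sides support, so the integrity choice cannot be raised to the recommended SHA512 without a change on the Viptela side. The same function works for Phase 2 by passing the IPSec crypto sets, with an empty dh_groups set on both sides standing in for the No PFS row.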

Related Documentation