1. Home
    2. PAN-OS
    3. PAN-OS® Administrator’s Guide
    4. VPNs
    5. Set Up an IPSec Tunnel
    Previous
    Next
    The IPSec tunnel configuration allows you to authenticate and/or encrypt the data (IP packet) as it traverses across the tunnel.
    If you are setting up the Palo Alto Networks firewall to work with a peer that supports policy-based VPN, you must define Proxy IDs. Devices that support policy-based VPN use specific security rules/policies or access-lists (source addresses, destination addresses and ports) for permitting interesting traffic through an IPSec tunnel. These rules are referenced during quick mode/IKE phase 2 negotiation, and are exchanged as Proxy-IDs in the first or the second message of the process. So, if you are configuring the Palo Alto Networks firewall to work with a policy-based VPN peer, for a successful phase 2 negotiation you must define the Proxy-ID so that the setting on both peers is identical. If the Proxy-ID is not configured, because the Palo Alto Networks firewall supports route-based VPN, the default values used as Proxy-ID are source ip: 0.0.0.0/0, destination ip: 0.0.0.0/0 and application: any; and when these values are exchanged with the peer, it results in a failure to set up the VPN connection.
    Set Up an IPSec Tunnel
    Select Network > IPSec Tunnels and then Add a new tunnel configuration.
    On the General tab, enter a Name for the new tunnel.
    Select the Tunnel interface that will be used to set up the IPSec tunnel. To create a new tunnel interface: Select Tunnel Interface > New Tunnel Interface. (You can also select Network > Interfaces > Tunnel and click Add.) In the Interface Name field, specify a numeric suffix, such as .2. On the Config tab, select the Security Zone drop-down to define the zone as follows: • To use your trust zone as the termination point for the tunnel, select the zone from the drop-down. Associating the tunnel interface with the same zone (and virtual router) as the external-facing interface on which the packets enter the firewall, mitigates the need to create inter-zone routing. • ( Recommended ) To create a separate zone for VPN tunnel termination, select New Zone. Define a Name for new zone (for example vpn-corp), and click OK. In the Virtual Router drop-down, select default. ( Optional ) If you want to assign an IPv4 address to the tunnel interface, select the IPv4 tab, and Add the IP address and network mask, for example 10.31.32.1/32. To save the interface configuration, click OK.
    ( Optional ) Enable IPv6 on the tunnel interface. Select the IPv6 tab on Network > Interfaces > Tunnel > IPv6. Select the check box to Enable IPv6 on the interface. This option allows you to route IPv6 traffic over an IPv4 IPSec tunnel and will provide confidentiality between IPv6 networks. The IPv6 traffic is encapsulated by IPv4 and then ESP. To route IPv6 traffic to the tunnel, you can use a static route to the tunnel, or use OSPFv3, or use a Policy-Based Forwarding (PBF) rule to direct traffic to the tunnel. Enter the 64-bit extended unique Interface ID in hexadecimal format, for example, 00:26:08:FF:FE:DE:4E:29. By default, the firewall will use the EUI-64 generated from the physical interface’s MAC address. To assign an IPv6 Address to the tunnel interface, Add the IPv6 address and prefix length, for example 2001:400:f00::1/64. If Prefix is not selected, the IPv6 address assigned to the interface will be wholly specified in the address text box. Select Use interface ID as host portion to assign an IPv6 address to the interface that will use the interface ID as the host portion of the address. Select Anycast to include routing through the nearest node.
    Set up key exchange. Configure one of the following types of key exchange: Set up Auto Key exchange Select the IKE Gateway. To set up an IKE gateway, see Set Up an IKE Gateway. ( Optional ) Select the default IPSec Crypto Profile. To create a new IPSec Profile, see Define IPSec Crypto Profiles. Set up Manual Key exchange Specify the SPI for the local firewall. SPI is a 32-bit hexadecimal index that is added to the header for IPSec tunneling to assist in differentiating between IPSec traffic flows; it is used to create the SA required for establishing a VPN tunnel. Select the Interface that will be the tunnel endpoint, and optionally select the IP address for the local interface that is the endpoint of the tunnel. Select the protocol to be used— AH or ESP. For AH, select the Authentication method from the drop-down and enter a Key and then Confirm Key. For ESP, select the Authentication method from the drop-down and enter a Key and then Confirm Key. Then, select the Encryption method and enter a Key and then Confirm Key, if needed. Specify the SPI for the remote peer. Enter the Remote Address, the IP address of the remote peer.
    Protect against a replay attack. A replay attack occurs when a packet is maliciously intercepted and retransmitted by the interceptor. Select the Show Advanced Options check box, select Enable Replay Protection to detect and neutralize against replay attacks.
    ( Optional ) Preserve the Type of Service header for the priority or treatment of IP packets. In the Show Advanced Options section, select Copy TOS Header. This copies the Type of Service (TOS) header from the inner IP header to the outer IP header of the encapsulated packets in order to preserve the original TOS information. If there are multiple sessions inside the tunnel (each with a different TOS value), copying the TOS header can cause the IPSec packets to arrive out of order.
    Enable Tunnel Monitoring. You must assign an IP address to the tunnel interface for monitoring. To alert the device administrator to tunnel failures and to provide automatic failover to another tunnel interface: Specify a Destination IP address on the other side of the tunnel to determine if the tunnel is working properly. Select a Profile to determine the action on tunnel failure. To create a new profile, see Define a Tunnel Monitoring Profile.
    Create a Proxy ID to identify the VPN peers. This step is required only if the VPN peer uses policy-based VP). Select Network > IPSec Tunnels and click Add. Select the Proxy IDs tab. Select the IPv4 or IPv6 tab. Click Add and enter the Proxy ID name. Enter the Local IP address or subnet for the VPN gateway. Enter the Remote address for the VPN gateway. Select the Protocol from the drop-down: Number —Specify the protocol number (used for interoperability with third-party devices). Any —Allows TCP and/or UDP traffic. TCP —Specify the Local Port and Remote Port numbers. UDP —Specify the Local Port and Remote Port numbers. Click OK.
    Save your changes. Click OK and Commit.
    Previous
    Next

    Related Documentation

    Network > IPSec Tunnels

    Network > IPSec Tunnels Select Network > IPSec Tunnels to establish and manage IPSec VPN tunnels between firewalls. This is the Phase 2 portion of ...

    Site-to-Site VPN Concepts

    Site-to-Site VPN Concepts A VPN connection provides secure access to information between two or more sites. In order to provide secure access to resources and ...

    Network > GlobalProtect > Gateways

    Network > GlobalProtect > Gateways Select Network > GlobalProtect > Gateways to configure a GlobalProtect gateway. A gateway can provide VPN connections for GlobalProtect agents ...

    Site-to-Site VPN Overview

    Site-to-Site VPN Overview A VPN connection that allows you to connect two Local Area Networks (LANs) is called a site-to-site VPN. You can configure route-based ...

    Set Up Tunnel Monitoring

    Set Up Tunnel Monitoring To provide uninterrupted VPN service, you can use the Dead Peer Detection capability along with the tunnel monitoring capability on the ...

    Site-to-Site VPN with Static Routing

    Site-to-Site VPN with Static Routing The following example shows a VPN connection between two sites that use static routes. Without dynamic routing, the tunnel interfaces ...

    Site-to-Site VPN with Static and Dynamic Routing

    Site-to-Site VPN with Static and Dynamic Routing In this example, one site uses static routes and the other site uses OSPF. When the routing protocol ...

    Site-to-Site VPN with OSPF

    Site-to-Site VPN with OSPF In this example, each site uses OSPF for dynamic routing of traffic. The tunnel IP address on each VPN peer is ...

    Create Interfaces and Zones for the LSVPN

    Create Interfaces and Zones for the LSVPN You must configure the following interfaces and zones for your LSVPN infrastructure: GlobalProtect portal —Requires a Layer 3 ...

    Configure GlobalProtect Gateways for LSVPN

    Configure GlobalProtect Gateways for LSVPN Because the GlobalProtect configuration that the portal delivers to the satellites includes the list of gateways the satellite can connect ...

    © 2019 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo