A VPN connection that allows you to connect two Local
Area Networks (LANs) is called a site-to-site VPN. You can configure
route-based VPNs to connect Palo Alto Networks firewalls located
at two sites or to connect a Palo Alto Networks firewall with a
third-party security device at another location. The firewall can
also interoperate with third-party policy-based VPN devices; the
Palo Alto Networks firewall supports route-based VPN.
The Palo Alto Networks firewall sets up a route-based VPN, where
the firewall makes a routing decision based on the destination IP
address. If traffic is routed to a specific destination through
a VPN tunnel, then it is handled as VPN traffic.
The IP Security (IPSec) set of protocols is used to set up a
secure tunnel for the VPN traffic, and the information in the TCP/IP
packet is secured (and encrypted if the tunnel type is ESP). The
IP packet (header and payload) is embedded in another IP payload,
and a new header is applied and then sent through the IPSec tunnel.
The source IP address in the new header is that of the local VPN
peer and the destination IP address is that of the VPN peer on the
far end of the tunnel. When the packet reaches the remote VPN peer
(the firewall at the far end of the tunnel), the outer header is
removed and the original packet is sent to its destination.
In order to set up the VPN tunnel, first the peers need to be
authenticated. After successful authentication, the peers negotiate
the encryption mechanism and algorithms to secure the communication.
The Internet Key Exchange (IKE) process is used to authenticate
the VPN peers, and IPSec Security Associations (SAs) are defined
at each end of the tunnel to secure the VPN communication. IKE uses
digital certificates or preshared keys, and the Diffie-Hellman keys
to set up the SAs for the IPSec tunnel. The SAs specify all of the
parameters that are required for secure transmission (encryption,
data authentication, data integrity, and endpoint authentication),
including the security parameter index (SPI), the security protocol,
the cryptographic keys, and the destination IP address.
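The following Python program is an added illustration, not Palo Alto
Networks code, of two points made above: the route-based decision
(the destination IP address alone selects the egress interface, and
traffic routed to the tunnel interface is treated as VPN traffic) and
tunnel-mode encapsulation (the original IP packet, header and payload,
becomes the payload of a new packet whose outer header carries the
local and remote peer addresses, with the SPI identifying the SA at
the receiving end). The route table, interface names, peer addresses
and keys are constructed sample values. To stay short it applies only
an HMAC integrity check to the ESP payload; the encryption that a real
ESP tunnel also performs is omitted.

```python
"""Route-based VPN egress decision and IPsec tunnel-mode encapsulation.

Added example (not Palo Alto Networks code). Sample routes, interface
names, peer IPs and keys are constructed for the demonstration; the
inner packet is integrity-protected but not encrypted.
"""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass

ESP_PROTOCOL = 50  # IP protocol number carried in the outer header


@dataclass
class SecurityAssociation:
    spi: int          # security parameter index
    protocol: int     # security protocol (50 = ESP)
    peer_ip: str      # destination IP of the outer header (remote VPN peer)
    auth_key: bytes   # integrity key (constructed sample value)
    seq: int = 0      # last sequence number sent (outbound) or accepted (inbound)


# Constructed route table: (prefix, egress interface). The /0 default
# route guarantees that every destination matches something.
ROUTES = [
    (ipaddress.ip_network("10.2.0.0/16"), "tunnel.1"),
    (ipaddress.ip_network("10.1.0.0/16"), "ethernet1/2"),
    (ipaddress.ip_network("0.0.0.0/0"), "ethernet1/1"),
]


def lookup_route(dst):
    """Longest-prefix match: only the destination address decides the interface."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, iface) for net, iface in ROUTES if addr in net]
    _, iface = max(matches, key=lambda m: m[0].prefixlen)
    return iface


def _checksum(data):
    """RFC 1071 one's-complement checksum; returns 0 for a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ident=0):
    """Build a 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, 64,
                      proto, 0, ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def encapsulate(inner_packet, sa, local_ip):
    """Tunnel mode: wrap the whole original packet behind ESP and a new outer header."""
    sa.seq += 1
    esp_hdr = struct.pack("!II", sa.spi, sa.seq)
    icv = hmac.new(sa.auth_key, esp_hdr + inner_packet, hashlib.sha256).digest()[:16]
    esp = esp_hdr + inner_packet + icv
    outer = ipv4_header(local_ip, sa.peer_ip, ESP_PROTOCOL, len(esp))
    return outer + esp


def decapsulate(packet, sa_db):
    """Far-end peer: check the outer header, select the SA by SPI, verify, unwrap."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != ESP_PROTOCOL:
        raise ValueError("not an ESP packet")
    if _checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IP checksum")
    esp = packet[ihl:]
    spi, seq = struct.unpack("!II", esp[:8])
    sa = sa_db.get(spi)
    if sa is None:
        raise ValueError("unknown SPI")
    if seq <= sa.seq:
        raise ValueError("replayed or out-of-order sequence number")
    body, icv = esp[8:-16], esp[-16:]
    expected = hmac.new(sa.auth_key, esp[:8] + body, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("integrity check failed")
    sa.seq = seq
    return body  # the original packet, header and payload, sent on to its destination


def send(inner_packet, sa, local_ip):
    """Route on the inner destination; encapsulate only when the route is a tunnel."""
    dst = str(ipaddress.ip_address(inner_packet[16:20]))
    if lookup_route(dst).startswith("tunnel"):
        return encapsulate(inner_packet, sa, local_ip)
    return inner_packet
```

The SA objects are one-directional, as in IPsec: the sending peer
keeps an outbound SA and the receiving peer an inbound SA with the same
SPI and key, and the inbound side rejects a sequence number it has
already accepted.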
The following figure shows a VPN tunnel between two sites. When
a client that is secured by VPN Peer A needs content from a server
located at the other site, VPN Peer A initiates a connection request
to VPN Peer B. If the security policy permits the connection, VPN
Peer A uses the IKE Crypto profile parameters (IKE phase 1) to establish
a secure connection and authenticate VPN Peer B. Then, VPN Peer
A establishes the VPN tunnel using the IPSec Crypto profile, which
defines the IKE phase 2 parameters to allow the secure transfer
of data between the two sites.