How to Configure Palo Alto to Cisco Site-to-Site IPSec VPN?
A tutorial only for educational purposes
Are you planning to use your newly bought Palo Alto Next-Generation Firewall to build an IPSec VPN tunnel with your current Cisco routers? You have come to the right place!
Today I am going to show you the steps to do it. In this tutorial we will use the Cisco CLI and the Palo Alto Web-GUI. Let's start!
Here's what I recommend before digging into this tutorial to have a better appreciation of the configuration:
IPSec VPN overview
Cisco IPSec VPN configuration knowledge
Palo Alto Next-Generation Firewall familiarity
We will use the setup below: a Cisco router with public IP address 57.0.0.2 on one side, a Palo Alto firewall with public IP address 91.0.0.2 on the other, and a route-based IPSec tunnel between them whose tunnel interfaces share the 10.10.10.0/30 network.
NOTE: You can get a PA-VM 30-day trial on their site.
Initial Task: Setup the Palo Alto Next-Generation Firewall
An optional task for our other readers who are new to the firewall. The tutorial can be accessed here. It contains quick steps to make the firewall's Web-GUI reachable through the network.
Main Tasks:
Configure both devices' Public IP addresses
Configure IPSec VPN on Cisco router
ISAKMP and IPSec attributes
IPSec VPN tunnel
Configure IPSec VPN on Palo Alto Next-Generation Firewall
Create a Tunnel interface
IKE Crypto and Gateway
IPSec Profile
IPSec VPN Tunnel
Verification
Task 1: Configure both devices' Public IP addresses
Cisco configuration:
I used a sub-interface for the Public IP address. Make sure to issue a no shutdown command on the physical interface so that the sub-interface comes up. A ping test shows that the gateway is reachable.
NOTE: You will need a default route to reach the public network. The command ip route 0.0.0.0 0.0.0.0 <nexthop-ip or egress-interface> can be used to define it.
Palo Alto configuration:
On NETWORK > Interfaces, select your preferred interface. Here, we selected ethernet1/1 and added a sub-interface.
In the Layer 3 Subinterface pop-up Config tab, we assigned the interface to our Virtual Router (VRF in Cisco) and Security Zone. IPv4 tab lets us assign the Public IP address.
In the Advanced tab, I selected a Management profile that allows ping on the sub-interface, for verification purposes only. Click OK once done, then commit the changes.
We can see that the gateway IP address is reachable. We can now proceed to the next task.
Task 2: Configure IPSec VPN on Cisco router
1. ISAKMP and IPSec attributes
ISAKMP policy 101 is created with the attributes needed for Phase 1 negotiation. The last line of the configuration is the pre-shared key (PSK) that the Cisco router and the Palo Alto firewall use to authenticate each other during IKE. The IP address 91.0.0.2 is the remote peer address (the Palo Alto's Public IP address), so the key is bound to that peer only.
Next, we configured the attributes for Phase 2 negotiation: a transform-set, which is then applied in our IPSec profile.
2. IPSec VPN tunnel
A Tunnel interface was created with the router's Public IP address as the source and the Palo Alto's Public IP address as the destination. Our IPSec profile is applied to the interface with tunnel protection, and the tunnel mode is set to ipsec ipv4, which makes it a route-based VTI rather than a crypto-map tunnel.
Task 3: Configure IPSec VPN on Palo Alto Next-Generation Firewall
IPSec is now enabled on our Cisco router, which is waiting for its peer to respond to the negotiation. Let us now configure our Palo Alto device.
1. Create a Tunnel interface
In NETWORK > Interfaces, go to the Tunnel tab and click Add to create a new tunnel interface.
In the Config tab, we assigned it to our VR-MAIN virtual router and VPN-1 security zone. We used the IP address 10.10.10.1/30, which is in the same network as Tunnel101 on our Cisco router. Ping is also allowed on this interface through the same Management profile. Click OK once done.
2. IKE Crypto and Gateway
In NETWORK > IKE Crypto, click Add to define attributes for Phase 1 negotiation.
As you can observe in the setting above, it is the same as our ISAKMP policy 101. We set Timers > Key Lifetime to 1 Day, as we are matching Cisco's default of 86400 seconds. A mismatch here does not break Phase 1, but a mismatched cipher, hash, DH group or authentication method will.
Go to NETWORK > IKE Gateways and click Add. The IKE version we are configuring is IKEv1. The interface ethernet1/1.91 is selected as it holds our Public IP address. You might observe that this setting mirrors the "crypto isakmp key..." line on the Cisco router: 57.0.0.2 is our router's Public IP address, with the same pre-shared key, "company1".
Ignore the other options for now and go to the Advanced Options tab. Select the IKE Crypto profile we just created and click OK once done.
3. IPSec Profile
The setting above defines our IPSec Crypto profile. It is similar to our "crypto ipsec..." Cisco router configuration earlier. Do not forget to change the DH Group option to "no-pfs": the Palo Alto default is group2, and since the Cisco IPSec profile has no "set pfs" line, leaving the default would make Phase 2 fail while Phase 1 still succeeds. Click OK once done.
4. IPSec VPN Tunnel
We are now going to pull everything together in NETWORK > IPSec Tunnels. Click Add. Enter a name, then select our Tunnel interface, IKE Gateway, and IPSec Crypto Profile. The other settings can be ignored at this time; in particular, leave the Proxy IDs tab empty, because a Cisco VTI negotiates 0.0.0.0/0 on both sides and that is exactly what the Palo Alto uses when no Proxy IDs are defined. Click OK once done and commit the changes.
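The same Task 3 objects expressed as PAN-OS configure-mode set commands, as an added example that is not from the original post, which uses the Web-GUI throughout. The object names (IKE-CRYPTO-CISCO, IPSEC-CRYPTO-CISCO, IKE-GW-CISCO, IPSEC-TUN-CISCO, ALLOW-PING, tunnel.1) and the cipher suite are assumptions; the syntax is reconstructed from the GUI fields, so compare the result with `show network ike` and `show network tunnel ipsec` in configure mode before you commit.

```text
configure

# Task 3.1: tunnel interface in VR-MAIN / VPN-1, with ping allowed for testing
set network profiles interface-management-profile ALLOW-PING ping yes
set network interface tunnel units tunnel.1 ip 10.10.10.1/30
set network interface tunnel units tunnel.1 interface-management-profile ALLOW-PING
set network virtual-router VR-MAIN interface tunnel.1
set zone VPN-1 network layer3 tunnel.1

# Task 3.2: IKE Crypto profile (Phase 1), matching ISAKMP policy 101; 1-day lifetime
set network ike crypto-profiles ike-crypto-profiles IKE-CRYPTO-CISCO encryption aes-256-cbc
set network ike crypto-profiles ike-crypto-profiles IKE-CRYPTO-CISCO hash sha256
set network ike crypto-profiles ike-crypto-profiles IKE-CRYPTO-CISCO dh-group group14
set network ike crypto-profiles ike-crypto-profiles IKE-CRYPTO-CISCO lifetime days 1

# Task 3.2: IKE Gateway, IKEv1 main mode, PSK company1, peer 57.0.0.2 via ethernet1/1.91
set network ike gateway IKE-GW-CISCO protocol version ikev1
set network ike gateway IKE-GW-CISCO protocol ikev1 exchange-mode main
set network ike gateway IKE-GW-CISCO protocol ikev1 ike-crypto-profile IKE-CRYPTO-CISCO
set network ike gateway IKE-GW-CISCO authentication pre-shared-key key company1
set network ike gateway IKE-GW-CISCO local-address interface ethernet1/1.91
set network ike gateway IKE-GW-CISCO peer-address ip 57.0.0.2

# Task 3.3: IPSec Crypto profile (Phase 2); no-pfs because the Cisco profile has no "set pfs"
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-CRYPTO-CISCO esp encryption aes-256-cbc
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-CRYPTO-CISCO esp authentication sha256
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-CRYPTO-CISCO dh-group no-pfs
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-CRYPTO-CISCO lifetime hours 1

# Task 3.4: IPSec tunnel tying it all together (Proxy IDs intentionally left empty)
set network tunnel ipsec IPSEC-TUN-CISCO tunnel-interface tunnel.1
set network tunnel ipsec IPSEC-TUN-CISCO auto-key ike-gateway IKE-GW-CISCO
set network tunnel ipsec IPSEC-TUN-CISCO auto-key ipsec-crypto-profile IPSEC-CRYPTO-CISCO

commit
```

The 1-hour IPSec lifetime matches the Cisco IPSec SA default of 3600 seconds, so both peers will rekey at about the same time instead of one side tearing down a child SA the other still considers valid.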
Task 4: Verification
NOTE: Do not forget to define a default-route in both devices to allow public network reachability.
Cisco Verification
Using the show crypto isakmp sa command we can see that the ISAKMP (Phase 1) negotiation succeeded. The state should be QM_IDLE.
The show ip interface brief <interface> output shows our Tunnel interface in the up/up state, a good indicator that the IPSec (Phase 2) negotiation is also fine. But there is only one way to test whether it actually works: a ping test.
Through a Tunnel-to-Tunnel ping test, we can verify that our configuration is working!
Palo Alto Verification
In NETWORK > IPSec Tunnels, we can see that both status indicators are green, which means both the IKE (Phase 1) and IPSec (Phase 2) negotiations have completed successfully.
Awesome! The Tunnel-to-Tunnel ping test from Palo Alto to Cisco is working. You can now save the configuration.
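The verification commands on both sides in one place, as an added example rather than output from the original post (the post shows its results as screenshots, so no output is reproduced here). The Cisco-side names follow the page (Tunnel101, peer 91.0.0.2); the Palo Alto object names IKE-GW-CISCO and IPSEC-TUN-CISCO and the Cisco tunnel address 10.10.10.2 are assumptions.

```text
! ---- Cisco router ----
show crypto isakmp sa                       ! Phase 1: expect 91.0.0.2 in state QM_IDLE
show crypto ipsec sa interface Tunnel101    ! Phase 2: #pkts encaps and #pkts decaps must both increase
show ip interface brief Tunnel101           ! expect up/up
ping 10.10.10.1 source 10.10.10.2           ! tunnel-to-tunnel test, sourced from Tunnel101
!
! if it fails, watch the negotiation and force a fresh one
debug crypto isakmp
debug crypto ipsec
clear crypto session remote 91.0.0.2
undebug all

# ---- Palo Alto (operational mode) ----
show vpn ike-sa gateway IKE-GW-CISCO        # Phase 1 SA present?
show vpn ipsec-sa tunnel IPSEC-TUN-CISCO    # Phase 2 SA present, with SPIs in both directions?
show vpn flow name IPSEC-TUN-CISCO          # encap/decap counters for the tunnel
ping source 10.10.10.1 host 10.10.10.2      # tunnel-to-tunnel test from the firewall's tunnel IP

# trigger the negotiation by hand instead of waiting for interesting traffic
test vpn ike-sa gateway IKE-GW-CISCO
test vpn ipsec-sa tunnel IPSEC-TUN-CISCO

# IKE daemon log: the first place to look for proposal or PSK mismatches
less mp-log ikemgr.log
```

A Phase 1 SA without a Phase 2 SA almost always means a Phase 2 mismatch (the PFS/DH group or the transform set); no Phase 1 SA at all points at the PSK, the IKE Crypto profile, or UDP 500 being blocked between the public addresses.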
Conclusion
In this tutorial, we configured a Palo Alto to Cisco router site-to-site IPSec VPN. Our configuration passed the tunnel-to-tunnel ping test, an indicator that we are on the right track.
Any questions or suggestions? Comment it and I would be very happy to discuss that!