How to Configure Palo Alto to Cisco Site-to-Site IPSec VPN?


A tutorial only for educational purposes



Are you planning to use your newly bought Palo Alto Next-Generation Firewall to build an IPSec VPN tunnel with your current Cisco routers? You have come to the right place!

Today I am going to show you the steps. In this tutorial we will use the Cisco CLI and the Palo Alto Web-GUI. Let's start!

Here's what I recommend reading before digging into this tutorial, so the configuration makes more sense:

  1. IPSec VPN overview

  2. Cisco IPSec VPN configuration knowledge

  3. Palo Alto Next-Generation Firewall familiarity

We will use the setup below (the topology diagram is in the original post): a Cisco router with public IP address 57.0.0.2, a Palo Alto firewall with public IP address 91.0.0.2, and the tunnel network 10.10.10.0/30 between them.

NOTE: You can get a PA-VM 30-day trial on the Palo Alto Networks site.


Initial Task: Setup the Palo Alto Next-Generation Firewall

An optional task for readers who are new to the firewall. It is covered in a separate tutorial (linked in the original post) with quick steps to make the firewall's Web-GUI reachable over the network.

Main Tasks:

  1. Configure both devices' Public IP addresses

  2. Configure IPSec VPN on Cisco router

    1. ISAKMP and IPSec attributes

    2. IPSec VPN tunnel

  3. Configure IPSec VPN on Palo Alto Next-Generation Firewall

    1. Create a Tunnel interface

    2. IKE Crypto and Gateway

    3. IPSec Profile

    4. IPSec VPN Tunnel

  4. Verification


Task 1: Configure both devices' Public IP addresses

Cisco configuration:

I used a sub-interface for the public IP address. Make sure to issue a no shutdown command on the physical interface, otherwise the sub-interface will not come up. A ping test (screenshot in the original post) shows that the ISP gateway is reachable.

NOTE: You will need a default route to reach the public network. The command ip route 0.0.0.0 0.0.0.0 <nexthop-ip or egress-interface> defines it.

Palo Alto configuration:

On NETWORK > Interfaces, select your preferred interface. Here, we selected ethernet1/1 and added a sub-interface.

In the Layer 3 Subinterface pop-up, the Config tab assigns the interface to our Virtual Router (the Cisco VRF equivalent) and Security Zone. The IPv4 tab assigns the public IP address.

In the Advanced tab, I selected an Interface Management profile so the sub-interface can be pinged for verification purposes. Keep that profile to ping only: enabling HTTPS, SSH or SNMP on an internet-facing interface exposes the firewall's management plane to the public network. Click OK once done and commit the changes for now.

We can see that the gateway IP address is reachable. We can now proceed to the next task.

Task 2: Configure IPSec VPN on Cisco router

1. ISAKMP and IPSec attributes

An ISAKMP policy (101) is created with the attributes needed for Phase 1 negotiation: encryption, hash, authentication method (pre-share), Diffie-Hellman group and lifetime. The last line of the configuration is the pre-shared key (PSK) that the Cisco router and the Palo Alto firewall use to authenticate each other. The IP address 91.0.0.2 is the remote peer address (the Palo Alto's public IP address).

Next, we configured the attributes for Phase 2 negotiation: a transform set (ESP cipher and integrity algorithm) which is then applied in our IPSec profile.

2. IPSec VPN tunnel

A tunnel interface (Tunnel101) was created with the router's public IP address as the tunnel source and the Palo Alto's public IP address as the tunnel destination. Our IPSec profile is applied to the interface with tunnel protection, and the tunnel mode is set as well, which makes this a route-based VPN over a virtual tunnel interface (VTI).
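The original post shows the router configuration for Tasks 1 and 2 only as screenshots. The block below is an added example written for this page, not the author's own config: it puts the whole Cisco side into one runnable IOS configuration using the addresses the post gives (57.0.0.2, 91.0.0.2, 10.10.10.0/30, key company1). The physical interface, VLAN tag, subnet mask, upstream gateway, cipher suite and lifetimes are not visible on the page and are assumed; they are marked in the comments and must be changed to match your environment and, for the crypto values, the Palo Alto profiles.

```cisco
! Added example (not the original page's screenshots): complete IOS
! configuration for Tasks 1 and 2. Values the page does not show are
! ASSUMED and marked as such.
!
! --- Task 1: public-facing sub-interface and default route ---
! ASSUMED: physical port GigabitEthernet0/0, VLAN tag 57, /30 mask,
! upstream gateway 57.0.0.1.
interface GigabitEthernet0/0
 no shutdown
!
interface GigabitEthernet0/0.57
 description Public / ISP facing
 encapsulation dot1Q 57
 ip address 57.0.0.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 57.0.0.1
!
! --- Task 2.1: Phase 1 (ISAKMP policy 101) ---
! ASSUMED algorithms: AES-256 / SHA-256 / DH group 14. Whatever you pick
! must be identical in the Palo Alto IKE Crypto profile. 86400 s is the
! IOS default lifetime, which the tutorial matches as "1 Day" on the PA.
crypto isakmp policy 101
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
! Pre-shared key for the Palo Alto peer 91.0.0.2. "company1" is the
! tutorial's demo key. In production use a long random secret (for
! example "openssl rand -base64 32") and enable type-6 key storage:
!   key config-key password-encrypt <master-key>
!   password encryption aes
crypto isakmp key company1 address 91.0.0.2
!
! --- Task 2.1: Phase 2 (transform set and IPsec profile) ---
! ASSUMED: ESP AES-256 with SHA-256 HMAC, tunnel mode, 3600 s SA
! lifetime (the IOS and PAN-OS defaults). There is deliberately no
! "set pfs" here; that is why the Palo Alto IPSec Crypto profile must
! use DH Group "no-pfs".
crypto ipsec transform-set TS-PALOALTO esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-PALOALTO
 set transform-set TS-PALOALTO
 set security-association lifetime seconds 3600
!
! --- Task 2.2: route-based VPN over a virtual tunnel interface ---
! Tunnel101 takes the second host of 10.10.10.0/30; the Palo Alto
! tunnel interface holds 10.10.10.1/30.
interface Tunnel101
 description IPsec VTI to Palo Alto
 ip address 10.10.10.2 255.255.255.252
 tunnel source 57.0.0.2
 tunnel destination 91.0.0.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PALOALTO
```

Two things to keep in mind when adapting this: IKEv1 with a pre-shared key is what the tutorial uses, but IKEv2 (crypto ikev2 proposal / profile) is preferable on platforms that support it on both ends, and PFS (set pfs group14 plus the matching DH Group on the Palo Alto) costs little and limits what an attacker who later recovers the IKE SA keys can decrypt.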

Task 3: Configure IPSec VPN on Palo Alto Next-Generation Firewall

IPSec is now configured on our Cisco router, which will keep trying to negotiate with its peer; the tunnel stays down until the Palo Alto side is configured. Let us now configure our Palo Alto device.

1. Create a Tunnel interface

In NETWORK > Interfaces, go to the Tunnel tab and click Add to create a new tunnel interface.

In the Config tab, we assigned it to our VR-MAIN virtual router and VPN-1 security zone, and gave it the IP address 10.10.10.1/30 (IPv4 tab), which is in the same /30 as Tunnel101 on our Cisco router (the router therefore uses 10.10.10.2/30). Ping is also allowed on this interface through a management profile. Click OK once done.

2. IKE Crypto and Gateway

In NETWORK > IKE Crypto, click Add to define attributes for Phase 1 negotiation.

As you can see in the settings above, they are the same as in ISAKMP policy 101 on the router; every value (encryption, authentication/hash, DH group) must match exactly or Phase 1 will fail. We set Timers > Key Lifetime to 1 Day, which matches Cisco's default of 86400 seconds.

Go to NETWORK > IKE Gateways and click Add. The IKE version we are configuring is IKEv1. The interface ethernet1/1.91 is selected because it holds our public IP address. This is the counterpart of the "crypto isakmp key ..." command on the Cisco router: 57.0.0.2 is the router's public IP address and the pre-shared key is the same, "company1". A short dictionary word like this is fine for a lab, but in production use a long random PSK (or certificate authentication), because with IKEv1 a guessable PSK lets an attacker who captures the exchange brute-force it offline.

Ignore the other options for now and go to the Advanced Options tab. Select the IKE Crypto profile we just created and click OK once done.

3. IPSec Profile

Above is our IPSec Crypto profile (NETWORK > IPSec Crypto). It is the counterpart of the "crypto ipsec ..." configuration on the Cisco router: the ESP encryption and authentication algorithms must match the transform set. Do not forget to change the DH Group option to "no-pfs": a new profile enables PFS by default, while our Cisco IPSec profile has no set pfs command, and that mismatch makes Phase 2 fail even though Phase 1 comes up. Click OK once done.

4. IPSec VPN Tunnel

We are now going to pull everything together in NETWORK > IPSec Tunnels. Click Add, give the tunnel a name, and select our Tunnel interface, IKE Gateway and IPSec Crypto Profile. The other settings can be ignored for now. Click OK once done and commit the changes.

Task 4: Verification

NOTE: Do not forget to define a default-route in both devices to allow public network reachability.

Cisco Verification

Using the show crypto isakmp sa command we can see that ISAKMP (Phase 1) negotiation has been established. The state should be QM_IDLE; a state stuck at MM_NO_STATE or MM_KEY_EXCH means Phase 1 is failing (check the PSK, the policy attributes and reachability of the peer).

The command show ip interface brief <interface> shows our Tunnel interface in the up/up state. A VTI's line protocol only comes up once the IPsec SA exists, so this is a good indicator that Phase 2 succeeded; show crypto ipsec sa confirms it and shows the negotiated transform and the packet counters. But there is only one way to test that it actually works: a ping test.

Through a tunnel-to-tunnel ping test, sourced from Tunnel101 so the packet goes through the tunnel rather than out the default route, we can verify that our configuration is working!
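The following block is an added verification checklist for the Cisco side, written for this page rather than taken from the original post. It lists the show commands in the order a practitioner would run them, what each one should report, and the one step the tutorial's ping test does not cover: routing real LAN traffic through the tunnel. The remote LAN subnet 192.168.91.0/24 is an assumption used only to illustrate the route.

```cisco
! Added example: Cisco-side verification, run from privileged EXEC.
! The remote LAN prefix at the end is ASSUMED.
!
! Phase 1: expect one entry with dst 91.0.0.2 in state QM_IDLE.
show crypto isakmp sa
!
! Phase 1 detail: confirms the algorithms and DH group that were actually
! negotiated, which is what to compare against the Palo Alto IKE Crypto
! profile if the tunnel flaps.
show crypto isakmp sa detail
!
! Phase 2: expect inbound and outbound ESP SAs for peer 91.0.0.2, the
! transform you configured, and "#pkts encaps/decaps" increasing after
! the ping below.
show crypto ipsec sa peer 91.0.0.2
!
! The VTI line protocol only goes up once the IPsec SA exists, so up/up
! here is itself a Phase 2 check.
show ip interface brief Tunnel101
!
! Tunnel-to-tunnel ping, sourced from the VTI so the echo request is
! sent through the tunnel rather than via the default route.
ping 10.10.10.1 source Tunnel101
!
! If Phase 1 or 2 will not come up, watch the negotiation live:
! debug crypto isakmp
! debug crypto ipsec
! undebug all
!
! The ping proves the tunnel only. For hosts behind each device you also
! need a route for the remote LAN via the VTI here, and on the Palo Alto
! a static route for your LAN via its tunnel interface plus a Security
! Policy permitting traffic between the VPN-1 zone and the LAN zone.
! ASSUMED: the LAN behind the Palo Alto is 192.168.91.0/24.
ip route 192.168.91.0 255.255.255.0 Tunnel101
```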

Palo Alto Verification

In NETWORK > IPSec Tunnels, the Status indicators are green, meaning both the IKE (Phase 1) and IPSec (Phase 2) negotiations have succeeded. The IKE Info and Tunnel Info links show the negotiated algorithms and SA lifetimes, which should match what the Cisco router reports.

Awesome! The tunnel-to-tunnel ping test from the Palo Alto to the Cisco (on the PA CLI: ping source 10.10.10.1 host 10.10.10.2) is working. You can now save the configuration: write memory on the router, while the Palo Alto changes are already committed.


Conclusion

In this tutorial, we configured a Palo Alto to Cisco router site-to-site IPSec VPN. Our configuration passed the tunnel-to-tunnel ping test, an indicator that we are on the right track. Keep in mind that this test only proves the tunnel itself: to carry traffic between the networks behind the two devices you still need routes for the remote subnets through the tunnel interfaces and a Security Policy on the Palo Alto allowing traffic between the VPN-1 zone and your internal zone.

Any questions or suggestions? Leave a comment and I would be very happy to discuss them!

