Basic IPSec VPN Configuration with PAN-OS
- Published: 12 Feb 2019
- In this video, we walk you through the steps to create an IPSec VPN that originates on one of our physical or virtualized next-generation firewalls and terminates on any hardware, software or cloud-based IPSec-compatible device.
Information needed:
- Deciding which ciphers - you will need an IKE Crypto profile (the Phase 1 / IKE SA ciphers) and an IPSec Crypto profile (the Phase 2 / IPSec SA ciphers). The encryption, authentication/hash and DH group choices must match on the local and remote peers, otherwise the negotiation fails. Prefer IKEv2, AES-256 (CBC or GCM), SHA-256 or stronger, and DH group 14 or higher; avoid DES/3DES, MD5, SHA-1 and DH groups 1, 2 and 5, which remain in the profile lists only for compatibility with old peers.
- Collecting IP information (Remote Peer IP & Local Peer IP) - The remote peer IP is the far-end address on which the IKE session terminates. Conversely, the local peer IP is the address on the local firewall's external interface on which the IKE session terminates. If either peer sits behind NAT, the local peer IP is the private address on that interface and NAT Traversal (UDP 4500 encapsulation) must be enabled on the IKE Gateway.
- Select a pre-shared key - The pre-shared key is a secret string that both the local and remote sites use to authenticate the IKE session. Use a long, randomly generated value rather than a word or phrase, and consider certificate authentication instead of a pre-shared key where both ends support it.
Basic Steps:
1) Check or create a usable IKE Crypto Profile
2) Create an IKE Gateway
3) Create a security zone for the tunnel interface
4) Create a Tunnel Interface
5) Check or create a usable IPSec Crypto Profile
6) Create an IPSec Tunnel
After going through the steps, we will provide a demonstration of how to create an IPSec VPN. Before traffic will flow you also need a static route for each remote subnet pointing at the tunnel interface and security policies between the local zone and the tunnel zone; the policies were put in place ahead of time for this video.
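As an added worked example (not from the video and not Palo Alto Networks' own documentation), the same six steps expressed as PAN-OS configure-mode `set` commands, followed by the static route and security policies the comment thread points out are also required, and the show/test commands used to confirm the SAs came up. Every name, address and subnet is an assumption: ethernet1/1 in zone `untrust` at 198.51.100.2 is the local peer, 203.0.113.10 is the remote peer, 10.0.1.0/24 is the local LAN in zone `trust`, 10.0.2.0/24 is the remote LAN, and 10.10.10.2/30 is the tunnel interface address with 10.10.10.1 at the far end. The syntax follows the PAN-OS 9.x/10.x CLI from memory; confirm each line with `?` completion on your release before committing, and drop the `#` annotation lines if you paste the block.

```text
configure

# 1) IKE Crypto Profile (Phase 1): AES-256, SHA-256, DH group 14, 8-hour lifetime
set network ike crypto-profiles ike-crypto-profiles IKE-AES256-SHA256-G14 encryption aes-256-cbc
set network ike crypto-profiles ike-crypto-profiles IKE-AES256-SHA256-G14 hash sha256
set network ike crypto-profiles ike-crypto-profiles IKE-AES256-SHA256-G14 dh-group group14
set network ike crypto-profiles ike-crypto-profiles IKE-AES256-SHA256-G14 lifetime hours 8

# 2) IKE Gateway: IKEv2 only, pre-shared key, dead-peer detection, NAT-T in case a peer is behind NAT
set network ike gateway GW-BRANCH local-address interface ethernet1/1 ip 198.51.100.2/24
set network ike gateway GW-BRANCH peer-address ip 203.0.113.10
set network ike gateway GW-BRANCH authentication pre-shared-key key "<long-random-secret>"
set network ike gateway GW-BRANCH protocol version ikev2
set network ike gateway GW-BRANCH protocol ikev2 ike-crypto-profile IKE-AES256-SHA256-G14
set network ike gateway GW-BRANCH protocol ikev2 dpd enable yes
set network ike gateway GW-BRANCH protocol-common nat-traversal enable yes

# 3) Security zone for the tunnel, 4) tunnel interface with an address (used for routing and tunnel monitoring)
set network interface tunnel units tunnel.1 ip 10.10.10.2/30
set network interface tunnel units tunnel.1 mtu 1427
set zone VPN network layer3 tunnel.1
set network virtual-router default interface tunnel.1

# 5) IPSec Crypto Profile (Phase 2): ESP AES-256 / SHA-256, PFS with group 14, 1-hour lifetime
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-AES256-SHA256-G14 esp encryption aes-256-cbc
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-AES256-SHA256-G14 esp authentication sha256
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-AES256-SHA256-G14 dh-group group14
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-AES256-SHA256-G14 lifetime hours 1

# 6) IPSec Tunnel bound to the gateway, profile and tunnel interface; proxy-ID for peers that need it; monitor the far-end tunnel IP
set network tunnel ipsec VPN-BRANCH auto-key ike-gateway GW-BRANCH
set network tunnel ipsec VPN-BRANCH auto-key ipsec-crypto-profile IPSEC-AES256-SHA256-G14
set network tunnel ipsec VPN-BRANCH tunnel-interface tunnel.1
set network tunnel ipsec VPN-BRANCH auto-key proxy-id LAN-TO-BRANCH local 10.0.1.0/24 remote 10.0.2.0/24 protocol any
set network tunnel ipsec VPN-BRANCH tunnel-monitor enable yes destination-ip 10.10.10.1

# Not part of the six steps but required before traffic flows: a route to the remote LAN via the tunnel interface ...
set network virtual-router default routing-table ip static-route TO-BRANCH-LAN destination 10.0.2.0/24 interface tunnel.1
# ... and security policy in both directions between the local zone and the tunnel zone
set rulebase security rules TRUST-TO-BRANCH from trust to VPN source 10.0.1.0/24 destination 10.0.2.0/24 application any service any action allow
set rulebase security rules BRANCH-TO-TRUST from VPN to trust source 10.0.2.0/24 destination 10.0.1.0/24 application any service any action allow

commit
exit

# Verification: bring the IKE SA up and check that Phase 1 and Phase 2 are both established
test vpn ike-sa gateway GW-BRANCH
show vpn ike-sa gateway GW-BRANCH
show vpn ipsec-sa tunnel VPN-BRANCH
```

The remote side needs the mirror image of the two crypto profiles (same algorithms, groups and lifetimes), the same pre-shared key, and a proxy-ID of 10.0.2.0/24 to 10.0.1.0/24 if it is a policy-based device. IKE and ESP packets arriving on ethernet1/1 are handled by the default intrazone-allow rule for the `untrust` zone; if that default has been changed, add an explicit rule from `untrust` to `untrust` allowing the `ike` and `ipsec-esp` applications to the local peer IP.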
For more information about IPSec VPN configuration, please review the following resources:
(Discussion with Solution) How to create IPSec VPN tunnel between two Palo Alto 200 firewalls?
live.paloaltonetworks.com/t5/...
HOW TO CONFIGURE IPSEC VPN (Knowledge Base)
knowledgebase.paloaltonetwork...
IPSec VPN Tunnel Management (TechDocs)
docs.paloaltonetworks.com/pan...
Great demo! Helps a lot!
Where do you add the local and remote networks for phase 2?
Damn this guy is genius. thanks a lot.
Have you created a security policy for the tunnel?
Where did you get the tunnel interface IP from? Is it just randomly assigned so that the VR can have an interface where the unencrypted traffic is delivered?
Nicely explained
Thanks for liking
Hello, is routing on 10.10.10.1 required?
Where did that 10.10.10.x IP come from at 10:45 in the video?
Hi PA,
On what basis did you give the tunnel IP as 10.10.10.2? 🤔
It's just an example. This IP address will be used to route traffic to the tunnel and to monitor the status of the tunnel.
@itmachinist It's just an example. It's the wrong IP, I think; he should have mentioned 10.0.2.0/24 there.
Are static routes needed pointing to the tunnel interface for the remote subnets?
Yes, that's required. You also need to create two policies: one for IPSec traffic and one for traffic from local to remote.
ciphers or cyphers? Spelling. 7:55 NAT transversal or NAT Traversal?
Why the MTU size of 1427?
Ok, I have a question. I want to make a connection with an app, GlobalProtect, from anywhere to my local domain network. This is not this tutorial??
Can you help me, please?
I feel like this is either outdated or not entirely accurate. A tunnel interface IP isn't a requirement to establish and route a tunnel. You would use an IP for dynamic routing or monitoring.
Exactly. I’ve seen it being used only on AWS tunnels and not any other firewall.
What about the security policies? You skipped segments that were needed.
Hi, thanks for pointing that out. For the sake of time the security policies were already put in place. In this video they were already set up, but you can see what they look like in this video: ruclips.net/video/5xgYhXlnGUw/видео.html
Palo made this way overcomplicated
Reading what you see on the screen isn't helpful. Need context on what these settings are, particularly around interfaces. Your official documentation is equally bad.
All over the place! Not structured.
Why don't you make one with aaaaall STRUCTURED. Let us see how good that is and all the negative people like you commenting on that instead of appreciating.