IPsec VPN Configuration Example: Palo Alto Networks Appliance


This example illustrates how to configure two IPSec VPN tunnels from a Palo Alto Networks appliance to two Zscaler Enforcement Nodes (ZENs): a primary tunnel from the PA-200 appliance to a ZEN in one data center, and a secondary tunnel from the PA-200 appliance to a ZEN in another data center.

Zscaler IPSec tunnels support a soft limit of 200 Mbps per tunnel. If your organization wants to forward more than 200 Mbps of traffic, Zscaler recommends you configure more IPSec VPN tunnels as needed. For example, if your organization forwards 400 Mbps of traffic, you can configure two primary VPN tunnels and two secondary VPN tunnels. If your organization processes 600 Mbps of traffic, you would configure three primary VPN tunnels and three secondary VPN tunnels.

In this example, the IP address of the primary ZEN is 95.172.74.5, and the IP address of the secondary ZEN is 199.168.151.112. You can learn how to locate the ZEN IP addresses for your organization in the Prerequisites section below.

Organizations typically forward all traffic destined for any port to the Zscaler service. Alternatively, you can limit the traffic that you forward to the service to HTTP and HTTPS traffic (traffic destined for port 80 and port 443). Regardless, tunneling provides visibility into the internal IP addresses, which can be used for the Zscaler security policies and logging.

Prerequisites

Before you start configuring the Zscaler service and the firewall, ensure that you have the following information for setting up the tunnels:

Ensure that the locations of the ZEN Virtual IP addresses correspond to the locations of the ZEN IP addresses.

If you are unable to ping both ZEN IP addresses, please contact Zscaler Support.

Configuring the Zscaler Service

To configure the IPSec VPN Tunnels in the Zscaler admin portal, do the following tasks:

  1. Adding the VPN Credential

Note the IP address or FQDN and the pre-shared key (PSK) of the added VPN credentials. You need this information when linking the VPN credentials to a location and creating the IKE gateways.

  2. Linking the VPN Credentials to a Location

Configuring the IPSec VPN Tunnels on PA-200

This section describes how to configure two IPSec VPN tunnel interfaces on a PA-200 firewall running version 4.1.16. Refer to Palo Alto Networks documentation for additional information about the web interface.

The following image shows the lab setup.

[Image: lab setup]

The ethernet1/2 interface represents the internal corporate network. All traffic from the corporate network will egress through this interface. The ethernet1/4 interface is the external interface. Traffic destined for any external network goes out through this interface. Ensure that the internal network is in the trust security zone and that the external network is in the untrust security zone. Also, ensure that both interfaces are assigned to the same virtual router (default in this example).

To configure the IPSec VPN Tunnels on PA-200, do the following tasks:

  A. Configuring the Tunnel Interfaces
  B. Creating the IKE Crypto Profile
  C. Creating the IKE Gateway
  D. Creating the IPSec Crypto Profile
  E. Creating the Tunnel Monitor Profile
  F. Creating the IPSec VPN Tunnels
  G. Defining the Policy Based Forwarding Rule


A. Configuring the Tunnel Interfaces

Configure two tunnel interfaces on the external interface (ethernet1/4). Ensure both tunnels are configured in the untrust security zone. In this example, the primary tunnel interface is named tunnel.1 with a source IP address 10.96.19.91. The secondary tunnel interface is named tunnel.2 with a source IP address 10.96.19.92.

To configure the primary tunnel interface:

  1. In the Palo Alto Networks web interface, go to Network > Interfaces.
  2. Click the Tunnel tab.
  3. Click Add.
  4. In the Tunnel Interface window, do the following:
    • Interface Name: Enter a name for the tunnel interface, such as tunnel.1.
    • Netflow Profile: Choose the appropriate NetFlow profile. In this example, it's None.
    • Comment: (Optional) Enter additional notes or information.
    • IP: Palo Alto Networks uses ICMP probes for tunnel monitoring and policy-based forwarding monitoring. Enter the source IP address from which the ICMP monitoring probes will be sent. The source IP address can be any IP address that does not overlap an existing subnet. In this example, the IP is 10.96.19.91.
    • Management Profile: Choose the appropriate management profile.
    • MTU: Enter the optimal MTU for your tunnel. In this example, it's 1400.
    • Assign Interface To:
      • Virtual Router: Choose default.
      • Security Zone: Choose untrust.
  5. Click OK.
  6. Click Save and then OK.
  7. Click Commit and then OK.
  8. Repeat this procedure to configure the secondary tunnel interface (tunnel.2) using the source IP address 10.96.19.92.

You need these two tunnel interfaces for step 3 of task F, Creating the IPSec VPN Tunnels, and step 6 of task G, Defining the Policy Based Forwarding Rule, below.

B. Creating the IKE Crypto Profile

Create an IKE crypto profile that specifies the security settings for the IKE phase 1 negotiations.

To create an IKE crypto profile:

  1. In the Palo Alto Networks web interface, go to Network.
  2. Expand Network Profiles.
  3. Select IKE Crypto.
  4. Click Add.
  5. In the IKE Crypto Profile window, do the following:
    • Name: Enter a name for the IKE crypto profile, such as Zscaler.
    • DH Group: Click Add, and choose group2.
    • Encryption: Click Add, and choose aes128.
    • Authentication: Click Add, and choose sha1.
    • Lifetime: Set it to 24 hours.
  6. Click OK.

You need this IKE crypto profile for step 5 of task C, Creating the IKE Gateway, below.

C. Creating the IKE Gateway

Create two IKE gateways, one for each Zscaler IPSec VPN node. In this example, the primary gateway is named ZscalerPT with the ZEN IP address 165.225.80.35. The secondary gateway is named ZscalerBT with the ZEN IP address 185.46.212.35.

To create the primary IKE gateway:

  1. In the Palo Alto Networks web interface, go to Network.
  2. Expand Network Profiles.
  3. Click IKE Gateways.
  4. Click Add.
  5. In the IKE Gateway window, do the following:
    • Name: Enter a name for the IKE gateway, such as "ZscalerPT".
    • Interface: Choose the external interface ethernet1/4.
    • Local IP Address: Choose None.
    • Peer IP Type: Choose Static.
    • Peer IP Address: Enter the ZEN IP address for the primary gateway. In this example, it's 165.225.80.35.
    • Pre-shared Key: Enter the pre-shared key of the VPN credentials you created in the Zscaler admin portal.
    • Confirm Pre-shared Key: Reenter the pre-shared key.
    • Show Advanced Phase 1 Options: Select to show the following options.
      • Local Identification: Enter the FQDN or IP address of the VPN credentials you created in the Zscaler admin portal. In this example, it's the IP address 99.41.72.25.
      • Peer Identification: Choose None.
      • Exchange Mode: Choose aggressive.
      • IKE Crypto Profile: Choose the IKE crypto profile you created in task B, Creating the IKE Crypto Profile. In this example, it's Zscaler.
      • Enable Passive Mode: Deselect.
      • Enable NAT Traversal: Select.
      • Dead Peer Detection: Select.
        • Interval: Enter "20".
        • Retry: Enter "5".
  6. Click OK.
  7. Repeat the procedure to create the secondary IKE gateway (ZscalerBT) using the ZEN IP address 185.46.212.35.

You need these two IKE gateways for step 3 of task F, Creating the IPSec VPN Tunnels, below.

D. Creating the IPSec Crypto Profile

Create an IPSec crypto profile that specifies the security parameters for the IKE phase 2 negotiations.

To create an IPSec crypto profile:

  1. In the Palo Alto Networks web interface, go to Network.
  2. Expand Network Profiles.
  3. Click IPSec Crypto.
  4. Click Add.
  5. In the IPSec Crypto Profile window, do the following:
    • Name: Enter a name for the IPSec crypto profile, such as Zscaler-IPSec.
    • IPSec Protocol: Ensure ESP is chosen.
    • Encryption: Click Add, and choose null for null encryption. If you want to use AES and have the subscription, you can select aes128.

    Zscaler recommends using null encryption because this reduces the load on the local router/firewall for traffic destined for the Internet. If you would like to use AES, you may purchase a separate subscription.

    • Authentication: Click Add, and choose md5.
    • DH Group: Ensure group2 is chosen.
    • Lifetime: Set it to 8 Hours.
    • Lifesize: (Optional) Set the lifesize according to your incoming traffic volume.
  6. Click OK.

You need this IPSec crypto profile for step 3 of task F, Creating the IPSec VPN Tunnels, below.

E. Creating the Tunnel Monitor Profile

A tunnel monitor profile specifies how the firewall monitors IPSec tunnels and the actions it takes if the tunnel is unavailable.

To create a tunnel monitor profile: 

  1. In the Palo Alto Networks web interface, go to Network.
  2. Expand Network Profiles.
  3. Click Monitor.
  4. Click Add.
  5. In the Monitor Profile window, do the following:
    • Name: Enter a name for the monitor profile, such as fail-over.
    • Action: Choose fail-over.
    • Interval (sec): Enter "20".
    • Threshold: Enter "5".
  6. Click OK.

You need this tunnel monitor profile for step 3 of task F, Creating the IPSec VPN Tunnels, below.

F. Creating the IPSec VPN Tunnels

Create two IPSec VPN tunnels to two different ZENs. In this example, the primary IPSec tunnel is configured from the primary IKE gateway (ZscalerPT), which has the ZEN IP address 165.225.80.35 and the Virtual IP address 165.225.80.34. The secondary IPSec tunnel is configured from the secondary IKE gateway (ZscalerBT), which has the ZEN IP address 185.46.212.35 and the Virtual IP address 185.46.212.34.

To create the primary IPSec VPN tunnel:

  1. In the Palo Alto Networks web interface, go to Network > IPSec Tunnels.
  2. Click Add.
  3. In the IPSec Tunnel window, under the General tab, do the following:
    • Name: Enter a name for the tunnel, such as ZscalerPrimaryT.
    • Tunnel Interface: Choose the primary tunnel interface you created in task A, Configuring the Tunnel Interfaces. In this example, it's tunnel.1.
    • Type: Ensure Auto Key is chosen.
    • IKE Gateway: Choose the primary IKE gateway you created in task C, Creating the IKE Gateway. In this example, it's ZscalerPT.
    • IPSec Crypto Profile: Choose the IPSec crypto profile you created in task D, Creating the IPSec Crypto Profile. In this example, it's Zscaler-IPSec.
    • Show Advanced Options: Select to show the following options.
      • Enable Replay Protection: Select.
      • Copy TOS Header: Deselect.
      • Tunnel Monitor: Select.
        • Destination IP: Enter the ZEN Virtual IP address of your primary tunnel. In this example, it's 165.225.80.34.
        • Profile: Choose the tunnel monitor profile you created in task E, Creating the Tunnel Monitor Profile. In this example, it's fail-over.
  4. In the Proxy IDs tab, click Add, and do the following:
    • Proxy ID: Enter a name for the proxy ID.
    • Local: Enter the local IP address 0.0.0.0/0.
    • Remote: Enter the remote IP address 0.0.0.0/0.
    • Protocol: Ensure Any is chosen.
  5. Click OK.
  6. Click OK again.
  7. Click Save and then OK.
  8. Click Commit and then OK.
  9. Repeat the procedure to create the secondary IPSec VPN tunnel (ZscalerSecondaryT) using the secondary tunnel interface (tunnel.2), IKE gateway (ZscalerBT), and ZEN Virtual IP address (185.46.212.34).

G. Defining the Policy Based Forwarding Rule

Define two policy-based forwarding rules to route traffic from the Palo Alto Networks appliance into the tunnels.

To define the primary policy based forwarding rule:

  1. In the Palo Alto Networks web interface, go to Policies > Policy Based Forwarding.
  2. Click Add.
  3. In the General tab, do the following:
    • Name: Enter a name for the policy, such as PTpolicy.
    • Description: (Optional) Enter a description.
    • Tags: (Optional) Choose a tag.
  4. In the Source tab, under Zone, click Add, and choose trust.
  5. In the Destination/Application/Service tab, do the following:
    • Destination Address: Ensure Any is selected.
    • Applications: Ensure Any is selected.
    • Service: Ensure Any is chosen. Note that if you only want to send traffic to port 80/443, click Add, and choose service-http and service-https.
  6. In the Forwarding tab, do the following:
    • Action: Choose Forward.
    • Egress Interface: Choose the primary tunnel interface you created in task A, Configuring the Tunnel Interfaces. In this example, it's tunnel.1.
    • Next Hop: Leave this field blank.
    • Monitor: Select.
      • Profile: Choose fail-over.
      • Disable this rule if nexthop/monitor ip is unreachable: Select.
      • IP address: Enter the ZEN Virtual IP address of your primary tunnel. In this example, it's 165.225.80.34.
    • Schedule: Choose None.
  7. Click OK.
  8. Repeat the procedure to define the policy based forwarding rule for the secondary tunnel (BTpolicy) using the secondary tunnel interface (tunnel.2) and ZEN Virtual IP address (185.46.212.34).

Troubleshooting

Following are some sample commands that you can use to monitor and troubleshoot the VPNs. Make an SSH connection to the PA-200 and log in to the CLI to execute the commands.

admin@PA-200> show vpn ?
> flow Show dataplane IPSec-VPN tunnel information
> gateway show list of IKE gateway configuration
> ike-sa show IKE SA
> ipsec-sa show IPSec SA
> tunnel show list of auto-key IPSec tunnel configuration
admin@PA-200> show vpn flow
total tunnels configured: 2
filter - type IPSec, state any
total IPSec tunnel configured: 2
total IPSec tunnel shown: 2
id   name                    state monitor     local-ip       peer-ip              tunnel-i/f
-------------------------------------------------------------------------------------------------------------
3    ZscalerPrimaryT         active up         0.0.0.0        165.225.80.35        tunnel.1
4    ZscalerSecondaryT       active up         0.0.0.0        185.46.212.35        tunnel.2
admin@PA-200> show vpn gateway
GwID  Name               Peer Address/ID          Local Address/ID                           Protocol                     Proposals
-----------------------------------------------------------------------------------------------------------------------------------
1     ZscalerPT          165.225.80.35            99.41.72.25(ipaddr:99.41.72.25) Aggr       [PSK][DH2][AES128][SHA1]     28800-sec
2     ZscalerBT          185.46.212.35            99.41.72.25(ipaddr:99.41.72.25) Aggr       [PSK][DH2][AES128][SHA1]     28800-sec
Show IKE gateway config: Total 2 gateways found.
admin@PA-200> show vpn ike-sa
phase-1 SAs
GwID/client IP       Peer-Address           Gateway Name           Role Mode Algorithm            Established        Expiration        V    ST   Xt  Phase2
-----------------------------------------------------------------------------------------------------------------------------------------------------------
1                    165.225.80.35          ZscalerPT              Init Aggr PSK/DH2/A128/SHA1    Nov.14 10:57:54    Nov.14 18:57:54   v1   12   5   2342 
2                    185.46.212.35          ZscalerBT              Init Aggr PSK/DH2/A128/SHA1    Nov.14 11:15:05    Nov.14 19:15:05   v1   12   1   2156 
Show IKEv1 IKE SA: Total 2 gateways found. 2 ike sa found.
phase-2 SAs
GwID/client IP       Peer-Address           Gateway Name           Role Algorithm                 SPI(in)    SPI(out)   MsgID      ST  Xt
-----------------------------------------------------------------------------------------------------------------------------------------
1                    165.225.80.35          ZscalerPT              Init DH2 /tunl/ESP/NULL/MD5    A9E46021   08F92DD3   F6A1AA02   9   1 
2                    185.46.212.35          ZscalerBT              Init DH2 /tunl/ESP/NULL/MD5    CDA37FAC   0B84DBFD   4CDC542F   9   1 
Show IKEv1 phase2 SA: Total 2 gateways found. 2 ike sa found.
admin@PA-200> show vpn ipsec-sa
GwID/client IP     TnID     Peer-Address           Tunnel(Gateway)                      Algorithm       SPI(in)     SPI(out)    life(Sec/KB)
--------------------------------------------------------------------------------------------------------------------------------------------
1                  1        165.225.80.35          ZscalerPrimaryT(ZscalerPT)           ESP/NULL/MD5    EA722827    05F7782A    7199/102400
2                  2        185.46.212.35          ZscalerSecondaryT(ZscalerBT)         ESP/NULL/MD5    E9251A84    0DDF8BFA    7199/102400
Show IPSec SA: Total 2 tunnels found. 2 ipsec sa found.
TnID    Name(Gateway)                        Local Proxy IP     Ptl:Port      Remote Proxy IP    Ptl:Port                                   Proposals
-----------------------------------------------------------------------------------------------------------------------------------------------------
3          Zscaler-Tunnel(VPN-71)            0.0.0.0/0          0:0           0.0.0.0/0          0:0         ESP tunl [DH2][NULL][MD5]      7200-sec
4          Zscaler-backup-tunnel(VPN-81)     0.0.0.0/0          0:0           0.0.0.0/0          0:0         ESP tunl [DH2][NULL][MD5]      7200-sec
Show IPSec tunnel config: Total 2 tunnels found
admin@PA-200> clear vpn ike-sa
Delete IKEv1 IKE SA: Total 2 gateways found. 2 ike sa found.
admin@PA-200> clear vpn ipsec-sa
Delete IKEv1 IPSec SA: Total 2 tunnels found. 2 ipsec sa found.
admin@PA-200> show routing fib
total virtual-router shown : 1
-----------------------------------------------------------------------------------------------------
virtual-router name: Default
interfaces: ethernet1/2 ethernet1/4 tunnel.1 tunnel.2
route table:
flags: u - up, h - host, g - gateway
maximum of fib entries for device:                 1000
maximum of IPv4 fib entries for device:            1000
maximum of IPv6 fib entries for device:            1000
number of fib entries for device:                  9
maximum of fib entries for this fib:               1000
number of fib entries for this fib:                9
number of fib entries shown:                       9

id      destination           nexthop            flags    interface          mtu 
-----------------------------------------------------------------------------------------------------
20      0.0.0.0/0             0.0.0.0            u        tunnel             1300
19      10.96.19.91/32        0.0.0.0            uh       tunnel.1           1300
16      10.96.19.92/32        0.0.0.0            uh       tunnel.2           1300
2       10.84.0.0/24          0.0.0.0            u        ethernet1/2        1500
1       10.84.0.116/32        0.0.0.0            uh       ethernet1/2        1500
12      165.225.80.35/32      99.41.72.30        ug       ethernet1/4        1500
4       99.41.72.16/28        0.0.0.0            u        ethernet1/4        1500
3       99.41.72.25/32        0.0.0.0            uh       ethernet1/4        1500
18      185.46.212.35/32      99.41.72.30        ug       ethernet1/4        1500
-----------------------------------------------------------------------------------------------------
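The checks a practitioner makes by eye on the output above (both tunnels active, tunnel monitor up, each peer being the configured ZEN, phase 1 negotiated in aggressive mode with the configured proposal) can be scripted. The following is an added example, not code from this page or from Palo Alto Networks; it assumes the command output has been captured to text, for instance over SSH, and uses the tunnel, gateway and IP values from this page.

```python
# Added example (not from the page or from Palo Alto Networks): check PAN-OS 'show vpn flow'
# and 'show vpn ike-sa' output against the two-tunnel Zscaler setup configured above.
# Expected values from the tasks above: tunnel name -> (ZEN IP, tunnel interface, IKE gateway).
EXPECTED_TUNNELS = {"ZscalerPrimaryT": ("165.225.80.35", "tunnel.1", "ZscalerPT"),
                    "ZscalerSecondaryT": ("185.46.212.35", "tunnel.2", "ZscalerBT")}
EXPECTED_PHASE1 = ("Aggr", "PSK/DH2/A128/SHA1")  # exchange mode and proposal as PAN-OS prints them

# Constructed sample output modelled on the transcript above; the secondary tunnel's
# monitor is deliberately 'down' so that the check has something to report.
SAMPLE_FLOW = """\
id   name               state  monitor  local-ip  peer-ip        tunnel-i/f
3    ZscalerPrimaryT    active up       0.0.0.0   165.225.80.35  tunnel.1
4    ZscalerSecondaryT  active down     0.0.0.0   185.46.212.35  tunnel.2
"""
SAMPLE_IKE_SA = """\
phase-1 SAs
1  165.225.80.35  ZscalerPT  Init Aggr PSK/DH2/A128/SHA1  Nov.14 10:57:54  Nov.14 18:57:54  v1  12  5  2342
2  185.46.212.35  ZscalerBT  Init Aggr PSK/DH2/A128/SHA1  Nov.14 11:15:05  Nov.14 19:15:05  v1  12  1  2156
phase-2 SAs
1  165.225.80.35  ZscalerPT  Init DH2 /tunl/ESP/NULL/MD5  A9E46021  08F92DD3  F6A1AA02  9  1
"""

def parse_vpn_flow(text):
    """Return {tunnel name: (state, monitor, peer-ip, tunnel-i/f)} from 'show vpn flow'."""
    tunnels = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 7 and f[0].isdigit():  # data rows: seven columns, numeric id
            tunnels[f[1]] = (f[2], f[3], f[5], f[6])
    return tunnels

def parse_ike_phase1(text):
    """Return {gateway name: (peer-ip, mode, algorithm)} from the phase-1 table only."""
    gateways = {}
    for line in text.split("phase-2 SAs")[0].splitlines():  # stop before the phase-2 table
        f = line.split()
        if len(f) >= 6 and f[0].isdigit():
            gateways[f[2]] = (f[1], f[4], f[5])
    return gateways

def check_tunnels(flow_text, ike_text):
    """Compare live output with the expected values; return a list of findings."""
    flow, ike = parse_vpn_flow(flow_text), parse_ike_phase1(ike_text)
    findings = []
    for name, (peer, iface, gateway) in EXPECTED_TUNNELS.items():
        t = flow.get(name)
        if t is None:
            findings.append(f"{name}: not present in 'show vpn flow'")
            continue
        state, monitor, seen_peer, seen_iface = t
        if (state, monitor) != ("active", "up"):
            findings.append(f"{name}: state {state}, monitor {monitor} (expected active/up)")
        if (seen_peer, seen_iface) != (peer, iface):
            findings.append(f"{name}: peer/interface {seen_peer}/{seen_iface} not as configured")
        g = ike.get(gateway)
        if g is None:
            findings.append(f"{gateway}: no phase-1 SA, IKE not established")
        elif g[1:] != EXPECTED_PHASE1:
            findings.append(f"{gateway}: phase-1 {g[1]} {g[2]} not as configured")
    return findings
```

An empty list from check_tunnels means both tunnels match the configuration on this page; run it against real captures on a schedule and alert on any non-empty result.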