Palo Alto PCNSA – Chapter 10 – Site-to-site-VPN part 1

1. 10.7 Site-to-site VPN

In this video we are covering Pcnsa 210 and this is our Chapter Ten, side to side VPN. Now this is the 7th video of Chapter Ten, which is 10. 7 side to side VPN overview. Now Palo Alto Networks operating system software implements root based IPsec VPNs. This is opposed to policy based design. In a root based VPN, the determining factor of which traffic will be tunneled is the final destination of that traffic. Now the word VPN, I’m just going to explain a little bit about VPN just in case some of you are rusty and you don’t really remember the idea what VPN was about and so on. Okay? So I’m going to try and do it very quick so I’m not going to spend too much time here.

Like imagine that we have Site A, Site A and then we have another site here which is Site B, right? And because we cannot want Site A or Site B to connect to the Internet and like regular users, they wouldn’t have gone to the Internet and access the Internet. They sell something, buy something or whatever, we can have a public connection to the Internet for Site A and Site B. Now the Site A and Site B are not connected with each other. They’re just connected to the Internet. Like my home, your home, we all connect to the Internet. And whatever we do in the internet now there’s going to come a need when we want to connect Site A and Site B to each other for maybe backups, whatever direct Redundancy or something like that.

We cannot connect them. We can either do this, use the public Internet to connect the Site A and Site B and that will be used in VPN. Or we can have a dedicated a private link between Site A and Site B. This is a private connection. Now the one at the top, this is a public connection. So we can either connect them through a public network or through the private network. Now the connection between you and the Internet is you’re going through this land that you’re not owning. And because you’re going through this area that you’re not in charge of, you need to pay someone.

And that means that you’re connecting to the wide area network. If we connect into the wide area network, it means that you have to pay someone. And like I said to you, there’s two ways you can connect to the wide area network. You can either connect through a private connection, private, the one underneath, or we can have a public connection in the private. There’s few options you can have. For example, a dedicated link and this is going to be the most expensive cated link, dedicated link, which is your lease lines, lease line. And in the lease line, for example, you can choose the speed.

For example, t one, e one, t three, e three, and so on. Right now this is going to be the most expensive, but that’s your private connection. Or we can have in the private connection, we can have, for example, switched in the switch. Do you have two options? We have a circuit switch, which is the cheapest app is the slowest. And for example, here we have an ISDN or PSDN, public switched telephone network, which is very slow, but they work, but it’s a private connection. Or we can have a packet switch, which is very popular, most popular connection for private lines is packet switched.

And here we can have, for example, MPLS, we can have ATM, we can have a Metro, Ethernet and so on. This is going to be the most expensive. But that’s the line here, right? That site is a private, this site is public. Now companies, they want to connect site A to site B. Maybe they don’t want to use a private because there’s extra payment that needs to do, extra money they need to spend. So they say, okay, well is there a way we can connect through site A with site B without actually going to this extra another connection? Well, yes, there is, because we have a public line. And public line is a broadband. And to connect to broadband, we have three choices.

We can connect through the cable, we can connect through the wireless, or we can connect through DSL.But the broadband technology allows you to create a virtual private network. So virtually we create in this VPN and that means, okay, well, we get rid of this private connection and within our public connection, the one on the top, we can create like a tunnel and we create this VPN virtual private network in that tunnel. And then in that tunnel, well, it’s not a tunnel, it’s not real tunnel. It’s just that your data is encrypted and integrity is there. So we make sure that data will get from A to B in one piece without being changed in the middle from the manner in the middle, for example.

Okay, that’s the idea of VPN. So VPN we are using a public network to create this virtually private network and our data is secure. Okay, excellent. I hope that didn’t take too much time. But Palo Alto is using a root based IPsec VPNs, which is better and easier to expand. For example, the VPNs are used with the tunnel. So you need to create these tunnel interfaces so they are represented by the tunnel logical interface. And this tunnel interface, it is placed within the zone and the routing table will choose the tunnel settings. Now, Palo Alto Networks operating system does support two versions of Internet Key Exchange. Which are internet Key Exchange version one and Ikey V two or just Ikea IQ two.

Now internet Key Exchange phase one. So there’s two phases to create an IPsec tunnel. On the phase one, we just identifying the peers, so making sure that they are who they say they are. And usually this identification happens within just IP address. Ike phase one provides authentication of the endpoints of the tunnel and creates a secure channel for the next phase of the VPN. And we have to exchange or they will exchange the peers that will exchange this five pieces of information. Now to remember, remember the word Haggle. So they go through the Haggle. So first Haggle first is H, which is hash an algorithm that gives you the integrity. The data has not changed from the source to destination. Then we have a for authentication between each other.

Then we have to choose a group diffie Hellman group lifetime. How long this before we need to redo it again? And then we have e for encryption that’s your symmetric key algorithm diffie Hellman will do asymmetric while this is a symmetric key algorithm, encryption gives you confidentiality. So we have integrity and confidentiality there. So they have to go through the Haggle hashing algorithm authentication method, defy element, key exchange lifetime and symmetric key algorithm. In the phase two this is where it actually is done for the data. So the phase one is just the peers negotiating with each other. The phase two is actually when we send user data.

So Ike phase one was concerned with authenticating the endpoints. The phase two is concerned with data traffic that crosses the tunnel and they have to go through the same five step, five pieces of information. The Haggle bit hashin IPsec type diffie Hellman lifetime and symmetric key algorithm. So root based side to side VPN. A single VPN tunnel might be sufficient for connecting between a single central site and remote site. Connection between a central site and multiple remote sites requires VPN tunnels for each central remote site pair. Each tunnel interface can have a maximum of ten IPsec tunnels which allows for the creation of IPsec tunnels for individual networks that are all associated with the same tunnel interface of the firewall.

So for example, you have the headquarters who’s going to have ten remote sites. You don’t have to create ten tunnel interfaces, you can have all of them all in one tunnel interface which supports ten IPsec tunnels. So to create a VPN tunnel components interaction there is three basic requirements. First we need to create phase one, which is your tunnel interface, then phase two which is the IPsec tunnel. And we need a static route between the endpoints. So one endpoint has to know how to get to the other endpoints. But if it’s public IP address that’s not going.

2. 10.8 Configuring site-to-site tunnels

In this video we are covering Pcnsa to ten and this is our chapter Ten site to site VPN. Now this is the 8th video of chapter ten which is 10. 8 configuring site to site tunnels. Now this is a topology that I will be using to demonstrate for you how to configure side to side tunnel and we have two sites, we have well in firewall A has got his own site with the IP address and we have a firewall B with the imagine site B. So site A and site B. Now I have two firewalls, I’m managing them from my management machine and when I manage firewall A I’ve used this IP address 192-168-1254 and when I manage firewall B I will use this IP address.

Now these are virtual firewalls here and the IP address of the public address of firewall A is this and the firewall B, well is this 230-1134? I will be using tunnel interfaces obviously because we need it for VPN connection and I will give an IP address because I want to monitor this connection that it’s working. Yeah so I will be using tunnel 55. You can use any numbers, it doesn’t have to be 55 and it doesn’t have to match. You can use whatever you want, you pick whatever you want. But the IP addresses, they have to be in the same subnet for it to work. Let me access my firewall so I can show you what I have. I have firewall A which is this one here, firewall A and I’m controlling with address two five four so you can see it from my lab.

So firewall A with two five four and I have firewall B which is I’m controlling with address two five three. So two five three firewall B. Now they don’t have any configuration as a VPN for site to site VPN. So we’re going to start from scratch and we’re going to do it on the both firewalls. Hopefully it’s not going to take too long for this video. So anyway the first thing that you need to do to configure VPN, you need to navigate to the network area and interfaces. We need to configure a virtual interface, virtual tunnel interface, everything.

All the configuration for IPsec VPN that we’re going to do is going to be in this area in the network right then we need to configure interfaces and if I just scroll little bit down I need to configure. So for us to configure the VPN IPsec tunnels we need to configure Ike crypto I key gateways then I configure IPsec crypto and then IPsec tunnels after I configured in the top of the tunnel. So let’s go and configure the tunnel interface. So I will go to network interfaces tunnel and I’m going to add the new one. Now this has to be a logical layer three interface and you can see the tunnel interfaces have read only so you can’t change the name.

We give a number. So 55, for example, like I said, do whatever you want. You can give any number you want there on the comments, I’m going to leave it alone. But in production, obviously you will write something in there. And then in the configuration I will use the virtual router. I will use it as VR, lab VR and the security zone, I’m going to create a brand new security zone called VPN. Just type VPN there. So VPN. Okay. And that’s it. Now we don’t really need to give an IP address, IPV four address. But if we want to monitor yes, we have to give it, or if you for example, we require dynamic routine, then we have to give an IP address either IPV four, IPV six.

I’m going to use IPV four. And for this tunnel interface, if you look at the lab, for example, it’s going to be 170, 216, twelve, one, that’s my IP address. 170, 216, twelve, 1424 and that’s it. And I’m going to do the same configuration in the wall, similar with different IP address and Firewall B. So go to Firewall B and under network interfaces tunnel and then I’ll add the new one. So the name is not going to change. And I’ll put 55 again, they don’t have the match here. You can pick any number you want. And the virtual router is going to have his own virtual router, which is Lab VR. And the security zone. Again, I’m going to create a brand new one. So this is going to be VPN zone and click OK.

Now here I need to configure an IP address for monitoring as well, which is, if you look, the IP address is one, 7216, twelve, two. So one, 7216, twelve, two, four. Now the interface, the tunnel interfaces are done. So the next thing we need to configure is either well, we got to configure Ike crypto. Now here in Ike crypto, click add and now the crypto profile has to match the Diffie Hellman group. The authentication encryption, like integrity and confidentiality, they have to match. You can put as many as you want, but I’m going to just use one on each. Let me just give a name. So this is going to be Firewall, Firewall A and we’re going to be using Diffi Hellman group Two.

And we’re going to be using shaw, two, five, six. And shaw two, five, six. And we’re going to be using AES, AES two Five six as well for encryption. So this is going to be what they have to match on the other side. So I’ll add this group two, authentication shot two Five six and encryption AES two Five Six. Right? And I’m going to do the same on the Firewall B. So I’ll copy that name just so I don’t have to write it again. And if I go to Fireball B and scroll down to Ike crypto, I’ll add the new one. I can use the default one but the new one. And I’ll just change the name here to B. And again here is going to be group two, authentication two five six and encryption two five six, AES two five six.

And for the lifetime we’re going to leave it for 8 hours. We can go down to as low as three minutes to change all these to go through the process again, but 8 hours is fine. And click OK, now we have on both Firewalls, we have the Ike crypto, internet key Exchange crypto configured next I’m going to configure that is Ike gateways. So if I click on the Ikea gateways and I’ll add the new one there, give it a name. So this is going to be Firewall A, Ike gateway and for this we can use version one or version two, but I’m going to use a version one only mod and address type is going to be IPV four and interface for this is going to be Ethernet one one. So ethernet one.

One. If we look at the lab topology, that’s Ethernet one one and that’s the IP address of Firewall A. So Firewall A, that’s the IP address here and we can use the peer IP address either fully qualified domain name or dynamic. So just put an IP address because I know the peers IP address is 40 at the end. So two or 3011 340. And we’re going to use well for authentication you can use pre shared key or certificates. Well, I’m going to use a pre shared key and I’m going to type Palo Alto here and then we can have a local identification and peer identification for example. But I’m going to leave them to none. And under the advanced options we can enable passive mode.

Well if you enable passive mode, the Firewall is not going to initiate the configuration, it’s just going to wait for the other side to initiate it. Enable Nat reversal. This prevents intermediary devices from applying Nat to VPN communication exchange mode. We have auto main and aggressive. Main is going to go through proposals and agreement while Aggressive is going to squeeze all the packets into one and just send them. But we’re going to leave auto to whatever yet the site says. But they’re going to use main to start with. And the crypto profile that we just created, it is underneath here. We have to put it so Firewall A, that’s my crypto profile. I’m not going to enable fragmentation. Okay, so this is done on this side.

So I need to do the same on firewall b. So if I go to Firewall B and then go to Ike gateways and under name, I should have copied the name so Firewall B and this is I key gateway and mode. You’re going to be one again, ethernet one one is the interface and local IP address for this is going to be 40 and the neighbors is 230-1132. That’s the IP address and the preshade key, Palo Alto. They need to preheat the key, the same key on both sides. Advanced options. And again in here I’m just going to choose the crypto profile. This was firewall. B’s done. So we have ike gateways on both firewall A and firewall B. The next is IPsec IPsec cryptography we need to configure and here is the same again we have to go through the five information.

You remember the haggle? So this is going to be a Firewall A IPSec IPsec crypto and let me just copy this name so I can easily write it on the other side. The protocol, the IPsec protocol encapsulation security payload or just authentication header. So we’re going to use ESP and you know the difference between ESP just going to encapsulate everything. Ah, it’s going to encapsulate the header anyway, these are the extra information about VPN. So encryption we’re going to use AES two, five six and authentication we’re going to use Shaw two five six. Group difficulty element group is group two. You see here they don’t expect you to explain VPN. You should already know what is ESP and ah and so on they just explain how is to configure it.

Okay, then we’re going to do the same thing. We’re going to do it on Firewall B. So if I go to IPC crypto and add a new one and I’ll give it a name, just change this to B and the encryption is going to be two five six. Again this has to match here. So same encryption, same hashing, authentication shot two, five, six and done both sides. Now the next thing we need to do is actually go and configure the IPsec tunnel. So IPsec tunnel and click add in here we put everything together, everything that we configured under network profiles, we need to add them here. So I’m just going to say here firewall a IPsec tunnel and I’m going to copy this so I can write them the other side. Tunnel Interface well the tunnel interface is tunnel 55 that we just created.

The gateway is the one that we created and the IPC crypto profile is the one that we just created. So we just put them all together and then if we click show advanced options I can use my tunnel monitor. The destination tunnel IP address is one 7216 twelve two and on the proxy ID so I can have a look what kind of like information or what is the inside network? So this is but inside inside networks and the local inside network is 192168 dot one, dot zero 424 remote inside network was anything with 1010 10 424. So here we tell them what’s inside networks and click OK, what is the other side expecting? What kind of networks? So firewall b the same configuration.

Now I need to go to IPsec tunnels and I’m going to add a new one there. And the name, well I just changed it to be here. And the interface, the tunnel interface is the 55, the Ike gateway, the one that I created it and the crypto profile the one that we created it. And on the show advanced options we can monitor the tunnel and the neighbor’s tunnel address is one 7216 twelve one. And in the proxy IDs again I’m going to add the new one again, give it name inside ID. For example here the local ID is ten one. Neighbors inside network is zero 1921-681-0424. Okay we’re all done here. Now all we have need to do is committed on both sides and we really should have the interface status should be green.

The Ike phase one should be green and the IPsec tunnel phase two should be green here as well. Okay so I’m going to commit it on both sides. Commit here, firewall A and then go to firewall B and committed here as well. Okay now the commit has completed successfully and I’ve got some warnings about no valid threat license on this firewall but it’s fine, nothing to do with the IPsec tunnel so it’s good. And we have all greens. We have green on interface status, green on the phase one, green on phase two. So if I click on the tunnel information I will see that we have a tunnel information with the site. So B has got tunnel correctly and A is completed here. Let’s need a refresh. There we go. So I’ll.