
PALO ALTO NETWORKS EDU-210

Lab 11: Site-to-Site VPN

Document Version: 2019-11-12

Copyright © 2019 Network Development Group, Inc.


www.netdevgroup.com

NETLAB Academy Edition, NETLAB Professional Edition, and NETLAB+ are registered trademarks of Network Development Group, Inc.

Palo Alto Networks and the Palo Alto Networks logo are trademarks or registered trademarks of Palo Alto Networks, Inc.

Contents
Introduction ........................................................................................................................ 3
Objectives............................................................................................................................ 3
Lab Topology ....................................................................................................................... 4
Theoretical Lab Topology .................................................................................................... 4
Lab Settings ......................................................................................................................... 5
1 Site-to-Site VPN........................................................................................................... 6
1.0 Load Lab Configuration ........................................................................................ 6
1.1 Configure the Tunnel Interface ............................................................................ 8
1.2 Configure the IKE Gateway ................................................................................ 10
1.3 Create an IPSec Crypto Profile ........................................................................... 13
1.4 Configure the IPsec Tunnel ................................................................................ 14
1.5 Test Connectivity ................................................................................................ 17

11/12/2019 Copyright © 2019 Network Development Group, Inc. www.netdevgroup.com Page 2

Introduction

With the success of the Palo Alto Networks firewall at the corporate offices, the Board
has approved the security team's plan to deploy Palo Alto Networks firewalls in our other
locations and offices. To allow those branches to communicate securely with the
corporate offices, we will implement site-to-site IPsec VPN tunnels and the policies they require.

Objectives

• Create and configure a tunnel interface to use in the site-to-site VPN connection
• Configure the IKE gateway and IKE Crypto Profile
• Configure the IPSec Crypto Profile and IPsec tunnel
• Test connectivity

Lab Topology

Theoretical Lab Topology

Lab Settings

The information in the table below will be needed in order to complete the lab. The
task sections below provide details on the use of this information.

Virtual Machine   IP Address      Account (if needed)   Password (if needed)
Client            192.168.1.20    lab-user              Pal0Alt0
Firewall          192.168.1.254   admin                 admin

1 Site-to-Site VPN

1.0 Load Lab Configuration

1. Launch the Client virtual machine to access the graphical login screen.

To open the console window for a virtual machine, either click the
machine's graphic image on the topology page or click the machine's
tab in the navigation bar.

2. Click within the splash screen to bring up the login screen. Log in as lab-user using
the password Pal0Alt0.

3. Launch the Chrome browser and connect to https://192.168.1.254.


4. If a security warning appears, click Advanced and proceed by clicking on Proceed to
192.168.1.254 (unsafe).
5. Log in to the Palo Alto Networks firewall using the following:

Parameter   Value
Name        admin
Password    admin

6. In the web interface, navigate to Device > Setup > Operations.

7. Click Load named configuration snapshot:

8. Click the drop-down list next to the Name text box and select edu-210-lab-011. Click
OK.

9. Click Close.

The following instructions are the steps to execute a "Commit All", which
you will perform many times throughout these labs.

10. Click the Commit link at the top-right of the web interface.

11. Click Commit and wait until the commit process is complete.

12. Once completed successfully, click Close to continue.

13. Leave the firewall web interface open to continue with the next task.

1.1 Configure the Tunnel Interface

1. In the web interface, navigate to Network > Interfaces > Tunnel.

2. Click Add to configure a tunnel interface.

3. In the Tunnel Interface window, configure the following.

Parameter        Value
Interface Name   Type 12
Comment          Type Tunnel to DMZ
Virtual Router   Select lab-vr from the drop-down list
Security Zone    Create and assign a new Layer 3 zone named VPN

4. In the Tunnel Interface window, click the IPv4 tab and configure the following.

Parameter   Value
IP          Click Add and type 172.16.2.10/24

5. In the Tunnel Interface window, click the Advanced tab and configure the following.
Once finished, click OK.

Parameter            Value
Management Profile   Select ping from the drop-down list

6. Leave the firewall web interface open to continue with the next task.

1.2 Configure the IKE Gateway

1. In the web interface, navigate to Network > Network Profiles > IKE Gateways.

2. Click Add to create the IKE gateway.

3. In the IKE Gateway window, configure the following.

Parameter             Value
Name                  Type dmz-ike-gateway
Version               Verify that IKEv1 only mode is selected
Interface             Select ethernet1/3 from the drop-down list
Local IP Address      Select 192.168.50.1/24 from the drop-down list
Peer IP Address Type  Verify that the IP radio button is selected
Peer Address          Type 192.168.50.10
Pre-shared Key        Type paloalto

4. In the IKE Gateway window, click the Advanced Options tab. On the IKEv1 subtab,
configure the following.

Parameter           Value
IKE Crypto Profile  Select New IKE Crypto Profile

5. Notice the IKE Crypto Profile window appears. Configure the following. Once
finished, click OK.

Parameter        Value
Name             Type AES256-DH2-SHA2
DH Group         Click Add and select Group 2 from the drop-down list
Authentication   Click Add and select sha256 from the drop-down list
Encryption       Click Add and select aes-256-cbc from the drop-down list

6. Back on the IKE Gateway window, click OK.

7. Leave the firewall web interface open to continue with the next task.

1.3 Create an IPSec Crypto Profile

1. In the web interface, navigate to Network > Network Profiles > IPSec Crypto.

2. Click Add to open the IPSec Crypto Profile configuration window.

3. In the IPSec Crypto Profile window, configure the following. Once finished, click OK.

Parameter        Value
Name             Type AES256-SHA256
IPSec Protocol   Verify that ESP is selected
Encryption       Click Add and select aes-256-cbc from the drop-down list
Authentication   Click Add and select sha256 from the drop-down list
DH Groups        Verify that group2 is selected

4. Leave the firewall web interface open to continue with the next task.

1.4 Configure the IPsec Tunnel

1. In the web interface, navigate to Network > IPSec Tunnels.

2. Click Add to define the IPsec tunnel.

3. In the IPSec Tunnel window, while on the General tab, configure the following.

Parameter              Value
Name                   Type dmz-tunnel
Tunnel Interface       Select tunnel.12 from the drop-down list
Type                   Verify that the Auto Key radio button is selected
Address Type           Verify that the IPv4 radio button is selected
IKE Gateway            Select dmz-ike-gateway from the drop-down list
IPSec Crypto Profile   Select AES256-SHA256 from the drop-down list
Show Advanced Options  Select the checkbox
Tunnel Monitor         Select the checkbox
Destination IP         Type 172.16.2.11
Profile                Verify that None is selected

4. In the IPSec Tunnel window, click the Proxy IDs tab and then click Add.

5. In the Proxy ID window, configure the following. Once finished, click OK.

Parameter   Value
Proxy ID    Type dmz-tunnel-network
Local       Type 172.16.2.0/24
Remote      Type 172.16.2.0/24
Protocol    Verify that Any is selected

6. Back on the IPSec Tunnel window, click OK.

7. Verify that the new IPSec tunnel appears in the list.

8. Commit all changes.


9. Leave the firewall web interface open to continue with the next task.
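As an added check (example code written for this edit, not part of the NDG lab or of PAN-OS), the Python below mirrors the values entered in sections 1.1 to 1.4 in a dict and flags the settings a reviewer would question before reusing this lab configuration outside the lab: IKEv1-only mode, DH group 2 in both crypto profiles, and the short pre-shared key. It also checks that the tunnel monitor address sits in the tunnel interface's subnet and that the proxy IDs are clean network prefixes.

```python
"""Review of the lab's site-to-site VPN settings (constructed example,
not NDG or Palo Alto Networks code). LAB_VPN mirrors the values from
sections 1.1 to 1.4; review_vpn() flags weak or inconsistent settings."""
import ipaddress
import re

# Values as entered in the lab (constructed from the tables above).
LAB_VPN = {
    "tunnel_interface": {"name": "tunnel.12", "ip": "172.16.2.10/24"},
    "ike_gateway": {"name": "dmz-ike-gateway", "version": "ikev1",
                    "peer": "192.168.50.10", "psk": "paloalto"},
    "ike_crypto": {"name": "AES256-DH2-SHA2", "dh_group": "group2",
                   "auth": "sha256", "enc": "aes-256-cbc"},
    "ipsec_crypto": {"name": "AES256-SHA256", "protocol": "esp",
                     "dh_group": "group2", "auth": "sha256", "enc": "aes-256-cbc"},
    "tunnel": {"name": "dmz-tunnel", "monitor_ip": "172.16.2.11",
               "proxy_ids": [{"local": "172.16.2.0/24", "remote": "172.16.2.0/24"}]},
}

# MODP groups shorter than 2048 bits (RFC 2409 / RFC 3526) are weak today.
WEAK_DH = {"group1", "group2", "group5"}


def review_vpn(cfg):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    gw, tun = cfg["ike_gateway"], cfg["tunnel"]
    if gw["version"] != "ikev2":
        findings.append(f"{gw['name']}: negotiates {gw['version']}; prefer IKEv2 (RFC 7296)")
    for label in ("ike_crypto", "ipsec_crypto"):
        prof = cfg[label]
        if prof["dh_group"] in WEAK_DH:
            findings.append(f"{prof['name']}: DH {prof['dh_group']} is under 2048 bits; use group14 or stronger")
    # A short, lowercase-only PSK such as a vendor name is trivially guessable.
    if len(gw["psk"]) < 20 or not re.search(r"[^a-z]", gw["psk"]):
        findings.append(f"{gw['name']}: pre-shared key is short or low-entropy; use a long random value")
    # Tunnel monitor pings through the tunnel interface, so its target must sit in that subnet.
    tun_net = ipaddress.ip_interface(cfg["tunnel_interface"]["ip"]).network
    if ipaddress.ip_address(tun["monitor_ip"]) not in tun_net:
        findings.append(f"{tun['name']}: monitor IP {tun['monitor_ip']} is outside {tun_net}")
    # Proxy IDs must be clean network prefixes; host bits left set is a common typo.
    for pid in tun["proxy_ids"]:
        for side in ("local", "remote"):
            try:
                ipaddress.ip_network(pid[side])
            except ValueError:
                findings.append(f"{tun['name']}: proxy ID {side} {pid[side]} is not a valid network prefix")
    return findings
```

Running `review_vpn(LAB_VPN)` on the lab values returns four findings (IKEv1, group2 twice, and the PSK) and nothing for the monitor IP or proxy IDs.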

1.5 Test Connectivity

1. After committing changes, refresh the IPSec Tunnels page. The Status column
indicator should now be green, which means that the VPN tunnel is connected.

2. Navigate to Monitor > Logs > System.

3. Review the VPN log entries.

If you see messages related to "pre-shared key mismatch", go back to
your IKE Gateways web interface under Network Profiles, click on
dmz-ike-gateway, and re-type paloalto in both Pre-shared Key text
fields. Click OK and commit all changes.

4. On the Windows desktop, double-click the PuTTY icon.


5. In the PuTTY Configuration window, double-click firewall-management.

6. Log in as admin with admin as the password.

7. After the VPN tunnel is connected, type the following CLI commands and observe
the output.

admin@firewall-a> show vpn ike-sa

admin@firewall-a> show vpn ipsec-sa tunnel dmz-tunnel:dmz-tunnel-network

admin@firewall-a> show vpn flow name dmz-tunnel:dmz-tunnel-network

admin@firewall-a> show running tunnel flow

8. The lab is now complete; you may end the reservation.
