IPSec Site-to-Site between a Palo Alto firewall and Cisco Router
Palo Alto side:
1. create a tunnel interface:
Network Tab > Interfaces > Tunnels
new tunnel: name it, assign it to a Virtual Router (Cisco parlance: VRF) and a Security Zone
2. create IKE phase 1: (Cisco calls it ISAKMP)
Network > Network Profiles > IKE Crypto
create a new profile, name it, and assign a DH Group, authentication, encryption and lifetime (DH group 2, sha1, aes128, 1 day)
3. create IKE phase 2: (Cisco: “transform set”)
Network > Network Profiles > IPSec Crypto
Create a new profile
DH group (pfs/no-pfs)
encryption
authentication
4. specify peer:
Network > Network Profiles > IKE Gateway
name it, interface, peer type, peer IP, pre-shared key, exchange mode, and which IKE Crypto profile to use (the phase 1 profile from step 2)
5. Add an IPSec Tunnel:
Network > IPSec Tunnels
General Tab:
Add tunnel, name it, choose which tunnel interface to use
Autokey (since the parameters are already defined in your gateway/phase 1/phase 2 profiles)
Choose gateway
choose IPSec Crypto Profile (phase2)
Proxy ID tab:
add the IP address/network
Cisco router side:
1. Configure Phase-1 (“isakmp”)
# conf t
(config)# crypto isakmp policy 1
(config-isakmp)# authentication pre-share
(config-isakmp)# encryption aes 128
(config-isakmp)# hash sha1
(config-isakmp)# group 2
(config-isakmp)# lifetime 86400
(config-isakmp)# exit
(config)# crypto isakmp key <<key>> address <<peer address>>
Change <<key>> to your pre-shared key and <<peer address>> to the other system’s IP address (e.g. the public address on the interface of the Palo Alto FW)
NB: note that the ISAKMP Phase 1 policy is defined globally. So if you have five different remote sites and have configured five different ISAKMP Phase 1 policies (one for each remote router), when your router tries to negotiate a VPN tunnel with each site it will offer all five policies and use the first match that is accepted by both ends.
2. configure phase-2 (“transform-set”, ACLs, crypto map)
2a. set an ACL to match the traffic that will be encrypted in the tunnel:
The format is (note that IOS ACLs take wildcard masks, the inverse of the netmask):
access-list ### permit ip <<source-network>> <<source-wildcard>> <<destination-network>> <<destination-wildcard>>
example:
(config)# access-list 100 permit ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
NB: If you’re NAT’ing outbound traffic, you need to exempt the traffic that you want encrypted through the tunnel from NAT. Do this with a deny in a separate ACL referenced by the NAT rule (not the crypto ACL 100 itself, since the same list would then both drive NAT and select what gets encrypted), like so:
(config)# ip nat inside source list 101 interface FastEthernet0/2 overload
(config)# access-list 101 deny ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
(config)# access-list 101 permit ip 10.0.0.0 0.255.255.255 any
The deny applies specifically to traffic from 10.0.0.0/8 to 192.168.1.0/24 (which is then matched by crypto ACL 100 and encrypted instead of translated), and the permit then NATs 10.0.0.0/8 going anywhere else.
2b. set the transform set (aka phase 2)
(config)# crypto ipsec transform-set IPSECSET esp-sha-hmac esp-aes
(cfg-crypto-trans)# exit
2c. set the crypto map to tie the elements together:
(config)# crypto map IPSECMAP 1 ipsec-isakmp
(config-crypto-map)# set transform-set IPSECSET
(config-crypto-map)# set peer <<peer address>>
(config-crypto-map)# match address 100
(config-crypto-map)# exit
3. Apply the crypto map to your outbound interface:
(config)# interface FastEthernet0/2
(config-if)# crypto map IPSECMAP
And you’re done.
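Most site-to-site tunnels that fail to come up do so because the two ends disagree on a phase 1 or phase 2 parameter, or because the NAT exemption is missing or reuses the crypto ACL. The following is an added example, not part of the original write-up or of any vendor tool: a small Python checker that parses a constructed IOS snippet mirroring the router steps above and compares it against the Palo Alto profile values used in this guide (the PA values are assumed to have been transcribed into IOS vocabulary by hand).

```python
# Constructed IOS snippet mirroring the router steps above; the NAT exemption sits in its own ACL (101).
IOS_CONFIG = """
crypto isakmp policy 1
 encryption aes 128
 hash sha1
 group 2
 lifetime 86400
crypto ipsec transform-set IPSECSET esp-sha-hmac esp-aes
crypto map IPSECMAP 1 ipsec-isakmp
 match address 100
access-list 100 permit ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
ip nat inside source list 101 interface FastEthernet0/2 overload
"""
# Palo Alto IKE Crypto (phase 1) and IPSec Crypto (phase 2) settings from the guide, in IOS vocabulary (assumed mapping).
PA_PHASE1 = {"group": "2", "hash": "sha1", "encryption": "aes 128", "lifetime": "86400"}
PA_PHASE2 = {"esp-aes", "esp-sha-hmac"}  # aes-128-cbc + sha1 as transform-set names

def parse_ios(text):
    cfg = {"isakmp": {}, "transforms": [], "acls": {}, "crypto_acl": None, "nat_acl": None}
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        parts = line.split()
        if parts[0] in ("encryption", "hash", "group", "lifetime"):  # inside the isakmp policy
            cfg["isakmp"][parts[0]] = " ".join(parts[1:])
        elif line.startswith("crypto ipsec transform-set"):
            cfg["transforms"] = parts[4:]
        elif parts[0] == "access-list":
            cfg["acls"].setdefault(parts[1], []).append(parts[2:])
        elif line.startswith("match address"):
            cfg["crypto_acl"] = parts[2]
        elif line.startswith("ip nat inside source list"):
            cfg["nat_acl"] = parts[5]
    return cfg

def check_tunnel(text, pa1=PA_PHASE1, pa2=PA_PHASE2):
    cfg, problems = parse_ios(text), []
    for key, want in pa1.items():  # phase 1: each attribute must match on both peers
        if cfg["isakmp"].get(key) != want:
            problems.append(f"phase1 {key}: router has {cfg['isakmp'].get(key)}, PA has {want}")
    problems += [f"phase2 transform {t} missing" for t in pa2 - set(cfg["transforms"])]
    crypto, nat = cfg["acls"].get(cfg["crypto_acl"], []), cfg["acls"].get(cfg["nat_acl"], [])
    if cfg["nat_acl"] and cfg["nat_acl"] == cfg["crypto_acl"]:
        problems.append("NAT ACL reuses the crypto ACL; NAT exemption and crypto match conflict")
    else:  # every crypto permit needs a NAT deny that is not shadowed by an earlier permit
        for rule in crypto:
            exempt = ["deny"] + rule[1:]
            if exempt not in nat or any(r[0] == "permit" for r in nat[:nat.index(exempt)]):
                problems.append("NAT exemption missing or shadowed for " + " ".join(rule[1:]))
    return problems
```

Run `check_tunnel(IOS_CONFIG)` against a pasted `show running-config` excerpt; an empty list means the router side agrees with the profiles above and the NAT exemption is in place.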
useful commands:
show crypto isakmp policy
show crypto isakmp sa
show crypto isakmp sa detail
show crypto ipsec transform-set — shows you phase 2
show crypto map — shows complete crypto map
show crypto ipsec sa — shows how many packets encrypted/decrypted/going through the tunnel