IPSec Site-to-Site between a Palo Alto firewall and Cisco Router

2014.09.26

Palo Alto side:

1. create a tunnel interface:

Network Tab > Interfaces > Tunnels
new tunnel: name it, assign it to a Virtual Router (Cisco parlance: VRF) and a Security Zone

2. create IKE phase 1: (cisco calls it isakmp)

Network > Network Profiles > IKE Crypto
create a new profile, name it: assign a DH Group, authentication, encryption and lifetime (DH group 2, sha1, aes128, 1 day)

3. create IKE phase 2: (cisco: “transform set”)

Network > Network Profiles > IPSec Crypto
Create a new profile
DH group (pfs/no-pfs)
encryption
authentication

4. specify peer:

Network > Network Profiles > IKE Gateway
name it, interface, peer type, peer IP, pre-shared key, exchange mode, and which IKE Crypto profile to use (the phase 1 profile from step 2)

5. Add an IPSec Tunnel:

Network > IPSec Tunnels

General Tab:
Add tunnel, name it, choose which tunnel interface to use
Autokey (since the keys are negotiated from the gateway/phase1/phase2 profiles you already defined)
Choose gateway
choose IPSec Crypto Profile (phase2)

Proxy ID tab:
add the local and remote IP address/network. These must mirror the crypto ACL on the Cisco side (Cisco source = Palo Alto remote, Cisco destination = Palo Alto local); if they don't match exactly, phase 2 will not come up.

Cisco router side:

1. Configure Phase-1 (“isakmp”)

# conf t
(config)# crypto isakmp policy 1
(config-isakmp)# authentication pre-share
(config-isakmp)# encryption aes 128
(config-isakmp)# hash sha
(config-isakmp)# group 2
(config-isakmp)# lifetime 86400
(config-isakmp)# exit
(config)# crypto isakmp key <<key>> address <<peer address>>

(In IOS, "hash sha" is SHA-1 and "encryption aes 128" is AES-128, matching the sha1/aes128 chosen in the Palo Alto IKE Crypto profile.)

Change <<key>> to your preshared key and <<peer address>> to the other system’s IP address (e.g. the public address on the interface of the Palo Alto FW)

NB: the ISAKMP Phase 1 policy is defined globally. So if you have five different remote sites and configured five different ISAKMP Phase 1 policies (one for each remote router), when your router tries to negotiate a VPN tunnel with each site it will offer all five policies and use the first match that is accepted by both ends.

2. configure phase-2 (“transform-set”, ACLs, crypto map)

2a. set an ACL to match the traffic that will be encrypted in the tunnel:

The format is:
(access-list ### permit ip <<source-network>> <<source-wildcard>> <<destination-network>> <<destination-wildcard>>)
Note that IOS ACLs take wildcard masks (the inverse of the subnet mask, so 0.0.0.255 means /24), not subnet masks. Example:

(config)# access-list 100 permit ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255

NB: If you’re NAT’ing outbound traffic, you need to exempt the traffic you want encrypted through the tunnel from NAT, otherwise it gets translated before it reaches the crypto map and never matches the crypto ACL. Use a separate ACL for the NAT rule (not the crypto ACL 100 above, because a deny in that list would also stop the crypto map from selecting the traffic) and deny the tunnel traffic in it, like so:

(config)# ip nat inside source list 101 interface fastethernet0/2 overload
(config)# access-list 101 deny ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
(config)# access-list 101 permit ip 10.0.0.0 0.255.255.255 any

The deny matches traffic from 10.0.0.0/8 to 192.168.1.0/24 so it is not translated; the permit then NATs 10.0.0.0/8 going anywhere else.

2b. set the transform set (aka phase 2)

(config)# crypto ipsec transform-set IPSECSET esp-sha-hmac esp-aes
(cfg-crypto-trans)# exit

2c. set the crypto map to tie the elements together:

(config)# crypto map IPSECMAP 1 ipsec-isakmp
(config-crypto-map)# set transform-set IPSECSET
(config-crypto-map)# set peer <<peer address>>
(config-crypto-map)# match address 100
(config-crypto-map)# exit

3. Apply the crypto map to your outbound interface:

(config)# interface FastEthernet0/2
(config-if)# crypto map IPSECMAP

And you’re done.
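Most site-to-site failures come from the two sides disagreeing on one parameter. As an added example (not from the original post), the following Python script parses an IOS config built from the commands above and cross-checks it against the Palo Alto settings from the first half of the page: phase 1 parameters, transform set versus IPSec Crypto profile, PFS, proxy IDs versus the crypto ACL, and whether the NAT exemption list is accidentally the same ACL as the crypto map's match address. The IOS text, the PA dict, the peer address 198.51.100.2 and the IOS-to-PAN-OS algorithm name mapping are all constructed assumptions for this example.

```python
"""Added example (not from the original post): cross-check the Cisco IOS side
against the Palo Alto side so phase 1 / phase 2 / proxy-ID mismatches are
caught before the tunnel is brought up."""
import ipaddress
import re

# Constructed IOS config with the post's values (198.51.100.2 stands in for <<peer address>>).
IOS_CONFIG = """
crypto isakmp policy 1
 authentication pre-share
 encryption aes 128
 hash sha
 group 2
 lifetime 86400
crypto isakmp key <<key>> address 198.51.100.2
access-list 100 permit ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
ip nat inside source list 101 interface FastEthernet0/2 overload
crypto ipsec transform-set IPSECSET esp-sha-hmac esp-aes
crypto map IPSECMAP 1 ipsec-isakmp
 set transform-set IPSECSET
 set peer 198.51.100.2
 match address 100
"""

# The Palo Alto side as entered in the GUI steps (constructed; PAN-OS algorithm names).
PA_SIDE = {
    "ike_crypto": {"dh_group": 2, "hash": "sha1", "encryption": "aes-128-cbc",
                   "lifetime_seconds": 86400},
    "ipsec_crypto": {"encryption": "aes-128-cbc", "hash": "sha1", "pfs_group": None},
    # Proxy ID from the PA's point of view: local = PA's LAN, remote = Cisco's LAN.
    "proxy_id": {"local": "192.168.1.0/24", "remote": "10.0.0.0/8"},
}

# IOS transform keywords -> PAN-OS names (assumed mapping; esp-aes with no size is AES-128).
TRANSFORM_MAP = {"esp-aes": "aes-128-cbc", "esp-aes 256": "aes-256-cbc",
                 "esp-sha-hmac": "sha1", "esp-3des": "3des"}


def wildcard_to_cidr(addr: str, wildcard: str) -> str:
    """IOS ACLs use wildcard (inverted) masks; 0.255.255.255 -> /8."""
    mask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF)
    return str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))


def _acl_operand(tokens):
    """Consume one ACL address operand ('any', 'host A', or 'A WILDCARD')."""
    if tokens[0] == "any":
        return "0.0.0.0/0", tokens[1:]
    if tokens[0] == "host":
        return f"{tokens[1]}/32", tokens[2:]
    return wildcard_to_cidr(tokens[0], tokens[1]), tokens[2:]


def parse_ios(text: str) -> dict:
    """Extract phase 1 policy, ACLs, transform set, crypto map and NAT list."""
    cfg = {"isakmp": {}, "acls": {}, "transforms": set(), "map": {}, "nat_list": None}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"encryption (\w+)(?: (\d+))?$", line):
            alg, size = m.group(1), m.group(2) or "128"
            cfg["isakmp"]["encryption"] = f"aes-{size}-cbc" if alg == "aes" else alg
        elif m := re.match(r"hash (\w+)$", line):
            cfg["isakmp"]["hash"] = {"sha": "sha1"}.get(m.group(1), m.group(1))
        elif m := re.match(r"group (\d+)$", line):
            cfg["isakmp"]["dh_group"] = int(m.group(1))
        elif m := re.match(r"lifetime (\d+)$", line):
            cfg["isakmp"]["lifetime_seconds"] = int(m.group(1))
        elif line.startswith("access-list "):
            parts = line.split()  # access-list NUM ACTION ip SRC... DST...
            src, rest = _acl_operand(parts[4:])
            dst, _ = _acl_operand(rest)
            cfg["acls"].setdefault(parts[1], []).append((parts[2], src, dst))
        elif line.startswith("ip nat inside source list "):
            cfg["nat_list"] = line.split()[5]
        elif line.startswith("crypto ipsec transform-set "):
            cfg["transforms"] = set(re.findall(r"esp-aes(?: \d+)?|esp-[\w-]+", line))
        elif m := re.match(r"set pfs group(\d+)$", line):
            cfg["map"]["pfs_group"] = int(m.group(1))
        elif m := re.match(r"match address (\d+)$", line):
            cfg["map"]["match"] = m.group(1)
    return cfg


def cross_check(ios: dict, pa: dict) -> list:
    """Return human-readable mismatches; an empty list means both sides agree."""
    findings = []
    for key, want in pa["ike_crypto"].items():
        if ios["isakmp"].get(key) != want:
            findings.append(f"phase1 {key}: cisco={ios['isakmp'].get(key)} pa={want}")
    algs = {TRANSFORM_MAP.get(t, t) for t in ios["transforms"]}
    for key in ("encryption", "hash"):
        if pa["ipsec_crypto"][key] not in algs:
            findings.append(f"phase2 {key}: pa={pa['ipsec_crypto'][key]} cisco={sorted(algs)}")
    if pa["ipsec_crypto"]["pfs_group"] != ios["map"].get("pfs_group"):
        findings.append("phase2 pfs: PA DH group and crypto-map 'set pfs' disagree")
    match = ios["map"].get("match")
    if match is not None and match == ios["nat_list"]:
        findings.append(f"ACL {match} is used for both NAT and 'match address'; use separate lists")
    # Proxy IDs mirror the crypto ACL: Cisco src = PA remote, Cisco dst = PA local.
    expected = {(pa["proxy_id"]["remote"], pa["proxy_id"]["local"])}
    permits = {(s, d) for a, s, d in ios["acls"].get(match, []) if a == "permit"}
    if permits != expected:
        findings.append(f"proxy ID: ACL {match} permits {sorted(permits)}, PA expects {sorted(expected)}")
    return findings


if __name__ == "__main__":
    for line in cross_check(parse_ios(IOS_CONFIG), PA_SIDE) or ["OK: both sides agree"]:
        print(line)
```

Run it against a copy of your own running-config; every line it prints is a concrete thing to fix before looking at debug output. The proxy-ID comparison is deliberately exact-match: a /25 on one side and a /24 on the other is enough to fail phase 2.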

useful commands:

show crypto isakmp policy — shows the configured phase 1 policies
show crypto isakmp sa — shows the phase 1 SAs (state should be QM_IDLE when phase 1 is up)
show crypto isakmp sa detail
show crypto ipsec transform-set — shows you phase 2
show crypto map — shows complete crypto map
show crypto ipsec sa — shows how many packets are encrypted/decrypted/going through the tunnel
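The last of those is the one to read when a tunnel is up but traffic does not flow: encaps counting up while decaps stays at zero means the router is sending but nothing comes back, which almost always points at a proxy ID / crypto ACL mismatch or a missing NAT exemption on the far side. As an added example (not from the original post), the following Python script parses that output and classifies each SA. The sample text below is constructed to resemble IOS "show crypto ipsec sa" output for the tunnel on this page (addresses 203.0.113.1 and 198.51.100.2 are placeholders); it is not a real capture.

```python
"""Added example (not from the original post): read 'show crypto ipsec sa'
output and flag idle or one-way tunnels."""
import ipaddress
import re

# Constructed sample resembling IOS output for the post's tunnel; not a real capture.
SAMPLE_SHOW_CRYPTO_IPSEC_SA = """\
interface: FastEthernet0/2
    Crypto map tag: IPSECMAP, local addr 203.0.113.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 198.51.100.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1520, #pkts encrypt: 1520, #pkts digest: 1520
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
PEER_RE = re.compile(r"current_peer ([\d.]+)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt|verify): (\d+)")
ERROR_RE = re.compile(r"#(send|recv) errors (\d+)")


def parse_ipsec_sa(text: str) -> list:
    """Return one dict per SA block: peer, local/remote selectors (CIDR), counters."""
    sas, cur = [], None
    for line in text.splitlines():
        if m := IDENT_RE.search(line):
            if m.group(1) == "local":      # each SA block begins with its local ident
                cur = {"counters": {}, "errors": {}}
                sas.append(cur)
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            cur[m.group(1)] = str(net)
        elif cur is None:
            continue
        elif m := PEER_RE.search(line):
            cur["peer"] = m.group(1)
        else:
            for name, val in COUNTER_RE.findall(line):
                cur["counters"][name] = int(val)
            for name, val in ERROR_RE.findall(line):
                cur["errors"][name] = int(val)
    return sas


def classify(sa: dict) -> str:
    """Classify an SA from its encaps/decaps counters."""
    enc = sa["counters"].get("encaps", 0)
    dec = sa["counters"].get("decaps", 0)
    if enc == 0 and dec == 0:
        return "idle"
    if dec == 0:
        return "one-way (sending only)"
    if enc == 0:
        return "one-way (receiving only)"
    return "bidirectional"


def hint(sa: dict) -> str:
    """Troubleshooting pointer for the classification, from the local router's view."""
    state = classify(sa)
    if state == "one-way (sending only)":
        return ("peer is not returning traffic: compare the peer's proxy ID / crypto ACL "
                f"with local={sa.get('local')} remote={sa.get('remote')} and check its NAT exemption")
    if state == "one-way (receiving only)":
        return "local side is not sending: check the crypto ACL and the local NAT exemption"
    if state == "idle":
        return "no interesting traffic has hit the crypto ACL yet; generate some and re-check"
    return "tunnel passes traffic both ways"


if __name__ == "__main__":
    for sa in parse_ipsec_sa(SAMPLE_SHOW_CRYPTO_IPSEC_SA):
        print(sa.get("peer"), sa.get("local"), "->", sa.get("remote"), classify(sa), "|", hint(sa))
```

The local/remote idents are converted to CIDR so they can be compared directly with the Proxy ID tab on the Palo Alto: the router's "remote ident" must equal the Palo Alto's local proxy ID and vice versa. Run the parser over the real command output on a box with several crypto map entries and it returns one record per SA.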

Categories : HowTo