Site-to-Site VPNs · training.networkexpert.ca/wp-content/uploads/2018/05/... · 2020. 10. 9.
-
Site-to-Site VPNs
EDU-210
PAN-OS® 8.0
Courseware Version A
-
2 | ©2017, Palo Alto Networks, Inc.
Agenda
Site-to-site VPN
Configuring site-to-site tunnels
IPsec troubleshooting
-
Site-to-Site VPN
-
Site-to-Site Overview
PAN-OS® software implements route-based IPsec VPNs.
The tunnel is represented by a logical tunnel interface.
The tunnel interface is placed within a zone.
The routing table determines which tunnel traffic is sent through.
Multiple versions of Internet Key Exchange (IKE) are supported:
• IKEv1
• IKEv2
-
IKE Phase 1
IKE Phase 1 identifies the endpoints of the VPN.
IKE Phase 1 uses peer IDs to identify the devices:
• For devices with known addresses, the peer ID usually is the IP address.
• A peer ID also can be a domain name or other string.
Three settings (modes): Aggressive, Main, Auto
[Figure: key exchange between Peer 24.1.1.12 and Peer 161.10.12.34]
-
IKE Phase 2
Each side of the tunnel has a proxy ID to identify traffic:
• Support for multiple proxy IDs
Networks are identified by proxy ID and can be either:
• Masked network (e.g., 10.2.0.0/24)
• Any network (0.0.0.0/0)
[Figure: tunnel between LAN 1: 192.168.10.0/24 and LAN 2: 10.2.0.0/24]
-
Route-Based Site-to-Site VPN
[Figure: route-based site-to-site VPN between LANs 192.168.10.0/24 and 10.2.0.0/24. The firewall interfaces Ethernet 1/3 (24.1.1.12) and Ethernet 1/8 (161.10.12.64) terminate the IPsec tunnel, which is represented by the logical interface Tunnel.1. Routing table entry: 10.2.0.0/24 > Tunnel.1]
-
VPN Tunnel Component Interaction
[Figure: component interaction for Firewall - Site 1 and Firewall - Site 2. Phase 1: IKE Crypto Profile and IKE Gateway, bound to the Ethernet port (physical connection) in its zone. Phase 2: IPsec Crypto Profile and Tunnel, placed in a zone and attached to the Virtual Router. The encrypted tunnel joins the two firewalls.]
1. Configure phase 1 objects
2. Configure phase 2 objects
3. Configure routing and security rules
-
Configuring Site-to-Site Tunnels
-
Phase 1 Object: IKE Gateway – General
Network > Network Profiles > IKE Gateways
-
Phase 1 Object: IKE Gateway – Advanced Options
Network > Network Profiles > IKE Gateways > Advanced Options
When in passive mode the firewall will not initiate
-
Phase 1 Object: IKE Cryptographic Profiles
Network > Network Profiles > IKE Crypto
Asymmetric key exchange: DH Group 1, 2, 5, 14, no-pfs
-
Phase 2 Object: IPsec Cryptographic Profiles
Network > Network Profiles > IPSec Crypto
-
VPN Tunnel Interface
Network > Interfaces > Tunnel Tab
Add interface to VR and zone, as with any Layer 3 interface
IP address needed if the dynamic routing protocol or tunnel monitor is enabled
Tunnel identifier
-
Phase 2 Object: IPsec Tunnel
Network > IPSec Tunnel
Phase 2 proposal
To confirm route validity (if tunnel interface has been configured with an IP address)
Must check to be able to see Advanced Options
-
Phase 2 Object: IPsec Tunnel (Cont.)
Network > IPSec Tunnel > Proxy IDs
Override default Proxy ID
-
Static Route for VPN
Network > Virtual Routers > Add > Static Routes > IPv4
Static routes must use tunnel interfaces
Next Hop is not required
-
IPsec Tunnel Status – Check Connectivity
Network > IPSec Tunnels
-
IPsec Troubleshooting
-
IPsec Tunnel Status – Check Connectivity
Network > IPSec Tunnels
Investigate the following links: Tunnel Info, IKE Info, Show Routes
-
VPN Error Messages
Issue                     Initiator Error      Responder Error
Wrong IP/no connection    P1 - Timeout         P1 - Timeout
No matching P1 proposal   P1 - Timeout         No suitable proposal (P1)
Mismatched peer ID        P1 - Timeout         Peer identifier does not match
No matching P2 proposal   No proposal chosen   No suitable proposal (P2)
PFS group mismatch        P2 - Timeout         PFS group mismatch
Mismatched proxy ID       P2 - Timeout         Cannot find matching phase-2 tunnel
-
Reading VPN Error Messages (System Log)
peer identifier (type fqdn [bad.peer]) does not match remote Remote2.
IKE phase-2 negotiation failed when processing proxy ID. cannot find matching phase-2 tunnel for received proxy ID. received local id: 192.168.41.1/24 type IPv4_subnet protocol 0 port 0, received remote id: 192.168.42.1/24 type IPv4_subnet protocol 0 port 0.
Callouts on the messages:
• Name of the local Phase 1 IKE Gateway object
• The remote side's Phase 1 peer configuration
• The “Remote Proxy ID” from the other side
• The “Local Proxy ID” from the other side
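As an added example (not part of the courseware), a small Python triage helper that applies the error table and the proxy-ID reading above to system-log lines: it maps each message to the table's issue category with the profile or object to compare, and for a phase-2 proxy-ID failure works out the local/remote proxy IDs this side must mirror (the peer's received "local" id is our "remote" proxy ID and vice versa). The log lines are constructed after the slide's wording, and the signature strings are assumptions drawn from the table, not the firewall's exact message catalogue.

```python
import re
from ipaddress import ip_network

# Constructed sample system-log lines, worded after the slide's examples and the
# error table above; they are not captured from a live firewall.
SAMPLE_LOG = [
    "peer identifier (type fqdn [bad.peer]) does not match remote Remote2.",
    "IKE phase-2 negotiation failed when processing proxy ID. "
    "cannot find matching phase-2 tunnel for received proxy ID. "
    "received local id: 192.168.41.1/24 type IPv4_subnet protocol 0 port 0, "
    "received remote id: 192.168.42.1/24 type IPv4_subnet protocol 0 port 0.",
    "IKE phase-1 negotiation failed: no suitable proposal (P1).",
]

# Responder-side fragments from the error table (assumed), paired with what to compare.
SIGNATURES = [
    ("peer identifier", "Mismatched peer ID: compare peer ID type/value on both IKE gateways"),
    ("cannot find matching phase-2 tunnel", "Mismatched proxy ID: mirror local/remote proxy IDs"),
    ("pfs group mismatch", "PFS group mismatch: align the DH group in both IPsec crypto profiles"),
    ("no proposal chosen", "No matching P2 proposal: align the IPsec crypto profiles"),
    ("no suitable proposal (p1)", "No matching P1 proposal: align the IKE crypto profiles"),
    ("no suitable proposal (p2)", "No matching P2 proposal: align the IPsec crypto profiles"),
]

PROXY_RE = re.compile(
    r"received (local|remote) id: (\S+) type (\S+) protocol (\d+) port (\d+)")

def classify(line):
    """Map one system-log line to a troubleshooting hint; None if unrecognised."""
    low = line.lower()
    for fragment, hint in SIGNATURES:
        if fragment in low:
            return hint
    return None

def expected_proxy_ids(line):
    """From a phase-2 failure line, derive the proxy IDs this firewall's tunnel
    must carry: the peer's 'local' id is our 'remote' one and vice versa. Values
    are normalised to the network address and flagged when host bits were set."""
    found = {m.group(1): m.group(2) for m in PROXY_RE.finditer(line)}
    if not {"local", "remote"} <= set(found):
        return None
    out = {}
    for ours, theirs in (("local", "remote"), ("remote", "local")):
        raw = found[theirs]
        net = ip_network(raw, strict=False)
        out[ours] = {"proxy_id": str(net), "host_bits_set": raw != str(net)}
    return out
```

The host-bits flag is worth reporting because the received ids in the slide (192.168.41.1/24, 192.168.42.1/24) carry host bits; compare the normalised networks against the proxy IDs configured on each side.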
-
Questions?
-
Site-to-Site VPN Lab (Pages 120-124 in the Lab Guide)
Create a Site-to-Site VPN Tunnel
Assign the Tunnel to a VPN Zone
Create a Security Policy Rule to Allow Traffic from the Partner’s Trust Network
Ping to Activate VPN
-
Secures the Network