Palo Alto IPsec VPN

Configuration

1. Tunnel interface

if no dynamic routing is required, tunnel interface can have no IP address

2. (Optional) IKE Crypto profile, PA comes with default IKE Crypto files.

4. (Optional) IPSec Crypto profile, PA comes with default IPSec Crypto files.

5. IKE gateways
Specify peer IP address, IKE version, VPN physical interface/IP, pre-shared key, IKE identity (default non is IP address), and IKE Crypto Profile.

6. IPSec tunnel
Specify tunnel interface, IKE gateway, IPSec Crypto Profile and Proxy IDs

7. Route
route remote subnet to tunnel interface

8. Security Policy
consider to add bidirectional Security policies for VPN traffic and encryption domain traffic .

rule for VPN traffic is not required if it covers by the intrazone-default rule.
rule for encryption domain traffic is also not required if tunnel interface is in Trust zone and covers by the intrazone-default rule.

Verify - CLI

show vpn tunnel
has Phase II info: proposal, proxy-id, Gateway Name etc., no SPI info.

show vpn ike-sa
show vpn ike-sa gateway ?
show vpn ike-sa gateway [match]
has Phase I info: proposal, peer public IP, tunnel ID (TnID), IPSec tunnel name, Gateway Name etc...

Another example, note gateway name, IPsec tunnel name and proxy-ID name in red. Also note the tunnelID (TnID)

admin@PA1026> show vpn ike-sa gateway ASAv
There is no IKEv1 phase-1 SA found.
There is no IKEv1 phase-2 SA found.

IKEv2 SAs
Gateway ID Peer-Address Gateway Name Role SN Algorithm Established Expiration Xt Child ST
---------- ------------ ------------ ---- -- --------- ----------- ---------- -- ----- --
1 192.168.2.201 ASAv Init 1 PSK/DH14/A256/SHA256 Dec.15 13:53:24 Dec.15 21:53:24 0 2 Established
IKEv2 IPSec Child SAs
Gateway Name TnID Tunnel ID Parent Role SPI(in) SPI(out) MsgID ST
------------ ---- ------ -- ------ ---- ------- -------- ----- --
ASAv 2 VPN-ASA:DMZ-LAN 1 1 Init ADF3366D C7279586 00000001 Mature
ASAv 1 VPN-ASA:LAN-LAN 5 1 Init A0A67AC7 E9988448 00000005 Mature
Show IKEv2 SA: Total 1 gateways found. 1 ike sa found.

admin@PA1026>

show vpn ipsec-sa
show vpn ipsec-sa tunnel ?
has Phase II info: Proposal, peer public IP, tunnel and gateway name and SPI, no proxy-ID info.

show vpn flow name ?
show vpn flow tunnel-id

has all detail info, including VPN interface name and traffic sent/received from the tunnel.

admin@PA440-2(active)> show vpn flow
> name Show for given VPN tunnel
> tunnel-id Show specific tunnel information
| Pipe through a command
<Enter> Finish input
admin@PA440-2(active)> show vpn flow tunnel-id 1
tunnel VPN-FG70F
id: 1
type: IPSec
gateway id: 2
local ip: 192.168.2.36
peer ip: 192.168.2.33
inner interface: tunnel.1
outer interface: ethernet1/1
state: active
session: 46567
tunnel mtu: 1423
soft lifetime: 3570
hard lifetime: 3600
lifetime remain: 3397 sec
lifesize remain: N/A
latest rekey: 203 seconds ago
monitor: off
monitor packets seen: 0
monitor packets reply:0
en/decap context: 35
local spi: 9754FDBF
remote spi: E243630A
key type: auto key
protocol: ESP
auth algorithm: SHA256
enc algorithm: AES256
traffic selector:
protocol: 0
local ip range: 0.0.0.0 - 255.255.255.255
local port range: 0 - 65535
remote ip range: 0.0.0.0 - 255.255.255.255
remote port range: 0 - 65535
anti replay check: yes
anti replay window: 1024
copy tos: no
enable gre encap: no
initiator: no
authentication errors: 0
decryption errors: 0
inner packet warnings: 0
replay packets: 0
packets received
when lifetime expired:0
when lifesize expired:0
sending sequence: 0
receive sequence: 0
encap packets: 0
decap packets: 0
encap bytes: 0
decap bytes: 0
encap IPv4 packets: 0
decap IPv4 packets: 0
encap IPv4 bytes: 0
decap IPv4 bytes: 0
encap IPv6 packets: 0
decap IPv6 packets: 0
encap IPv6 bytes: 0
decap IPv6 bytes: 0
key acquire requests: 0
owner state: 0
owner cpuid: s1.0dp0
ownership: 1
admin@PA440-2(active)>

admin@PA440-2(active)> show vpn flow tunnel-id 1 | match cap\|ip
show vpn flow tunnel-id 1 | match ip\|packets

local ip: 192.168.2.36
peer ip: 192.168.2.33
en/decap context: 35
local ip range: 0.0.0.0 - 255.255.255.255
remote ip range: 0.0.0.0 - 255.255.255.255
enable gre encap: no
encap packets: 0
decap packets: 0
encap bytes: 0
decap bytes: 0
encap IPv4 packets: 0
decap IPv4 packets: 0
encap IPv4 bytes: 0
decap IPv4 bytes: 0
encap IPv6 packets: 0
decap IPv6 packets: 0
encap IPv6 bytes: 0
decap IPv6 bytes: 0
ownership: 1
admin@PA440-2(active)>

Verify - GUI

Network>IPSec Tunnels, click "Tunnel Info" to see more info.

Bring up tunnel from PA FW

test vpn ike-sa gateway xxxx

test vpn ipsec-sa tunnel

clear vpn ike-sa gateway ?
clear vpn ipsec-sa tunnel ?

admin@PA-VM-916> show vpn flow tunnel-id 1 | match packets\|ip

local ip: 192.168.2.42

peer ip: 192.168.2.41

monitor packets seen: 0

monitor packets reply:0

local ip range: 10.1.0.0 - 10.1.0.255

remote ip range: 10.100.8.0 - 10.100.8.255

replay packets: 0

packets received

encap packets: 226

decap packets: 61137

ownership: 1

Proxy ID:

When proxy ID is configured on PA, VPN comes up doesn't matter ASA is policy-based or routed-based.

When proxy ID is NOT configured on PA, VPN only comes up when ASA is routed-based VPN.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC

=============

System logs

subtype eq vpn

CLI to check management-plane VPN related log:

less mp-log ikemgr.log <<Phase1

use "/" to search, n" to next
less mp-log tund.log << Phase2

grep pattern "142.115.26.122" mp-log ikemgr.log

tail lines 200 mp-log ikemgr.log

================CLI Configuration=============

Enter config mode and create the Tunnel Interface.

configure
set network interface tunnel units tunnel.1

Assign the Tunnel Interface to a new zone called "vpn_zone".

set zone vpn_zone network layer3 tunnel.1

Assign the Tunnel Interface to the default Virtual Router.

set network virtual-router default interface tunnel.1

Create a Static Route for the VPN traffic.

set network virtual-router default routing-table ip static-route vpn interface tunnel.1 destination 192.168.2.0/24

Create an IKE Crypto Profile.

set network ike crypto-profiles ike-crypto-profiles ike_profile hash sha1 dh-group group14 encryption aes-256-cbc lifetime seconds 28800

Create an IPSec Crypto Profile.

set network ike crypto-profiles ipsec-crypto-profiles ipsec_profile esp authentication sha1 encryption aes-256-cbc
set network ike crypto-profiles ipsec-crypto-profiles ipsec_profile lifetime seconds 3600
set network ike crypto-profiles ipsec-crypto-profiles ipsec_profile dh-group group14

Create an IKE Gateway.

set network ike gateway ike_gateway authentication pre-shared-key key [key]
set network ike gateway ike_gateway protocol ikev1 ike-crypto-profile ike_profile
set network ike gateway ike_gateway local-address interface ethernet1/1 ip 1.1.1.1/24
set network ike gateway ike_gateway peer-address ip 2.2.2.2

Create firewall rules for the VPN traffic.

set rulebase security rules vpn_inbound to any from any source 192.168.2.0/24 destination 192.168.1.0/24 source-user any category any application any service any hip-profiles any action allow
set rulebase security rules vpn_outbound to any from any source 192.168.1.0/24 destination 192.168.2.0/24 source-user any category any application any service any hip-profiles any action allow

Create the IPSec Tunnel and commit the changes.

set network tunnel ipsec vpn_to_nsx_edge auto-key ike-gateway ike_gateway
set network tunnel ipsec vpn_to_nsx_edge auto-key proxy-id subnets local 192.168.1.0/24 remote 192.168.2.0/24 protocol any
set network tunnel ipsec vpn_to_nsx_edge auto-key ipsec-crypto-profile ipsec_profile
set network tunnel ipsec vpn_to_nsx_edge tunnel-interface tunnel.1 tunnel-monitor enable no
set network tunnel ipsec vpn_to_nsx_edge disabled no
commit

===========Tunnel Monitoring=============

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFaCAK

Tunnel Monitoring is a Palo Alto Networks proprietary feature that verifies traffic is successfully passing across the IPSec tunnel in question by sending a PING down the tunnel to the configured destination.

Tunnel monitoring can be used in conjunction with “Monitor Profiles” to bring down the tunnel interface allowing routing to update to allow traffic to route across secondary routes.

Tunnel monitor requires VPN tunnel interface has IP configured.

The firewall will try to negotiate new IPSec keys to accelerate the recovery.

When monitor is down, it seems doesn't bring down tunnel, instead, it re-key a new phase2 tunnel. user may see cross tunnel connection stability issue (system log has lots phase2 rekey

use "show vpn flow " to see monitor status.

=======DPD============

Dead Peer Detection must be either active or disabled on both sides of the tunnel, having one side with DPD enabled and one side with it disabled can cause VPN reliability issues.

DPD is used to detect if the peer device still has a valid IKE-SA. Periodically, it will send a “ISAKMP R-U-THERE” packet to the peer, which will respond back with an “ISAKMP R-U-THERE-ACK” acknowledgement.

The DPD is "not persistent" and is only triggered by a Phase 2 rekey. This means if Phase 2 is up, Palo Alto Networks will not check to see if IKE-SA is active

=============

VPN Tunnel Monitor

This is ICMP monitor which initiates from tunnel interface.

local tunnel interface has IP 169.254.254.254

admin@PA-VM> show vpn flow name VPN--ASAv-3 | match monitor

monitor: on

monitor status: up

monitor dest: 169.254.254.253

monitor interval: 3 seconds

monitor threshold: 5 probe losses

monitor bitmap: 11111

monitor packets sent: 89

monitor packets recv: 89

monitor packets seen: 0

monitor packets reply:0

admin@PA-VM>

Net Worker World

Search This Blog

Palo Alto IPsec VPN

VPN Tunnel Monitor

Comments

Post a Comment