PCNSE Study Notes: Site to Site VPN

Copy of Copy of PCNSE_ Study Notes (9)
  • Overview
    • PanOS does IPSec tunnels as route-based tunnels
    • Support for connecting to 3rd party IPSec devices
    • The tunnel is represented by a logical tunnel interface
    • The tunnel interface is placed in a zone
    • When traffic is sent to the tunnel, the VPN is connected and traffic sent across
  • IKEv1 vs IKEv2
    • IKEv1 is the most common version used
    • IKEv2 is primarily used to meet NDPP (network device protection profile), Suite B support and/or MS Azure compliance
    • IKEv2 preferred mode provides a fail back to IKEv1 after 5 retries (about 30 seconds)
  • IKE Phase 1
    • Identifies the endpoints of the VPN
    • Uses Peer IDs to identify the devices
      • Usually the public IP’s of each end
      • Can also be an FQDN or other string of data
    • Three Settings/modes: Agressive, Main, Auto
    • 5 pieces of info are exchanged during Phase 1:
      • Authentication Method
      • DH Key Exchange
      • Symmetric Key Algorithm bulk data encryption
      • Hashing algorithm
      • Lifetime
  • Ike Phase 2
    • Creates the tunnel that will encapsulate traffic
    • Each side of the tunnel has a proxy ID to identify traffic
      • There is support for multiple proxy ID’s
      • Proxy ID’s are also known as ‘Encryption Domain’ with other vendors
    • Proxy ID’s can be specific or 0.0.0.0/0
    • 5 Pieces of information are passed during phase 2:
      • IPsec type/mode
      • DH additional exchange if specified
      • PFS
      • Symmetric key algorithm/Hashing Algorithm
      • Lifetime before Rekey
  • Route Based site-to-site VPN
    • VPN setup depends on the need and requirements of each site and the company configuration
    • Each tunnel interface will support up to ten (10) IPSec tunnels

Configuring site-to-site tunnels

  • Phase 1 IKE Gateway Configuration
    • Create the IKE Gateway under Network > Network Profiles > IKE Gateways
    • Simple tunnels (PAN to PAN) only require the interface, IP and PSK are needed.
    • If the firewall uses a dynamic IP address (PPPoE DSL for example), leave the local IP address field blank.
    • Certificate PKI authentication is supported, with the following Limitations:
      • Maximum level of cert chain is 5
      • CRL over LDAP is not supported
      • Supported ID Types include: FQDN, IP Address, KeyID (Binary format ID Hex string),Email/User FQDN
      • If none is specified, local IP is used.
  • Phase 1 IKE Gateway Advanced Options
    • Configured under Network > Network Profiles > Ike Gateways > Advanced Options
    • Enable Passive Mode – will not initiate connections, only receive incoming requests
    • Enable NAT traversal – UDP encapsulation used on IKE and UDP protocols, allows them to pass through intermediate NAT devices (upstream routers for example)
    • Exchange Mode Options
      • Auto (default) allows both Main and Aggresive
      • Main: Used for fixed IP tunnels where the IP’s on each end will not change
      • Aggressive: Used when one endpoint has an IP address that may change, such as and ISP that provides a DHCP Address
      • Both sides must have the same mode set
    • Ike Crypto Profile
      • By default, the crypto profile is set to AES-128-CBC, 3DES, SHA1
      • A custome IKE crypto profile can be created under Network > Network Profiles > IKE Crypto
    • Enable Fragmentation
      • Allows the local gateway to receive fragmented IKE packets – max is 576 bytes
    • Dead Peer Detection
      • Identifies and confirms that the remote peer is alive and responding by sending a request to confirm, and receiving a response. If no response, the tunnel is torn down.
  • Phase 1 IKE Cryptographic Profiles
    • Both peers must match a cryptography for the tunnel to be established.
    • Specify the DH group for Asymetric Key Exchange
    • Multiple encryption types can be set to help match with a peer
    • Multiple Authentication types can be set
  • Phase 2 IPSec Cryptographic Profiles
    • Configured under Network > Network Profiles > IPSec Crypto
    • Set the IPSec Protocol (ESP or AH)
    • Encryption type (must match remote peer)
    • Authentication (MD5, SHA1, SHA256, SHA384, SHA512)
    • Set the DH Group
    • Set Lifetime
    • (Optional) Set the lifesize, which will re-establish the tunnel after a certain amount of traffic has passed and the tunnel will rekey. This is to help prevent session data decryption of sniffed packets if one key has been captured.
  • VPN Tunnel Interface
    • Configured under Network > Interfaces > Tunnel tab
    • Each Tunnel interface represents an individual tunnel connection
    • Must be added to a security zone and a VR
    • Does not require an IP address, but is needed if traffic will be participating in Dynamic routing protocols (ospf, BGP) or if the tunnel monitor is enabled.
  • Phase 2 IPsec Tunnel
    • Configured under Network > IPSec Tunnel
    • Name the Tunnel with a clear identifier
    • Specify the IKE Gateway and IPSec Crypto Profile (also called ‘phase 2 proposal’)
    • ‘Show Advanced Options’ checkbox will show further configuration items:
      • Enable Replay protection – adds sequence numbers to packets so that a replay of captured packets to an IPSec device are discarded if not the expected packet numbers
      • Tunnel Monitor – Only available if the Tunnel interface has an IP address. Sends Ping traffic to a specified IP across the tunnel to validate the route/path is valid.
      • Monitor profile can be configured configured to send pings over the tunnel in an attempt to restore the session, or to fail over to another routing path.
      • Monitor profiles can configured under Network > Network Profiles > Monitor
    • The Proxy ID tab on the IPSec configuration page can be used to specify a local and remote proxy ID if needed, and a specific protocol of allowed traffic can be set if needed (TCP, UDP, Non-IP protocol number, or Any). By default, the proxy ID is 0.0.0.0/0
  • Static Route for VPN
    • Configured under Network > Virtual Routers > Add > Static Routes > IPv4
    • Add the Static route remote destination network, specifying the tunnel interface of the VPN
    • Next-Hop not required, but can be specified if needed
    • Any admin distance or metric adjustments
    • This step is not required if Dynamic routing will be used through the tunnel.
  • Validating Connectivity
    • Under Network > IPSec Tunnels
    • The status will show green if the tunnel has established and is active.
    • Clicking on ‘Tunnel Info’ will provide details about the tunnel.

IPSec Troubleshooting

  • First step is to double-check all the settings in the IKE and IPSec sections. Talk to a rubber duckie!
  • Check under Network > IPSec Tunnels
    • Tunnel Status red indicates that IPSec Phase 2 is not available or expired.
    • Ike Gateway Status green indicates Phase 1 is established, red indicates it has failed.
    • Note that Tunnels are only up/established when traffic is needed to cross them (except when Monitoring is used, this will keep the tunnel active).
    • The test VPN command can be used to test a VPN:
      • Ike Phase 1 test: test vpn ike-sa gateway (name)
      • Show VPN ike-sa gateway (name) to check status
      • IPSec Phase 2 test: test vpn ipsec-sa tunnel (name)
      • Show VPN ipsec-sa tunnel (name) to check status
      • To validate traffic flow, use the ‘show vpn flow’ command.
  • Troubleshooting from the responder is easier to track down issues
    • VPN error messages can include:
    • Wrong IP – Incorrect IP in P1 config or cannot communicate/route to the IP
    • No matching P1/P2 proposal – double check IKE/IPSec and encryption settings
    • Mismatched Peer ID – Able to communicate, but Peer ID’s do not match
    • PFS group mismatch – Check/update PFS DH Group
    • Mismatched Proxy ID – generally caused by a mismatch from Policy Based VPN’s
    • The System Log will log attempts and this can be used to troubleshoot the errors

Source: User submitted post