Chapter 3. Advanced Networking
3.3 Site-to-Site VPN
Learning Objectives
- Configure site-to-site VPN
- Configure static routing
Prerequisites:
- Create Zones on both firewalls
- Create a tunnel interface on both firewalls
- Create a policy to allow VPN to Inside on both firewalls
- Create a policy to allow Inside to VPN on both firewalls
- Interface configuration
- Knowledge of previous labs
Scenario: This one is a bit tricky since you will be managing both devices. A site-to-site VPN is what your company would set up if it had offices in other locations that are not directly connected to each other. In this lab, we'll take it easy and assume the two firewalls do have a direct connection to each other. We are going to configure a site-to-site VPN between two Palo Alto firewalls, after which you should be able to ping from client-1 to client-2.
Device | Configuration |
---|---|
Site-1 | management: 192.168.0.1/24; Ethernet1/1: 10.0.0.1/24; Ethernet1/2: 1.1.1.1/24 |
Site-2 | management: 192.168.0.2/24; Ethernet1/1: 172.16.10.1/24; Ethernet1/2: 1.1.1.2/24 |
Site1-Client | eth0: 10.0.0.2/24; GW: 10.0.0.1 |
Site2-Client | eth0: 172.16.10.2/24; GW: 172.16.10.1 |
Management1 | eth0: 192.168.0.3/24 |
Zones (identical on both firewalls):
Zone | Interface |
---|---|
Inside | Ethernet1/1 |
VPN | Ethernet1/2, tunnel.1 |
Create an IKE Gateway
Under Network > Network Profiles > IKE Gateways, click Add.
On the Site1 firewall, configure these settings:
Parameter | Value |
---|---|
Interface | Ethernet1/2 |
Local IP Address | 1.1.1.1/24 |
Peer IP Address Type | IP |
Peer Address | 1.1.1.2 |
Pre-shared Key | Password Here |
Confirm Pre-shared key | Confirm Password Here |
Then press OK.
On the Site2 firewall, configure these settings:
Parameter | Value |
---|---|
Interface | Ethernet1/2 |
Local IP Address | 1.1.1.2/24 |
Peer IP Address Type | IP |
Peer Address | 1.1.1.1 |
Pre-shared Key | Same Password as before here |
Confirm Pre-shared key | Confirm same password as before here |
Then press OK.
Create an IPsec Tunnel
Under Network > IPsec Tunnel, click Add.
On both firewalls, configure these settings:
Parameter | Value |
---|---|
Tunnel Interface | tunnel.1 |
IKE Gateway | The one you created on the respective firewall |
Create Static Routes
Under Network > Virtual Routers, click default.
Under the static routes tab, click Add.
On the Site1 firewall, configure these settings:
Parameter | Value |
---|---|
Destination | 172.16.10.0/24 |
Interface | tunnel.1 |
Next Hop | None |
On the Site2 firewall, configure these settings:
Parameter | Value |
---|---|
Destination | 10.0.0.0/24 |
Interface | tunnel.1 |
Next Hop | None |
Then press OK.
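Because you are configuring both firewalls by hand, most failures in this lab come from a setting that is not mirrored correctly between the peers. The following is an added example, not part of the lab: the dict layout and the function names check_site_to_site and with_ike are my own, and the values are the ones from the tables above.

```python
import copy
import ipaddress

# Constructed example, not part of the lab: the two firewalls as configured in the
# tables above, written as plain dicts so the mirrored settings can be cross-checked.
SITE1 = {
    "name": "Site-1", "inside_subnet": "10.0.0.0/24",
    "ike": {"interface": "ethernet1/2", "local_ip": "1.1.1.1/24",
            "peer_address": "1.1.1.2", "psk": "Password Here"},
    "tunnel": {"interface": "tunnel.1", "zone": "VPN"},
    "static_routes": [{"destination": "172.16.10.0/24",
                       "interface": "tunnel.1", "next_hop": None}],
}
SITE2 = copy.deepcopy(SITE1)
SITE2.update(name="Site-2", inside_subnet="172.16.10.0/24")
SITE2["ike"].update(local_ip="1.1.1.2/24", peer_address="1.1.1.1")
SITE2["static_routes"][0]["destination"] = "10.0.0.0/24"


def check_site_to_site(a, b):
    """Return a list of mismatches between two peer configs; an empty list means consistent."""
    problems = []
    for local, remote in ((a, b), (b, a)):
        n, ike = local["name"], local["ike"]
        peer_local_ip = ipaddress.ip_interface(remote["ike"]["local_ip"]).ip
        # IKE phase 1: this side's Peer Address must be the other side's Local IP.
        if ipaddress.ip_address(ike["peer_address"]) != peer_local_ip:
            problems.append(f"{n}: Peer Address {ike['peer_address']} != peer's local IP {peer_local_ip}")
        # The pre-shared key has to be typed identically on both firewalls.
        if ike["psk"] != remote["ike"]["psk"]:
            problems.append(f"{n}: pre-shared key differs from the peer's")
        # Routing: a static route to the peer's Inside subnet, out tunnel.1, Next Hop None.
        want = ipaddress.ip_network(remote["inside_subnet"])
        routes = [r for r in local["static_routes"]
                  if ipaddress.ip_network(r["destination"]) == want]
        if not routes:
            problems.append(f"{n}: no static route for {want}")
        for r in routes:
            if r["interface"] != local["tunnel"]["interface"] or r["next_hop"] is not None:
                problems.append(f"{n}: route to {want} must use {local['tunnel']['interface']} with no next hop")
        # tunnel.1 must be in the VPN zone so the Inside<->VPN policies see the traffic.
        if local["tunnel"]["zone"] != "VPN":
            problems.append(f"{n}: {local['tunnel']['interface']} is in zone {local['tunnel']['zone']}, not VPN")
    return problems


def with_ike(cfg, **overrides):
    """Copy cfg with some IKE gateway fields changed, to show how a typo is caught."""
    bad = copy.deepcopy(cfg)
    bad["ike"].update(overrides)
    return bad
```

Running check_site_to_site(SITE1, SITE2) on the values above returns an empty list; a mistyped pre-shared key on Site-2 is reported from both sides, and a wrong Peer Address is reported only from the side that has it.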
Test the Site-to-Site VPN
On either client, try to ping the client at the other site.
If you can ping the client at the other site, everything worked!