Chapter 3. Advanced Networking

3.3 Site-to-Site VPN

Learning Objectives

  • Configure site-to-site VPN
  • Configure static routing

Prerequisites:

  • Create Zones on both firewalls
  • Create a tunnel interface on both firewalls
  • Create a policy to allow VPN to Inside on both firewalls
  • Create a policy to allow Inside to VPN on both firewalls
  • Interface configuration
  • Knowledge of previous labs

Scenario: This one is a bit tricky, since you will be managing both devices. A site-to-site VPN is what your company would set up if it had offices in other locations that are not directly connected to each other. In this lab we’ll take it easy and assume the two firewalls have a direct connection to each other. We are going to configure a site-to-site VPN between two Palo Alto firewalls; when it is done, you should be able to ping from client-1 to client-2.

Figure 3.54: Main scenario
Table 3.8: Addressing Table

  Device         Configuration
  Site-1         Management: 192.168.0.1/24
                 Ethernet1/1: 10.0.0.1/24
                 Ethernet1/2: 1.1.1.1/24
  Site-2         Management: 192.168.0.2/24
                 Ethernet1/1: 172.16.10.1/24
                 Ethernet1/2: 1.1.1.2/24
  Site1-Client   eth0: 10.0.0.2/24, GW: 10.0.0.1
  Site2-Client   eth0: 172.16.10.2/24, GW: 172.16.10.1
  Management1    eth0: 192.168.0.3/24
Table 3.9: Zone Configuration for Site1

  Zone     Interface
  Inside   Ethernet1/1
  VPN      Ethernet1/2, tunnel.1

Table 3.10: Zone Configuration for Site2

  Zone     Interface
  Inside   Ethernet1/1
  VPN      Ethernet1/2, tunnel.1

Create an IKE Gateway

Under Network > Network Profiles > IKE Gateways, click Add.

Figure 3.55: Add an IKE Gateway

On the Site1 firewall, configure these settings:

Table 3.11: Site1 IKE Gateway Configuration

  Parameter               Value
  Interface               Ethernet1/2
  Local IP Address        1.1.1.1/24
  Peer IP Address Type    IP
  Peer Address            1.1.1.2
  Pre-shared Key          Password Here
  Confirm Pre-shared Key  Confirm Password Here
Figure 3.56: Site1 Firewall: IKE Gateway Configuration

Then press OK.

On the Site2 firewall, configure these settings:

Table 3.12: Site2 IKE Gateway Configuration

  Parameter               Value
  Interface               Ethernet1/2
  Local IP Address        1.1.1.2/24
  Peer IP Address Type    IP
  Peer Address            1.1.1.1
  Pre-shared Key          Same Password as before here
  Confirm Pre-shared Key  Confirm same password as before here
Figure 3.57: Site2 Firewall: IKE Gateway Configuration

Then press OK.

Create an IPsec Tunnel

Under Network > IPsec Tunnel, click Add.

Figure 3.58: Site1 Firewall: Add an IPsec Tunnel

On both firewalls, configure these settings:

Table 3.13: IPsec Tunnel Configuration

  Parameter         Value
  Tunnel Interface  tunnel.1
  IKE Gateway       The one you created on the respective firewall
Figure 3.59: Site1 and Site2 Firewall: IPsec Tunnel Configuration

Create Static Routes

Under Network > Virtual Routers, click default.

Figure 3.60: Virtual Routers Configuration

Under the Static Routes tab, click Add.

Figure 3.61: Add a Static Route in the Site1

On the Site1 firewall, configure these settings:

Table 3.14: Site1 Static Route Configuration

  Parameter    Value
  Destination  172.16.10.0/24
  Interface    tunnel.1
  Next Hop     None
Figure 3.62: Static Route Configuration in the Site1

On the Site2 firewall, configure these settings:

Table 3.15: Site2 Static Route Configuration

  Parameter    Value
  Destination  10.0.0.0/24
  Interface    tunnel.1
  Next Hop     None
Figure 3.63: Static Route Configuration in the Site2

Then press OK.

Test the Site-to-Site VPN

On either client, try to ping the client at the other site.

Figure 3.64: Verify your configuration

If you can ping the other client in the other site, everything worked!
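The ping only succeeds when both firewalls agree with each other: each IKE gateway's peer address is the other's local address and the pre-shared keys match, each virtual router has a route to the other site's inside subnet via tunnel.1, and both the Inside-to-VPN and VPN-to-Inside policies exist (the echo request crosses one zone pair, the reply crosses the other). The following Python script is an added example, not part of the book or of PAN-OS: it models the two lab firewalls from Tables 3.8 to 3.15 and walks the request and reply through both devices, so a missing route, a one-way policy or a mismatched key shows up before you commit.

```python
import ipaddress

# Constructed model of the two lab firewalls (Tables 3.8-3.15): interface -> (address, zone).
SITES = {
    "Site1": {
        "interfaces": {"ethernet1/1": ("10.0.0.1/24", "Inside"),
                       "ethernet1/2": ("1.1.1.1/24", "VPN"),
                       "tunnel.1": (None, "VPN")},
        "ike": {"local": "1.1.1.1", "peer": "1.1.1.2", "psk": "Password Here"},
        "routes": [("172.16.10.0/24", "tunnel.1")],
        "policies": [("Inside", "VPN"), ("VPN", "Inside")],
    },
    "Site2": {
        "interfaces": {"ethernet1/1": ("172.16.10.1/24", "Inside"),
                       "ethernet1/2": ("1.1.1.2/24", "VPN"),
                       "tunnel.1": (None, "VPN")},
        "ike": {"local": "1.1.1.2", "peer": "1.1.1.1", "psk": "Password Here"},
        "routes": [("10.0.0.0/24", "tunnel.1")],
        "policies": [("Inside", "VPN"), ("VPN", "Inside")],
    },
}

def egress_interface(site, dst):
    """Longest-prefix match over connected subnets and the static routes."""
    dst = ipaddress.ip_address(dst)
    candidates = [(ipaddress.ip_interface(a).network, i)
                  for i, (a, _) in site["interfaces"].items() if a]
    candidates += [(ipaddress.ip_network(p), i) for p, i in site["routes"]]
    matches = [(n.prefixlen, i) for n, i in candidates if dst in n]
    return max(matches)[1] if matches else None

def forwards(site, in_if, dst):
    """One firewall's decision: route lookup, then the zone-pair policy check."""
    out_if = egress_interface(site, dst)
    if out_if is None:
        return False
    zones = (site["interfaces"][in_if][1], site["interfaces"][out_if][1])
    return zones in site["policies"]

def ike_peers_match(a, b):
    """Each side's peer address must be the other's local address, with one shared key."""
    return (a["ike"]["peer"] == b["ike"]["local"] and b["ike"]["peer"] == a["ike"]["local"]
            and a["ike"]["psk"] == b["ike"]["psk"])

def ping_succeeds(a, b, src, dst):
    """Echo request (a -> b) and the reply (b -> a) must pass both firewalls."""
    if not ike_peers_match(a, b):
        return False
    request = forwards(a, "ethernet1/1", dst) and forwards(b, "tunnel.1", dst)
    reply = forwards(b, "ethernet1/1", src) and forwards(a, "tunnel.1", src)
    return request and reply
```

Calling ping_succeeds(SITES["Site1"], SITES["Site2"], "10.0.0.2", "172.16.10.2") returns True for the tables as given; drop Site2's static route or one of Site1's policies and it returns False, which is exactly the failure the ping test at the end of the lab would show you.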

License


Palo Alto Firewall Copyright © 2023 by Hamid Talebi, Xavier Cawley is licensed under a Creative Commons Attribution 4.0 International License, except where otherwise noted.