Basic IPSec VPN Configuration with PAN-OS

  • Published on 30 Sep 2024
  • In this video, we walk you through the steps to create an IPSec VPN that originates from one of our physical or virtualized next-generation firewalls and terminates on any hardware, software or cloud-based IPSec VPN compatible device.
    Information needed:
    - Deciding which cyphers - you will need an IKE Crypto set of cyphers and an IPSec set of cyphers. There must be matching cyphers on the local and the remote.
    - Collecting IP information (Remote Peer IP & Local Peer IP) - The remote peer IP is the remote or far end IP address where the IKE session will terminate. Conversely, the local peer IP is the IP address where the IKE session will terminate on the local device.
    - Select a shared key - The shared key will be a string that both local and remote sites will use to validate the IKE session.
    Basic Steps:
    1) Check or create a usable IKE Crypto Profile
    2) Create an IKE Gateway
    3) Create a security Zone for the tunnel interface
    4) Create a Tunnel Interface
    5) Check or create a usable IPSec Crypto Profile
    6) Create an IPSec Tunnel
    After going through the steps, we will provide a demonstration on how to create an IPSec VPN.
    For more information about IPSec VPN configuration, please review the following resources:
    (Discussion with Solution) How to create IPSec VPN tunnel between two Palo Alto 200 firewalls?
    live.paloalton...
    HOW TO CONFIGURE IPSEC VPN (Knowledge Base)
    knowledgebase....
    IPSec VPN Tunnel Management (TechDocs)
    docs.paloalton...
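The three items under "Information needed" can be checked before anything is entered on either device. The following is an added example, not part of the original video or of PAN-OS: the `PeerPlan` structure, the function names and every sample value (documentation IP ranges, cipher labels, placeholder key) are assumptions made for illustration.

```python
import hmac
import ipaddress
from dataclasses import dataclass

@dataclass
class PeerPlan:
    """Planned settings for one end of the tunnel (hypothetical structure)."""
    local_peer_ip: str
    remote_peer_ip: str
    ike_crypto: dict    # attribute name -> set of allowed values
    ipsec_crypto: dict  # attribute name -> set of allowed values
    shared_key: str

def common_values(mine: dict, theirs: dict, label: str) -> list:
    """Report every attribute for which the two cipher sets share no value."""
    return [f"{label}: no common {attr}"
            for attr in sorted(set(mine) | set(theirs))
            if not mine.get(attr, set()) & theirs.get(attr, set())]

def preflight(a: PeerPlan, b: PeerPlan) -> list:
    """Return the mismatches between two plans; an empty list means they agree."""
    problems = []
    # Each side's remote peer IP must be the other side's local peer IP.
    for side, x, y in (("A", a, b), ("B", b, a)):
        if ipaddress.ip_address(x.remote_peer_ip) != ipaddress.ip_address(y.local_peer_ip):
            problems.append(f"peer-ip: side {side} remote peer is not the other side's local peer")
    problems += common_values(a.ike_crypto, b.ike_crypto, "ike-crypto")
    problems += common_values(a.ipsec_crypto, b.ipsec_crypto, "ipsec-crypto")
    # Constant-time comparison; the key itself never goes into the report.
    if not hmac.compare_digest(a.shared_key.encode(), b.shared_key.encode()):
        problems.append("shared-key: values differ")
    return problems

# Constructed sample plans (documentation IP ranges, placeholder key).
IKE = {"encryption": {"aes-256-cbc"}, "authentication": {"sha256"}, "dh_group": {"group14"}}
ESP = {"encryption": {"aes-256-cbc"}, "authentication": {"sha256"}}
SITE_A = PeerPlan("203.0.113.1", "198.51.100.1", IKE, ESP, "constructed-sample-key")
SITE_B = PeerPlan("198.51.100.1", "203.0.113.1", IKE, ESP, "constructed-sample-key")
# Same as SITE_B but with a different DH group and a mistyped key.
SITE_B_BAD = PeerPlan("198.51.100.1", "203.0.113.1",
                      {**IKE, "dh_group": {"group2"}}, ESP, "constructed-sample-kee")

if __name__ == "__main__":
    print(preflight(SITE_A, SITE_B))
    print(preflight(SITE_A, SITE_B_BAD))
```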

Comments • 25

  • @mal798 1 year ago

    Reading what you see on the screen isn't helpful. Need context on what these settings are, particularly around interfaces. Your official documentation is equally bad.

  • @kavinpkt 5 years ago +9

    Hi PA,
    On which basis, you've given tunnel ip as 10.10.10.2 🤔

    • @PaloAltoNetworksLiveCommunity 5 years ago

      It's just an example. This IP address will be used to route traffic to the tunnel and to monitor the status of the tunnel.

    • @pankajpandey5063 5 years ago +6

      @itmachinist it's just an example. It's wrong IP I think he should have mentioned there 10.0.2.0/24

  • @onjisan 2 years ago +1

    Palo made this way overcomplicated

  • @vikashramdin5430 4 years ago +4

    Where do you add the local and remote networks for phase 2?

  • @supersmart671 2 years ago +1

    ciphers or cyphers? Spelling. 7:55 NAT transversal or NAT Traversal?

  • @allyg1383 11 months ago

    Ok, I have a question. I want to make connection with a app. Global protect from anywhere with my local domain network, this is not this tutorial??
    Can you help me, please?

  • @vince.navarrete 2 years ago +1

    I feel like this is either outdated or not entirely accurate. A tunnel interface IP isn't a requirement to establish and route a tunnel. You would use an IP for dynamic routing or monitoring.

    • @fuzzzy17 2 years ago

      Exactly. I’ve seen it being used only on AWS tunnels and not any other firewall.

  • @RuchitMShah 5 years ago +1

    hello, Routing on 10.10.10.1 is required?

  • @foehammerone 2 years ago

    Where did you get the tunnel interface IP from? Is it just randomly assigned so that the VR can have an interface where the unencrypted traffic is delivered?

  • @ashfaq82786 2 years ago

    Where did that 10.10.10.x IP come from at 10:45 in video?

  • @alpeshmestry 4 years ago

    Have you created security policy for tunnel

  • @maryamraheel6120 2 years ago

    Why the MTU size 1427?

  • @terrybutts4714 3 years ago

    What about the security policies? You skipped segments that were needed.

    • @PaloAltoNetworksLiveCommunity 3 years ago

      Hi, thanks for pointing that out. For sake of time the security policies were already put in place. Also in this video they were already set up but you can see in this video what it looks like: th-cam.com/video/5xgYhXlnGUw/w-d-xo.html

  • @freddygonzalez4995 1 year ago

    Are static routes needed pointing to the tunnel interface for the remote subnets

    • @gre1677 1 year ago

      Yes, that's required. Also need to create 2 policies for IPSEC Traffic and Traffic from Local to remote.

  • @dhananjay3974 4 years ago +1

    Nicely explained

  • @fenimama 5 years ago +2

    Damn this guy is genius. thanks a lot.

  • @peternorton7665 5 years ago +4

    all over the place ! not structured

    • @mrRDX001 5 years ago

      Why don't you make one with aaaaall STRUCTURED. Let us see how good that is and all the negative people like you commenting on that instead of appreciating.

  • @kcarmical 4 years ago

    Great demo! Helps a lot!