Configure IPSec VPN Tunnels (Site-to-Site)
Focus
Focus
Network Security

Configure IPSec VPN Tunnels (Site-to-Site)

Table of Contents

Configure IPSec VPN Tunnels (Site-to-Site)

Learn how to configure a site-to-site IPSec VPN tunnel.
Where Can I Use This?What Do I Need?
  • Prisma Access
  • PAN-OS
No license required
To set up site-to-site VPN:
  • Make sure that your Ethernet interfaces, virtual routers, and zones are configured properly. For more information, see Configure Interfaces and Zones.
  • Create your tunnel interfaces. Ideally, put the tunnel interfaces in a separate zone, so that tunneled traffic can use different policy rules.
  • Set up static routes or assign routing protocols to redirect traffic to the VPN tunnels. To support dynamic routing (OSPF, BGP, RIP are supported), you must assign an IP address to the tunnel interface.
  • Define IKE gateways for establishing communication between the peers across each end of the VPN tunnel; also define the cryptographic profile that specifies the protocols and algorithms for identification, authentication, and encryption to be used for setting up VPN tunnels in IKEv1 Phase 1. See Set Up an IKE Gateway and Define IKE Crypto Profiles.
  • Configure the parameters that are needed to establish the IPSec connection for transfer of data across the VPN tunnel; See Set Up an IPSec Tunnel. For IKEv1 Phase-2, see Define IPSec Crypto Profiles.
  • (Optional) Specify how the firewall will monitor the IPSec tunnels. See Monitor Your IPSec VPN Tunnel .
  • Define Security policies to filter and inspect the traffic.
    If there’s a deny rule at the end of the security rulebase, intrazone traffic is blocked unless otherwise allowed. Rules to allow IKE and IPSec applications must be explicitly included above the deny rule.
    If your VPN traffic is passing through (not originating or terminating on) a PA-7000 Series or PA-5200 Series firewall, configure a bidirectional Security policy rule to allow the ESP or AH traffic in both directions.
When these tasks are complete, the tunnel is ready for use. Traffic destined for the zones/addresses defined in a policy rule is automatically routed properly based on the destination route in the routing table, and handled as VPN traffic. For a few examples on site-to-site VPN, see Site-to-Site VPN .