Network Security
PAN-OS 10.1 and Later
Table of Contents
Expand All
|
Collapse All
Network Security Docs
Set Up an IPSec Tunnel (Tunnel Mode) (PAN-OS 10.1 and Later)
PAN-OS
10.1 and Later)Step-by-step procedure to configure IPSec tunnel in tunnel mode which is the default
mode.
- Selectand thenNetworkIPSec TunnelsAdda new tunnel configuration.
- On theGeneraltab, enter aNamefor the tunnel.
- Select theTunnel interfaceon which to set up the IPSec tunnel.To create a new tunnel interface:
- Select. (You can also selectTunnel InterfaceNew Tunnel Interfaceand clickNetworkInterfacesTunnelAdd.)
- In theInterface Namefield, specify a numeric suffix, such as.2.
- On theConfigtab, select theSecurity Zonelist to define the zone as follows:
Use your trust zone as the termination point for the tunnel—Select the zone. Associating the tunnel interface with the same zone (and virtual router) as the external-facing interface on which the packets enter the firewall mitigates the need to create inter-zone routing.Or:Create a separate zone for VPN tunnel termination(Recommended)—SelectNew Zone, define aNamefor the new zone (for example vpn-corp), and clickOK.- ForVirtual Router, selectdefault.
- (Optional) If you want to assign an IPv4 address to the tunnel interface, select theIPv4tab, andAddthe IP address and network mask, for example 10.31.32.1/32.
- ClickOK.
- (Optional) Enable IPv6 on the tunnel interface.
- Select the IPv6 tab on.NetworkInterfacesTunnelIPv6
- SelectEnable IPv6 on the interface.This option allows you to route IPv6 traffic over an IPv4 IPSec tunnel and will provide confidentiality between IPv6 networks. The IPv6 traffic is encapsulated by IPv4 and then ESP. To route IPv6 traffic to the tunnel, you can use a static route to the tunnel, or use OSPFv3, or use a policy-based forwarding (PBF) rule.
- Enter the 64-bit extended uniqueInterface IDin hexadecimal format, for example, 00:26:08:FF:FE:DE:4E:29. By default, the firewall will use the EUI-64 generated from the physical interface’s MAC address.
- To assign an IPv6Addressto the tunnel interface,Addthe IPv6 address and prefix length, for example 2001:400:f00::1/64. If Prefix isn’t selected, the IPv6 address assigned to the interface will be wholly specified in the address text box.
- SelectUse interface ID as host portionto assign an IPv6 address to the interface that will use the interface ID as the host portion of the address.
- SelectAnycastto include routing through the nearest node.
- Set up key exchange.On theGeneraltab, configure one of the following types of key exchange:Set up Auto Key exchange
- Select the IKE Gateway. To set up an IKE gateway, see Set Up an IKE Gateway.
- (Optional) Select the default IPSec Crypto profile. To create a new IPSec Profile, see Define IPSec Crypto Profiles.
Set up Manual Key exchange- Specify theLocal SPIfor the local firewall. SPI is a 32-bit hexadecimal index that is added to the header for IPSec tunneling to assist in differentiating between IPSec traffic flows; it’s used to create the SA required for establishing a VPN tunnel.
- Select theInterfacethat will be the tunnel endpoint, and optionally select the IP address for the local interface that is the endpoint of the tunnel.
- Select the protocol to be used—AHorESP.
- For AH, select theAuthenticationmethod and enter aKeyand thenConfirm Key.
- For ESP, select theAuthenticationmethod and enter aKeyand thenConfirm Key. Then, select theEncryptionmethod and enter aKeyand thenConfirm Key, if needed.
- Specify theRemote SPIfor the remote peer.
- Enter theRemote Address, the IP address of the remote peer.
- Protect against a replay attack.Anti-replay is a sub-protocol of IPSec and is part of the Internet Engineering Task Force (IETF) Request for Comments (RFC) 6479. The anti-replay protocol is used to prevent hackers from injecting or making changes in packets that travel from a source to a destination and uses a unidirectional security association in order to establish a secure connection between two nodes in the network.After a secure connection is established, the anti-replay protocol uses packet sequence numbers to defeat replay attacks. When the source sends a message, it adds a sequence number to its packet; the sequence number starts at 0 and is incremented by 1 for each subsequent packet. The destination maintains the sequence of numbers in asliding windowformat, maintains a record of the sequence numbers of validated received packets, and rejects all packets that have a sequence number that is lower than the lowest in the sliding window (packets that are too old) or packets that already appear in the sliding window (duplicate or replayed packets). Accepted packets, after they’re validated, update the sliding window, displacing the lowest sequence number out of the window if it was already full.
- On the General tab, selectShow Advanced Optionsand selectEnable Replay Protectionto detect and neutralize against replay attacks.
- Select theAnti Replay Windowto use. You can select an anti-replay window size of 64, 128, 256, 512, 1024, 2048, or 4096. The default is 1024.
- (Optional) Preserve the Type of Service header for the priority or treatment of IP packets.In the Show Advanced Options section, selectCopy TOS Header. This copies the Type of Service (ToS) header from the inner IP header to the outer IP header of the encapsulated packets in order to preserve the original ToS information.If there are multiple sessions inside the tunnel (each with a different ToS value), copying the ToS header can cause the IPSec packets to arrive out of order.
- By default, IPSec tunnels come up inTunnelmode if you don’t configure IPSec mode. You can also selectIPSec ModeasTunnelin theShow Advanced Optionssection to establish an IPSec in tunnel mode.
- (Optional) SelectAdd GRE Encapsulationto enable GRE over IPSec.Add GRE encapsulation in cases where the remote endpoint requires traffic to be encapsulated within a GRE tunnel before IPSec encrypts the traffic. For example, some implementations require multicast traffic to be encapsulated before IPSec encrypts it. Add GRE Encapsulation when the GRE packet encapsulated in IPSec has the same source IP address and destination IP address as the encapsulating IPSec tunnel.
- Enable Tunnel Monitoring.You must assign an IP address to the tunnel interface for monitoring.To alert the device administrator to tunnel failures and to provide an automatic failover to another tunnel interface:
- SelectTunnel Monitor.
- Specify aDestination IPaddress on the other side of the tunnel to determine if the tunnel is working properly.
- Select aProfileto determine the action upon tunnel failure. To create a new profile, see Define a Tunnel Monitoring Profile.
- Create a Proxy ID to identify the VPN peers.This step is required only if the VPN peer uses a policy-based VPN.
- Selectand clickNetworkIPSec TunnelsAdd.
- Select theProxy IDstab.
- Select theIPv4orIPv6tab.
- ClickAddand enter theProxy IDname.
- Enter theLocalIP address or subnet for the VPN gateway.
- Enter theRemoteaddress for the VPN gateway.
- Select theProtocol:
- Number—Specify the protocol number (used for interoperability with third-party devices).
- Any—Allows TCP and/or UDP traffic.
- TCP—Specify the local port and remote port numbers.
- UDP—Specify the local port and remote port numbers.
- ClickOK.
- Commit your changes.ClickOKandCommit.