IPsec tunnel Nodegrid to PaloAlto with IKEv2 only

Setup Overview



This document outlines how a Nodegrid system can establish an IPsec tunnel to a PaloAlto firewall in tunnel mode. The guide was verified with PaloAlto version 8.0 and Nodegrid version 4.1.6. It uses a set of sample IP addresses, which need to be replaced with the real IP addresses of the actual setup.

The aim of this guide is to establish an IPsec tunnel using IKEv2 only. The Nodegrid receives a dynamic WAN IP address, so the PaloAlto side is configured as the passive peer with a dynamic peer address, and both sides identify each other by user-FQDN (email-style) identifiers rather than by IP address. The following list contains the values used in this guide; adjust them as needed. The IKE settings were selected so that both sides support them. They can be changed, but care should be taken that both units support each individual setting.



PaloAlto

Validated on: PaloAlto version 8.0

WAN IP: 192.168.2.241

PaloAlto Router IP: 192.168.200.1/24

PaloAlto Internal Subnet: 192.168.200.0/24

Identifier: FQDN (email): HUB@POC.LAB



Nodegrid

Validated on: Nodegrid version 4.1.6

WAN IP: Dynamic

LAN IP: 192.169.0.1/24

Internal Subnet: 192.169.0.0/24

Identifier: FQDN (email): NGIKE@POC.LAB

PaloAlto configuration

Create Crypto Profiles

On the PaloAlto, existing profiles can be reused, but for visibility we recommend creating new ones. The profile names can be changed as needed. Two profiles need to be created:

  • IKE Crypto in Network -> Network Profiles -> IKE Crypto
  • IPSec Crypto in Network -> Network Profiles -> IPSec Crypto

IKE Crypto Profile

    set network ike crypto-profiles ike-crypto-profiles NG-IKE hash sha512
    set network ike crypto-profiles ike-crypto-profiles NG-IKE dh-group group20
    set network ike crypto-profiles ike-crypto-profiles NG-IKE encryption aes-256-cbc
    set network ike crypto-profiles ike-crypto-profiles NG-IKE lifetime hours 8



IPSec Crypto Profile

    set network ike crypto-profiles ipsec-crypto-profiles NG-IPSec esp authentication sha512
    set network ike crypto-profiles ipsec-crypto-profiles NG-IPSec esp encryption aes-256-cbc
    set network ike crypto-profiles ipsec-crypto-profiles NG-IPSec lifetime hours 1
    set network ike crypto-profiles ipsec-crypto-profiles NG-IPSec dh-group group20



Create Interfaces

On the Palo Alto, several interfaces need to be created. They depend on each other, so create them in the following order:

  • Tunnel Interface in Network -> Interfaces -> Tunnel
  • IKE Gateway in Network -> Network Profiles -> IKE Gateway
  • IPSec Tunnel in Network -> IPSec Tunnel

Tunnel Interface

    set network interface tunnel units tunnel.3 ip 192.169.0.1/24
    set network interface tunnel units tunnel.3 interface-management-profile PING





IKE Gateways

    set network ike gateway ZPE-IKE authentication pre-shared-key key -AQ==q53f7nsC....==
    set network ike gateway ZPE-IKE protocol ikev1 dpd enable yes
    set network ike gateway ZPE-IKE protocol ikev2 dpd enable yes
    set network ike gateway ZPE-IKE protocol ikev2 ike-crypto-profile NG-IKE
    set network ike gateway ZPE-IKE protocol version ikev2
    set network ike gateway ZPE-IKE local-address ip 192.168.10.241/24
    set network ike gateway ZPE-IKE local-address interface ethernet1/1
    set network ike gateway ZPE-IKE protocol-common nat-traversal enable yes
    set network ike gateway ZPE-IKE protocol-common fragmentation enable no
    set network ike gateway ZPE-IKE protocol-common passive-mode yes
    set network ike gateway ZPE-IKE peer-address dynamic
    set network ike gateway ZPE-IKE local-id id HUB@POC.LAB
    set network ike gateway ZPE-IKE local-id type ufqdn
    set network ike gateway ZPE-IKE peer-id id NGIKE@POC.LAB
    set network ike gateway ZPE-IKE peer-id type ufqdn






IPSec Tunnels

    set network tunnel ipsec NGIKE auto-key ike-gateway ZPE-IKE
    set network tunnel ipsec NGIKE auto-key ipsec-crypto-profile NG-IPSec
    set network tunnel ipsec NGIKE auto-key proxy-id NGIKE protocol any
    set network tunnel ipsec NGIKE auto-key proxy-id NGIKE local 192.168.200.0/24
    set network tunnel ipsec NGIKE auto-key proxy-id NGIKE remote 192.169.0.0/24
    set network tunnel ipsec NGIKE tunnel-monitor enable no
    set network tunnel ipsec NGIKE tunnel-interface tunnel.3






Nodegrid Setup

On the Nodegrid the IPsec tunnel is set up as usual. Below is an example of an IPsec connection configuration file located in /etc/ipsec/ipsec.d/.

The example below starts the tunnel automatically when the IPsec service is started and creates a network interface called vti1, which is used for the IPsec tunnel. The pre-shared key entered on the PaloAlto must also be configured on the Nodegrid: the authby=secret setting tells the IPsec service to look the key up in its secrets file, keyed by the two identifiers used below.

IPSec connection file

    conn NG-PA-IKE2
        auto=start
        authby=secret

        # Nodegrid side (left): dynamic WAN address, identified by user-FQDN
        leftid=NGIKE@POC.LAB
        left=%defaultroute
        leftsourceip=192.169.0.1
        leftsubnet=192.169.0.1/24

        # PaloAlto side (right): must match the gateway's local-id and proxy-id
        rightid=HUB@POC.LAB
        right=192.168.10.241
        rightsourceip=192.168.200.1
        rightsubnet=192.168.200.0/24

        # Route-based tunnel over the vti1 interface
        mark=6/0xffffffff
        vti-interface=vti1
        vti-routing=yes

        type=tunnel
        mtu=1400
        initial_contact=no
        keyingtries=%forever
        keyexchange=ike
        nat_keepalive=yes
        aggressive=no
        # IKE proposal matching the NG-IKE profile (AES-256, SHA-512, DH group 20, 8 h)
        ike=aes256-sha2_512;dh20
        ikelifetime=480m
        fragmentation=yes
        dpdaction=hold
        dpdtimeout=5
        dpddelay=1
        pfs=yes
        ikev2=insist
        # ESP proposal matching the NG-IPSec profile
        phase2=esp
        phase2alg=aes256-sha2_512;dh20
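The usual reasons a tunnel like this one fails to come up are a proposal, identity or traffic-selector mismatch between the two peers. The following Python checker is an added example, not part of this guide or of either vendor's tooling: it parses the PaloAlto set commands and the Libreswan conn section above and reports every setting that disagrees. The PAN_TO_SWAN name mapping and the key-tail lookup are assumptions of the example, and the embedded configuration excerpts are constructed from the values on this page.

```python
import ipaddress
import re

# Hand-written map from PAN-OS crypto names to Libreswan tokens (an assumption of this example).
PAN_TO_SWAN = {"aes-256-cbc": "aes256", "sha512": "sha2_512", "group20": "dh20"}

# Constructed excerpts of the two configurations shown on this page.
PANOS = """set network ike crypto-profiles ike-crypto-profiles NG-IKE hash sha512
set network ike crypto-profiles ike-crypto-profiles NG-IKE dh-group group20
set network ike crypto-profiles ike-crypto-profiles NG-IKE encryption aes-256-cbc
set network ike crypto-profiles ipsec-crypto-profiles NG-IPSec esp authentication sha512
set network ike crypto-profiles ipsec-crypto-profiles NG-IPSec esp encryption aes-256-cbc
set network ike crypto-profiles ipsec-crypto-profiles NG-IPSec dh-group group20
set network ike gateway ZPE-IKE local-id id HUB@POC.LAB
set network ike gateway ZPE-IKE peer-id id NGIKE@POC.LAB
set network tunnel ipsec NGIKE auto-key proxy-id NGIKE local 192.168.200.0/24
set network tunnel ipsec NGIKE auto-key proxy-id NGIKE remote 192.169.0.0/24"""
SWAN = """conn NG-PA-IKE2
    leftid=NGIKE@POC.LAB
    leftsubnet=192.169.0.1/24
    rightid=HUB@POC.LAB
    rightsubnet=192.168.200.0/24
    ike=aes256-sha2_512;dh20
    phase2alg=aes256-sha2_512;dh20"""

def parse_panos(text):
    """'set a b c VALUE' -> {'a b c': 'VALUE'}; values are later found by key tail."""
    rows = (ln.split() for ln in text.splitlines())
    return {" ".join(p[1:-1]): p[-1] for p in rows if len(p) > 2 and p[0] == "set"}

def parse_swan(text):  # key=value lines of one Libreswan conn section -> dict
    return dict(re.findall(r"^\s*([\w-]+)=(\S+)", text, re.M))

def pan_get(pan, tail):  # value of the single set command whose key path ends with `tail`
    return next(v for k, v in pan.items() if k.endswith(tail))

def proposal(pan, profile, enc, auth):
    """Libreswan 'enc-auth;dh' string implied by a PAN-OS crypto profile."""
    pick = lambda t: PAN_TO_SWAN[pan_get(pan, f"{profile} {t}")]
    return f"{pick(enc)}-{pick(auth)};{pick('dh-group')}"

def mismatches(pan, swan):
    """One string per setting that differs between the peers; empty means they agree."""
    net = lambda s: ipaddress.ip_network(s, strict=False)  # host bit in 192.169.0.1/24 is not a TS mismatch
    checks = {
        "ike": (swan["ike"], proposal(pan, "NG-IKE", "encryption", "hash")),
        "esp": (swan["phase2alg"], proposal(pan, "NG-IPSec", "esp encryption", "esp authentication")),
        "left id": (swan["leftid"], pan_get(pan, "peer-id id")),  # our leftid is the PaloAlto's peer-id
        "right id": (swan["rightid"], pan_get(pan, "local-id id")),
        "left subnet": (net(swan["leftsubnet"]), net(pan_get(pan, "proxy-id NGIKE remote"))),
        "right subnet": (net(swan["rightsubnet"]), net(pan_get(pan, "proxy-id NGIKE local"))),
    }
    return [f"{k}: nodegrid={a} paloalto={b}" for k, (a, b) in checks.items() if a != b]
```

Running mismatches(parse_panos(PANOS), parse_swan(SWAN)) on the values above returns an empty list; change one side's DH group or proxy-id and the offending setting is named with both peers' values.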




