IPsec tunnel Nodegrid to PaloAlto with IKEv2 only
Setup Overview
This document outlines how a Nodegrid system can establish an IPSec tunnel to a PaloAlto firewall in tunnel mode. This guide was verified with PaloAlto version 8.0 and Nodegrid version 4.1.6. The guide uses a set of sample IP addresses which need to be replaced with the actual IP addresses of the deployment.
The aim of this guide is to establish an IPSec tunnel using IKEv2 only. The Nodegrid will receive a dynamic WAN IP address. The following list contains the values which have been used and which should be adjusted as needed. The IKE settings have been selected so that both sides support them; they can be changed, but care should be taken that both units support each individual setting.
PaloAlto
Validated on: PaloAlto version 8.0
WAN IP: 192.168.2.241
PaloAlto Router IP: 192.168.200.1/24
PaloAlto Internal Subnet: 192.168.200.0/24
Identifier: FQDN (email): HUB@POC.LAB
Nodegrid
Validated on: Nodegrid version 4.1.6
WAN IP: Dynamic
LAN IP: 192.169.0.1/24
Internal Subnet: 192.169.0.0/24
Identifier: FQDN (email): NGIKE@POC.LAB
PaloAlto configuration
Create Crypto Profiles
On the PaloAlto, existing profiles can be used, but for visibility we recommend creating new profiles. The profile names can be changed as needed. Two profiles need to be created:
- IKE Crypto in Network -> Network Profiles -> IKE Crypto
- IPSec Crypto in Network -> Network Profiles -> IPSec Crypto
IKE Crypto Profile
set network ike crypto-profiles ike-crypto-profiles NG-IKE hash sha512
set network ike crypto-profiles ike-crypto-profiles NG-IKE dh-group group20
set network ike crypto-profiles ike-crypto-profiles NG-IKE encryption aes-256-cbc
set network ike crypto-profiles ike-crypto-profiles NG-IKE lifetime hours 8
IPSec Crypto Profile
set network ike crypto-profiles ipsec-crypto-profiles NG-IPSec esp authentication sha512
set network ike crypto-profiles ipsec-crypto-profiles NG-IPSec esp encryption aes-256-cbc
set network ike crypto-profiles ipsec-crypto-profiles NG-IPSec lifetime hours 1
set network ike crypto-profiles ipsec-crypto-profiles NG-IPSec dh-group group20
Create Interfaces
On the Palo Alto, multiple interfaces need to be created, and they need to be created in the following order:
- Tunnel Interface in Network -> Interfaces -> Tunnel
- IKE Gateway in Network -> Network Profiles -> IKE Gateway
- IPSec Tunnel in Network -> IPSec Tunnel
Tunnel Interface
set network interface tunnel units tunnel.3 ip 192.169.0.1/24
set network interface tunnel units tunnel.3 interface-management-profile PING
IKE Gateways
set network ike gateway ZPE-IKE authentication pre-shared-key key -AQ==q53f7nsC....==
set network ike gateway ZPE-IKE protocol ikev1 dpd enable yes
set network ike gateway ZPE-IKE protocol ikev2 dpd enable yes
set network ike gateway ZPE-IKE protocol ikev2 ike-crypto-profile NG-IKE
set network ike gateway ZPE-IKE protocol version ikev2
set network ike gateway ZPE-IKE local-address ip 192.168.10.241/24
set network ike gateway ZPE-IKE local-address interface ethernet1/1
set network ike gateway ZPE-IKE protocol-common nat-traversal enable yes
set network ike gateway ZPE-IKE protocol-common fragmentation enable no
set network ike gateway ZPE-IKE protocol-common passive-mode yes
set network ike gateway ZPE-IKE peer-address dynamic
set network ike gateway ZPE-IKE local-id id HUB@POC.LAB
set network ike gateway ZPE-IKE local-id type ufqdn
set network ike gateway ZPE-IKE peer-id id NGIKE@POC.LAB
set network ike gateway ZPE-IKE peer-id type ufqdn
IPSec Tunnels
set network tunnel ipsec NGIKE auto-key ike-gateway ZPE-IKE
set network tunnel ipsec NGIKE auto-key ipsec-crypto-profile NG-IPSec
set network tunnel ipsec NGIKE auto-key proxy-id NGIKE protocol any
set network tunnel ipsec NGIKE auto-key proxy-id NGIKE local 192.168.200.0/24
set network tunnel ipsec NGIKE auto-key proxy-id NGIKE remote 192.169.0.0/24
set network tunnel ipsec NGIKE tunnel-monitor enable no
set network tunnel ipsec NGIKE tunnel-interface tunnel.3
Nodegrid Setup
On the Nodegrid the IPSec tunnel is set up as normal. Below is an example ipsec connection configuration file, located in /etc/ipsec/ipsec.d/.
The example will start the tunnel automatically when the service is started, and it will create a network interface called vti1 which is used for the IPSec tunnel.
IPSec connection file
# Libreswan conn section: parameters of a conn must be indented.
conn NG-PA-IKE2
    auto=start
    authby=secret
    # "left" is the Nodegrid (dynamic WAN address), "right" is the PaloAlto
    leftid=NGIKE@POC.LAB
    left=%defaultroute
    leftsourceip=192.169.0.1
    # traffic selector must be the network address; it has to match the PaloAlto proxy-id "remote"
    leftsubnet=192.169.0.0/24
    rightid=HUB@POC.LAB
    right=192.168.10.241
    rightsourceip=192.168.200.1
    rightsubnet=192.168.200.0/24
    # packet mark and VTI interface used for the route-based tunnel
    mark=6/0xffffffff
    vti-interface=vti1
    vti-routing=yes
    type=tunnel
    mtu=1400
    initial_contact=no
    keyingtries=%forever
    keyexchange=ike
    nat_keepalive=yes
    aggressive=no
    # IKE proposal must match the PaloAlto IKE Crypto profile NG-IKE (aes-256-cbc / sha512 / group20, 8 hours)
    ike=aes256-sha2_512;dh20
    ikelifetime=480m
    fragmentation=yes
    dpdaction=hold
    dpdtimeout=5
    dpddelay=1
    pfs=yes
    ikev2=insist
    # ESP proposal must match the PaloAlto IPSec Crypto profile NG-IPSec
    phase2=esp
    phase2alg=aes256-sha2_512;dh20
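Most failures with this kind of setup come from the two sides disagreeing on the IKE proposal (PAN-OS and Libreswan spell the algorithms differently) or on the traffic selectors. The following added check is not part of this guide or of either vendor's tooling: it parses constructed excerpts of the PaloAlto set commands and the Nodegrid conn section above and reports where they would disagree, including a selector written with host bits set. The algorithm-name map PAN_TO_SWAN and the sample excerpts are assumptions restricted to the values used in this guide.

```python
import ipaddress

# Constructed excerpts of both sides; leftsubnet deliberately carries host bits.
PAN_SET_CMDS = """
set network ike crypto-profiles ike-crypto-profiles NG-IKE hash sha512
set network ike crypto-profiles ike-crypto-profiles NG-IKE dh-group group20
set network ike crypto-profiles ike-crypto-profiles NG-IKE encryption aes-256-cbc
set network tunnel ipsec NGIKE auto-key proxy-id NGIKE local 192.168.200.0/24
set network tunnel ipsec NGIKE auto-key proxy-id NGIKE remote 192.169.0.0/24
"""
NODEGRID_CONN = """
conn NG-PA-IKE2
    leftsubnet=192.169.0.1/24
    rightsubnet=192.168.200.0/24
    ike=aes256-sha2_512;dh20
    phase2alg=aes256-sha2_512;dh20
"""
# PAN-OS to Libreswan algorithm names (assumption: covers only this guide's values).
PAN_TO_SWAN = {"aes-256-cbc": "aes256", "sha512": "sha2_512", "group20": "dh20"}
def net(cidr): return str(ipaddress.ip_network(cidr, strict=False))  # 192.169.0.1/24 -> 192.169.0.0/24

def parse_pan(text):
    """Pick the settings that must agree with the peer out of PAN-OS 'set' lines."""
    out = {}
    for t in (line.split() for line in text.splitlines() if line.strip()):
        if "ike-crypto-profiles" in t:
            out[t[-2]] = t[-1]             # hash / dh-group / encryption
        elif "proxy-id" in t:
            out["proxy_" + t[-2]] = t[-1]  # local / remote traffic selector
    return out

def parse_swan(text):
    """Read the key=value lines of a Libreswan conn section."""
    return dict(line.strip().split("=", 1) for line in text.splitlines() if "=" in line)

def check(pan_text, swan_text):
    """Return mismatches between the two sides; an empty list means consistent."""
    pan, swan, problems = parse_pan(pan_text), parse_swan(swan_text), []
    enc, hsh, dh = (PAN_TO_SWAN[pan[k]] for k in ("encryption", "hash", "dh-group"))
    if swan["ike"] != f"{enc}-{hsh};{dh}":
        problems.append(f"ike: PAN-OS offers {enc}-{hsh};{dh}, Nodegrid has {swan['ike']}")
    for sk, p, s in (("rightsubnet", pan["proxy_local"], swan["rightsubnet"]),
                     ("leftsubnet", pan["proxy_remote"], swan["leftsubnet"])):
        if net(p) != net(s):
            problems.append(f"{sk}: selector {s} does not match proxy-id {p}")
        elif p != s:
            problems.append(f"{sk}: {s} has host bits set, write it as {net(s)}")
    return problems
```

Running check(PAN_SET_CMDS, NODEGRID_CONN) reports only the leftsubnet selector; a changed DH group on either side shows up as an ike mismatch.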