PAN9 EDU210 Lab 11
NETLAB Academy Edition, NETLAB Professional Edition, and NETLAB+ are registered trademarks of Network Development Group, Inc.
Palo Alto Networks and the Palo Alto Networks logo are trademarks or registered trademarks of Palo Alto Networks, Inc.
Lab 11: Site-to-Site VPN
Contents
Introduction ........................................................................................................................ 3
Objectives............................................................................................................................ 3
Lab Topology ....................................................................................................................... 4
Theoretical Lab Topology .................................................................................................... 4
Lab Settings ......................................................................................................................... 5
1 Site-to-Site VPN........................................................................................................... 6
1.0 Load Lab Configuration ........................................................................................ 6
1.1 Configure the Tunnel Interface ............................................................................ 8
1.2 Configure the IKE Gateway ................................................................................ 10
1.3 Create an IPSec Crypto Profile ........................................................................... 13
1.4 Configure the IPsec Tunnel ................................................................................ 14
1.5 Test Connectivity ................................................................................................ 17
Introduction
With the success of the Palo Alto Networks firewall at the corporate offices, the Board has approved the security team to deploy Palo Alto Networks firewalls in our other locations and offices. To allow those branches to communicate securely with the corporate offices, we will implement site-to-site IPsec VPN tunnels and the policies that govern them.
Objectives
• Create and configure a tunnel interface to use in the site-to-site VPN connection
• Configure the IKE gateway and IKE Crypto Profile
• Configure the IPSec Crypto Profile and IPsec tunnel
• Test connectivity
Lab Topology
Lab Settings
The information in the table below will be needed in order to complete the lab. The
task sections below provide details on the use of this information.
1 Site-to-Site VPN
1. Launch the Client virtual machine to access the graphical login screen.
To launch the console window for a virtual machine, you may access it either by clicking on the machine's graphic image from the topology page or by clicking on the machine's respective tab from the navigation bar.
2. Click within the splash screen to bring up the login screen. Log in as lab-user using
the password Pal0Alt0.
Parameter        Value
Name             admin
Password         admin
8. Click the drop-down list next to the Name text box and select edu-210-lab-011. Click OK.
9. Click Close.
10. Click the Commit link at the top-right of the web interface.
11. Click Commit and wait until the commit process is complete.
13. Leave the firewall web interface open to continue with the next task.
Parameter        Value
Interface Name   Type 12
Comment          Type Tunnel to DMZ
Virtual Router   Select lab-vr from the drop-down list
Security Zone    Create and assign a new Layer 3 zone named VPN
4. In the Tunnel Interface window, click the IPv4 tab and configure the following.
Parameter        Value
IP               Click Add and type 172.16.2.10/24
5. In the Tunnel Interface window, click the Advanced tab and configure the following. Once finished, click OK.
Parameter            Value
Management Profile   Select ping from the drop-down list
6. Leave the firewall web interface open to continue with the next task.
1. In the web interface, navigate to Network > Network Profiles > IKE Gateways.
Parameter             Value
Name                  Type dmz-ike-gateway
Version               Verify that IKEv1 only mode is selected
Interface             Select ethernet1/3 from the drop-down list
Local IP Address      Select 192.168.50.1/24 from the drop-down list
Peer IP Address Type  Verify that the IP radio button is selected
Peer Address          Type 192.168.50.10
Pre-shared Key        Type paloalto
4. In the IKE Gateway window, click the Advanced Options tab. On the IKEv1 subtab, configure the following.
Parameter            Value
IKE Crypto Profile   Select New IKE Crypto Profile
5. Notice that the IKE Crypto Profile window appears. Configure the following. Once finished, click OK.
Parameter        Value
Name             Type AES256-DH2-SHA2
DH Group         Click Add and select Group 2 from the drop-down list
Authentication   Click Add and select sha256 from the drop-down list
Encryption       Click Add and select aes-256-cbc from the drop-down list
1. In the web interface, navigate to Network > Network Profiles > IPSec Crypto.
3. In the IPSec Crypto Profile window, configure the following. Once finished, click OK.
Parameter        Value
Name             Type AES256-SHA256
IPSec Protocol   Verify that ESP is selected
Encryption       Click Add and select aes-256-cbc from the drop-down list
Authentication   Click Add and select sha256 from the drop-down list
DH Groups        Verify that group2 is selected
4. Leave the firewall web interface open to continue with the next task.
3. In the IPSec Tunnel window, while on the General tab, configure the following.
Parameter               Value
Name                    Type dmz-tunnel
Tunnel Interface        Select tunnel.12 from the drop-down list
Type                    Verify that the Auto Key radio button is selected
Address Type            Verify that the IPv4 radio button is selected
IKE Gateway             Select dmz-ike-gateway from the drop-down list
IPSec Crypto Profile    Select AES256-SHA256 from the drop-down list
Show Advanced Options   Select the checkbox
Tunnel Monitor          Select the checkbox
Destination IP          Type 172.16.2.11
Profile                 Verify that None is selected
4. In the IPSec Tunnel window, click the Proxy IDs tab and then click Add.
5. In the Proxy ID window, configure the following. Once finished, click OK.
Parameter   Value
Proxy ID    Type dmz-tunnel-network
Local       Type 172.16.2.0/24
Remote      Type 172.16.2.0/24
Protocol    Verify that Any is selected
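Tasks 1.2 through 1.4 each configure one half of a negotiation: the tunnel only comes up if the remote peer's IKE crypto profile, IPsec crypto profile and proxy IDs agree with the values entered here, and a mismatch in any one of them is the usual reason the Status indicator stays red. The Python script below is an added example, not part of this lab guide or of PAN-OS. It models both peers using the lab's values for the firewall side; the DMZ peer's side is assumed to mirror them, since the guide does not show that device's configuration. It reports every attribute that cannot be negotiated and also flags algorithms a reviewer would consider weak today, which includes the lab's DH Group 2 (1024-bit MODP). The WEAK set and the MISMATCHED_PEER values are constructed for illustration.

```python
"""Check whether two IPsec peers' Phase 1 / Phase 2 settings can negotiate.

Added example, not from the lab guide or PAN-OS. Firewall-side values are
taken from the lab; the DMZ peer is an assumed mirror image.
"""
from dataclasses import dataclass
from ipaddress import ip_network

# Algorithms flagged as weak (assumption: a local review policy, not a
# PAN-OS setting). group2 is 1024-bit MODP, sha1/md5 are deprecated hashes.
WEAK = {"group1", "group2", "md5", "sha1", "3des", "des"}


@dataclass(frozen=True)
class Proposal:
    """Algorithm sets offered for one phase (IKE or IPSec)."""
    encryption: frozenset
    authentication: frozenset
    dh_groups: frozenset


@dataclass(frozen=True)
class ProxyId:
    local: str
    remote: str
    protocol: str = "any"


@dataclass
class PeerConfig:
    name: str
    local_ip: str
    peer_ip: str
    psk: str
    ike: Proposal
    ipsec: Proposal
    proxy_ids: tuple


def common(a: Proposal, b: Proposal) -> dict:
    """Intersection of two proposals, attribute by attribute."""
    return {
        "encryption": a.encryption & b.encryption,
        "authentication": a.authentication & b.authentication,
        "dh_groups": a.dh_groups & b.dh_groups,
    }


def proxy_ids_match(a: ProxyId, b: ProxyId) -> bool:
    """IKEv1 proxy IDs must match exactly: our local is the peer's remote
    and vice versa. Overlapping but unequal networks do not negotiate."""
    return (ip_network(a.local) == ip_network(b.remote)
            and ip_network(a.remote) == ip_network(b.local)
            and a.protocol == b.protocol)


def check_peers(fw: PeerConfig, peer: PeerConfig) -> list:
    """Return findings as strings; an empty list means nothing blocks the tunnel."""
    findings = []
    if fw.peer_ip != peer.local_ip or peer.peer_ip != fw.local_ip:
        findings.append("peer addresses do not point at each other")
    if fw.psk != peer.psk:
        findings.append("pre-shared keys differ")
    for phase, a, b in (("IKE", fw.ike, peer.ike), ("IPSec", fw.ipsec, peer.ipsec)):
        for attr, shared in common(a, b).items():
            if not shared:
                findings.append(f"{phase}: no common {attr}")
            weak = shared & WEAK
            if weak:
                findings.append(f"{phase}: weak {attr} negotiable: {sorted(weak)}")
    if not any(proxy_ids_match(x, y) for x in fw.proxy_ids for y in peer.proxy_ids):
        findings.append("no matching proxy ID pair")
    return findings


# Lab values from tasks 1.2 to 1.4 (AES256-DH2-SHA2 and AES256-SHA256 profiles).
LAB_IKE = Proposal(frozenset({"aes-256-cbc"}), frozenset({"sha256"}), frozenset({"group2"}))
LAB_IPSEC = Proposal(frozenset({"aes-256-cbc"}), frozenset({"sha256"}), frozenset({"group2"}))
LAB_PROXY = (ProxyId("172.16.2.0/24", "172.16.2.0/24"),)

FIREWALL = PeerConfig("lab-firewall", "192.168.50.1", "192.168.50.10", "paloalto",
                      LAB_IKE, LAB_IPSEC, LAB_PROXY)
# Assumed mirror image of the lab values; the guide does not show this device.
DMZ_PEER = PeerConfig("dmz-peer", "192.168.50.10", "192.168.50.1", "paloalto",
                      LAB_IKE, LAB_IPSEC, LAB_PROXY)
# Constructed misconfiguration: SHA-1 only for IKE and a different remote proxy ID.
MISMATCHED_PEER = PeerConfig(
    "dmz-peer-bad", "192.168.50.10", "192.168.50.1", "paloalto",
    Proposal(frozenset({"aes-256-cbc"}), frozenset({"sha1"}), frozenset({"group2"})),
    LAB_IPSEC, (ProxyId("172.16.2.0/24", "172.16.3.0/24"),))


def lab_findings() -> list:
    return check_peers(FIREWALL, DMZ_PEER)


def mismatch_findings() -> list:
    return check_peers(FIREWALL, MISMATCHED_PEER)


if __name__ == "__main__":
    for label, result in (("lab", lab_findings()), ("mismatch", mismatch_findings())):
        print(label, result or "OK")
```

Against the lab's own values the only findings are the two weak-DH-group warnings, so the tunnel can negotiate; against the constructed bad peer the script reports the missing common IKE authentication algorithm and the proxy ID mismatch, the two conditions that would leave the Status column red after a commit.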
1. After committing the changes, refresh the IPSec Tunnels page. The Status column indicator should now be green, which means that the VPN tunnel is connected.
7. After the VPN tunnel is connected, type the following CLI commands and observe the output.