Configuring IPSec Site-to-Site VPN on Palo Alto Networks Equipment


This article continues our previous material dedicated to the features of configuring Palo Alto Networks equipment. Here we want to talk about configuring an IPSec Site-to-Site VPN on Palo Alto Networks equipment and about a possible configuration option for connecting to several Internet providers.

For the demonstration, a standard scheme connecting a head office to a branch is used. To provide a fault-tolerant Internet connection, the head office is connected to two providers simultaneously: ISP-1 and ISP-2. The branch is connected to only one provider, ISP-3. Two tunnels are built between the firewalls PA-1 and PA-2. The tunnels operate in Active/Standby mode: Tunnel-1 is up, and Tunnel-2 will start forwarding traffic when Tunnel-1 fails. Tunnel-1 uses the connection to ISP-1, Tunnel-2 uses the connection to ISP-2. All IP addresses are randomly generated for demonstration purposes and are not related to reality.


To build the Site-to-Site VPN, IPSec is used: a set of protocols for protecting data transmitted over the IP protocol. IPSec will operate with the ESP (Encapsulating Security Payload) security protocol, which provides encryption of the transmitted data.

IPSec includes IKE (Internet Key Exchange), the protocol responsible for negotiating SAs (security associations), the security parameters used to protect the transmitted data. PAN firewalls support IKEv1 and IKEv2.

In IKEv1 the VPN connection is built in two stages: IKEv1 Phase 1 (the IKE tunnel) and IKEv1 Phase 2 (the IPSec tunnel). Thus two tunnels are created: one serves to exchange service information between the firewalls, the second to carry traffic. IKEv1 Phase 1 has two modes of operation, main mode and aggressive mode. Aggressive mode uses fewer messages and is faster, but does not support Peer Identity Protection.

IKEv2 replaced IKEv1; compared to IKEv1, its main advantages are lower bandwidth requirements and faster SA negotiation. IKEv2 uses fewer overhead messages (4 in total), supports the EAP and MOBIKE protocols, and adds a mechanism for checking the availability of the peer with which the tunnel is built, the liveness check, which replaces Dead Peer Detection in IKEv1. If the check fails, IKEv2 can tear down the tunnel and then automatically restore it at the first opportunity. You can read more about the differences here.

If the tunnel is built between firewalls from different manufacturers, there may be bugs in the IKEv2 implementation, and for compatibility with such equipment IKEv1 can be used. In all other cases it is better to use IKEv2.

Setup steps:

• Setting up two ISPs in Active/Standby mode

There are several ways to implement this feature. One of them is to use the Path Monitoring mechanism, which became available starting from PAN-OS 8.0.0. This example uses version 8.0.16. The feature is similar to IP SLA on Cisco routers. The static default route is configured to send ping packets to a specific IP address from a specific source address. In this case, the ethernet1/1 interface pings the default gateway once per second. If there is no response to three pings in a row, the route is considered dead and is removed from the routing table. The same route is configured towards the second Internet provider, but with a larger metric (it is the backup). Once the first route is removed from the table, the firewall starts sending traffic along the second route: Fail Over. When the first provider starts responding to pings again, its route returns to the table and replaces the second one thanks to its better metric: Fail Back. The Fail Over process takes a few seconds depending on the configured intervals, but in any case it is not instantaneous, and traffic is lost during this time. Fail Back passes without loss of traffic. It is possible to make Fail Over faster with BFD, if your ISP supports it. BFD is supported starting from the PA-3000 Series and VM-100. As the ping address, it is better to specify not the provider's gateway but a public, always-available Internet address.


• Creating a tunnel interface

Traffic inside the tunnel is transmitted through special virtual interfaces. Each of them must be configured with an IP address from the transit network. In this example, Tunnel-1 uses subnet 172.16.1.0/30 and Tunnel-2 uses subnet 172.16.2.0/30.
The tunnel interface is created in Network -> Interfaces -> Tunnel. You must specify the virtual router and security zone, as well as an IP address from the corresponding transit network. The interface number can be anything.


In the Advanced section you can specify a Management Profile that allows ping to this interface; this can be useful for testing.


• Configuring the IKE Profile

The IKE Profile is responsible for the first stage of creating the VPN connection; the IKE Phase 1 tunnel parameters are specified here. The profile is created in Network -> Network Profiles -> IKE Crypto. You must specify the encryption algorithm, the hashing algorithm, the Diffie-Hellman group and the key lifetime. In general, the more complex the algorithms, the worse the performance; they should be chosen based on specific security requirements. However, using a Diffie-Hellman group below 14 to protect sensitive information is strongly discouraged. This is due to a protocol vulnerability that can only be mitigated by using a modulus size of 2048 bits or higher, or the elliptic-curve cryptography algorithms used in groups 19, 20, 21 and 24. These algorithms have better performance than traditional cryptography. Read more here and here.


• Configuring the IPSec Profile

The second step in creating the VPN connection is the IPSec tunnel. Its SA parameters are configured in Network -> Network Profiles -> IPSec Crypto Profile. Here you need to specify the IPSec protocol, AH or ESP, as well as the SA parameters: hashing algorithms, encryption, Diffie-Hellman groups and key lifetime. The SA settings in the IKE Crypto Profile and the IPSec Crypto Profile do not have to match.
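As an added example that is not from the article or from Palo Alto Networks, the following Python helper checks an IKE Crypto Profile and an IPSec Crypto Profile against the points made in these two sections: MODP Diffie-Hellman groups below group 14 are rejected while the elliptic-curve groups pass, deprecated hashes and ciphers are flagged, AH is flagged when the payload needs encryption, IKEv1 aggressive mode is flagged for its lack of identity protection, and the two profiles are cross-checked so that the IPSec SA lifetime does not exceed the IKE SA lifetime. The profile dictionaries, the check_profile and check_pair names, the weak-algorithm sets and the lifetime rule are assumptions made for the example; the group sizes are taken from the RFCs that define them.

```python
"""Sanity-check IKE and IPSec crypto profile settings before committing them.

Added example, not code from the article or from Palo Alto Networks. The
profile dictionaries, the policy thresholds and the check_* helpers are
assumptions made for illustration; the Diffie-Hellman group table is taken
from RFC 3526, RFC 5114 and RFC 5903.
"""

# DH group number -> (description, security-relevant size in bits, elliptic-curve?)
DH_GROUPS = {
    1: ("768-bit MODP", 768, False),
    2: ("1024-bit MODP", 1024, False),
    5: ("1536-bit MODP", 1536, False),
    14: ("2048-bit MODP", 2048, False),
    15: ("3072-bit MODP", 3072, False),
    16: ("4096-bit MODP", 4096, False),
    19: ("256-bit random ECP", 256, True),
    20: ("384-bit random ECP", 384, True),
    21: ("521-bit random ECP", 521, True),
    24: ("2048-bit MODP, 256-bit prime-order subgroup", 2048, False),
}

MIN_MODP_BITS = 2048            # the article's rule: no MODP group below group 14
WEAK_HASHES = {"md5", "sha1"}   # policy assumption for this example
WEAK_CIPHERS = {"des", "3des", "null"}


def check_profile(profile):
    """Return a list of findings for one profile; an empty list means it passes.

    `profile` is a constructed dict:
      kind             "ike" or "ipsec"
      protocol         ipsec only: "esp" or "ah"
      encryption, hash lists of algorithm names
      dh_groups        list of DH group numbers (PFS groups for ipsec)
      lifetime_seconds SA key lifetime
      ikev1_mode       ike only, optional: "main" or "aggressive"
    """
    findings = []
    for group in profile.get("dh_groups", []):
        if group not in DH_GROUPS:
            findings.append(f"unknown DH group {group}")
            continue
        desc, bits, is_ecc = DH_GROUPS[group]
        if not is_ecc and bits < MIN_MODP_BITS:
            findings.append(f"DH group {group} ({desc}) is below the 2048-bit MODP minimum")
    for name in profile.get("hash", []):
        if name.lower() in WEAK_HASHES:
            findings.append(f"hash {name} is deprecated")
    for name in profile.get("encryption", []):
        if name.lower() in WEAK_CIPHERS:
            findings.append(f"cipher {name} is deprecated")
    if profile["kind"] == "ike" and profile.get("ikev1_mode") == "aggressive":
        findings.append("IKEv1 aggressive mode does not protect peer identities")
    if profile["kind"] == "ipsec":
        if profile.get("protocol", "esp").lower() == "ah":
            findings.append("AH authenticates only; use ESP when the payload must be encrypted")
        if not profile.get("dh_groups"):
            findings.append("no PFS group: IPSec keys derive from the IKE SA keying material alone")
    return findings


def check_pair(ike_profile, ipsec_profile):
    """Check both profiles and cross-check their lifetimes.

    The two profiles need not use the same algorithms. Keeping the IPSec SA
    lifetime at or below the IKE SA lifetime is a common recommendation,
    assumed here as policy, so that data-plane keys are refreshed at least as
    often as the IKE keys.
    """
    findings = check_profile(ike_profile) + check_profile(ipsec_profile)
    if ipsec_profile["lifetime_seconds"] > ike_profile["lifetime_seconds"]:
        findings.append("IPSec SA lifetime exceeds IKE SA lifetime")
    return findings


# Constructed sample profiles (not the article's values)
IKE_OK = {"kind": "ike", "encryption": ["aes-256-cbc"], "hash": ["sha256"],
          "dh_groups": [14, 19], "lifetime_seconds": 8 * 3600}
IPSEC_OK = {"kind": "ipsec", "protocol": "esp", "encryption": ["aes-256-cbc"],
            "hash": ["sha256"], "dh_groups": [20], "lifetime_seconds": 3600}
IKE_WEAK = {"kind": "ike", "encryption": ["3des"], "hash": ["sha1"],
            "dh_groups": [2], "lifetime_seconds": 8 * 3600, "ikev1_mode": "aggressive"}

if __name__ == "__main__":
    for label, result in [("good pair", check_pair(IKE_OK, IPSEC_OK)),
                          ("weak IKE profile", check_profile(IKE_WEAK))]:
        print(label, "->", result or "OK")
```

The checker is deliberately lenient about what it does not know: an unfamiliar group number is reported rather than silently accepted, and the hash and cipher sets are meant to be adjusted to your own policy rather than taken as a standard.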


• Configuring the IKE Gateway

An IKE Gateway is an object representing the router or firewall with which the VPN tunnel is built. A separate IKE Gateway must be created for each tunnel. In this case two tunnels are created, one through each ISP. The corresponding outgoing interface and its IP address, the peer's IP address, and the pre-shared key are specified. As an alternative to a pre-shared key, you can use certificates.


The previously created IKE Crypto Profile is specified here. The parameters of the second IKE Gateway object are the same except for the IP addresses. If the Palo Alto Networks firewall is located behind a NAT router, you need to enable the NAT Traversal mechanism.


• Setting up the IPSec Tunnel

The IPSec Tunnel is an object that, as the name suggests, specifies the IPSec parameters of the tunnel. Here you need to specify the tunnel interface and the previously created IKE Gateway and IPSec Crypto Profile objects. To ensure automatic switching of routing to the backup tunnel, you need to enable Tunnel Monitor. This mechanism checks whether the peer is alive using ICMP traffic. As the destination address, you need to specify the IP address of the tunnel interface of the peer with which the tunnel is built. The profile specifies the timers and the action on loss of connection: Wait Recover waits until the connection is restored, Fail Over sends traffic along a different route, if there is one. Setting up the second tunnel is completely similar, specifying the second tunnel interface and IKE Gateway.


• Routing setup

This example uses static routing. On the PA-1 firewall, in addition to the two default routes, you need to specify two routes to the 10.10.10.0/24 subnet in the branch. One route uses Tunnel-1, the other uses Tunnel-2. The route through Tunnel-1 is the primary one because it has the lower metric. The Path Monitoring mechanism is not used for these routes; Tunnel Monitor is responsible for switching.
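The Path Monitoring behaviour from the Active/Standby ISP step and the Tunnel Monitor actions from the IPSec Tunnel step follow the same pattern: a periodic probe, a consecutive-loss threshold, and a decision about what happens to the route. The following Python simulation is an added example, not code from the article or from PAN-OS; the MonitoredRoute and RoutingTable classes, the route names and the probe histories are constructed for illustration, with the 1-second interval and the three-loss threshold taken from the article's Path Monitoring description. It shows the few seconds of loss during Fail Over, the lossless Fail Back once the primary answers again, and why Wait Recover keeps traffic on a dead tunnel while Fail Over moves it to the Tunnel-2 route.

```python
"""Simulate the two failover mechanisms used in the article: Path Monitoring on
the ISP default routes and Tunnel Monitor on the IPSec tunnel routes.

Added example, not code from the article or from PAN-OS. MonitoredRoute,
RoutingTable, the route names and the probe histories are constructed for
illustration; the 1-second probe interval and the three-loss threshold follow
the article's Path Monitoring description. One list element is one interval.
"""
from dataclasses import dataclass


@dataclass
class MonitoredRoute:
    name: str
    destination: str           # prefix the route covers, e.g. "0.0.0.0/0"
    via: str                   # egress interface, e.g. "ethernet1/1" or "tunnel.1"
    metric: int                # lower wins among installed routes to the same prefix
    action: str = "fail-over"  # "fail-over": withdraw the route; "wait-recover": keep it
    monitor_count: int = 3     # consecutive lost probes before the path is declared down
    failures: int = 0
    path_up: bool = True

    def probe(self, reply_received):
        """Feed one probe result. A single reply restores the path (Fail Back);
        monitor_count consecutive losses declare it down."""
        if reply_received:
            self.failures = 0
            self.path_up = True
        else:
            self.failures += 1
            if self.failures >= self.monitor_count:
                self.path_up = False

    @property
    def installed(self):
        # Fail Over removes a dead route from the table; Wait Recover leaves it there
        return self.path_up or self.action == "wait-recover"


class RoutingTable:
    def __init__(self, routes):
        self.routes = list(routes)

    def lookup(self, destination):
        """Best installed route for the prefix (lowest metric), or None."""
        candidates = [r for r in self.routes if r.destination == destination and r.installed]
        return min(candidates, key=lambda r: r.metric) if candidates else None

    def forward(self, destination, link_state):
        """Return ("delivered" | "lost", egress interface or None).

        link_state maps each egress interface to its real state this interval.
        Traffic follows the table, so a route whose link is really down (not yet
        detected, or kept installed by Wait Recover) black-holes the packet.
        """
        route = self.lookup(destination)
        if route is None:
            return ("lost", None)
        return ("delivered" if link_state.get(route.via, True) else "lost", route.via)


def run_scenario(primary, backup, primary_link_history, destination):
    """Drive the monitor on `primary` interval by interval; the backup link is
    assumed healthy throughout. Returns the per-interval forwarding outcome."""
    table = RoutingTable([primary, backup])
    timeline = []
    for link_ok in primary_link_history:
        primary.probe(link_ok)          # the probe sees the real link state
        timeline.append(table.forward(destination, {primary.via: link_ok, backup.via: True}))
    return timeline


def isp_failover_demo():
    """Two default routes with Path Monitoring: ISP-1 drops for four intervals."""
    isp1 = MonitoredRoute("Default-ISP1", "0.0.0.0/0", "ethernet1/1", metric=10)
    isp2 = MonitoredRoute("Default-ISP2", "0.0.0.0/0", "ethernet1/2", metric=20)
    return run_scenario(isp1, isp2, [True, False, False, False, False, True, True], "0.0.0.0/0")


def tunnel_monitor_demo(action):
    """Two routes to the branch subnet; Tunnel-1 stays down, compare the two actions."""
    t1 = MonitoredRoute("Branch-via-Tunnel-1", "10.10.10.0/24", "tunnel.1", metric=10, action=action)
    t2 = MonitoredRoute("Branch-via-Tunnel-2", "10.10.10.0/24", "tunnel.2", metric=20)
    return run_scenario(t1, t2, [True, False, False, False, False], "10.10.10.0/24")


if __name__ == "__main__":
    print("ISP Path Monitoring:", isp_failover_demo())
    print("Tunnel Monitor, fail-over:", tunnel_monitor_demo("fail-over"))
    print("Tunnel Monitor, wait-recover:", tunnel_monitor_demo("wait-recover"))
```

In the ISP scenario the two intervals between the first lost probe and the third are exactly the loss window the article describes; a smaller count or interval (or BFD) shortens it at the cost of more false positives on a lossy link. The tunnel scenario makes the Wait Recover choice explicit: it is only appropriate when there is no alternative route worth switching to.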


The same routes for the 192.168.30.0/24 subnet must be configured on PA-2.


• Setting up network rules

Three rules are required for the tunnel to work:

  1. For Path Monitor to work, allow ICMP on the external interfaces.
  2. For IPSec, allow the ike and ipsec applications on the external interfaces.
  3. Allow traffic between the internal subnets and the tunnel interfaces.


Conclusion

This article discussed an option for setting up a fault-tolerant Internet connection and a Site-to-Site VPN. We hope the information was useful and that the reader got an idea of the technologies used in Palo Alto Networks. If you have questions about the setup or wishes for the topics of future articles, write them in the comments; we will be happy to answer.

Source: habr.com
