Paloalto


Available in Classic.

This section describes how to configure the resources on a customer VPN gateway so that it can establish an IPsec VPN tunnel. If your VPN gateway equipment is from Palo Alto Networks, refer to the following.

Note

In this guide, the local network is the customer network and the remote network is the NAVER Cloud Platform private subnet. The peer IP is the public IP of the NAVER Cloud Platform VPN gateway.

Interface IP setting

The following describes how to set the interface IP addresses, assign the interfaces to zones, create the tunnel interface and its zone, and add a security policy for the tunnel zone.

  • IP interface setting

    set network interface ethernet ethernet1/1 layer3 ip <public IP/prefix>
    set network interface ethernet ethernet1/2 layer3 ip <internal private IP/prefix>
    
  • Zone assignment for the interfaces

    • trust zone
      set zone trust network layer3 ethernet1/2
      
    • untrust zone
      set zone untrust network layer3 ethernet1/1
      
  • Tunnel interface setting

    set network interface tunnel units tunnel.1
    
  • Create zone

    set zone <zone name> network layer3 tunnel.1
    
  • Zone policy setting

    set rulebase security rules <policy name> from <zone name>
    set rulebase security rules <policy name> to trust
    set rulebase security rules <policy name> source any
    set rulebase security rules <policy name> destination any
    set rulebase security rules <policy name> service any
    set rulebase security rules <policy name> application any
    set rulebase security rules <policy name> action allow
    set rulebase security rules <policy name> log-end yes
    
Note

When editing the policy, enter the move rulebase security rules <policy name> top command so that the rule is evaluated before the other rules.

Routing setting

Configure the external (default) route, the internal route, and the route to the peer's private network through the tunnel, in that order.

  • Interface declaration for routing

    set network virtual-router default interface [ ethernet1/1 ethernet1/2 tunnel.1 ]
    
  • External routing setting

    set network virtual-router default routing-table ip static-route default nexthop ip-address <VPN gateway public IP>
    set network virtual-router default routing-table ip static-route default interface ethernet1/1
    set network virtual-router default routing-table ip static-route default metric 10
    set network virtual-router default routing-table ip static-route default destination 0.0.0.0/0
    set network virtual-router default routing-table ip static-route default route-table unicast
    
  • Internal routing setting

    set network virtual-router default routing-table ip static-route <local private IP name> metric 10
    set network virtual-router default routing-table ip static-route <local private IP name> destination <local network private IP destination>
    set network virtual-router default routing-table ip static-route <local private IP name> nexthop ip-address <remote network private IP>
    set network virtual-router default routing-table ip static-route <local private IP name> route-table unicast
    
  • Peer tunnel private routing (proxy-ID) setting

    set network virtual-router default routing-table ip static-route <IPsec name> interface tunnel.1
    set network virtual-router default routing-table ip static-route <IPsec name> metric 10
    set network virtual-router default routing-table ip static-route <IPsec name> destination <peer internal network range>
    set network virtual-router default routing-table ip static-route <IPsec name> route-table unicast
    

IKE setting

To set up IKE, configure both the IKEv1 settings (the IKE crypto profile and IKE gateway) and the IKEv2 settings (the IPsec crypto profile and IPsec tunnel) described below.

Note

The pre-shared key and the encryption and authentication algorithm settings must match those of the IPsec VPN gateway created in the NAVER Cloud Platform console.

IKEv1 configuration

The following describes how to configure IKEv1.

set network ike crypto-profiles ike-crypto-profiles <IKEv1 name> hash sha1
set network ike crypto-profiles ike-crypto-profiles <IKEv1 name> dh-group group2
set network ike crypto-profiles ike-crypto-profiles <IKEv1 name> encryption aes-128-cbc
set network ike crypto-profiles ike-crypto-profiles <IKEv1 name> lifetime seconds 28800

set network ike gateway <VPN gateway name> authentication pre-shared-key key <pre-shared key>
set network ike gateway <VPN gateway name> protocol ikev1 dpd enable yes
set network ike gateway <VPN gateway name> protocol ikev1 ike-crypto-profile <IKEv1 name>
set network ike gateway <VPN gateway name> protocol ikev2 dpd enable yes
set network ike gateway <VPN gateway name> protocol version ikev1
set network ike gateway <VPN gateway name> local-address ip <local public IP>
set network ike gateway <VPN gateway name> local-address interface ethernet1/1
set network ike gateway <VPN gateway name> protocol-common nat-traversal enable no
set network ike gateway <VPN gateway name> protocol-common fragmentation enable no
set network ike gateway <VPN gateway name> peer-address ip <Peer IP>

  • D-H Group: 2
  • Encryption algorithm: aes-128
  • Hash Algorithm: sha1
  • lifetime: 28800

IKEv2 configuration

The following describes how to configure IKEv2.

set network ike crypto-profiles ipsec-crypto-profiles <IKEv2 name> esp authentication sha1
set network ike crypto-profiles ipsec-crypto-profiles <IKEv2 name> esp encryption aes-128-cbc
set network ike crypto-profiles ipsec-crypto-profiles <IKEv2 name> lifetime seconds 3600
set network ike crypto-profiles ipsec-crypto-profiles <IKEv2 name> dh-group no-pfs

set network tunnel ipsec <VPN tunnel name> auto-key ike-gateway <VPN gateway name>
set network tunnel ipsec <VPN tunnel name> auto-key proxy-id <proxy-ID> protocol any
set network tunnel ipsec <VPN tunnel name> auto-key proxy-id <proxy-ID> local <local internal network range>
set network tunnel ipsec <VPN tunnel name> auto-key proxy-id <proxy-ID> remote <peer internal network range>
set network tunnel ipsec <VPN tunnel name> auto-key ipsec-crypto-profile <IKEv2 name>
set network tunnel ipsec <VPN tunnel name> tunnel-monitor enable no
set network tunnel ipsec <VPN tunnel name> tunnel-interface tunnel.1

  • Protocol: esp
  • Encryption algorithm: aes-128
  • Hash Algorithm: sha-1
  • lifetime: 3600
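The routing, proxy-ID, IKE and IPsec sections above share one set of placeholders, and the note above says the crypto parameters must match the gateway created in the NAVER Cloud Platform console. The following is an added example, not code from NAVER Cloud Platform or Palo Alto Networks: it fills the placeholders from one parameter set, checks the inputs that most often leave a tunnel down (a malformed CIDR, overlapping local and peer networks, a pre-shared key left at the sample value, and phase-1 or phase-2 parameters that differ from the NAVER Cloud Platform side), and only then renders the set-commands. All names and values in it (ncp-gw, the RFC 5737 addresses, the key) are constructed for the example; the optional DPD, NAT-traversal, fragmentation and tunnel-monitor lines are left out.

```python
"""
Added example (not NAVER Cloud Platform or Palo Alto Networks code): validate one
parameter set for the customer side of the tunnel and render the page's
routing, IKE gateway and IPsec tunnel set-commands from it.
"""
import ipaddress

# Constructed sample values for the placeholders used on the page (RFC 5737 addresses).
LOCAL = {
    "gateway_name": "ncp-gw",            # <VPN gateway name>
    "tunnel_name": "ncp-tun",            # <VPN tunnel name>
    "ipsec_name": "ncp-ipsec",           # <IPsec name>
    "proxy_id": "ncp-proxy",             # <proxy-ID>
    "ike_profile": "ncp-ike",            # <IKEv1 name>
    "ipsec_profile": "ncp-esp",          # <IKEv2 name>
    "local_public_ip": "198.51.100.10",  # <local public IP>
    "peer_ip": "203.0.113.20",           # <Peer IP>: NCP VPN gateway public IP
    "local_net": "192.168.10.0/24",      # <local internal network range>
    "peer_net": "10.0.1.0/24",           # <peer internal network range>: NCP private subnet
    "psk": "constructed-psk-value-0123456789",
    # phase-1 and phase-2 parameters exactly as listed on the page
    "ike": {"hash": "sha1", "dh-group": "group2",
            "encryption": "aes-128-cbc", "lifetime seconds": "28800"},
    "ipsec": {"esp authentication": "sha1", "esp encryption": "aes-128-cbc",
              "lifetime seconds": "3600", "dh-group": "no-pfs"},
}

# Parameters the gateway was created with in the NCP console (constructed to match).
NCP_SIDE = {"ike": dict(LOCAL["ike"]), "ipsec": dict(LOCAL["ipsec"])}

SAMPLE_KEYS = {"1234567890"}  # sample key seen in documentation; never commit it


def validate(params, ncp_side):
    """Return a list of problems; an empty list means the parameters are consistent."""
    problems = []
    try:
        local = ipaddress.ip_network(params["local_net"], strict=True)  # rejects host bits set
        peer = ipaddress.ip_network(params["peer_net"], strict=True)
        ipaddress.ip_address(params["local_public_ip"])
        ipaddress.ip_address(params["peer_ip"])
    except ValueError as exc:
        return [f"bad address: {exc}"]
    if local.overlaps(peer):
        problems.append("local and peer networks overlap; the tunnel.1 static route would be ambiguous")
    if params["local_public_ip"] == params["peer_ip"]:
        problems.append("local-address and peer-address are the same IP")
    if params["psk"] in SAMPLE_KEYS or len(params["psk"]) < 16:
        problems.append("pre-shared key is a sample value or shorter than 16 characters")
    for phase in ("ike", "ipsec"):  # both ends must use identical phase-1/phase-2 parameters
        for key, ncp_value in ncp_side[phase].items():
            ours = params[phase].get(key)
            if ours != ncp_value:
                problems.append(f"{phase} {key}: customer={ours!r} ncp={ncp_value!r}")
    return problems


def render(params):
    """Return the page's set-commands with the placeholders filled in."""
    p = params
    route = f"set network virtual-router default routing-table ip static-route {p['ipsec_name']}"
    ike = f"set network ike crypto-profiles ike-crypto-profiles {p['ike_profile']}"
    esp = f"set network ike crypto-profiles ipsec-crypto-profiles {p['ipsec_profile']}"
    gw = f"set network ike gateway {p['gateway_name']}"
    tun = f"set network tunnel ipsec {p['tunnel_name']}"
    cmds = [f"{route} interface tunnel.1", f"{route} metric 10",
            f"{route} destination {p['peer_net']}", f"{route} route-table unicast"]
    cmds += [f"{ike} {k} {v}" for k, v in p["ike"].items()]
    cmds += [f"{gw} authentication pre-shared-key key {p['psk']}",
             f"{gw} protocol ikev1 dpd enable yes",
             f"{gw} protocol ikev1 ike-crypto-profile {p['ike_profile']}",
             f"{gw} protocol version ikev1",
             f"{gw} local-address ip {p['local_public_ip']}",
             f"{gw} local-address interface ethernet1/1",
             f"{gw} peer-address ip {p['peer_ip']}"]
    cmds += [f"{esp} {k} {v}" for k, v in p["ipsec"].items()]
    cmds += [f"{tun} auto-key ike-gateway {p['gateway_name']}",
             f"{tun} auto-key proxy-id {p['proxy_id']} protocol any",
             f"{tun} auto-key proxy-id {p['proxy_id']} local {p['local_net']}",
             f"{tun} auto-key proxy-id {p['proxy_id']} remote {p['peer_net']}",
             f"{tun} auto-key ipsec-crypto-profile {p['ipsec_profile']}",
             f"{tun} tunnel-interface tunnel.1"]
    return cmds


def build(params, ncp_side):
    """Validate first; only a consistent parameter set is rendered."""
    problems = validate(params, ncp_side)
    if problems:
        raise ValueError("; ".join(problems))
    return render(params)


if __name__ == "__main__":
    print("\n".join(build(LOCAL, NCP_SIDE)))
```

Running the script prints the commands ready to paste into configure mode; a mismatch such as a different phase-2 lifetime on the two ends is reported before anything is rendered, which is cheaper than finding it in a failed test vpn ipsec-sa.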

Create tunnel

The following describes how to bring up the tunnel by initiating the phase-1 and phase-2 security associations.

  • Tunnel creation (phase-1)
    test vpn ike-sa gateway <VPN gateway name>
    
  • Tunnel creation (phase-2)
    test vpn ipsec-sa tunnel <VPN tunnel name>:<proxy-ID>
    

Check IKE tunnel

After completing all the steps above, check the IKE tunnel status with the following command.

show vpn flow name <IPsec name>:<proxy-ID>

Change settings

The following describes how to apply changes by entering configuration mode and committing:

  • Enter config mode

    hostname> configure
    Entering configuration mode
    [edit] 
    
  • Commit the configuration

    hostname# commit