Site-to-Site VPN Configuration Lab: Connecting Remote Sites With Secure IPSec VPN

This document is a comprehensive guide for setting up a Site-to-Site VPN using Palo Alto firewalls, detailing network topology, configuration of switches, routers, and firewalls, and testing VPN connectivity between two sites. It includes step-by-step instructions for configuring VLANs, interfaces, security policies, and NAT, as well as troubleshooting tips. The goal is to establish a secure IPSec VPN tunnel that allows communication between designated VLANs at both sites while maintaining network security and isolation.


1/31/2025

Site-to-Site VPN
Configuration Lab
Connecting Remote Sites with Secure
IPSec VPN

Jacob Hanningtone Orwa Oyim


Site To Site VPN Lab Using Palo Alto 1

Table of Contents
Introduction .................................................................................................................................2
Network Topology Overview ......................................................................................................2
Network Components Overview ............................................................................................2
Site-to-Site VPN Overview ............................................................................................................4
Network Setup .............................................................................................................................5
Switch Configuration ................................................................................................................5
Switch-A ...............................................................................................................................5
Switch-B ...............................................................................................................................6
Firewall Configuration ..............................................................................................................6
Site A Firewall Configuration..................................................................................................6
Site B Firewall Configuration ............................................................................................... 20
Router Configuration .............................................................................................................. 20
Assigning IP Addresses to Interfaces.................................................................................... 21
Configure Routing ............................................................................................................... 21
Configure NAT .................................................................................................................... 21
Verify Configuration ............................................................................................................ 22
Test connectivity ................................................................................................................. 22
IPSec Site-to-Site VPN Setup ...................................................................................................... 23
Firewall Configuration ............................................................................................................ 23
Set up A VPN Tunnel Interface ............................................................................................. 23
Configure Static Routes for VPN Tunnel ............................................................................... 25
Configure Cryptographic Profiles ......................................................................................... 28
Configure IKE Gateway ........................................................................................................ 29
Set up the IPSec Tunnel ....................................................................................................... 32
Create Security Policy Rules to Allow VPN Tunnel Traffic ...................................................... 34
Test Connectivity .................................................................................................................... 36
Troubleshooting IPSec Tunnel Connectivity ............................................................................. 37

Compiled by: Jacob Hanningtone Orwa Oyim.



Introduction
This lab will guide you through setting up the network infrastructure, configuring firewalls,
routers, and switches, and testing VPN connectivity between two sites. Refer to the topology
below:

Network Topology Overview


This Site-to-Site VPN lab topology consists of two remote sites (Site A and Site B) connected via
an ISP router (in this lab, simply a single Cisco router). Each site has its own Palo Alto firewall,
Layer 2 switch, and VLAN-segmented internal network. The goal of this topology is to establish a
secure IPSec VPN tunnel between the two sites while ensuring internal VLANs remain isolated and
are routed through their respective firewalls.

Network Components Overview


ISP Router (WAN Backbone)
The ISP Router acts as the Internet transit network between Site A and Site B. Each site connects to
the ISP router over a point-to-point /30 link; the router-side addresses are:

• Site A WAN link: 192.168.10.0/30, router side 192.168.10.2 (the firewall side is 192.168.10.1)

• Site B WAN link: 192.168.20.0/30, router side 192.168.20.2 (the firewall side is 192.168.20.1)

Palo Alto Firewalls (Site A & Site B)


Each site uses a Palo Alto firewall as its security gateway. The firewalls operate in a router-on-a-stick
(or "firewall-on-a-stick") configuration, where a single physical interface (ethernet1/2) carries
multiple VLANs via 802.1Q-tagged sub-interfaces.

Firewall(A) - Site A
WAN Interface (eth1/1): Connected to Gateway A (192.168.10.1/30).

LAN Interface (eth1/2): Acts as a trunk interface carrying VLAN traffic.


Sub-interfaces:

• eth1/2.10 → VLAN 10 (172.20.10.1/24 - Accounts)

• eth1/2.20 → VLAN 20 (172.20.20.1/24 - HR)

• eth1/2.30 → Reserved for additional segmentation (172.20.30.1/24 - MANAGEMENT).

Firewall(B) - Site B
WAN Interface (eth1/1): Connected to Gateway B (192.168.20.1/30).

LAN Interface (eth1/2): Acts as a trunk interface carrying VLAN traffic.

Sub-interfaces:

• eth1/2.10 → VLAN 10 (172.30.10.1/24 - Accounts)

• eth1/2.20 → VLAN 20 (172.30.20.1/24 - HR)

• eth1/2.30 → Reserved for additional segmentation (172.30.30.1/24 - MANAGEMENT).

Layer 2 Switches (Site A & Site B)


Each site contains a Layer 2 switch that connects VLAN-segmented hosts to their respective
firewalls.

Switch A (Site A)
• Port e0/0 → Connected to Firewall A (eth1/2), acting as a trunk.

• Port e0/1 → Assigned to VLAN 10 (Accounts).

• Port e0/2 → Assigned to VLAN 20 (HR).

Switch B (Site B)
• Port e0/0 → Connected to Firewall B (eth1/2), acting as a trunk.

• Port e0/1 → Assigned to VLAN 10 (Accounts).

• Port e0/2 → Assigned to VLAN 20 (HR).

End-User Devices
Each site has two end-user devices representing Accounts (VLAN 10) and HR (VLAN 20) users.

Site A
• accounts-1 (PC in VLAN 10) → IP: 172.20.10.2/24

• hr-1 (PC in VLAN 20) → IP: 172.20.20.2/24

Site B
• accounts-2 (PC in VLAN 10) → IP: 172.30.10.2/24

• hr-2 (PC in VLAN 20) → IP: 172.30.20.2/24


Site-to-Site VPN Overview


A secure IPSec VPN tunnel will be configured between Firewall A and Firewall B. The tunnel will
encrypt traffic between the Accounts (VLAN 10) and HR (VLAN 20) subnets of Site A and the
corresponding subnets of Site B. This allows:

• Accounts (VLAN 10) in Site A to securely communicate with Accounts (VLAN 10) in Site B.

• HR (VLAN 20) in Site A to securely communicate with HR (VLAN 20) in Site B.

Note:

• This lab does not enforce isolation between departments (for example hr-1 to hr-2 only);
the ACCOUNTS and HR subnets on both sides can all reach each other. Tightening the security
policy to department-to-department only is left as an exercise once you have the lab working.
• The scope of this lab is limited to a Site-to-Site VPN using static routes; dynamic routing over
the tunnel is not covered.

Let's have fun now!


Network Setup
In this section we begin with the network setup, using a bottom-up approach: lower-layer
configuration first, working up the topology.

Switch Configuration
The purpose of the switches is to provide VLAN segmentation and connect each host to the correct
VLAN. By the end of this section, we shall complete the following objectives:

➢ Configure VLANs.
➢ Assign VLANs to access ports.
➢ Configure trunks on the switches.
➢ Configure SVIs on the switches for connectivity testing (we shall cover this after the
firewall configuration).

Switch-A
Configure the VLANS:
Switch>enable
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#vlan 10
Switch(config-vlan)#name ACCOUNTS
Switch(config-vlan)#exit
Switch(config)#vlan 20
Switch(config-vlan)#name HR
Switch(config-vlan)#exit
Switch(config)#vlan 30
Switch(config-vlan)#name MGMT
Switch(config-vlan)#exit

Assign VLANs to Ports:


Switch(config)#interface eth0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 10
Switch(config-if)#exit
Switch(config)#interface eth0/2
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 20
Switch(config-if)#exit
Switch(config)#interface eth0/3
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 30
Switch(config-if)#exit

Configure trunking on the port facing the firewall. The trunk must carry VLANs 10, 20 and 30 to the
firewall: the firewall sub-interfaces created later are both the default gateway and the DHCP server
for each of these subnets, so hosts cannot obtain an address or leave their VLAN unless their tagged
frames reach the firewall.


Switch(config)#interface eth0/0
Switch(config-if)#switchport mode trunk
Command rejected: An interface whose trunk encapsulation is "Auto" can not be
configured to "trunk" mode.
Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport trunk allowed vlan 10,20,30
Switch(config-if)#exit
Switch(config)#end
Switch#write memory

switchport trunk encapsulation dot1q explicitly sets the trunk encapsulation type to
802.1Q, allowing the interface to be manually configured as a trunk. By default, some switches
(especially older Cisco models) have trunk encapsulation set to "Auto", which prevents them from
being manually set to trunk mode until an encapsulation type (such as dot1q) is specified.

Switch-B
Follow the same steps to configure the Switch-B, the switch site B. Do keep note of the addressing
scheme when doing this. Ensure that you save the configurations to memory when done.

Firewall Configuration
The Palo Alto Firewalls will:

• Control network traffic between VLANs.

• Secure the VPN tunnel.

• Perform NAT for internet access.

This section focuses on the networking side (we are network security engineers, after all, so we
need to know this). By the end of this section, we shall complete the following objectives:

➢ Configure interfaces.
➢ Configure zones.
➢ Configure routing through virtual routers.
➢ Configure DHCP Services on the firewalls.
➢ Configure NAT policies.
➢ Configure Security Policies.
➢ Define objects.
➢ Configure management profiles.

Site A Firewall Configuration


This section assumes that you have done the initial configuration (management address and admin
credentials). If you are stuck, refer to these links to help you set up.

• https://www.youtube.com/watch?v=7Q-fS7uZDhQ


• https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/getting-started/integrate-the-firewall-into-your-management-network/perform-initial-configuration

Configure Interfaces and Zones


1. Once logged into the dashboard, proceed to the Network tab.
2. Click the Interfaces node; the Ethernet sub-tab lists the available interfaces.

3. Click on ethernet1/1.
4. A modal window pops up to configure the interface.
5. Set the Interface Type to Layer3. This allows the interface to be addressed and routed at Layer 3 (IP).


6. Under the Virtual Router drop-down, select New Virtual Router.
a. For now, just define the name. In this guide it is jacobian-lab-vrouter; you can use
any name you prefer. See the screenshot below.

7. Click the Security Zone drop-down and select New Zone to create a new zone.
a. Name the zone "untrust". We shall not configure a Zone Protection Profile for now, so
leave the rest as is and click OK. See the screenshot below.

You will note that the Type field is greyed out. This was implied when you selected Layer3 as the
interface type in the Ethernet configuration. In PAN-OS, a zone's type must match the type of the
interfaces assigned to it, i.e. a Layer 3 zone can only contain Layer 3 interfaces. A zone can hold
multiple interfaces, but an interface belongs to exactly one zone.

8. You will be directed back to the Ethernet Interface window. Click on the IPv4 tab to set the
IP address of the interface.

a. Set the Type field to Static. We will be using static IP address for the WAN
connection.
b. Under the IP section, click Add at the bottom of the box. Under this section:
i. You can manually type the IP address and once done click anywhere
outside of the field to save.
ii. Or you can click the New Address to create an address object. I prefer this
method because it allows me to reuse the address object and making
changes to be easier should I need to change this value.
c. Configure objects as follows:
i. Name: Firewall-IP
ii. Description: (Optional)
iii. Type: IP Netmask with value as: 192.168.10.1/30.
iv. Press OK to confirm. You have just created an address object. You can find
the Objects under the Objects tab.
9. Once done, click on the Advanced tab. Under Other Info, open the Management Profile
drop-down and select New Management Profile. We will create a management profile that permits
only ping, so that we can test connectivity in the next sections. Configure it as below:
a. Name: Ping-only
b. Leave Administrative Management Services unchecked. Do not enable HTTPS, SSH or any
other administrative service on the untrust (public-facing) interface; firewall administration
should only be reachable from the management network.
c. Check Ping under Network Services.
d. Click OK to save.


10. Now Click Ok to save the interface configurations. You will be directed back to the
Interface screen.

Note that at this point, you have configured the WAN interface (public-facing interface). We
proceed to configure the sub-interface.

11. Click on ethernet1/2 and configure as follows:

a. Interface Type: Layer3.
b. Click OK. You will be directed back to the Interfaces screen.
c. Click the ethernet1/2 row (not the ethernet1/2 link itself) to select the interface.
d. You will note that Add Subinterface at the bottom becomes clickable.
e. Click Add Subinterface.
12. Configure the subinterface as below:
a. Config tab:
i. Type 10 into the Interface Name suffix (this creates ethernet1/2.10).
ii. Tag: 10 (the 802.1Q VLAN ID; it must match the VLAN carried on the switch trunk).
iii. Virtual Router: jacobian-lab-vrouter
iv. Security Zone: accounts. Create the new zone as before; refer to the step where we
created the untrust zone.

b. Configure IPv4 address as follows:


i. Type: Static
ii. IP: Create an Address Object and name it Gateway-accounts.
iii. The IP configurations are : IP Netmask; 172.20.10.1/24
c. Configure the Advanced tab as follows:
i. Other Info > Management Profile: Ping-Only. You will note that the
Management Profile you created will be listed (the beauty of objects).
d. Repeat the same for the other two subinterfaces:

• ethernet1/2.20: Tag 20, Virtual Router jacobian-lab-vrouter, Security Zone hr, IPv4 Static
with address object Gateway-hr = 172.20.20.1/24, Management Profile Ping-only
• ethernet1/2.30: Tag 30, Virtual Router jacobian-lab-vrouter, Security Zone management, IPv4
Static with address object Gateway-mgmt = 172.20.30.1/24, Management Profile Ping-only
e. Once done, commit all your changes.
i. Click the Commit button at the top right corner of the dashboard.
ii. Click ok at the Commit button at the bottom of the Modal window.
iii. A successful message will be shown.
f. Confirm that you have something like this:


You will note that Link State is green. This means that the interface is up(connected).

Configure Virtual Router

1. Still under the Network tab, click the Virtual Routers node. The virtual router you created,
jacobian-lab-vrouter, will be listed. Click on it to edit it. A modal window appears:

2. Ensure that all the interfaces you configured are on the list under the General tab as
shown above. If not, add them one by one. Ignore the tunnel interface for now; we shall get to
that later.
3. Click on Static Routes. We are about to configure a default route toward the untrust zone,
which is the first step in reaching external networks.


4. Click Add at the bottom. Configure as below:

The 0.0.0.0/0 destination is the default route. It matches every destination address, but because
route selection always prefers the longest (most specific) matching prefix, it is only used for
destinations that no other route in the table covers, which in practice means outbound Internet
traffic. The interface is ethernet1/1, the public-facing interface. The next hop is ISP-IP, an
address object for the ISP router's Gi0/0 address; you can create it at this step. The object
configuration is as follows:

• Name: ISP-IP
• IP Netmask: 192.168.10.2/30

We will not configure Path Monitoring for this lab.

5. Click Ok.
6. Click Ok again to Confirm the settings.
7. Commit these changes.

You have successfully configured routing on the firewall. In the next section we shall configure
DHCP Servers.

Configure DHCP Servers

In this lab, each VLAN sub-interface on the firewall runs its own DHCP server scope, so hosts in a
VLAN receive their address, mask and default gateway from the sub-interface that is their gateway.

1. Under the Network tab, click on the DHCP node.

2. Click Add. We are configuring the DHCP server for the ACCOUNTS VLAN (VLAN 10): Interface
ethernet1/2.10, Gateway 172.20.10.1, Subnet Mask 255.255.255.0, and an IP pool taken from
172.20.10.0/24 that excludes the gateway address.
3. Configure it as shown:


4. Once done, click OK to confirm.


5. Do the same for the HR VLAN (VLAN 20)
6. Ensure you have the configuration as shown below:


By the end of this, you should have the following:


7. Commit the changes you have made.

For your practice, do the same for the MANAGEMENT VLAN. Follow the same steps. Be sure to
use the correct IP Pool Configurations and Gateway IP Address.

Configure NAT and Security Policies


Before we begin this section, below are links to resources I found quite useful in understanding
the concepts of NAT and Security Policies that I think you might find helpful as well:

1. https://www.youtube.com/watch?v=Ahrao6kBg8w
2. https://www.youtube.com/watch?v=pyCv_39_OQQ
3. https://www.youtube.com/watch?v=o2MQjV_KSuo

Configure NAT
1. Under the Policies tab, click on the NAT node.
2. Click Add. The rule provides source NAT for Internet-bound traffic from the internal VLANs:
source zones accounts and hr (and management, if you want that VLAN online), destination zone
untrust, destination interface ethernet1/1, and Source Address Translation set to Dynamic IP And
Port using the ethernet1/1 interface address (192.168.10.1). Because the rule matches on destination
zone untrust, traffic that is later routed into the VPN tunnel (destination zone vpn-zone) is not
translated, which is what we want: the remote site must see the real 172.20.x.x source addresses.
Configure as below:


3. Click OK to confirm the settings once you are done.


4. Commit the changes.

Configure Security Policies

1. Under the Policies tab, click on the Security node. You will note that two rules already exist:
intrazone-default (allow) and interzone-default (deny). These are the PAN-OS defaults, and they
are why no traffic crosses between zones until you add a rule.
2. Click Add.
3. Follow the screenshots below. This rule permits Internet access from the internal VLANs: source
zones accounts and hr, destination zone untrust, action Allow.


4. Leave the Application set to Any.


5. Leave the Service/URL Category set to application-default.

6. Click OK to confirm the changes.


7. Commit your changes.

We have successfully configured NAT and Security policies.


At this point you can test whether the configuration holds. Double-click one of the VPCS hosts
at Site A.

1. Once on the terminal, type the command: ip dhcp

2. If successful, the host shows the IP address assigned to it by the firewall's DHCP server. See
the screenshot below:

Site B Firewall Configuration


Repeat the above steps for Site B Firewall. However, do NOTE that the IP Addressing will change.
Use the topology section to get the IP Addressing scheme.

Make sure to Commit changes as you go.

Router Configuration
The router will perform the following functions:

• Connect the two firewalls' WAN interfaces so that IKE and ESP traffic can flow between them
for the VPN.
• Route traffic from each site to the Internet.
• Perform NAT so that each site can reach the Internet.
• Route between the two site WAN links (192.168.10.0/30 and 192.168.20.0/30). Routing between
the internal VLANs is done by the firewalls, not the router; the router never sees the
172.20.x.x or 172.30.x.x addresses in clear.

By the end of this section, you should be able to:

➢ Configure IP addresses on interfaces


➢ Configure default routes to the internet (Static routes)
➢ Configure NAT on a Cisco Router.


Assigning IP Addresses to Interfaces


1. Access Router CLI:
enable
configure terminal

2. Configure interface Gi0/0 (Site A connection):


interface gigabitEthernet0/0
ip address 192.168.10.2 255.255.255.252
no shutdown
exit

3.Configure interface Gi0/1 (Site B connection):


interface gigabitEthernet0/1
ip address 192.168.20.2 255.255.255.252
no shutdown
exit

4.Configure interface Gi0/2 (Internet/WAN connection):


interface gigabitEthernet0/2
ip address dhcp
no shutdown
exit

Configure Routing
1. Configure a default route out of Gi0/2. Because Gi0/2 gets its address from DHCP, the static
route below points at the interface rather than at a next-hop address:
ip route 0.0.0.0 0.0.0.0 gigabitEthernet0/2

Note that an interface-only static route on an Ethernet segment relies on the upstream device
answering proxy ARP for every destination, and IOS already installs a default route learned from
the DHCP offer (administrative distance 254). If the upstream device does not proxy ARP, remove the
static route and rely on the DHCP-learned default (or use the form ip route 0.0.0.0 0.0.0.0 dhcp).

Configure NAT
1.Enable NAT with dynamic overload:
ip nat inside source list 1 interface gigabitEthernet0/2 overload

2.Define the inside and outside NAT interfaces:

a.Mark Gi0/0 and Gi0/1 as NAT inside:


interface gigabitEthernet 0/0
ip nat inside
exit


interface gigabitEthernet 0/1


ip nat inside
exit

b.Mark Gi0/2 as NAT outside:


interface gigabitEthernet0/2
ip nat outside
exit

3. Create an access list to match the sources that should be translated:

access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255

Two things to note here. First, the sources the router sees are the firewalls' WAN addresses
(192.168.10.1 and 192.168.20.1), because each firewall has already source-translated its internal
VLANs to ethernet1/1; the 172.20.x.x and 172.30.x.x addresses never appear at the router. The
wildcard 0.0.0.255 therefore matches far more than exists on the links; a wildcard of 0.0.0.3 would
cover exactly each /30. Second, IOS only translates packets that cross from a NAT inside interface
to a NAT outside interface. The IKE and ESP packets exchanged between the two firewalls enter on
Gi0/0 and leave on Gi0/1 (both inside), so they are forwarded untranslated. This is why the IKE
gateways can use their real WAN addresses as identities and NAT traversal is not needed in this lab.

Verify Configuration
Check DHCP-assigned IP on Gi0/2:
show ip interface brief

Check NAT translations:


show ip nat translations

Check the routing table:


show ip route

Test connectivity
Test internet connectivity by pinging a public IP.
ping 8.8.8.8


IPSec Site-to-Site VPN Setup


Firewall Configuration
By the end of this section, you should be able to:

➢ Create a Tunnel interface


➢ Create an Appropriate Security Zone
➢ Configure Static Routes for VPN Tunneling
➢ Configure IKE Crypto Profile for Phase 1
➢ Configure IPSec Crypto Profile for Phase 2
➢ Configure IKE Gateway
➢ Configure IPSec Tunnel

In order to set up the VPN tunnel we shall use the checklist below.

• Make sure that your Ethernet interfaces, virtual routers, and zones are configured
properly.
• Create your tunnel interfaces. Ideally, put the tunnel interfaces in a separate zone, so that
tunneled traffic can use different policy rules.
• Set up static routes or assign routing protocols to redirect traffic to the VPN tunnels. To
support dynamic routing (OSPF, BGP, RIP are supported), you must assign an IP address to
the tunnel interface.
• Define the cryptographic profiles (IKE Crypto Profiles and IPSec Crypto Profiles) that
specify the protocols and algorithms for identification, authentication, and encryption to be
used for setting up VPN tunnels in IKEv1 Phase 1 and Phase 2.
• Define IKE Gateways for establishing communication between the peers across each end
of the VPN tunnel.
• Define IPSec Tunnel configurations.
• (Optional) Specify how the firewall will monitor the IPSec tunnels.
• Define Security Policies to filter and inspect the traffic.

Set up A VPN Tunnel Interface


Create a tunnel interface and attach it to a virtual router and security zone.

1. Select Network > Interfaces > Tunnel and click Add.

2. In the Interface Name field, specify a numeric suffix. In this lab the suffix is 10 on Firewall A
(tunnel.10) and 11 on Firewall B (tunnel.11).

3. On the Config tab, expand Security Zone to define the zone as follows:

• To create a separate zone for VPN tunnel termination, click New Zone. In the Zone dialog,
enter the Name vpn-zone, and then click OK. Keeping the tunnel in its own zone means traffic to
and from the remote site is subject to its own security policy rules, separate from the untrust rules.

4. Select the Virtual Router: jacobian-lab-vrouter


To assign an IP address to the tunnel interface, select the IPv4 or IPv6 tab, click Add in the IP
section, and enter the IP address and network mask. With static routes, the tunnel interface does
not require an IP address: for traffic destined to the remote subnets, the tunnel interface itself is
the next hop. Consider adding an IP address if you want to enable tunnel monitoring or run a
dynamic routing protocol over the tunnel.

5. To save the interface configuration, click OK. See below:

In this setup, the configuration for VPN Peer A (Site A) is:

• Interface—tunnel.10

• Security Zone—vpn-zone

• Virtual Router— jacobian-lab-vrouter

The configuration for VPN Peer B (Site B) is:


• Interface—tunnel.11

• Security Zone— vpn-zone

• Virtual Router— jacobian-lab-vrouter

Commit the changes when done.

Configure Static Routes for VPN Tunnel


In this subsection we configure static routes on the virtual router that point each remote subnet
into the tunnel interface. For this topology:

For Site A:

• The destination subnets are the accounts-2 and hr-2 subnets (172.30.10.0/24 and 172.30.20.0/24).

For Site B:

• The destination subnets are the accounts-1 and hr-1 subnets (172.20.10.0/24 and 172.20.20.0/24).

1. Select Network > Virtual Routers and click jacobian-lab-vrouter.

2. Select Static Routes, click Add, and enter a new route to the subnet at the other end of the
tunnel. You will need two route entries on each firewall, one per remote subnet. These /24 routes
are more specific than the 0.0.0.0/0 default route, so traffic for the remote site is steered into the
tunnel rather than sent out to the ISP router in clear.

In this setup, the configuration for VPN Peer A is:


• Name — vpn-to-siteB-accounts

• Destination—172.30.10.0/24 (siteB-accounts-subnet address object)

• Interface—tunnel.10

• Name — vpn-to-siteB-hr

• Destination—172.30.20.0/24 (siteB-hr-subnet address object)

• Interface—tunnel.10

The configuration for VPN Peer B is:


• Name — vpn-to-siteA-accounts

• Destination—172.20.10.0/24 (siteA-accounts-subnet address object)

• Interface—tunnel.11

• Name — vpn-to-siteA-hr

• Destination—172.20.20.0/24 (siteA-hr-subnet address object)

• Interface—tunnel.11

Commit the changes when done.
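To see how the tunnel routes in this subsection, the default route from the Site A firewall configuration and the NAT access list on the ISP router fit together, the following Python script models the three routing tables as configured in this guide and traces a packet from accounts-1 through Firewall A, the ISP router and Firewall B. It is an added example, not part of the original lab or of PAN-OS, and it assumes two things the guide does not state explicitly: that each firewall source-NATs Internet-bound traffic to its ethernet1/1 address, and that Gi0/2 on the ISP router obtained the address 203.0.113.5 from DHCP.

```python
"""Trace a packet through the lab topology (added example, not from the guide).

A longest-prefix-match model of the three routing tables this guide configures
(Firewall A, the ISP router, Firewall B) plus the ISP router's
"ip nat inside source list 1 interface gigabitEthernet0/2 overload" decision.
Assumed, not stated in the guide: the firewalls source-NAT Internet-bound
traffic to ethernet1/1, and Gi0/2 holds the DHCP lease 203.0.113.5.
"""
from ipaddress import ip_address, ip_network

# (destination prefix, egress interface, next hop or None for connected/tunnel routes)
FW_A_ROUTES = [
    ("172.20.10.0/24", "ethernet1/2.10", None),     # connected, accounts
    ("172.20.20.0/24", "ethernet1/2.20", None),     # connected, hr
    ("172.20.30.0/24", "ethernet1/2.30", None),     # connected, management
    ("192.168.10.0/30", "ethernet1/1", None),       # connected, WAN link
    ("172.30.10.0/24", "tunnel.10", None),          # vpn-to-siteB-accounts
    ("172.30.20.0/24", "tunnel.10", None),          # vpn-to-siteB-hr
    ("0.0.0.0/0", "ethernet1/1", "192.168.10.2"),   # default via ISP-IP
]
FW_B_ROUTES = [
    ("172.30.10.0/24", "ethernet1/2.10", None),
    ("172.30.20.0/24", "ethernet1/2.20", None),
    ("172.30.30.0/24", "ethernet1/2.30", None),
    ("192.168.20.0/30", "ethernet1/1", None),
    ("172.20.10.0/24", "tunnel.11", None),          # vpn-to-siteA-accounts
    ("172.20.20.0/24", "tunnel.11", None),          # vpn-to-siteA-hr
    ("0.0.0.0/0", "ethernet1/1", "192.168.20.2"),
]
ISP_ROUTES = [
    ("192.168.10.0/30", "Gi0/0", None),
    ("192.168.20.0/30", "Gi0/1", None),
    ("0.0.0.0/0", "Gi0/2", None),                   # ip route 0.0.0.0 0.0.0.0 Gi0/2
]
ISP_PUBLIC_IP = "203.0.113.5"                       # assumed DHCP lease on Gi0/2
NAT_INSIDE, NAT_OUTSIDE = {"Gi0/0", "Gi0/1"}, {"Gi0/2"}
ACL_1 = [("192.168.10.0", "0.0.0.255"), ("192.168.20.0", "0.0.0.255")]  # as in the guide
WAN = {"FW-A": "192.168.10.1", "FW-B": "192.168.20.1"}


def lookup(routes, dst):
    """Longest-prefix match: the most specific matching route wins, so the
    0.0.0.0/0 default is used only when nothing else covers the destination."""
    addr = ip_address(dst)
    matches = [(ip_network(p), i, n) for p, i, n in routes if addr in ip_network(p)]
    if not matches:
        raise LookupError(f"no route to {dst}")
    _, iface, next_hop = max(matches, key=lambda m: m[0].prefixlen)
    return iface, next_hop


def wildcard_match(addr, base, wildcard):
    """Cisco ACL semantics: wildcard bits set to 1 are 'don't care' bits."""
    keep = ~int(ip_address(wildcard)) & 0xFFFFFFFF
    return (int(ip_address(addr)) & keep) == (int(ip_address(base)) & keep)


def isp_forward(src, dst, ingress):
    """ISP router: route the packet, then translate the source only if it crosses
    from a NAT inside interface to the NAT outside interface and matches ACL 1."""
    egress, _ = lookup(ISP_ROUTES, dst)
    translate = (ingress in NAT_INSIDE and egress in NAT_OUTSIDE
                 and any(wildcard_match(src, base, wc) for base, wc in ACL_1))
    return egress, (ISP_PUBLIC_IP if translate else src)


def trace(src, dst):
    """Hops taken by a packet from a Site A host: (device, egress, src, dst) per hop."""
    hops = []
    egress, _ = lookup(FW_A_ROUTES, dst)
    if egress == "tunnel.10":
        # Routed into the tunnel: the inner packet stays intact and is carried in ESP
        # between the two WAN addresses. The router sees only the outer header.
        hops.append(("FW-A", egress, src, dst))
        isp_egress, outer_src = isp_forward(WAN["FW-A"], WAN["FW-B"], "Gi0/0")
        hops.append(("ISP", isp_egress, outer_src, WAN["FW-B"]))
        hops.append(("FW-B", lookup(FW_B_ROUTES, dst)[0], src, dst))   # after decryption
    else:
        # Internet-bound: Firewall A source-NATs to ethernet1/1 (assumed NAT rule).
        hops.append(("FW-A", egress, WAN["FW-A"], dst))
        isp_egress, outer_src = isp_forward(WAN["FW-A"], dst, "Gi0/0")
        hops.append(("ISP", isp_egress, outer_src, dst))
    return hops


if __name__ == "__main__":
    for target in ("172.30.10.2", "8.8.8.8"):
        print(f"accounts-1 (172.20.10.2) -> {target}")
        for hop in trace("172.20.10.2", target):
            print("   ", hop)
```

Running it shows the two paths side by side: a packet for 172.30.10.2 is caught by the /24 tunnel route on Firewall A, crosses the router as ESP between 192.168.10.1 and 192.168.20.1 without being translated (inside to inside), and is routed to ethernet1/2.10 on Firewall B; a packet for 8.8.8.8 falls through to the default route, leaves Firewall A as 192.168.10.1, matches ACL 1 and is overloaded onto the Gi0/2 address.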


Configure Cryptographic Profiles

Set up the crypto profiles (IKE Crypto profile for Phase 1 and IPSec Crypto profile for Phase 2).
Complete this task on both peers and make sure to set identical values: a mismatch in DH group,
encryption, authentication or IPSec protocol on either profile means the negotiation fails before
the tunnel can come up, and the only symptom is an IKE error in the system log. Prefer current
algorithms on both sides (AES-256 with SHA-256 or stronger, DH group 14 or higher) and do not
offer DES, 3DES, MD5 or DH groups 1, 2 and 5, even in a lab; any weak entry left in the list can
be negotiated.

IKE Crypto Profile – Phase 1

1. Select Network > Network Profiles > IKE Crypto.

2. Click Add. Give the profile a name, then set DH Group, Authentication, Encryption and the Key
Lifetime.

Commit the changes when done.


IPSec Crypto Profile – Phase 2

1. Select Network > Network Profiles > IPSec Crypto.

2. Click Add. Name the profile (this guide uses siteA-siteB-phase2 on Firewall A and
siteB-siteA-phase2 on Firewall B), keep the IPSec Protocol as ESP, and set Encryption,
Authentication, DH Group (which enables Perfect Forward Secrecy) and Lifetime.

Commit the changes when done.
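The two profiles only work if what one peer offers overlaps with what the other accepts. The script below is an added example, not part of this guide or of PAN-OS; it models that agreement for the Phase 1 and Phase 2 profiles described above. Each profile lists values per attribute, as the PAN-OS dialogs allow, the initiator offers every combination in profile order, and the responder takes the first combination it also supports. The sample profiles, the attribute names and the set of algorithms flagged as weak are assumptions for illustration.

```python
"""IKE/IPSec proposal agreement check (added example, not from the guide).

Models the rule stated above: the crypto profiles on both peers must overlap.
A PAN-OS profile may list several values per attribute; the initiator offers
every combination in profile order and the responder accepts the first one it
also supports. The sample profiles are assumptions for illustration, and the
weak-algorithm set reflects current guidance rather than anything PAN-OS enforces.
"""
from itertools import product

ATTRIBUTES = ("encryption", "authentication", "dh-group")
WEAK = {"des", "3des", "md5", "sha1", "group1", "group2", "group5"}


def transforms(profile):
    """Ordered (encryption, authentication, dh-group) offers a profile generates."""
    return list(product(*(profile[a] for a in ATTRIBUTES)))


def negotiate(initiator, responder):
    """First initiator transform the responder also offers, or None if nothing overlaps
    (on the firewall this is the Phase 1/2 failure you see in the system log)."""
    acceptable = set(transforms(responder))
    return next((t for t in transforms(initiator) if t in acceptable), None)


def weak_values(profile):
    """Sorted list of values in a profile that should not be offered at all."""
    return sorted(v for vals in profile.values() for v in vals if v in WEAK)


# Constructed sample profiles (not the guide's screenshots).
SITE_A = {"encryption": ["aes-256-cbc", "aes-128-cbc"],
          "authentication": ["sha256"], "dh-group": ["group14"]}
SITE_B_OK = {"encryption": ["aes-128-cbc", "aes-256-cbc"],
             "authentication": ["sha256"], "dh-group": ["group14"]}
SITE_B_BAD = {"encryption": ["aes-128-cbc", "3des"],
              "authentication": ["sha1"], "dh-group": ["group2"]}

if __name__ == "__main__":
    print("A -> B(ok): ", negotiate(SITE_A, SITE_B_OK))    # initiator's first preference wins
    print("A -> B(bad):", negotiate(SITE_A, SITE_B_BAD))   # None: no common transform
    print("weak in B(bad):", weak_values(SITE_B_BAD))
```

The agreed transform follows the initiator's order, and either firewall may initiate (whichever one first routes a packet into the tunnel), so list the strongest option first on both peers rather than relying on one side's ordering.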

Configure IKE Gateway


In this subsection we shall set up IKE Gateways for each site.


1. Select Network > Network Profiles > IKE Gateway.

2. Click Add and configure the options in the General tab.

In this example, the configuration for VPN Peer A (Site A) is:

• Name—vpn-site-a-gway

• Interface—ethernet1/1

• Version—IKEv1 only mode (the lab's choice; IKEv2 is preferred in production, and switching
later only requires setting Version to IKEv2 on both peers)

• Local IP address—192.168.10.1 (Firewall-IP address object)

• Peer IP Address Type/Peer Address—IP/192.168.20.1 (vpn-peer address object)

• Pre-shared Key—enter a value. The same key must be entered on both peers. Use a long random
string rather than a word, and leave Exchange Mode at auto so that main mode is used; with a
pre-shared key, aggressive mode exposes material that allows offline guessing of the key.

• Local identification—None; this means that the local IP address will be used as the local
identification value.

The configuration for VPN Peer B is:


• Name—vpn-site-b-gway

• Interface—ethernet1/1

• Version—IKEv1 only mode (must match Peer A)

• Local IP address—192.168.20.1 (Firewall-IP address object)

• Peer IP Address Type/Peer Address—IP/192.168.10.1 (vpn-peer address object)

• Pre-shared Key—the same value entered on Peer A

• Local identification—None; this means that the local IP address will be used as the local
identification value.

3. Select Advanced Phase 1 Options and select the IKE Crypto profile you created earlier to use for
IKE phase 1.


Set up the IPSec Tunnel


1. Select Network > IPSec Tunnels.

2. Click Add and configure the options in the General tab.

In this setup, the configuration for VPN Peer A is:

• Tunnel Interface—tunnel.10

• Type—Auto Key


• IKE Gateway—Select vpn-site-a-gway.

• IPSec Crypto Profile—Select siteA-siteB-phase2.

The configuration for VPN Peer B is:

• Tunnel Interface—tunnel.11

• Type—Auto Key

• IKE Gateway—Select vpn-site-b-gway

• IPSec Crypto Profile—Select siteB-siteA-phase2


Commit the changes.

At this point the tunnel configuration is complete. However, the IPSec tunnel status will still show
red: with an Auto Key tunnel and no tunnel monitoring, the firewall does not start IKE negotiation
until a packet is actually routed into tunnel.10, and no packet can reach the tunnel until security
policy permits traffic between the user zones and vpn-zone. To conclude, we need to allow traffic
between the zones.

Create Security Policy Rules to Allow VPN Tunnel Traffic


In our setup, each site has four zones that matter for the VPN (the management zone exists but is
not involved):

• untrust zone
• accounts zone
• hr zone and
• vpn-zone

By default, the interzone-default rule denies traffic from one zone to another. Traffic from the
user zones (hr and accounts) to the remote site is routed into tunnel.10 (or tunnel.11), so from the
firewall's point of view it goes from accounts or hr to vpn-zone, and traffic arriving from the
remote site goes from vpn-zone to accounts or hr. The firewall is stateful: a rule is needed only for
the direction in which sessions are initiated, and the return packets of an allowed session are
accepted without a second rule; both directions are listed below so that hosts at either site can
initiate. The IKE (UDP 500) and ESP packets between the two WAN addresses enter and leave
through ethernet1/1, i.e. untrust to untrust, which the intrazone-default rule already permits.
When we bring this together, the configuration is as follows:

The configuration for VPN Peer A (Site A):

• Name: allow-vpn-to-site-B
• Source: untrust, vpn-zone
• Destination: untrust, vpn-zone
• Application: Any
• Service/URL Category: application-default
• Action: Allow

The second rule to define is:

• Name: allow-users-to-vpn-zone
• Source: accounts, hr, vpn-zone (so that sessions can start from either site)
• Destination: accounts, hr, vpn-zone
• Application: Any
• Service/URL Category: application-default
• Action: Allow

Note that this second rule also allows accounts and hr at the same site to reach each other, and
any remote subnet to reach either local department; it is deliberately broad for the lab. A
production rule base would pair accounts with the remote accounts subnet and hr with the remote
hr subnet, using the address objects created for the static routes, and would drop the
untrust/vpn-zone rule, which the tunnel itself does not need since the IKE/ESP exchange is
untrust to untrust.

The configuration for VPN Peer B (Site B):

• Name: allow-vpn-to-site-A
• Source: untrust, vpn-zone
• Destination: untrust, vpn-zone
• Application: Any
• Service/URL Category: application-default
• Action: Allow


The second rule to define is:

• Name: allow-users-to-vpn-zone
• Source: accounts, hr, vpn-zone (so that sessions can start from either site)
• Destination: accounts, hr, vpn-zone
• Application: Any
• Service/URL Category: application-default
• Action: Allow

By the end of this your rule base should resemble this:

For Site A

For Site B:

Once done, Commit your changes.
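To check what the rule base above actually permits, the following Python script, an added example that is not part of this guide or of PAN-OS, models first-match zone policy for Site A and evaluates a handful of constructed flows against the two rules defined above and against a tighter, department-to-department alternative. Zones are derived from the address plan in the topology section; the Internet address 198.51.100.9 and the tighter rule names are constructed for illustration.

```python
"""Evaluate the Site A rule base against sample flows (added example, not from the guide).

A simplified model of PAN-OS security policy matching: zones are derived from the
address plan in the topology section, rules are checked top-down and the first
match wins, and with no match the defaults apply (intrazone-default allow,
interzone-default deny). Policy is evaluated once, when a session is created,
so only the initiating direction of a flow is checked. The tighter rule set is
a constructed alternative, not something the guide configures.
"""
from ipaddress import ip_address, ip_network

# Site A view: which zone an address is reached through (longest prefix wins).
ZONE_OF = {
    "172.20.10.0/24": "accounts", "172.20.20.0/24": "hr", "172.20.30.0/24": "management",
    "172.30.10.0/24": "vpn-zone", "172.30.20.0/24": "vpn-zone",   # routed into tunnel.10
    "192.168.10.0/30": "untrust", "0.0.0.0/0": "untrust",
}
ANY = ("0.0.0.0/0",)

# (name, source zones, destination zones, source addresses, destination addresses, action)
GUIDE_RULES = [
    ("allow-vpn-to-site-B", {"untrust", "vpn-zone"}, {"untrust", "vpn-zone"}, ANY, ANY, "allow"),
    ("allow-users-to-vpn-zone", {"accounts", "hr", "vpn-zone"},
     {"accounts", "hr", "vpn-zone"}, ANY, ANY, "allow"),
]
TIGHT_RULES = [  # department to matching department only; either side may initiate
    ("accounts-to-siteB", {"accounts"}, {"vpn-zone"}, ("172.20.10.0/24",), ("172.30.10.0/24",), "allow"),
    ("siteB-to-accounts", {"vpn-zone"}, {"accounts"}, ("172.30.10.0/24",), ("172.20.10.0/24",), "allow"),
    ("hr-to-siteB", {"hr"}, {"vpn-zone"}, ("172.20.20.0/24",), ("172.30.20.0/24",), "allow"),
    ("siteB-to-hr", {"vpn-zone"}, {"hr"}, ("172.30.20.0/24",), ("172.20.20.0/24",), "allow"),
]


def zone(addr):
    """Zone of the interface used to reach addr: longest matching prefix in ZONE_OF."""
    a = ip_address(addr)
    best = max((ip_network(p) for p in ZONE_OF if a in ip_network(p)), key=lambda n: n.prefixlen)
    return ZONE_OF[str(best)]


def in_any(addr, prefixes):
    return any(ip_address(addr) in ip_network(p) for p in prefixes)


def evaluate(rules, src, dst):
    """Return (rule name, action) for a session initiated from src to dst."""
    src_zone, dst_zone = zone(src), zone(dst)
    for name, src_zones, dst_zones, src_nets, dst_nets, action in rules:
        if (src_zone in src_zones and dst_zone in dst_zones
                and in_any(src, src_nets) and in_any(dst, dst_nets)):
            return name, action
    if src_zone == dst_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


# Constructed sample flows: (description, source, destination)
FLOWS = [
    ("accounts-1 -> accounts-2 over the VPN", "172.20.10.2", "172.30.10.2"),
    ("accounts-1 -> hr-2 over the VPN", "172.20.10.2", "172.30.20.2"),
    ("accounts-1 -> hr-1, same site", "172.20.10.2", "172.20.20.2"),
    ("Internet host -> accounts-1", "198.51.100.9", "172.20.10.2"),
    ("Internet host -> Site B via tunnel", "198.51.100.9", "172.30.10.2"),
    ("IKE from Firewall B to Firewall A", "192.168.20.1", "192.168.10.1"),
]

if __name__ == "__main__":
    for desc, src, dst in FLOWS:
        print(f"{desc:40} guide: {evaluate(GUIDE_RULES, src, dst)}  tight: {evaluate(TIGHT_RULES, src, dst)}")
```

Running it shows that the guide's rules carry accounts-to-accounts traffic as intended, but also permit accounts-1 to reach hr-1 at the same site and an untrust source to be routed into the tunnel, while the IKE exchange between the two WAN addresses is allowed by intrazone-default whether or not the allow-vp-to-site-B rule exists. The tight rule set keeps only the two department-to-department pairs and lets the defaults deny everything else.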


Test Connectivity
To test end-to-end connectivity, double-click one of the endpoint machines at Site A and ping one
of the end hosts at Site B. Refer to the screenshot below:

From the screenshot, you can see that I am able to ping the remote hr-2 host. This shows that the
tunnel is up. Try pinging hr-1 from hr-2 as well, which confirms that sessions can be initiated from
Site B.

To further confirm this, navigate to Network > IPSec Tunnels; the tunnel, IKE and IPSec status
indicators should be green on both firewalls. From the CLI, show vpn ike-sa and show vpn ipsec-sa
list the negotiated security associations, and show vpn flow shows the encapsulation and
decapsulation counters increasing as the pings go through.

See the screenshot below for the Traffic Logs. Each ping should appear as a session from zone
accounts or hr to zone vpn-zone (or the reverse), matched by the allow-users-to-vpn-zone rule, with
the original 172.20.x.x and 172.30.x.x addresses unchanged.


Troubleshooting IPSec Tunnel Connectivity


Hopefully, your tunnel will behave as expected. If that is not the case, review the system logs in
Monitor > Logs > System (filter on the vpn subtype), where Phase 1 and Phase 2 failures are
reported with their reason, such as a proposal mismatch or a pre-shared key that differs between the
peers. You can also force a negotiation from the CLI with test vpn ike-sa gateway <gateway-name>
and test vpn ipsec-sa tunnel <tunnel-name>, then check show vpn ike-sa and show vpn ipsec-sa.
Work through the layers in order: first ping between the two WAN addresses (192.168.10.1 and
192.168.20.1) across the ISP router, then IKE, then IPSec, then the security policy.

Refer to the links below for what may be the cause of the issue:

1. https://docs.paloaltonetworks.com/network-security/ipsec-vpn/administration/troubleshooting/test-vpn-connectivity
2. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wlFxCAI&lang=en_US
3. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clh5CAC
4. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC

-------------------THE END------------------
