Cradlepoint to Palo Alto VPN Example. Summary. Standard IPSec VPN Topology. Global Leader in 4G LTE Network Solutions

Transcription

1 Cradlepoint to Palo Alto VPN Example Summary This configuration covers an IPSec VPN tunnel setup between a Cradlepoint Series 3 router and a Palo Alto firewall. IPSec is customizable on both the Cradlepoint and Palo Alto platforms to fit into a variety of network and security requirements however; this configuration example will address only the basic configuration and a VTI configuration (NCOS 5.4 or greater). Standard IPSec VPN Topology 1

2 Configuration Configuration Difficulty: Intermediate Cradlepoint Configuration: - Step 1: Log into NCOS. For help with logging in please click here. - Step 2: Click on Networking > Tunnels and select IPSec VPN from the drop-down menu. 2

3 3

4 - Step 3: Under VPN Tunnels click Add. - Step 4: Enter a Tunnel Name. - Step 5: Enter a Pre-Shared Key. - Step 6: Set the Initiation Mode to your desired setting. o Note: On Demand will leave the tunnel idle until traffic bound for the other side of the tunnel is detected. Always On will keep the tunnel active whenever the WAN connection is active. - Step 7: Click Next. - Step 8: In the Local Networks section click Add and enter the LAN of Cradlepoint you want to be available across the VPN tunnel. - Step 9: Click Next. - Step 10: Enter the WAN IP of Paloalto in the Remote Gateway. - Step 11: In the Remote Networks section click add and enter the LAN of the Paloalto you want to be available across the VPN tunnel. - Step 12: Click Next. 4

5 - Step 13: For IKE Phase 1 select AES 128 encryption, SHA1 hash and DH Group 2. - Step 14: Click Next. - Step 15: For IKE Phase 2 select AES encryption, SHA1 hash and DH Group 2. - Step 16: Click Next. - Step 17: For Dead Peer Detection leave the default settings. 5

6 - Step 18: Click Finish. - Step 19: Under VPN Tunnels click Enable VPN Service and then Start to start the VPN service on the router. 6

7 Paloalto Configuration: Note: This configuration assumes you already have a Virtual Router setup for basic internet connectivity - Step 1: Log into the Paloalto management interface as admin - Step 2: Navigate to Network > Interfaces > Tunnel - Step 3: Click Add at the bottom of the page - Step 4: Enter an unused number after the Interface Name - Step 5: Enter the Virtual Router and the Security Zone (Recommended: trust) You plan to use - Step 6: Under the IPv4 tab Add the Paloalto s tunnel IP address - Step 7: Under the Advanced tab Select a Management Profile 7

8 o If there isn t one available you can click the link to create a new profile (Recommended at a minimum: Ping and all forms of HTTP) - Step 8: From the left hand menu select Virtual Routers and select the name of the Virtual Router being used - Step 9: Choose Static Routes from the left hand menu and click Add at the bottom of the page - Step 10: Set the Name for the static route - Step 11: Set the Destination to the LAN address range of the Cradlepoint - Step 12: Set the Next Hop to None - Step 13: click OK at the bottom of the window and check that the routes are correct Step 14: Click OK on the Virtual Router window - Step 15: From the left, select IKE Crypto under Network Profiles and click Add at the bottom of the page - Step 16: Add the DH Group as group 2 - Step 17: Add the Authentication Algorithm as sha1 8

9 - Step 18: Add the Encryption Algorithm as aes128 - Step 19: Click OK - Step 20: From the left, select IPSec Crypto under Network Profiles and click Add at the bottom of the page - Step 21: For the IPSec Protocol select ESP - Step 22: follow steps 16 to 19 above - Step 23: From the left, select IKE Gateways under Network Profiles and click Add at the bottom of the page - Step 24: Enter a Name and set the Interface to the physical external interface (with the public IP assigned to it) - Step 25: Set the Peer IP Type to Static and the Peer IP Address to the remote IP of the Cradlepoint - Step 26: Set the Authentication to Pre-Shared Key and set the Pre-shared Key with the password for the tunnel - Step 27: Confirm it in the Confirm Pre-shared Key 9

10 - Step 28: Select the Advanced Phase 1 Options from the tabs at the top of the window - Step 29: Set the Exchange Mode to main and the IKE crypto profile to the previously created profile - Step 30: Optional: ensure Dead Peer Detection is enabled and select OK - Step 31: From the left, select IPSec Tunnels and click Add at the bottom of the page - Step 21: Fill in a Name and set the Tunnel Interface to the interface originally created - Step 32: Leave the Type as Auto Key - Step 33: Set the IKE Gateway and IPSec Crypto Profile to the previously configured gateway and profile 10

11 - Step 34: Click the Proxy IDs tab at the top of the window and click Add at the bottom of the window - Step 35: Enter a name in the Proxy ID field - Step 36: In Local enter the Paloalto s LAN network - Step 37: in Remote enter the Cradlepoint s LAN network - Step 38: Leave Protocol as Any and click OK for both popup windows - Step 39: Click Commit at the top right of the page to save the settings and commit it to the Paloalto - Step 40: After a few minutes the Status lights on the tunnel should go green - Step 42: Also check on the Cradlepoint under Status > VPN Tunnels 11

12 VTI VPN Topology VTI VPN Configuration Configuration Difficulty: Intermediate Note: This requires at least NCOS version 5.4 on the Cradlepoint 12

13 Cradlepoint Configuration: - Step 1: Log into the router's Setup Page. For help with logging in please click here. - Step 2: Click on Networking > Tunnels and select IPSec VPN from the drop-down menu. 13

14 14

15 - Step 3: Under VPN Tunnels click Add. - Step 4: Enter a Tunnel Name. - Step 5: Enter a Pre-Shared Key. Step 6: Set the Mode to VTI Tunnel - Step 7: Set the Initiation Mode to your desired setting. o Note: On Demand will leave the tunnel idle until traffic bound for the other side of the tunnel is detected. Always On will keep the tunnel active whenever the WAN connection is active. - Step 8: Click Next. - Step 9: In the Local VTI Configuration section enter the Local virtual address and Remote virtual address with the tunnel network of Cradlepoint you want to use. - Step 10: Click Next. 15

16 - Step 11: Enter the WAN IP of the Paloalto in the Remote Gateway. - Step 12: In the Remote Networks section click add and enter the LAN of Paloalto you want to be available across the VPN tunnel. - Step 13: Click Next. 16

17 - Step 14: For IKE Phase 1 select AES 128 encryption, SHA1 hash and DH Group 2. - Step 15: Click Next. 17

18 - Step 16: For IKE Phase 2 select AES 128 encryption, SHA1 hash and DH Group 2. - Step 17: Click Next. 18

19 - Step 18: For Dead Peer Detection leave the default settings. - Step 19: Click Finish. 19

20 - Step 20: Click Finish to submit your VPN tunnel. - Step 21: Under IPSec VPN click Enable VPN Service to start the VPN service on the router. - Step 22: Go to Security > Zone Firewall and select Zone Definition - Step 23: Click Add under Zones and fill in a name for the new Zone - Step 24: Click Add to create a new Interface and set the VTI Config Name - Step 25: Click Save 20

21 - Step 26: Go to the Zone Forwardings section and Add forwarding rules as needed o Note the example below 21

22 22

23 Paloalto Configuration: - Step 1: Follow the Paloalto configuration for a standard IPSec VPN tunnel found above - Step 2: Under the Virtual Routers select the virtual router being used and select Static Routes from the left - Step 4: Edit the static route for the VPN tunnel by clicking the configured name (destination of Cradlepoint s LAN) - Step 5: Change the Next Hop to IP Address, fill in the Cradlepoint s tunnel interface address in the box and select OK - Step 7: Under IPSec Tunnels, edit the tunnel created - Step 8: Click on the Proxy IDs tab at the top and delete the Proxy ID that is configured - Step 9: Click OK - Step 10: After a few minutes the Status lights on the tunnel should go green 23