IPsec VPN Configuration Example: Palo Alto Networks Appliance

This example illustrates how to configure two IPsec VPN tunnels from a Palo Alto Networks appliance to two Zscaler Enforcement Nodes (ZENs): a primary tunnel from the PA-200 appliance to a ZEN in one data center, and a secondary tunnel from the PA-200 appliance to a ZEN in another data center.

NOTE: Zscaler IPsec tunnels support a soft limit of 200 Mbps per tunnel. If your organization wants to forward more than 200 Mbps of traffic, Zscaler recommends you configure additional IPsec VPN tunnels as needed. For example, if your organization forwards 400 Mbps of traffic, you can configure two primary VPN tunnels and two secondary VPN tunnels. If your organization processes 600 Mbps of traffic, you would configure three primary VPN tunnels and three secondary VPN tunnels.

In this example, the IP address of the primary ZEN is 95.172.74.5, and the IP address of the secondary ZEN is 199.168.151.112. You can learn how to locate the ZEN IP addresses for your organization under Prerequisites, below.

Organizations typically forward all traffic destined for any port to the Zscaler service. Alternatively, you can limit the traffic that you forward to the service to HTTP and HTTPS traffic (traffic destined for port 80 and port 443). Either way, tunneling preserves the internal source IP addresses of the clients, which the Zscaler service can use in security policies and logging.

Prerequisites

Before you start configuring the Zscaler service and the firewall, ensure that you have the following information for setting up the tunnel:

Locate the ZEN IP addresses

  1. Go to ips.<your cloud name>.net

    You can find the name of your cloud in the URL your admins use to log into the Zscaler service. For example, if an organization logs into admin.zscalertwo.net, then that organization's cloud name is zscalertwo.net. Therefore, in this instance, you would go to ips.zscalertwo.net. To learn more, see What is my cloud name?
  2. From the menu on the left, click Cloud Enforcement Node Ranges.
  3. Locate the VPN Host Name of two data centers closest to your organization's location and resolve the hostnames. Choose one as the destination for your primary IPsec VPN tunnel, and the other as the destination for your secondary IPsec VPN tunnel.

    For example, if you're located in London, you can scroll to the Europe section of the table, then choose lon3-vpn.zscalertwo.net (London) as your primary destination and amsterdam2-vpn.zscalertwo.net (Amsterdam) as your secondary destination.
    The following figure shows the Cloud Enforcement Node Ranges table.

Configuring the Zscaler Service

A. Enter the VPN credentials.

  1. Go to Administration > Resources > VPN Credentials.
  2. Click Add VPN Credential and do the following:
    • Authentication Type: Choose FQDN, XAUTH, or IP. In this deployment scenario, use IP, with the static public IP address that your organization provided to Zscaler (the same address you will later enter as the Local Identification of the IKE gateways, 99.41.72.25 in this lab).
    • Pre-shared Key: Enter the pre-shared key in the text box and the confirmation box. You will enter the same key on the firewall's IKE gateways.
    • Optionally, type in comments.
  3. Click Save and activate the change.

B. Link the VPN credentials to a location.

  1. Go to Administration > Resources > Locations.
  2. Add a new location, or edit an existing one.
  3. In the Add Location or Edit Location dialog box, click the down arrow beside VPN Credentials and choose the credentials you created.
  4. Click Save and activate the change.

Configuring the PA-200

This section describes how to configure two IPsec VPN tunnel interfaces on a PA-200 firewall running version 6.0.1. Refer to Palo Alto Networks documentation for additional information about the user interface.

The following figure shows the lab setup.

The ethernet1/2 interface represents the internal corporate network; all traffic from the corporate network enters the firewall through this interface. The ethernet1/4 interface is the external interface; traffic destined for any external network leaves through it. Ensure that the internal network is in the trust security zone and the external network in the untrust security zone, and that both interfaces belong to the same (default) virtual router.

Configuration for Version 6.0.1

A. Ensure that you are able to ping both of the public ZEN IP addresses you located with the instructions provided under Prerequisites. If you are unable to ping both IP addresses, please contact Zscaler Technical Support.

B. Configure two tunnel interfaces (tunnel and tunnel.2). Their IKE gateways will be bound to the external interface (ethernet1/4). Use the following parameters:

  • MTU: 1400.
  • IP address: assign an address that the firewall can use as the source address for path monitoring. It can be any address that does not overlap an existing subnet.
  • Security zone: both tunnel interfaces are in the untrust zone.
  • The tunnel interface addresses used in the configuration below are 10.10.10.1 (tunnel) and 10.10.10.2 (tunnel.2).

The following procedure describes how to configure the first tunnel interface, tunnel, with IP address 10.10.10.1. Use the same procedure to configure the tunnel.2 interface with IP address 10.10.10.2.

  1. Navigate to Network > Interfaces > Tunnel.
  2. Click Add.
  3. In the Tunnel Interface dialog, complete the following:
    • Interface Name: tunnel
    • IP: Enter 10.10.10.1
    • Management Profile: Select the appropriate profile.
    • MTU: Enter 1400.
    • Assign Interface to:
      • Virtual Router: Select Default.
      • Security Zone: Select untrust.
  4. Click OK.
  5. Click Save and Commit.

The following figure shows the configured tunnel interfaces.
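The MTU of 1400 above is chosen so that a full-size inner packet still fits the 1500-byte uplink after ESP, NAT-T and the outer IP header are added. As an added worked example that is not part of the Zscaler page, the following Python computes the on-the-wire size of an ESP tunnel-mode packet for the cipher and authentication combinations this guide configures (AES-128-CBC or null encryption with HMAC-MD5-96 or HMAC-SHA1-96), with the NAT-T UDP encapsulation the IKE gateway enables, and finds the largest inner MTU that avoids fragmenting the outer packet. The byte counts come from the ESP and NAT-T specifications; the function names and the cipher table are my own.

```python
"""Worked ESP overhead / MTU check. Added example, not from the Zscaler page.

Assumptions: IPv4 outer header without options, ESP tunnel mode (the 0.0.0.0/0
Proxy ID tunnel in this guide), NAT-T UDP encapsulation (Enable NAT Traversal is
selected on the IKE gateway), and the cipher/authentication combinations the
guide configures: AES-128-CBC or null encryption with HMAC-MD5-96 or HMAC-SHA1-96.
"""

IPV4_HDR = 20        # outer IPv4 header, no options
UDP_HDR = 8          # NAT-T: ESP carried in UDP/4500
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1), inside the encrypted part

# iv: explicit IV prepended to the ciphertext; block: alignment the padding must reach
CIPHERS = {
    "aes128": {"iv": 16, "block": 16},
    "null": {"iv": 0, "block": 4},   # ESP still requires 4-byte alignment with no cipher
}
# Integrity Check Value lengths: HMAC-MD5-96 and HMAC-SHA1-96 truncate to 96 bits,
# HMAC-SHA-256-128 to 128 bits
ICV_LEN = {"md5": 12, "sha1": 12, "sha256": 16}


def esp_packet_size(inner_len, cipher="aes128", auth="md5", nat_t=True):
    """Wire size of an ESP tunnel-mode packet carrying an inner IP packet of inner_len bytes."""
    c = CIPHERS[cipher]
    encrypted = inner_len + ESP_TRAILER
    pad = (-encrypted) % c["block"]          # padding bytes needed to reach block alignment
    outer = IPV4_HDR + (UDP_HDR if nat_t else 0)
    return outer + ESP_HDR + c["iv"] + encrypted + pad + ICV_LEN[auth]


def overhead(inner_len, **kw):
    """Bytes added by encapsulation for one inner packet of this size."""
    return esp_packet_size(inner_len, **kw) - inner_len


def max_inner_mtu(link_mtu=1500, cipher="aes128", auth="md5", nat_t=True):
    """Largest inner packet whose encapsulation fits link_mtu without outer fragmentation."""
    n = link_mtu
    while esp_packet_size(n, cipher, auth, nat_t) > link_mtu:
        n -= 1
    return n


def fits(inner_mtu, link_mtu=1500, **kw):
    """True if a full-size inner packet at inner_mtu never forces outer fragmentation."""
    return esp_packet_size(inner_mtu, **kw) <= link_mtu


if __name__ == "__main__":
    for cipher in ("aes128", "null"):
        for auth in ("md5", "sha1"):
            print(f"{cipher:6s}/{auth:4s}: overhead at MTU 1400 = "
                  f"{overhead(1400, cipher=cipher, auth=auth):2d} bytes, "
                  f"max inner MTU on a 1500-byte link = {max_inner_mtu(cipher=cipher, auth=auth)}")
    print("tunnel MTU 1400 fits a 1500-byte link:", fits(1400))
    print("tunnel MTU 1300 (value seen in the lab FIB) fits:", fits(1300))
```

For AES-128/MD5 over NAT-T a 1400-byte inner packet becomes 1472 bytes on the wire, and the largest inner packet that fits a 1500-byte link is 1422 bytes, so both 1400 and the 1300 that appears in the lab's FIB output leave headroom. IPv4 options, an IPv6 outer header or a PPPoE uplink all shrink that budget, which is the case for lowering the tunnel MTU further.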

C. Configure the IKE parameters. Create an IKE crypto profile that specifies the security settings for the IKE phase 1 negotiations.

  1. From the Network tab, expand Network Profiles and select IKE Crypto.
  2. Click Add and in the IKE Crypto Profile dialog, enter the Name Zscaler (later steps refer to the profile by this name), then select Add in each section to create a profile with the following settings:
    • DH Group: group2
    • Encryption: aes128
    • Authentication: sha1
    • Lifetime: 24 hours
  3. Click OK.

Note that group2 is 1024-bit MODP and SHA-1 is a legacy hash; they appear here because they are what the lab ZEN negotiated (see the [DH2][AES128][SHA1] proposals under Troubleshooting). Check the current Zscaler documentation for the strongest proposal the ZEN accepts and prefer it where your PAN-OS version offers it.

The following figure shows the IKE crypto profile.

Create two IKE gateways, one for each Zscaler IPsec VPN node. The following procedure describes how to create an IKE gateway. The gateway created in this example is called ZscalerPT and its peer IP address is 95.172.74.5. Use the same procedure to add a second gateway named ZscalerBT with a peer address of 199.168.151.112.

  1. From the Network tab, expand Network Profiles and select IKE Gateways.
  2. Click Add and in the IKE Gateway dialog, complete the following:
    • Name: Enter ZscalerPT.
    • Interface: Select ethernet1/4 (the external interface).
    • Local IP Address: Select None.
    • Peer IP Type: Select Static.
    • Peer IP Address: Enter the IP address of a ZEN. In this example, enter 95.172.74.5.
    • Authentication: Select Pre Shared Key.
    • Pre-shared Key: Enter the pre-shared key and enter it again in the Confirm Pre-shared Key field. This key must match the one you entered in the Zscaler VPN credential. The lab uses palo, which is a placeholder only; use a long random key in production. With aggressive mode the hash that proves knowledge of the PSK is exchanged unencrypted, so a short or guessable key can be recovered offline by anyone who captures the IKE exchange.
    • Local Identification: Select IP address and enter 99.41.72.25 (the public IP address you used for the IP-type VPN credential).
    • Peer Identification: Select None.
  3. Click Show Advanced Phase-1 Options and complete the following:
    • Exchange Mode: Select aggressive.
    • IKE Crypto Profile: Select the profile you created earlier, Zscaler.
    • Select Enable NAT Traversal.
    • Select Dead Peer Detection and enter an Interval of 20 seconds and Retry of 5 times.
  4. Click OK.

The following figure displays the configuration for each gateway.

Create an IPsec Crypto profile that specifies the security parameters for the IKE Phase 2 negotiations.

NOTE: Zscaler supports both AES and null encryption. Zscaler recommends null encryption because it reduces the load on the local router/firewall for traffic destined for the Internet. If you would like to use AES, you may purchase a separate subscription and enable it as shown below. Be clear about what null encryption means: ESP still authenticates every packet (origin and integrity), but the payload crosses the Internet to the ZEN in cleartext, so anything that is not already protected by TLS is readable on the path.

  1. From the Network tab, expand Network Profiles and select IPsec Crypto.
  2. Click Add and in the IPsec Crypto Profile dialog, complete the following:
    • Name: Enter Zscaler-IPsec (the tunnel configuration below refers to the profile by this name).
    • IPSec Protocol: Select ESP.
    • Encryption: Click Add and select aes128 (or null, per the note above).
    • Authentication: Click Add and select md5.
    • DH Group: Select group2.
    • Lifetime: Set it to 8 Hours.
    • Lifesize: Set to 100 MB.
  3. Click OK.

The following figure displays the IPsec Crypto profile.

Create a tunnel monitor profile. A tunnel monitor profile specifies how the firewall monitors IPSec tunnels and the actions it takes if the tunnel is not available.

  1. Navigate to Network.
  2. Expand Network Profiles and select Monitor.
  3. Click Add and in the Monitor Profile dialog, complete the following:
    • Name: Enter fail-over.
    • Action: Select Fail Over.
    • Interval (sec): Enter 20.
    • Threshold: Enter 5.

D. Configure the IPsec tunnels.

Create two IPsec tunnels to two different ZENs. This procedure describes how to configure the primary IPsec tunnel from VPN gateway ZscalerPT to the ZEN with IP address 95.172.74.5.

Repeat the procedure to create a secondary IPsec tunnel from VPN gateway ZscalerBT to the ZEN at 199.168.151.112.

  1. Navigate to Network > IPsec Tunnels.
  2. Click Add and in the IPsec Tunnel dialog, complete the following:
    • Name: Enter a name for the tunnel. In this example, the name is ZscalerPT.
    • Tunnel Interface: Select tunnel.
    • Type: Select Auto Key.
    • IKE Gateway: Select one of the gateways you created earlier. In this example, select ZscalerPT.
    • IPSec Crypto Profile: Select the IPsec crypto profile you created earlier. In this example, select Zscaler-IPsec.
  3. Select Show Advanced Options and complete the following:
    • Select Enable Replay Protection.
    • Tunnel Monitor: Leave this disabled. In this design, tunnel health is monitored by path monitoring in the Policy Based Forwarding rules (section E) instead.
  4. Under the Proxy IDs section, add a new service with Local and Remote IP addresses as 0.0.0.0/0 and protocol as any.
  5. Click OK, and then click Save and Commit.

E. Define the Policy Based Forwarding rule.

Create two policy based forwarding rules to route the traffic from the Palo Alto Networks appliance into the tunnels. If you want to send only port 80/443 traffic, you can configure it in the Service section of the Destination/Application/Service tab.

The following procedure describes how to configure the rule for Primary tunnel. Use the same procedure to configure the rule for Backup tunnel.

  1. Click the Policies tab and click Policy Based Forwarding.
  2. Click Add at the bottom of the page and complete the following tabs:
    • General tab:
      • Name: Enter a name for the policy.
      • Description and Tags: Optional; you can leave them blank.
    • Source tab:
      • Source Zone: Click Add and select trust.
    • Destination/Application/Service tab:
      • Destination Zone: Leave the default settings. If you want to send only port 80/443 traffic, add service-http and service-https in the Service section.
    • Forwarding tab:
      • Action: Forward
      • Egress Interface: tunnel
      • Next Hop: Leave this field blank.
      • Monitor: Enable it with the following parameters:
        • Profile: fail-over
        • Select Disable this rule if nexthop/monitor ip is unreachable.
        • IP Address: 8.8.8.8. Zscaler encourages customers to monitor tunnel health by pinging an address beyond the Zscaler servers rather than the ZEN itself.
      • Do not enable Enforce Symmetric Return.
  3. Click OK.

Create the second rule the same way for the backup tunnel, with Egress Interface tunnel.2, but do not enable Monitor on it. This keeps the firewall from flapping between the primary and backup tunnels: when the primary rule is disabled by its monitor, traffic falls through to the backup rule, and when the primary's monitor recovers, the primary rule is re-enabled and takes precedence again.

The following figures show the General, Source, Destination/Application/Service, and Forwarding tabs of the rule.

F. Define a static route for ICMP packets going via the tunnel.

  • Navigate to Network > Virtual Routers.
  • Click Static Routes and click Add to create the route. The route parameters are not listed here; the FIB capture under Troubleshooting shows what the lab ended up with: a 0.0.0.0/0 route out the tunnel interface, which gives the monitor's ICMP probes a path, alongside /32 host routes for both ZEN addresses via the upstream gateway 99.41.72.30 on ethernet1/4. Those host routes matter: without them, the default route would send the firewall's own IKE and ESP packets for the ZENs into the very tunnel they are trying to build.

Troubleshooting

Following are some sample commands that you can use to monitor and troubleshoot the VPNs. Make an SSH connection to the PA-200 and log in to the CLI to execute the commands. When you compare these captures with your own, check the negotiated proposals and lifetimes against the profiles you committed: the lab that produced these captures negotiated 28800-sec for phase 1 and 7200-sec for phase 2, which differ from the 24-hour and 8-hour values given in the procedure above, and the show vpn tunnel capture comes from a configuration with different tunnel and gateway names.

View list of "show vpn" commands

admin@PA-200> show vpn ?
> flow Show dataplane IPSec-VPN tunnel information
> gateway show list of IKE gateway configuration
> ike-sa show IKE SA
> ipsec-sa show IPSec SA
> tunnel show list of auto-key IPSec tunnel configuration

View the VPN tunnels and their states and peer addresses

admin@PA-200> show vpn flow
total tunnels configured: 2
filter - type IPSec, state any
total IPSec tunnel configured: 2
total IPSec tunnel shown: 2
id   name        state   monitor  local-ip  peer-ip           tunnel-i/f
-------------------------------------------------------------------------
3    ZscalerPT   active  up       0.0.0.0   95.172.74.5       tunnel
4    ZscalerBT   active  up       0.0.0.0   199.168.151.112   tunnel.2

View the VPN gateway configuration information

admin@PA-200> show vpn gateway
GwID  Name        Peer Address/ID   Local Address/ID                  Protocol  Proposals
-------------------------------------------------------------------------------------------
1     ZscalerPT   95.172.74.5       99.41.72.25(ipaddr:99.41.72.25)   Aggr      [PSK][DH2][AES128][SHA1] 28800-sec
2     ZscalerBT   199.168.151.112   99.41.72.25(ipaddr:99.41.72.25)   Aggr      [PSK][DH2][AES128][SHA1] 28800-sec
Show IKE gateway config: Total 2 gateways found.

View the Phase 1 Tunnel

admin@PA-200> show vpn ike-sa
phase-1 SAs
GwID/client IP  Peer-Address           Gateway Name           Role Mode Algorithm          Established     Expiration      V  ST Xt Phase2
-------------------------------------------------------------------------------------------------------------------------------------
              1 95.172.74.5            ZscalerPT              Init Aggr PSK/DH2/A128/SHA1 Nov.14 10:57:54 Nov.14 18:57:54 v1 12  5   2342 
              2 199.168.151.112        ZscalerBT              Init Aggr PSK/DH2/A128/SHA1 Nov.14 11:15:05 Nov.14 19:15:05 v1 12  1   2156 
Show IKEv1 IKE SA: Total 2 gateways found. 2 ike sa found.
phase-2 SAs
GwID/client IP  Peer-Address           Gateway Name           Role Algorithm               SPI(in)  SPI(out) MsgID    ST Xt
-------------------------------------------------------------------------------------------------------------------------------------
              1 95.172.74.5            ZscalerPT              Init DH2 /tunl/ESP/A128/MD5  A9E46021 08F92DD3 F6A1AA02  9  1 
              2 199.168.151.112        ZscalerBT              Init DH2 /tunl/ESP/A128/MD5  CDA37FAC 0B84DBFD 4CDC542F  9  1 
Show IKEv1 phase2 SA: Total 2 gateways found. 2 ike sa found.

View the Phase 2 Tunnel

admin@PA-200> show vpn ipsec-sa
GwID/client IP  TnID Peer-Address           Tunnel(Gateway)         Algorithm     SPI(in)  SPI(out) life(Sec/KB)
-------------------------------------------------------------------------------------------------------------
             1     1 95.172.74.5            ZscalerPT(ZscalerPT)    ESP/A128/MD5  EA722827 05F7782A   7199/102400
             2     2 199.168.151.112        ZscalerBT(ZscalerBT)    ESP/A128/MD5  E9251A84 0DDF8BFA   7199/102400
Show IPSec SA: Total 2 tunnels found. 2 ipsec sa found.

View VPN Tunnels

admin@PA-200> show vpn tunnel
TnID  Name(Gateway)                   Local Proxy IP  Ptl:Port  Remote Proxy IP  Ptl:Port  Proposals
3     Zscaler-Tunnel(VPN-71)          0.0.0.0/0       0:0       0.0.0.0/0        0:0       ESP tunl [DH2][AES128][MD5] 7200-sec
4     Zscaler-backup-tunnel(VPN-81)   0.0.0.0/0       0:0       0.0.0.0/0        0:0       ESP tunl [DH2][AES128][MD5] 7200-sec
Show IPSec tunnel config: Total 2 tunnels found

Clear Phase 1 Tunnel

admin@PA-200> clear vpn ike-sa
Delete IKEv1 IKE SA: Total 2 gateways found. 2 ike sa found.

Clear Phase 2 Tunnel

admin@PA-200> clear vpn ipsec-sa
Delete IKEv1 IPSec SA: Total 2 tunnels found. 2 ipsec sa found.

View the Routing Table

admin@PA-200> show routing fib
total virtual-router shown : 1
-------------------------------------------------------------------------------------------------------------------------------------
virtual-router name: Default
interfaces:
   ethernet1/2 ethernet1/4 tunnel tunnel.2
route table:
flags: u - up, h - host, g - gateway
maximum of fib entries for device:                 1000
maximum of IPv4 fib entries for device:            1000
maximum of IPv6 fib entries for device:            1000
number of fib entries for device:                  9
maximum of fib entries for this fib:               1000
number of fib entries for this fib:                9
number of fib entries shown:                       9
id      destination           nexthop            flags  interface          mtu 
-------------------------------------------------------------------------------------------------------------------------------------
20      0.0.0.0/0             0.0.0.0            u      tunnel             1300
19      10.10.10.1/32         0.0.0.0            uh     tunnel             1300
16      10.10.10.2/32         0.0.0.0            uh     tunnel.2           1300
2       10.84.0.0/24          0.0.0.0            u      ethernet1/2        1500
1       10.84.0.116/32        0.0.0.0            uh     ethernet1/2        1500
12      95.172.74.5/32        99.41.72.30        ug     ethernet1/4        1500
4       99.41.72.16/28        0.0.0.0            u      ethernet1/4        1500
3       99.41.72.25/32        0.0.0.0            uh     ethernet1/4        1500
18      199.168.151.112/32    99.41.72.30        ug     ethernet1/4        1500
-------------------------------------------------------------------------------------------------------------------------------------
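The two captures a practitioner checks first after a commit are show vpn flow (is each tunnel active, is its monitor up) and show routing fib (does each ZEN peer address resolve, by longest-prefix match, to the external interface rather than into a tunnel, which is what the /32 host routes for 95.172.74.5 and 199.168.151.112 via 99.41.72.30 guarantee while the default route points at tunnel). As an added example that is not part of the original page, the following Python parses both captures, embedded inline as constructed sample input re-typed from the lab output above, and reports findings for any tunnel that is not active, has its monitor down, or whose peer would be routed into a tunnel interface. The parsing regexes, function names and finding strings are my own.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample input: the 'show vpn flow' and 'show routing fib' captures
# from this page, re-typed with spaces instead of tabs (lab values, not live data).
SHOW_VPN_FLOW = """\
total tunnels configured: 2
filter - type IPSec, state any
id name             state monitor local-ip peer-ip           tunnel-i/f
-----------------------------------------------------------------------
3  ZscalerPT        active up      0.0.0.0  95.172.74.5       tunnel
4  ZscalerBT        active up      0.0.0.0  199.168.151.112   tunnel.2
"""

SHOW_ROUTING_FIB = """\
virtual-router name: Default
id      destination           nexthop            flags  interface          mtu
-------------------------------------------------------------------------------
20      0.0.0.0/0             0.0.0.0            u      tunnel             1300
19      10.10.10.1/32         0.0.0.0            uh     tunnel             1300
16      10.10.10.2/32         0.0.0.0            uh     tunnel.2           1300
2       10.84.0.0/24          0.0.0.0            u      ethernet1/2        1500
1       10.84.0.116/32        0.0.0.0            uh     ethernet1/2        1500
12      95.172.74.5/32        99.41.72.30        ug     ethernet1/4        1500
4       99.41.72.16/28        0.0.0.0            u      ethernet1/4        1500
3       99.41.72.25/32        0.0.0.0            uh     ethernet1/4        1500
18      199.168.151.112/32    99.41.72.30        ug     ethernet1/4        1500
"""

# Data rows start with a numeric id; header, totals and separator lines do not.
FLOW_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
FIB_ROW = re.compile(r"^\s*(\d+)\s+(\S+/\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_vpn_flow(text):
    """One dict per tunnel row of 'show vpn flow'."""
    tunnels = []
    for line in text.splitlines():
        m = FLOW_ROW.match(line)
        if m:
            tid, name, state, monitor, local_ip, peer_ip, iface = m.groups()
            tunnels.append({"id": int(tid), "name": name, "state": state,
                            "monitor": monitor, "local_ip": local_ip,
                            "peer_ip": peer_ip, "interface": iface})
    return tunnels


def parse_fib(text):
    """One dict per route row of 'show routing fib'."""
    routes = []
    for line in text.splitlines():
        m = FIB_ROW.match(line)
        if m:
            rid, dest, nexthop, flags, iface, mtu = m.groups()
            routes.append({"id": int(rid), "network": ip_network(dest, strict=False),
                           "nexthop": nexthop, "flags": flags,
                           "interface": iface, "mtu": int(mtu)})
    return routes


def best_route(routes, addr):
    """Longest-prefix match, the way the dataplane FIB resolves a destination."""
    a = ip_address(addr)
    matches = [r for r in routes if a in r["network"]]
    return max(matches, key=lambda r: r["network"].prefixlen, default=None)


def audit(flow_text, fib_text, external_if="ethernet1/4"):
    """Return a list of findings; an empty list means every tunnel is up and sanely routed."""
    findings = []
    tunnels = parse_vpn_flow(flow_text)
    routes = parse_fib(fib_text)
    if not tunnels:
        findings.append("no IPsec tunnels found in 'show vpn flow'")
    for t in tunnels:
        if t["state"] != "active":
            findings.append(f"{t['name']}: tunnel state is {t['state']}")
        if t["monitor"] == "down":
            findings.append(f"{t['name']}: tunnel monitor is down")
        r = best_route(routes, t["peer_ip"])
        if r is None:
            findings.append(f"{t['name']}: no route to peer {t['peer_ip']}")
        elif r["interface"] != external_if:
            # A peer that resolves into a tunnel interface means IKE/ESP for that ZEN
            # would be sent into the tunnel it is meant to build; add a /32 host route
            # for the peer via the upstream gateway on the external interface.
            findings.append(f"{t['name']}: peer {t['peer_ip']} is routed via "
                            f"{r['interface']} ({r['network']}), expected {external_if}")
    return findings


if __name__ == "__main__":
    for f in audit(SHOW_VPN_FLOW, SHOW_ROUTING_FIB) or ["all tunnels active and correctly routed"]:
        print(f)
```

Run against the lab captures the audit returns no findings. Delete the 95.172.74.5/32 host route from the FIB text and the primary peer falls through to the 0.0.0.0/0 route out tunnel, which is exactly the misconfiguration the static routes in section F exist to prevent.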