epinheiro
Staff
Article Id 281924
Description

This article provides a sample configuration of an IPsec VPN between a FortiGate and a remote Palo Alto peer, authenticated with a pre-shared key.

Topology: [topology diagram, shown only as a screenshot in the original article]

Scope

FortiGate, Palo Alto.
Solution
  • Go to VPN -> IPSec Tunnels and select 'Create New' -> IPSec Tunnel.


Note:

The wizard shows all available templates so that the process can be sped up, but the 'Custom' option will be used here for a better understanding of each step of the IPSec tunnel creation.


  • Set the tunnel name (after creation, the tunnel name cannot be modified).


The process is straightforward: Phase 1 and Phase 2 can both be configured on a single screen.


Note:

This is just a sample; the tunnel configuration must be adjusted to the requirements of the network.


  • Phase 1 Configuration:


  • Phase 2 Configuration:


  • Checking the tunnel:


  • Create the static route pointing to the Palo Alto LAN:


  • Create the firewall policy allowing outbound and inbound traffic:
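The FortiGate steps above (tunnel creation, Phase 1, Phase 2, static route and the two firewall policies) can also be entered through the FortiOS CLI. The following is an added example and not the article's own configuration: the article shows its values only in screenshots, so the interface names (port1 as WAN, port2 as LAN), the LAN subnets, the peer address, the tunnel name "to_paloalto" and the pre-shared key placeholder are all assumptions to be replaced with the real values.

```text
# Added example (not from the article): FortiOS CLI equivalent of the GUI steps.
# Assumed values: WAN interface port1, LAN interface port2,
# FortiGate LAN 192.168.10.0/24, Palo Alto LAN 192.168.20.0/24,
# Palo Alto public IP 203.0.113.2, tunnel name "to_paloalto".

# Phase 1: IKEv2, pre-shared key, AES-256/SHA-256, DH group 14.
# Proposal and DH group must match the IKE Crypto profile attached to the
# IKE gateway on the Palo Alto side, otherwise Phase 1 never completes.
config vpn ipsec phase1-interface
    edit "to_paloalto"
        set interface "port1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 203.0.113.2
        set psksecret "REPLACE-WITH-A-LONG-RANDOM-PSK"
    next
end

# Phase 2: the selectors define the traffic protected by the tunnel. They must
# mirror the Proxy IDs set on the Palo Alto IPSec tunnel (local/remote swapped),
# and the proposal must match the IPSec Crypto profile referenced there.
config vpn ipsec phase2-interface
    edit "to_paloalto_p2"
        set phase1name "to_paloalto"
        set proposal aes256-sha256
        set dhgrp 14
        set pfs enable
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 192.168.20.0 255.255.255.0
    next
end

# Static route to the Palo Alto LAN through the tunnel interface.
config router static
    edit 0
        set dst 192.168.20.0 255.255.255.0
        set device "to_paloalto"
    next
end

# Address objects plus the outbound and inbound policies. Restricting the
# addresses to the two LANs rather than "all" keeps the policies aligned with
# the Phase 2 selectors and limits what can cross the tunnel.
config firewall address
    edit "FGT_LAN"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "PA_LAN"
        set subnet 192.168.20.0 255.255.255.0
    next
end
config firewall policy
    edit 0
        set name "LAN-to-PaloAlto"
        set srcintf "port2"
        set dstintf "to_paloalto"
        set srcaddr "FGT_LAN"
        set dstaddr "PA_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "PaloAlto-to-LAN"
        set srcintf "to_paloalto"
        set dstintf "port2"
        set srcaddr "PA_LAN"
        set dstaddr "FGT_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The pre-shared key should be long and random and generated per tunnel; both ends must carry the identical value, and a mismatch shows up as a Phase 1 authentication failure rather than a clear error message. The "service ALL" lines are kept to match the article's policies; in production they are normally narrowed to the services actually needed across the tunnel.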


Note:

All parameters are now configured on the FortiGate; Phase 1 and Phase 2 must also be configured on the Palo Alto firewall.

On Palo Alto, it is necessary to access more options on different screens to create the IPSec tunnel.


  • For Phase 1 Proposal, access 'IPSec Crypto':


  • For Phase 2 Proposal, access 'IKE Crypto':


  • Then, configure the IKE gateway:


  • On 'Advanced Options', set the Phase 2 Proposal on 'IKE Crypto Profile':


  • Create a tunnel interface on the following path: Network -> Interfaces -> Tunnel.

It is necessary to set an ID for the tunnel.


  • Then create the IPSec tunnel on the following path: Network -> IPSec tunnel.

It is necessary to select the tunnel interface with the ID just created, in this case 'tunnel.1'. Also, select the Phase 1 Proposal on 'IPSec Crypto Profile':


  • Set the phase 2 selectors on 'Proxy IDs':


  • Create the static route pointing to the FortiGate LAN on Network -> Virtual Router -> Default -> Static Route.


  • Create the Security Policy allowing outbound and inbound traffic on Policies -> Security.


  • Validating the IPSec tunnel on FortiGate:


  • Validating the IPSec tunnel on Palo Alto:


  • Ping Test:


  • On the FortiGate, to check the 'IPSec Monitor', go to Dashboard -> Network -> IPSec.
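The validation steps above (tunnel status on the FortiGate, the ping test and the IPSec monitor) have CLI counterparts that show more detail than the dashboard widget, in particular which parameter is rejected when a phase does not come up. The following is an added example, not commands from the article; the tunnel name "to_paloalto", the Phase 2 name "to_paloalto_p2" and the addresses are the assumed values of the CLI configuration example and must be replaced with the real ones.

```text
# Added example (not from the article): validating the tunnel from the FortiOS CLI.
# Assumed names: Phase 1 "to_paloalto", Phase 2 "to_paloalto_p2",
# FortiGate LAN gateway 192.168.10.1, host on the Palo Alto LAN 192.168.20.1.

# IKE (Phase 1) SAs: the gateway entry should list the Palo Alto peer address
# and an established IKE SA.
diagnose vpn ike gateway list name to_paloalto

# IPsec (Phase 2) SAs: each proxy ID (selector pair) should have an installed SA
# and the negotiated encryption/authentication algorithms.
diagnose vpn tunnel list name to_paloalto

# One-line summary of every tunnel with SA counts and traffic counters.
get vpn ipsec tunnel summary

# Bring the tunnel up manually instead of waiting for interesting traffic,
# then re-run the two diagnose commands above.
diagnose vpn tunnel up to_paloalto_p2 to_paloalto

# Ping test sourced from the FortiGate LAN address so the traffic matches the
# Phase 2 selectors and the LAN-to-PaloAlto policy.
execute ping-options source 192.168.10.1
execute ping 192.168.20.1

# After changing a proposal, DH group or proxy ID on either side, clear the
# existing SAs so the new parameters are renegotiated.
diagnose vpn ike gateway clear name to_paloalto

# Real-time IKE negotiation log: when Phase 1 or Phase 2 fails, the output
# names the mismatched proposal, DH group, identity or selector.
diagnose debug application ike -1
diagnose debug enable
# ... repeat the ping test while the debug is running ...
diagnose debug disable
diagnose debug reset
```

On the Palo Alto side the equivalent checks are "show vpn ike-sa" and "show vpn ipsec-sa" from the PAN-OS CLI; the IKE gateway and IPSec tunnel must appear as up on both devices, and the proxy IDs shown by the Palo Alto must be the mirror image of the FortiGate Phase 2 selectors. Leave the IKE debug enabled only for the duration of the test, since it is verbose and includes peer identities.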
