IPsec Site-to-Site VPN Palo Alto <-> Cisco Router

This time I configured a static S2S VPN between a Palo Alto firewall and a Cisco IOS router. Here comes the tutorial:

I am not using a virtual interface (VTI) on the Cisco router in this scenario, but the classical policy-based VPN solution. That is, no route entry is needed on the Cisco machine. However, the Palo Alto implements all VPNs with tunnel interfaces. Hence, a route to the tunnel and Proxy IDs must be configured. (I also wrote a guide for a route-based VPN between a Cisco router and a Palo Alto firewall here.)

This is one of many VPN tutorials on my blog. –> Have a look at this full list. <–

In my test lab I am running a PA-200 with PAN-OS 6.0.3. The Cisco router is an old Cisco 2621 with IOS 12.3(26) and image “c2600-ik9o3s3-mz.123-26.bin”.

Laboratory

The following figure depicts my test laboratory:

S2S VPN Palo Alto - Cisco Router Laboratory

Palo Alto

The configuration steps for the Palo Alto Networks firewall are the following:

  1. IKE and IPSec Crypto profiles, e.g., aes256, sha1, pfs group 5, lifetime 8h/1h.
  2. IKE Gateway with the pre-shared key and the corresponding IKE Crypto Profile. The “Identification” fields are not needed.
  3. Tunnel Interface within a virtual router (e.g., “default”) and a security zone (e.g., “vpn-s2s”). The interface does not need an IP address.
  4. IPSec Tunnel: ties everything together: tunnel interface, IKE gateway, IPSec crypto profile. Furthermore, the Proxy IDs (= protected networks) are set here.
  5. Static route to the destination network through the tunnel interface (without next hop address).
  6. Policy from untrust to untrust with the applications “ike”, “ipsec”, and “ciscovpn” allowed.
  7. Policies from trust zones to the zone in which the tunnel interface resides.

Here are my configuration screenshots:

Cisco Router

The Cisco router, configured through the CLI, needs the following lines:

  1. crypto isakmp appropriate to the “IKE Crypto” on the PA
  2. crypto isakmp key with the pre-shared key
  3. crypto ipsec appropriate to the “IPSec Crypto” on the PA
  4. access-list which defines the protected networks, corresponding to the “Proxy IDs”
  5. crypto map with the transform-set, peer, pfs group, and access-list
  6. crypto map applied to the outside interface
  7. (Note: No route entry is needed since this VPN is a policy-based VPN which makes its routing decision based on the access-list.)

Here are my configuration commands:
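The author's command listing did not survive on this page. The following Cisco IOS configuration is an added example that reconstructs steps 1 to 7 above with the parameters named in the Palo Alto section (aes256, sha1, PFS group 5, IKE lifetime 8 h, IPsec lifetime 1 h); the peer and interface addresses, the interface name, the protected networks and the pre-shared key are placeholders, not the author's lab values.

```cisco
! Added example, not the author's listing. All addresses, the interface
! name and the key are placeholders (RFC 5737 documentation ranges).
!
! 1. ISAKMP (IKE phase 1) policy matching the PA "IKE Crypto" profile:
!    aes256 / sha1 / DH group 5 / lifetime 8 h (28800 s)
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 28800
!
! 2. Pre-shared key, bound to the Palo Alto's outside address
crypto isakmp key REPLACE-WITH-PSK address 198.51.100.1
!
! 3. Transform set matching the PA "IPSec Crypto" profile (aes256 / sha1)
crypto ipsec transform-set PA-TS esp-aes 256 esp-sha-hmac
!
! 4. Protected networks = the Proxy IDs on the Palo Alto.
!    One ACL entry per Proxy ID, written as local -> remote.
ip access-list extended VPN-TO-PA
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! 5. Crypto map: transform set, peer, PFS group 5, 1 h (3600 s) SA lifetime, ACL
crypto map PA-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set PA-TS
 set pfs group5
 set security-association lifetime seconds 3600
 match address VPN-TO-PA
!
! 6. Apply the crypto map to the outside interface
interface FastEthernet0/0
 ip address 192.0.2.2 255.255.255.0
 crypto map PA-MAP
!
! 7. No route for the remote network itself: the default route sends that
!    traffic out Fa0/0, where the crypto map matches it against the ACL.
ip route 0.0.0.0 0.0.0.0 192.0.2.1
```

The ACL only selects which packets are encrypted; the packets still have to be routed out of the interface carrying the crypto map, which the default route does here.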

Monitoring

After a successful establishment of the tunnel, the PA shows green bubbles in its IPSec Tunnels overview. The Session Browser reveals active sessions for ike or ciscovpn and ipsec-esp. However, I noticed that after these sessions are gone, only the ike sessions are in my traffic log, while the ipsec sessions are not correct according to the listed traffic bytes. Hm. Has anyone else recognized a similar behaviour?

The Cisco router can be queried with the subsequent commands:

  • show crypto isakmp sa detail
  • show crypto ipsec sa
  • show crypto map

And one more time: Since the Cisco Router decides its forwarding decisions for VPNs on the policy (ACL) and NOT on route entries, the routing table does NOT show any of my site-to-site remote networks, but only the connected and static configured routes:

Links

Similar information about this tunnel can be found here:

10 thoughts on “IPsec Site-to-Site VPN Palo Alto <-> Cisco Router”

  1. What if you have to make 4 policies on the Cisco Router? Do you create 4 tunnels on Palo Alto, or only the proxy ID?

    1. You mean if you have 4 ACL entries on the Cisco router? Then you have to set up these 4 networks in the Proxy ID section. You do NOT need to create 4 IPsec tunnels.

  2. “And one more time: Since the Cisco Router decides its forwarding decisions for VPNs on the policy (ACL) and NOT on route entries, the routing table does NOT show any of my site-to-site remote networks, but only the connected and static configured routes”

    The ACL defines what traffic should be encrypted when it is being routed. However, you will NEED to have a route for your remote destinations. The routing decision is done first. Yes, you do not have the routes explicitly configured. You have a static route with a next hop given. This next hop is reachable out of Fa0/0. Traffic for your remote network will be routed out of Fa0/0, and since this interface has the crypto map applied and the traffic matches the ACL, it will be encrypted.

    The forwarding decision is made based on the routing table. What is being encrypted is decided by the ACL.

    1. Sorry, but I am not showing these “vendor A to vendor A” cases. Please read the official Palo Alto documentation where it is explained in detail.

  3. Hi,

    I’m not able to establish the VPN connection. I followed the instructions except for the IP addressing part. Not sure what the issue is. I’m using GNS3 to do the testing. Any advice on what to check?

    Cheers

    1. Hi Dong,
      sorry, I cannot help you. There are MANY potential problems when it comes to IPsec with different vendors. Furthermore, I don’t know how exactly the IPsec implementation is built in GNS3.
      Try to debug as much as possible on both sides…

  4. What if instead you had another Cisco router behind the Palo that wanted to initiate a tunnel with the Cisco router on the other side? The Palo would be NATing traffic to the Cisco router…

    1. You mean:
      Router <<-->> Palo <<-->> Router
      while the VPN is terminated on both routers? Then it’s straightforward, since the Palo only acts as another router that can (but must not) do NAT.
