Palo Alto EDU-110: Site to Site VPNs


  • Describe the three basic requirements for creating a VPN
  • Configure the interface, IP addresses, and PSK for the IKE Gateway
  • Configure the DH group, encryption methods, and authentication methods for an IKE Cryptographic profile
  • Configure a static route in the route table for the tunnel
  • Troubleshoot IPSec VPN issues from the responder side of the VPN tunnel

Site to Site Overview

IPsec VPNs are implemented between Palo Alto firewalls as route based tunnels, rather than policy based designs.

In a route based VPN, the determining factor of which traffic will be tunneled is the final destination of that traffic.

Route based VPNs are easy to deploy and can scale easily due to the advantage of being supported by dynamic routing protocols.

The Palo Alto firewall can also interoperate with third party policy based VPN devices.

When received traffic is destined for a remote private network, the firewall looks up the next hop in the routing table.

If it is a remote network, the routing table points to a logical tunnel interface.

This interface is not a real interface, but has the information required to create an IPSec tunnel.

Once the traffic is sent to this logical tunnel interface, the VPN is created and traffic is sent through it.

Palo Alto firewalls support IKE version 1 and 2. Version 1 is more commonly used, but version 2 supports the requirements of the Network Device Protection Profile, or NDPP.

The option of ‘IKEv2 preferred mode’ provides the ability for the Palo Alto to fall back to IKEv1 after 5 failed retries, which takes around 30 seconds.

IKE Phase 1

IKE Phase 1 identifies the end points of the VPN.

Phase 1 uses peer IDs to identify the devices at each end of the VPN. This is often just the public IP address of the device.

In situations where the public IP is not static, it can be replaced with a domain name or other text value.

Three exchange mode settings are available on Palo Alto firewalls: Aggressive, Main, and Auto.

Five pieces of information are negotiated during Phase 1:

  1. Authentication Method
  2. Diffie-Hellman key exchange
  3. Symmetric Key Algorithm / Bulk Data Encryption
  4. Hashing Algorithm
  5. Lifetime

IKE Phase 2

Phase 2 creates the tunnel that will encapsulate data traffic.

Whilst IKE Phase 1 deals with the authentication, Phase 2 focuses on the data that is transmitted across the tunnel.

Each side of the tunnel has proxy IDs to identify the traffic it is sending and what it expects to receive. These IDs can be a specific network range or a generic network of

Both sides need to know what the other side will be sending in order for the VPN tunnel to work.

Five pieces of information are negotiated during Phase 2:

  1. IPSec type and mode
  2. Diffie-Hellman / PFS
  3. Symmetric Key Algorithm / Bulk Data Encryption
  4. Hashing Algorithm
  5. Lifetime before rekeying

Route Based Site to Site VPN

A single VPN may be sufficient for connecting a single central site and a remote site.

Connections between a central site and multiple remote sites require a VPN tunnel for each central-to-remote site pair.

Each tunnel is bound to a tunnel interface.

VPN traffic is moved across the tunnel interface to the same virtual router as the incoming plaintext traffic.

When a packet arrives at the firewall, the route lookup function determines the most appropriate tunnel to use.

The tunnel interface appears to the Palo Alto operating system as a normal interface, and existing routing protocols and infrastructure can be applied.

Each tunnel interface can carry a maximum of 10 IPSec tunnels, which allows separate IPSec tunnels to be created for individual networks that share the same tunnel interface on the firewall.

VPN Tunnel Component Interaction

Three basic requirements for creating a VPN in Pan-OS:

  1. Create the tunnel interface or Phase 1 Objects
    1. See Network -> Interfaces -> Tunnel
    2. The new logical interface must be added to a Layer 3 zone and to a virtual router just as any other logical Layer 3 interface would
  2. Configure the IPSec tunnel or Phase 2 Objects:
    1. A basic interface can be used when creating a tunnel between PAN-OS devices with known IP addresses
    2. The only values needed are the tunnel interface to use, local peer ID, remote peer ID, and pre-shared key
    3. If configuration is with another Palo Alto firewall, make use of the default crypto profiles
    4. If the configuration is with another vendor's firewall, configure the advanced settings in Crypto Profiles to match on both sides
  3. Add a static route to the virtual router or enable a routing protocol such as BGP, OSPF, or RIP
    1. Add a route table entry for the remote network that points to the tunnel interface from Steps 1 and 2
    2. Create a route for the remote network using the tunnel interface
    3. No next-hop IP address is required when tunnel interfaces are used
    4. Ensure to create a security rule to allow tunneled traffic
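The three steps above come together at forwarding time: the virtual router does a route lookup on the destination, the route points at a logical tunnel interface with no next hop, and the IPSec tunnel on that interface whose proxy IDs cover the packet is selected. The following Python model is an added example (not EDU-110 course material and not PAN-OS code); the prefixes, interface names and tunnel names in it are constructed for illustration.

```python
# Added example, not from the EDU-110 material: how a route-based VPN decides
# that a packet belongs in a tunnel. Prefixes, interface names and tunnel
# names below are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class StaticRoute:
    prefix: IPv4Net
    interface: str                                     # "tunnel.N" or a physical interface
    next_hop: Optional[ipaddress.IPv4Address] = None   # None: tunnel routes need no next hop


@dataclass(frozen=True)
class IpsecTunnel:
    name: str
    tunnel_interface: str   # several IPSec tunnels may share one tunnel interface
    local_proxy: IPv4Net    # local proxy ID
    remote_proxy: IPv4Net   # remote proxy ID


# Constructed virtual-router routing table: two remote networks reachable over
# tunnel.1 (no next hop), everything else out of the internet-facing interface.
ROUTES: List[StaticRoute] = [
    StaticRoute(IPv4Net("10.10.0.0/16"), "tunnel.1"),
    StaticRoute(IPv4Net("10.20.0.0/16"), "tunnel.1"),
    StaticRoute(IPv4Net("0.0.0.0/0"), "ethernet1/1", ipaddress.IPv4Address("203.0.113.1")),
]

# Two IPSec tunnels bound to the same tunnel interface, told apart by proxy IDs.
TUNNELS: List[IpsecTunnel] = [
    IpsecTunnel("to-branch-a", "tunnel.1", IPv4Net("192.168.1.0/24"), IPv4Net("10.10.0.0/16")),
    IpsecTunnel("to-branch-b", "tunnel.1", IPv4Net("192.168.1.0/24"), IPv4Net("10.20.0.0/16")),
]


def lookup_route(dst: ipaddress.IPv4Address, routes: List[StaticRoute]) -> Optional[StaticRoute]:
    """Longest-prefix match, the same lookup the virtual router performs."""
    matches = [r for r in routes if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def forwarding_decision(src: str, dst: str, routes=ROUTES, tunnels=TUNNELS) -> Tuple[str, str]:
    """Return (action, detail): 'forward' in the clear, 'encrypt' via a named
    IPSec tunnel, or 'drop' with the reason."""
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    route = lookup_route(dst_ip, routes)
    if route is None:
        return ("drop", "no route to destination")
    if not route.interface.startswith("tunnel."):
        return ("forward", f"{route.interface} via {route.next_hop}")
    # The route points at a logical tunnel interface: pick the IPSec tunnel on
    # that interface whose proxy IDs cover this source/destination pair.
    for t in tunnels:
        if (t.tunnel_interface == route.interface
                and src_ip in t.local_proxy and dst_ip in t.remote_proxy):
            return ("encrypt", t.name)
    return ("drop", f"no IPSec tunnel on {route.interface} matches proxy IDs")


if __name__ == "__main__":
    for src, dst in [("192.168.1.10", "10.10.20.5"), ("192.168.1.10", "10.20.3.4"),
                     ("192.168.1.10", "8.8.8.8"), ("172.16.0.9", "10.10.1.1")]:
        print(src, "->", dst, forwarding_decision(src, dst))
```

The last case is the one worth noticing when troubleshooting: the route is correct and points at tunnel.1, but no IPSec tunnel on that interface has proxy IDs covering 172.16.0.9, so the traffic never enters a tunnel even though routing looks right.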

Troubleshooting IPSec Tunnels

Begin by looking at the IPSec Tunnels page; each tunnel provides useful troubleshooting information.

Go to Network -> IPSec tunnels

Tunnel Status: Green indicates that a Phase 2 SA has been established. Red indicates that the SA is not available or has expired.

IKE Gateway Status: Green indicates a valid IKE Phase 1 SA or IKEv2 IKE SA. Red indicates that the IKE Phase 1 SA is not available or has expired.

Tunnel Interface Status:

Green indicates that the tunnel interface is up, because tunnel monitor is disabled or the tunnel monitor status is up and the monitoring IP is reachable. Red indicates that the tunnel interface is down because the tunnel monitor is enabled and the remote IP address is unreachable.

Tunnels are established only when traffic is attempting to cross. The test vpn command in the CLI can be used to initiate a tunnel manually.

Common VPN error messages

Always troubleshoot error messages from the responder!

Issue                     | Initiator Error     | Responder Error
Wrong IP / no connection  | P1 – Timeout        | P1 – Timeout
No matching P1 proposal   | P1 – Timeout        | No suitable proposal (P1)
Mismatched peer ID        | P1 – Timeout        | Peer identifier does not match
No matching P2 proposal   | No proposal chosen  | No suitable proposal (P2)
PFS group mismatch        | P2 – Timeout        | PFS group mismatch
Mismatched proxy ID       | P2 – Timeout        | Cannot find matching Phase 2 tunnel
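The table makes the point that the initiator mostly sees timeouts, while the responder can name the exact mismatch. The Python model below is an added example (not part of the course notes, and not PAN-OS code) that ties the Phase 1 and Phase 2 negotiation items listed earlier to the responder-side messages in the table: two peers each carry an IKE crypto profile, an IPSec crypto profile, a peer ID and proxy IDs, and the responder checks them in turn. Profile values, peer IDs and proxy IDs are constructed; the order in which the checks are applied is an assumption of the model; and the first row of the table (no reply at all) is outside what a proposal comparison can show.

```python
# Added example, not from the EDU-110 material: a model of what the responder
# checks during IKE negotiation and which responder-side message from the
# troubleshooting table each failure produces. Profile values, peer IDs and
# proxy IDs are constructed; the order of the checks is an assumption of
# this model, not a statement about PAN-OS internals.
import ipaddress
from dataclasses import dataclass, replace
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class IkeCryptoProfile:            # Phase 1: DH groups, encryption, authentication (hash)
    dh_groups: FrozenSet[str]
    encryption: FrozenSet[str]
    authentication: FrozenSet[str]


@dataclass(frozen=True)
class IpsecCryptoProfile:          # Phase 2: bulk encryption, hash, optional PFS group
    encryption: FrozenSet[str]
    authentication: FrozenSet[str]
    pfs_group: Optional[str]       # None means PFS disabled


@dataclass(frozen=True)
class Peer:
    local_id: str                  # peer ID this device presents
    expected_remote_id: str        # peer ID it expects from the other side
    ike: IkeCryptoProfile
    ipsec: IpsecCryptoProfile
    local_proxy: ipaddress.IPv4Network
    remote_proxy: ipaddress.IPv4Network


def responder_result(initiator: Peer, responder: Peer) -> str:
    """Simulate the responder's view of a negotiation and return 'OK' or the
    responder-side error string from the troubleshooting table."""
    # Phase 1: the proposals must share at least one DH group, cipher and hash.
    if not all([initiator.ike.dh_groups & responder.ike.dh_groups,
                initiator.ike.encryption & responder.ike.encryption,
                initiator.ike.authentication & responder.ike.authentication]):
        return "No suitable proposal (P1)"
    if initiator.local_id != responder.expected_remote_id:
        return "Peer identifier does not match"
    # Phase 2: the responder locates the IPSec tunnel by proxy IDs, which must
    # mirror each other (my local is your remote and vice versa).
    if (initiator.local_proxy != responder.remote_proxy
            or initiator.remote_proxy != responder.local_proxy):
        return "Cannot find matching Phase 2 tunnel"
    if not all([initiator.ipsec.encryption & responder.ipsec.encryption,
                initiator.ipsec.authentication & responder.ipsec.authentication]):
        return "No suitable proposal (P2)"
    if initiator.ipsec.pfs_group != responder.ipsec.pfs_group:
        return "PFS group mismatch"
    return "OK"


# What the initiator sees for each responder-side outcome, per the table above.
INITIATOR_VIEW = {
    "OK": "OK",
    "No suitable proposal (P1)": "P1 - Timeout",
    "Peer identifier does not match": "P1 - Timeout",
    "No suitable proposal (P2)": "No proposal chosen",
    "PFS group mismatch": "P2 - Timeout",
    "Cannot find matching Phase 2 tunnel": "P2 - Timeout",
}


def initiator_view(responder_message: str) -> str:
    return INITIATOR_VIEW[responder_message]


# Constructed peers: HQ is the responder, BRANCH the initiator.
HQ = Peer(
    local_id="203.0.113.10", expected_remote_id="198.51.100.20",
    ike=IkeCryptoProfile(frozenset({"group14"}), frozenset({"aes-256-cbc"}), frozenset({"sha256"})),
    ipsec=IpsecCryptoProfile(frozenset({"aes-256-gcm", "aes-256-cbc"}), frozenset({"sha256"}), "group14"),
    local_proxy=ipaddress.IPv4Network("10.10.0.0/16"),
    remote_proxy=ipaddress.IPv4Network("192.168.1.0/24"),
)
BRANCH = Peer(
    local_id="198.51.100.20", expected_remote_id="203.0.113.10",
    ike=IkeCryptoProfile(frozenset({"group14", "group2"}), frozenset({"aes-256-cbc", "aes-128-cbc"}), frozenset({"sha256"})),
    ipsec=IpsecCryptoProfile(frozenset({"aes-256-gcm"}), frozenset({"sha256"}), "group14"),
    local_proxy=ipaddress.IPv4Network("192.168.1.0/24"),
    remote_proxy=ipaddress.IPv4Network("10.10.0.0/16"),
)

# Misconfigured variants of BRANCH, one per row of the table.
BAD_P1 = replace(BRANCH, ike=replace(BRANCH.ike, dh_groups=frozenset({"group2"})))
BAD_ID = replace(BRANCH, local_id="branch.example.invalid")
BAD_PROXY = replace(BRANCH, local_proxy=ipaddress.IPv4Network("192.168.2.0/24"))
BAD_P2 = replace(BRANCH, ipsec=replace(BRANCH.ipsec, encryption=frozenset({"3des"})))
BAD_PFS = replace(BRANCH, ipsec=replace(BRANCH.ipsec, pfs_group=None))

if __name__ == "__main__":
    for label, peer in [("good", BRANCH), ("p1", BAD_P1), ("id", BAD_ID),
                        ("proxy", BAD_PROXY), ("p2", BAD_P2), ("pfs", BAD_PFS)]:
        msg = responder_result(peer, HQ)
        print(f"{label:6} responder: {msg:38} initiator: {initiator_view(msg)}")
```

Running it shows why the page says to troubleshoot from the responder: three different Phase 1 and Phase 2 problems all collapse to a timeout on the initiator, while the responder names the specific mismatch.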