Palo Alto Firewalls: Site to Site VPN with OSPF

Today I am going to talk about the basic configuration of a Site to Site VPN with OSPF on the Palo Alto Next Generation Firewall, taking an example of two sites where OSPF is used as the dynamic routing protocol for traffic flowing between the sites.

Here in the example, the tunnel IP address on each VPN peer is allocated manually and serves as the next hop for routing data between the sites.

For the basic configuration, first we need to configure the L3 interfaces on the firewalls at both sites.

Step-1
Select Network > Interfaces > Ethernet and then select the interface you want to configure for VPN. Select Layer3 from the Interface Type drop-down. On the Config tab, select the Security Zone to which the interface belongs. The interface must be accessible from a zone outside of your trust network.

Consider creating a dedicated VPN zone for visibility and control over your VPN traffic. If you have not yet created the zone, select New Zone from the Security Zone drop-down, enter a Name for the new zone and then click OK. Select the Virtual Router to use.

Fig 1.1- Site to Site VPN with OSPF-Palo Alto Firewalls

To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface. To save the interface configuration, click OK.

Configuration for RouteXP_PaloAlto1 is:
Interface: Ethernet1/1
Security Zone: RouteXP
Virtual Router: default
IPv4: 120.1.1.1/24

Configuration for RouteXP_PaloAlto2 is:
Interface: Ethernet1/1
Security Zone: RouteXP
Virtual Router: default
IPv4: 220.1.1.1/24

Step-2
Create a tunnel interface and assign it to a virtual router and security zone. Select Network > Interfaces > Tunnel and click Add. In the Interface Name field, specify a numeric suffix. On the Config tab, expand the Security Zone drop-down to select the zone.

Select the Virtual Router. To assign an IP address to the tunnel interface, select the IPv4 or IPv6 tab, click Add in the IP section, and enter the IP address and network mask/prefix to assign to the interface. This IP address is used as the next hop IP address to route data into the tunnel and can also be used to monitor the status of the tunnel.

Configuration for RouteXP_PaloAlto1 is:
Interface: tunnel.11
Security Zone: NBCorp
Virtual Router: default
IPv4: 10.1.1.1/24

Configuration for RouteXP_PaloAlto2 is:
Interface: tunnel.10
Security Zone: NBCorp
Virtual Router: default
IPv4: 10.1.1.2/24

Step-3
Set up the Crypto profiles (the IKE Crypto profile for phase 1 and the IPSec Crypto profile for phase 2). Select Network > Network Profiles > IKE Crypto, then Network > Network Profiles > IPSec Crypto.

Step-4
Set up the OSPF configuration on the virtual router and bind the OSPF areas to the appropriate interfaces on the firewall.
Select Network > Virtual Routers and select the default router or add a new router. Select OSPF (for IPv4) or OSPFv3 (for IPv6) and select Enable.

OSPF configuration for RouteXP_PaloAlto1 is:
Router ID: 192.168.20.2
Area ID: 0.0.0.0 that is assigned to the tunnel.1 interface with Link type: p2p
Area ID: 0.0.0.10 that is assigned to the interface Ethernet1/1 and Link Type: Broadcast

The OSPF configuration for RouteXP_PaloAlto2 is:
Router ID: 192.168.20.1
Area ID: 0.0.0.0 that is assigned to the tunnel.1 interface with Link type: p2p
Area ID: 0.0.0.20 that is assigned to the interface Ethernet1/15 and Link Type: Broadcast

Step-5
Set up the IKE Gateway. Select Network > Network Profiles > IKE Gateway. Click Add and configure the options in the General tab. Select the IKE Crypto profile you created earlier to use for IKE phase 1.

Configuration for RouteXP_PaloAlto1 is:
Interface: Ethernet1/1
Local IP address: 120.1.1.1/24
Peer IP address: 220.1.1.1/24
Preshared keys: enter a value

The configuration for RouteXP_PaloAlto2 is:
Interface: Ethernet1/1
Local IP address: 220.1.1.1/24
Peer IP address: 120.1.1.1/24
Preshared keys: enter same value as on RouteXP_PaloAlto1.

Step-6
Set up the IPSec Tunnel. Select Network > IPSec Tunnels. Click Add and configure the options in the General tab. Select Show Advanced Options, select Tunnel Monitor, and specify a Destination IP address to ping to verify connectivity.

Configuration for RouteXP_PaloAlto1 is:
Tunnel Interface: tunnel.10
Type: Auto Key
IKE Gateway: Select the IKE Gateway defined above.
IPSec Crypto Profile: Select the IPSec Crypto profile defined above.

Configuration for RouteXP_PaloAlto2 is:
Tunnel Interface: tunnel.11
Type: Auto Key
IKE Gateway: Select the IKE Gateway defined above.
IPSec Crypto Profile: Select the IPSec Crypto profile defined above.

Step-7
Create policies to allow traffic between the sites (subnets). Select Policies > Security. Create rules to allow traffic from the untrust zone to the NBCorp zone and from the NBCorp zone to the untrust zone for traffic originating from the specified source and destination IP addresses.

Verify the OSPF adjacencies and routes from the CLI:

CLI command: show routing protocol ospf neighbor
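As an added worked example (not the article's own material and not Palo Alto Networks code), the following Python script models the settings from Steps 1 to 7 for both firewalls and checks them against each other before you commit: the IKE peer addresses mirror each other, the pre-shared keys match, both phases use the same proposal, the tunnel addresses share a subnet, the OSPF router IDs differ, the area and link type agree across the tunnel, the IPSec tunnel binds the interface created in Step 2, and a security rule exists in both directions. Run against the values exactly as listed above, it reports that each firewall's IPSec tunnel is bound to the other firewall's tunnel interface (tunnel.11 in Step 2 versus tunnel.10 in Step 6 on RouteXP_PaloAlto1, and the reverse on RouteXP_PaloAlto2); with Step 6 bound to the Step 2 interface on each side it reports nothing. The crypto proposals, pre-shared key and the zone names used in the policy are constructed placeholders, since the article does not give them; the data model and check names are this example's own, not PAN-OS syntax or an API.

```python
"""Consistency checks for a two-site PAN-OS site-to-site VPN with OSPF.

Added example (not from the article or from Palo Alto Networks): a plain
Python model of the settings from Steps 1 to 7 plus a checker for the
cross-site mismatches that leave the tunnel or the OSPF adjacency down.
Field and check names are this example's assumptions, not PAN-OS syntax.
"""
from dataclasses import dataclass, field, replace
from hmac import compare_digest
from ipaddress import ip_interface


@dataclass
class SiteConfig:
    name: str
    wan_ip: str            # Step 1: Layer3 interface address, with mask
    tunnel_if: str         # Step 2: tunnel interface created (tunnel.N)
    tunnel_ip: str         # Step 2: tunnel interface address, with mask
    ike_crypto: tuple      # Step 3: phase 1 proposal (enc, auth, DH group, lifetime)
    ipsec_crypto: tuple    # Step 3: phase 2 proposal (enc, auth, PFS group, lifetime)
    router_id: str         # Step 4: OSPF router ID
    tunnel_area: str       # Step 4: OSPF area bound to the tunnel interface
    tunnel_link_type: str  # Step 4: "p2p" or "broadcast"
    ike_peer_ip: str       # Step 5: IKE gateway peer address
    psk: str               # Step 5: pre-shared key
    ipsec_tunnel_if: str   # Step 6: tunnel interface bound to the IPSec tunnel
    policies: set = field(default_factory=set)  # Step 7: (from_zone, to_zone)


def check_site_pair(a, b):
    """Return human-readable findings; an empty list means the pair is consistent."""
    findings = []
    for local, remote in ((a, b), (b, a)):
        # Step 5: the peer address must be the other firewall's WAN address.
        if ip_interface(local.ike_peer_ip).ip != ip_interface(remote.wan_ip).ip:
            findings.append(f"{local.name}: IKE peer {local.ike_peer_ip} is not "
                            f"{remote.name}'s WAN address {remote.wan_ip}")
        # Step 6 must bind the tunnel interface created in Step 2; otherwise the
        # next-hop route via the tunnel IP uses an interface with no IPSec SA.
        if local.ipsec_tunnel_if != local.tunnel_if:
            findings.append(f"{local.name}: IPSec tunnel bound to "
                            f"{local.ipsec_tunnel_if} but Step 2 created {local.tunnel_if}")
        # Step 7: site-to-site traffic needs a rule in each direction.
        for from_zone, to_zone in local.policies:
            if (to_zone, from_zone) not in local.policies:
                findings.append(f"{local.name}: no return rule {to_zone} -> {from_zone}")
    # Step 5: the PSK is the shared secret; compare in constant time and never log it.
    if not compare_digest(a.psk.encode(), b.psk.encode()):
        findings.append("pre-shared keys differ between the two sites")
    # Step 3: one proposal per phase is assumed here; a PAN-OS profile may list
    # several, but at least one must match on both sides or negotiation fails.
    if a.ike_crypto != b.ike_crypto:
        findings.append("IKE (phase 1) crypto proposals differ")
    if a.ipsec_crypto != b.ipsec_crypto:
        findings.append("IPSec (phase 2) crypto proposals differ")
    # Step 2: the tunnel addresses are the OSPF next hops and must share a subnet.
    ta, tb = ip_interface(a.tunnel_ip), ip_interface(b.tunnel_ip)
    if ta.network != tb.network or ta.ip == tb.ip:
        findings.append(f"tunnel addresses {a.tunnel_ip} and {b.tunnel_ip} are not "
                        "two distinct hosts in one subnet")
    # Step 4: duplicate router IDs and area or link-type mismatches block adjacency.
    if a.router_id == b.router_id:
        findings.append(f"both sites use OSPF router ID {a.router_id}")
    if a.tunnel_area != b.tunnel_area or a.tunnel_link_type != b.tunnel_link_type:
        findings.append("OSPF area or link type differs across the tunnel")
    return findings


def article_sites():
    """The two firewalls as the article's Steps 1 to 7 list them; the crypto
    proposals, PSK and policy zones are constructed values the article omits."""
    shared = dict(
        ike_crypto=("aes-256-cbc", "sha256", "group14", 28800),
        ipsec_crypto=("aes-256-gcm", "none", "group14", 3600),
        tunnel_area="0.0.0.0", tunnel_link_type="p2p",
        psk="constructed-example-psk",
        policies={("untrust", "NBCorp"), ("NBCorp", "untrust")},
    )
    site1 = SiteConfig("RouteXP_PaloAlto1", wan_ip="120.1.1.1/24",
                       tunnel_if="tunnel.11", tunnel_ip="10.1.1.1/24",
                       router_id="192.168.20.2", ike_peer_ip="220.1.1.1/24",
                       ipsec_tunnel_if="tunnel.10", **shared)
    site2 = SiteConfig("RouteXP_PaloAlto2", wan_ip="220.1.1.1/24",
                       tunnel_if="tunnel.10", tunnel_ip="10.1.1.2/24",
                       router_id="192.168.20.1", ike_peer_ip="120.1.1.1/24",
                       ipsec_tunnel_if="tunnel.11", **shared)
    return site1, site2


def consistent_sites():
    """Same pair with Step 6 bound to the interface each site created in Step 2."""
    site1, site2 = article_sites()
    return (replace(site1, ipsec_tunnel_if=site1.tunnel_if),
            replace(site2, ipsec_tunnel_if=site2.tunnel_if))


if __name__ == "__main__":
    for label, pair in (("as written", article_sites()), ("corrected", consistent_sites())):
        print(label, check_site_pair(*pair) or ["consistent"])
```

The checker is a pre-commit sanity pass over the values you are about to enter in the GUI on both firewalls; the `show routing protocol ospf neighbor` output above then confirms that the adjacency actually formed once the tunnel is up.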