Paloalto Site To Site 1720455966

The document outlines the concepts and technologies related to Palo Alto VPN Site-to-Site deployments, including benefits such as cost savings and security. It details the processes involved in establishing secure connections using IKE phases and IPsec protocols. Additionally, it discusses various tunneling protocols and methods for securing VPN tunnels.

Uploaded by Aamir Rangrez

Palo Alto VPN Site to Site

• Before VPN Technology
• VPN Benefits
• Palo Alto VPN Deployments
• Palo Alto VPN Site to Site concepts
• IPsec Technologies
• Palo Alto IKE Phase 1
• Palo Alto IKE Phase 2
Before VPN Technology

• Leased Line
• Frame Relay
• MPLS
VPN Benefits

• Cost Savings
• Security
• Scalability
• Compatibility
Palo Alto VPN Deployments

The Palo Alto Networks firewall supports the following VPN deployments:

1. Site-to-Site VPN
2. Remote User-to-Site (GlobalProtect)
VPN Site to Site concepts

When a client that is secured by VPN Peer A needs content from a server located at the other site:
1. VPN Peer A initiates a connection request to VPN Peer B.
2. If the security policy permits the connection, VPN Peer A uses the IKE Crypto profile parameters (IKE Phase 1) to establish a secure connection and authenticate VPN Peer B.
3. VPN Peer A then establishes the VPN tunnel using the IPSec Crypto profile, which defines the IKE Phase 2 parameters that allow the secure transfer of data between the two sites.
What Are VPN Tunneling Protocols?

• Generic Routing Encapsulation (GRE)
• Point-to-Point Tunneling Protocol (PPTP)
• Secure Socket Tunneling Protocol (SSTP)
• Layer 2 Tunneling Protocol (L2TP)/IPsec
• SSL VPN
• OpenVPN
• IPsec (IKEv1)
• Internet Key Exchange (IKEv2)/IPsec

IPsec Framework
• Confidentiality
  Confidentiality with Encryption
  • Encryption Algorithms
• Integrity
  • Hash Algorithms
  • Security of Hash Algorithms
• Authentication
  • Peer Authentication Methods
    1. Pre-Shared Keys (PSK)
    2. Digital Certificate (RSA)
• Secure Key Exchange
  • Diffie-Hellman Key Exchange
  • DH Group
• IPsec Protocols
  • Authentication Header (AH)
  • Encapsulating Security Payload (ESP)
IPsec Technologies

IPsec Framework / IPsec Examples

• Internet Key Exchange (IKE)

The IKE Protocol

• Palo Alto IKE Phase 1

1. The firewalls use the parameters defined in the IKE Gateway configuration and the IKE Crypto profile to authenticate each other and set up a secure control channel.
2. IKE Phase 1 supports the use of pre-shared keys or digital certificates for mutual authentication of the VPN peers.

The IKE Crypto profile defines the following options that are used in the IKE SA negotiation:

1. Diffie-Hellman (DH) group for generating symmetric keys for IKE
2. Authentication algorithms: sha1, sha256, sha384, sha512, or md5
3. Encryption algorithms: 3des, aes-128-cbc, aes-192-cbc, aes-256-cbc, or des
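The Phase 1 negotiation above only succeeds when the two peers' IKE Crypto profiles share a DH group, an authentication algorithm and an encryption algorithm. The following added example (not from the slides or from PAN-OS) models that matching in a simplified way and flags the legacy options a defender would remove; all profile contents and the WEAK set are constructed for illustration.

```python
"""IKE Phase 1 proposal matching between two IKE Crypto profiles.

Simplified model: each peer lists the DH groups, authentication (hash) and
encryption algorithms it accepts, and Phase 1 completes only if the peers share
a value in each category. Profile contents and WEAK are constructed examples.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Legacy choices a defender should remove. md5, sha1, des and 3des are among the
# options the slides list; group1/group2 are added here (assumption).
WEAK = {"md5", "sha1", "des", "3des", "group1", "group2"}

@dataclass
class IkeCryptoProfile:
    name: str
    dh_groups: List[str]    # preference order, e.g. ["group14", "group2"]
    auth: List[str]         # e.g. ["sha256", "sha1"]
    encryption: List[str]   # e.g. ["aes-256-cbc", "3des"]

def _first_common(mine: List[str], theirs: List[str]) -> Optional[str]:
    """First value in the initiator's list that the responder also accepts."""
    return next((v for v in mine if v in theirs), None)

def negotiate(initiator: IkeCryptoProfile,
              responder: IkeCryptoProfile) -> Optional[Tuple[str, str, str]]:
    """Return the agreed (dh_group, auth, encryption), or None on mismatch."""
    dh = _first_common(initiator.dh_groups, responder.dh_groups)
    auth = _first_common(initiator.auth, responder.auth)
    enc = _first_common(initiator.encryption, responder.encryption)
    if dh is None or auth is None or enc is None:
        return None         # no common proposal: the IKE SA is never built
    return dh, auth, enc

def weak_settings(profile: IkeCryptoProfile) -> List[str]:
    """Legacy algorithms still enabled in a profile, sorted for stable output."""
    enabled = profile.dh_groups + profile.auth + profile.encryption
    return sorted(v for v in enabled if v in WEAK)

# Constructed profiles: a hardened peer, a peer that still tolerates legacy
# algorithms, and a legacy device that offers only md5 and 3des.
SITE_A = IkeCryptoProfile("site-a", ["group14", "group2"], ["sha256", "sha1"], ["aes-256-cbc", "3des"])
SITE_B = IkeCryptoProfile("site-b", ["group2", "group14"], ["sha256"], ["aes-128-cbc", "aes-256-cbc"])
LEGACY = IkeCryptoProfile("legacy", ["group2"], ["md5"], ["3des"])

if __name__ == "__main__":
    print(negotiate(SITE_A, SITE_B))   # ('group14', 'sha256', 'aes-256-cbc')
    print(negotiate(SITE_A, LEGACY))   # None: site-a does not accept md5
    print(weak_settings(SITE_A))       # ['3des', 'group2', 'sha1']
```

Note that leaving sha1 or 3des in site-a's profile for compatibility does not help with the legacy peer here, because md5 is still absent; the profile only gains exposure without gaining the tunnel.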
• Palo Alto IKE Phase 2 (IPsec)

IKE Phase 2 uses the keys that were established in Phase 1 and the IPSec Crypto profile, which defines the IPsec protocols and keys used for the SA in IKE Phase 2.

IPsec uses the following protocols to enable secure communication:

1. Encapsulating Security Payload (ESP) allows you to encrypt the entire IP packet, authenticate the source, and verify the integrity of the data.
   Note: you can choose to only encrypt or only authenticate by setting the encryption option to Null.
2. Authentication Header (AH) authenticates the source of the packet and verifies data integrity. AH does not encrypt the data.
• Methods of Securing IPsec VPN Tunnels (IKE Phase 2)

IPsec VPN tunnels can be secured using manual keys or auto keys.

• Manual Key: A manual key is typically used if the Palo Alto Networks firewall is establishing a VPN tunnel with a legacy device, or if you want to reduce the overhead of generating session keys. If using manual keys, the same key must be configured on both peers. Manual keys are not recommended for establishing a VPN tunnel because the session keys can be compromised when relaying the key information between the peers; if the keys are compromised, the data transfer is no longer secure.

• Auto Key: Auto Key allows you to automatically generate keys for setting up and maintaining the IPsec tunnel based on the algorithms defined in the IPSec Crypto profile.
